It's all part of the process(ing): getting ready for the General Data Protection Regulation
Article first published in CONNECT in April 2016
The current European Data Protection Directive was finalised many years ago at a time when few people had access to the internet, conducted business “online”, used cloud storage or transferred data electronically. The manner in which our data is collected, accessed and used has changed profoundly and, accordingly, the General Data Protection Regulation (the GDPR) represents the biggest data protection reform in Europe for many years. Its overarching aim is to harmonise data protection legislation across all member states and do away with the cacophony of laws which exist at present. It will have direct effect in all member states and is due to come into force in mid-2018.
Jersey’s data protection regime is presently governed by the Data Protection (Jersey) Law 2005 (the DPL) which is modelled (for the most part) on the Data Protection Act 1998 which is in force in England and Wales. Compliance with the DPL is regulated by the Information Commissioner (who also has responsibility for the Data Protection (Bailiwick of Guernsey) Law 2001). Both Jersey and Guernsey have been formally assessed by the European Commission as meeting current EU data protection standards. This “adequacy” provision means that Jersey is deemed to provide sufficient protection of an individual’s right to fair and just processing of their personal information to ensure free and unhindered data transfers from EEA Member States, notwithstanding the fact that Jersey is not part of the EU or EEA itself.
Following the coming into force of the GDPR, and in order that Jersey remains an attractive destination for business and commerce, it is likely that the DPL will either have to be amended or replaced with a new piece of legislation to ensure that Jersey continues to be regarded as a country providing an adequate level of protection to receive and hold data.