One of the key factors for effective regulation is independence and that has been the driving factor behind the development of the new funding model. Both the General Data Protection Regulation (GDPR) and our own local law (designed to be equivalent to GDPR) require that data protection regulators be independent of government, industry and other external sources.
Data protection equivalence
Demonstrating equivalence to GDPR will go some way towards confirming to the European Commission that Guernsey should remain on the list of “adequate” jurisdictions for international flows of data to and from the EU. That adequacy assessment is ongoing, hence the need to ensure that this area was addressed. Without “adequacy”, data flows between the island and the EU would be significantly impeded, which would in turn hamper the island’s recovery from the pandemic and its ability to capitalise on the emerging digital economy.
Guernsey’s new data protection model
The new model will come into force from January 2021. All data controllers and processors established in the Bailiwick will be required to register/re-register with the ODPA between January-March 2021.
Registration can be completed either following completion/submission of the annual validation process via the Guernsey Registry, or directly with the ODPA. This should streamline the process, particularly for those using the Registry’s online submission platform.
The current exemptions that have been in place since the new law came into force will cease as at January 2021, with the exception of those processing personal data for domestic/household purposes. Registration will then be required. Charities and not-for-profit organisations will be required to register, but will not have to pay the registration fee.
- GBP50 for organisations with fewer than 50 full time employees (FTEs)
- GBP2,000 for entities with 50 or more FTEs
Details as to how to assess the number of FTEs will be published in due course. The fees will then be payable annually, dovetailing with the annual requirement to review the information submitted for registration purposes.
The ODPA has recognised from feedback provided by industry that for those administering and/or registering a number of entities, some form of bulk registration process may be beneficial. This is being considered and more details will follow.
The implementation of a self-funding model will allow the ODPA to be independent of the States and should assist with demonstrating adequacy. The streamlined process is to be welcomed, as is the news that the fee structure is very straightforward.
DATA PROTECTION EVOLUTION
The devil is (as always) in the detail – whilst the position may be clear for many local entities, there will be further analysis needed for those operating into the island. We are aware from discussions with clients that the bulk registration process is something of particular interest, so we await further guidance and information on that process, along with further information on assessing the number of FTEs.
More widely, this step shows Guernsey’s continued evolution and proactive growth in this area and is a recognition of the importance of data protection and effective regulation within the Bailiwick. Operating both as a tool for marketing the islands to a global marketplace and as a mechanism for building trust in a digital environment, it is vital that we continue to innovate and move forwards in this area.
We have been advising a wide range of clients on these matters, so do get in touch if you have any questions or would like to know more.
Who is the data protection regulator in Guernsey?
In Guernsey, the Office of the Data Protection Authority (ODPA) is the independent regulatory authority for the purposes of The Data Protection (Bailiwick of Guernsey) Law, 2017 and associated legislation. The ODPA is tasked with the development and implementation of the regulatory regime necessary to oversee the Law’s requirements.