The advent of the GDPR represents the biggest change in data protection law for more than 20 years and will be adopted wholesale in both Guernsey and Jersey, even though they sit outside the EU, in order to preserve their adequacy status – a necessity for the islands financial services businesses which are dependent on a free flow of information. Inevitably, much of the focus in the media over the GDPR has been on the increased fines of up to €20 million, or 4% of global annual turnover, and in companies where the management of data is not currently a priority there may be a rude awakening. However, for others the GDPR will feel more like a tightening of the rules, by bringing the legislation into line with what some would already consider best practice.
The new law introduces a risk-based approach to governance, and evidence of the correct compliance procedures being in place will be essential. Another key component will be accountability, with some organisations being required to appoint a Data Protection Officer in much the same way as Money Laundering Reporting Officers already take responsibility for AML/CFT compliance. Other new elements include mandatory breach reporting for data loss, increased protection for children and new rules about transparency, requiring companies to be clearer about the data they are holding and how that data will be used. Individuals will also now have the right to have their data deleted when it is no longer required, with the introduction of a so-called ‘right to be forgotten’.
As such, the GDPR certainly creates new compliance obligations and must become a key element of every company’s risk management framework at board level. Most financial services businesses in the Channel Islands should already be live to the issues of handling personal data, and be aware of the risks involved. The Panama Papers debacle served as a stark reminder to the offshore industry, when law firm Mossack Fonseca received worldwide media attention after information about its clients’ financial dealings was published. The reputational risks associated with data breaches have therefore long provided the impetus for companies to do what the GDPR will now compel them to do by law, and for most, the issue is already a boardroom issue. Where this is already the case, the key decision is to identify the right person in place as the Data Protection Officer, who can drive implementation across the business over the next 12 months. The individual concerned needs a good understanding of both the existing and new law, and will likely need upskilling over the coming months to keep abreast of the implementation timetable.
Moving swiftly on the appointment of a Data Protection Officer will avoid expensive, eleventh-hour remedying in May next year, and will make the adoption of the GDPR run smoothly. We advise companies to focus on two things when identifying the right person: first, the individual chosen must have sufficient influence within the business to be taken seriously and listened to at all levels; and second, they must have a genuine interest in the subject matter. With the right person leading the charge, and with an ongoing commitment to data protection, the advent of the GDPR should not cause undue concern. Where the new regulatory powers will have the potential to shock is in businesses that are currently oblivious to their data protection responsibilities.