The advent of the GDPR represents the biggest change in data protection law for more than 20 years and will be adopted wholesale in both Guernsey and Jersey, even though they sit outside the EU, in order to preserve their adequacy status – a necessity for the islands financial services businesses which are dependent on a free flow of information. Inevitably, much of the focus in the media over the GDPR has been on the increased fines of up to €20 million, or 4% of global annual turnover, and in companies where the management of data is not currently a priority there may be a rude awakening. However, for others the GDPR will feel more like a tightening of the rules, by bringing the legislation into line with what some would already consider best practice.

The new law introduces a risk-based approach to governance, and evidence of the correct compliance procedures being in place will be essential. Another key component will be accountability, with some organisations being required to appoint a Data Protection Officer in much the same way as Money Laundering Reporting Officers already take responsibility for AML/CFT compliance. Other new elements include mandatory breach reporting for data loss, increased protection for children and new rules about transparency, requiring companies to be clearer about the data they are holding and how that data will be used. Individuals will also now have the right to have their data deleted when it is no longer required, with the introduction of a so-called ‘right to be forgotten’.

As such, the GDPR certainly creates new compliance obligations and must become a key element of every company’s risk management framework at board level. Most financial services businesses in the Channel Islands should already be live to the issues of handling personal data, and be aware of the risks involved. The Panama Papers debacle served as a stark reminder to the offshore industry, when law firm Mossack Fonseca received worldwide media attention after information about its clients’ financial dealings was published. The reputational risks associated with data breaches have therefore long provided the impetus for companies to do what the GDPR will now compel them to do by law, and for most, the issue is already a boardroom issue. Where this is already the case, the key decision is to identify the right person in place as the Data Protection Officer, who can drive implementation across the business over the next 12 months. The individual concerned needs a good understanding of both the existing and new law, and will likely need upskilling over the coming months to keep abreast of the implementation timetable.

Moving swiftly on the appointment of a Data Protection Officer will avoid expensive, eleventh-hour remedying in May next year, and will make the adoption of the GDPR run smoothly. We advise companies to focus on two things when identifying the right person: first, the individual chosen must have sufficient influence within the business to be taken seriously and listened to at all levels; and second, they must have a genuine interest in the subject matter. With the right person leading the charge, and with an ongoing commitment to data protection, the advent of the GDPR should not cause undue concern. Where the new regulatory powers will have the potential to shock is in businesses that are currently oblivious to their data protection responsibilities.

Share
Twitter LinkedIn Email Save as PDF
More Publications
7 Nov 2019 |

The Inequality of Equality Legislation in the Channel Islands

This summer Guernsey launched its public consultation in relation to proposals to introduce a compre...

9 Oct 2019 |

Transparency and the Crown Dependencies

Transparency of beneficial ownership information has been a political issue since June 2013 when Bri...

18 Sep 2019 |

Offshore listing Vehicles to benefit from the Shanghai - London stock connect

Offshore listing Vehicles to benefit from the Shanghai - London stock connect

Contributors: Huiyan Liew
28 Jun 2019 |

Internal Investigations - Evidence for the Prosecution

Sophisticated organisations are frequently required to undertake internal investigations. These can ...

Contributors: Anthony Williams
26 Jun 2019 |

Regulatory Headwinds

Faced with increased scrutiny from regulators on both global and jurisdictional levels, businesses m...

Contributors: David Dorgan
19 Jun 2019 |

Beneficial Ownership Update: Crown Dependencies

The Crown Dependencies (Jersey, Guernsey and the Isle of Man) have announced a joint policy commitme...

Contributors: Alison MacKrill, Caren Pegg
21 May 2019 |

Royal Court of Jersey Directs the Winding up of an Insolvent Trust

The Royal Court of Jersey has recently handed down an important decision in relation to the winding ...

Contributors: Amy Benest