The advent of the GDPR represents the biggest change in data protection law for more than 20 years and will be adopted wholesale in both Guernsey and Jersey, even though they sit outside the EU, in order to preserve their adequacy status – a necessity for the islands financial services businesses which are dependent on a free flow of information. Inevitably, much of the focus in the media over the GDPR has been on the increased fines of up to €20 million, or 4% of global annual turnover, and in companies where the management of data is not currently a priority there may be a rude awakening. However, for others the GDPR will feel more like a tightening of the rules, by bringing the legislation into line with what some would already consider best practice.

The new law introduces a risk-based approach to governance, and evidence of the correct compliance procedures being in place will be essential. Another key component will be accountability, with some organisations being required to appoint a Data Protection Officer in much the same way as Money Laundering Reporting Officers already take responsibility for AML/CFT compliance. Other new elements include mandatory breach reporting for data loss, increased protection for children and new rules about transparency, requiring companies to be clearer about the data they are holding and how that data will be used. Individuals will also now have the right to have their data deleted when it is no longer required, with the introduction of a so-called ‘right to be forgotten’.

As such, the GDPR certainly creates new compliance obligations and must become a key element of every company’s risk management framework at board level. Most financial services businesses in the Channel Islands should already be live to the issues of handling personal data, and be aware of the risks involved. The Panama Papers debacle served as a stark reminder to the offshore industry, when law firm Mossack Fonseca received worldwide media attention after information about its clients’ financial dealings was published. The reputational risks associated with data breaches have therefore long provided the impetus for companies to do what the GDPR will now compel them to do by law, and for most, the issue is already a boardroom issue. Where this is already the case, the key decision is to identify the right person in place as the Data Protection Officer, who can drive implementation across the business over the next 12 months. The individual concerned needs a good understanding of both the existing and new law, and will likely need upskilling over the coming months to keep abreast of the implementation timetable.

Moving swiftly on the appointment of a Data Protection Officer will avoid expensive, eleventh-hour remedying in May next year, and will make the adoption of the GDPR run smoothly. We advise companies to focus on two things when identifying the right person: first, the individual chosen must have sufficient influence within the business to be taken seriously and listened to at all levels; and second, they must have a genuine interest in the subject matter. With the right person leading the charge, and with an ongoing commitment to data protection, the advent of the GDPR should not cause undue concern. Where the new regulatory powers will have the potential to shock is in businesses that are currently oblivious to their data protection responsibilities.

Share
Twitter LinkedIn Email Save as PDF
More Publications
30 Jul 2021 |

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
12 Mar 2021 |

Material adverse change clauses in light of the Covid-19 pandemic

Experts from each of our key global offices provide jurisdiction specific advice and answer question...

8 Mar 2021 |

Appleby Celebrates International Women’s Day

International Women’s Day is celebrated annually in support of gender equality and equal participa...

23 Feb 2021 |

Fit and Proper in the Channel Islands – A Regulatory Enforcement Update

It is sometimes easy to forget with all that has happened over the last 12 months that there was a w...

1 Dec 2020 |

Reflections from the Virtual Fund Finance Symposium

The Fund Finance Association’s Virtual Symposium took place from 16th to 20th November. Attendees ...

27 Nov 2020 |

NAV Facilities: A Promising Vaccine for Funds in the Era of Covid-19?

The spotlight has been on NAV facilities and other bespoke financings as an area poised for growth, ...

30 Oct 2020 |

When Worlds Collide – How COVID is Connecting Technology with Natural Resources

Dating back to the beginning of 2020, the natural resources sector has been extremely active at both...

Contributors: Peter Colegate