The GDPR represents the biggest change in data protection law for more than 20 years and will be adopted wholesale in both Guernsey and Jersey, even though they sit outside the EU, in order to preserve their adequacy status – a necessity for the islands’ financial services businesses, which are dependent on a free flow of information. Inevitably, much of the media focus on the GDPR has been on the increased fines of up to €20 million, or 4% of global annual turnover, and in companies where the management of data is not currently a priority there may be a rude awakening. However, for others the GDPR will feel more like a tightening of the rules, bringing the legislation into line with what some would already consider best practice.

GDPR Compliance

The new law introduces a risk-based approach to governance, and evidence of the correct compliance procedures being in place will be essential. Another key component will be accountability, with some organisations being required to appoint a Data Protection Officer in much the same way as Money Laundering Reporting Officers already take responsibility for AML/CFT compliance. Other new elements include mandatory breach reporting for data loss, increased protection for children and new rules about transparency, requiring companies to be clearer about the data they are holding and how that data will be used. Individuals will also now have the right to have their data deleted when it is no longer required, with the introduction of a so-called ‘right to be forgotten’.

As such, the GDPR certainly creates new compliance obligations and must become a key element of every company’s risk management framework at board level. Most financial services businesses in the Channel Islands should already be live to the issues of handling personal data, and be aware of the risks involved. The Panama Papers debacle served as a stark reminder to the offshore industry, when law firm Mossack Fonseca received worldwide media attention after information about its clients’ financial dealings was published. The reputational risks associated with data breaches have therefore long provided the impetus for companies to do what the GDPR will now compel them to do by law, and for most, data protection is already a boardroom issue. Where this is already the case, the key decision is to identify the right person to put in place as the Data Protection Officer, who can drive implementation across the business over the next 12 months. The individual concerned needs a good understanding of both the existing and new law, and will likely need upskilling over the coming months to keep abreast of the implementation timetable.

Moving swiftly on the appointment of a Data Protection Officer will avoid expensive, eleventh-hour remedying in May next year, and will make the adoption of the GDPR run smoothly. We advise companies to focus on two things when identifying the right person: first, the individual chosen must have sufficient influence within the business to be taken seriously and listened to at all levels; and second, they must have a genuine interest in the subject matter. With the right person leading the charge, and with an ongoing commitment to data protection, the advent of the GDPR should not cause undue concern. Where the new regulatory powers will have the potential to shock is in businesses that are currently oblivious to their data protection responsibilities.

First published by Business Brief, April 2017
