Introduction

A shift in Guernsey's corporate and individual attitude towards the misuse of data is now central to the Office of the Data Protection Authority's (ODPA's) future approach to governance and enforcement in Guernsey.

Following the end of the transitional relief period under the Data Protection (Bailiwick of Guernsey) Law 2017 in May 2019, this article rounds up the key issues which the ODPA has communicated and which will dictate its approach.

Changes in culture in the workplace

The ODPA has repeatedly highlighted its encouragement for a shift in attitudes, for both consumers and businesses, so that the misuse of data is seen as both legally and socially unacceptable.

While legislation and regulatory action both have a role to play in protecting data, the ODPA sees consumers and businesses as the key factor in achieving secure, ethical use of data. As consumers begin to recognise the ever-growing value of their personal information and have open access to information about the frequency and severity of data breaches, they can begin to impose an ethical baseline when it comes to the use of their data and punish those businesses which fall beneath it. Over time, this will have the effect of building a self-correcting market.

A simple rule of thumb for officers and employees undertaking any aspect of personal data management to ensure they do not fall foul of the standards of protection required by the ODPA is to treat personal data in the manner in which they would wish their own personal data to be treated.

Predict, prevent, detect, enforce

The ODPA is seeking to achieve a balanced approach across the four key areas of regulation (prediction, prevention, detection and enforcement) in fulfilling its functions under the law.

In particular, businesses have been reminded that the principal purpose of the breach reporting requirements under the law is to assist the regulator in:

  • predicting and preventing breaches before they have occurred;
  • identifying areas in the industry which may require additional resources; and
  • training to achieve compliance and best practice, rather than as an enforcement tool.

Delayed introduction of self-funded charging system

The ODPA released a statement on 28 October 2019 to confirm that while it had been working with the States of Guernsey for the past year to agree a funding model for the ODPA's activities based on the charging of annual registration fees, it has taken longer than expected to agree and implement such a model.

Guernsey Data Protection Commissioner Emma Martins stated that:

the ODPA's goal is to achieve a fair, low-cost, low-admin business that allows local businesses to concentrate their efforts on running their businesses well, rather than filling in bureaucratic forms.

The delay in agreeing the funding model has resulted in the extension of the current registration exemptions for small businesses and sole traders. Those persons to which the exemptions apply will no longer be required to register with the ODPA until January 2021.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.