Guernsey: The GDPR, Guernsey And The Financial Sector

Last Updated: 19 January 2018
Article by Nin Ritchie

Most Read Contributor in Guernsey, September 2018

Collas Crill Senior Associate Nin Ritchie considers the effect that the EU's General Data Protection Regulation is going to have on financial firms and the steps that they should think of taking when gearing up for it.

You don't need a lawyer to tell you that the General Data Protection Regulation (GDPR) juggernaut is steadily chuntering towards any organisation that operates or wants to operate in or with the EU, and there is nothing you can do about it other than to be prepared and ready for the impact when it hits on 25 May 2018. On that cheery note, maybe I should stop there, but I won't!

Guernsey is on track to introduce the Data Protection (Bailiwick of Guernsey) Law 2017 (DPGL) in conjunction with the coming into force of the GDPR. It will do two things. It will make Guernsey an 'equivalent' jurisdiction (being one of only 11 non-EU jurisdictions to have this status); and, in doing so, it will extend GDPR-type obligations to Guernsey organisations regardless of where they are in the world and with whom they choose to do business. The cost of getting it wrong is high and, depending on the seriousness of the mistake, the fine may well be too much for some organisations to bear.

William Mason, the director general of the Guernsey Financial Services Commission (GFSC), told a recent meeting that the GFSC employed interns in the summer to sort through, scan and shred more than five million pages (1,750 archive boxes) to make sure that, by spring next year, it would be complying with the GDPR. I have a few points to make about this. Firstly, what happened to students spending their summer as surf instructors? Secondly (and more importantly), the GFSC will no doubt expect the entities it licenses to follow suit and take their obligations seriously. Thirdly, that volume of documents and data is probably a drop in the ocean compared with the data that some of the regulator's larger globally operating licensees are holding. Mason noted that although the GFSC's clean-up exercise had been a bureaucratic chore (not least for the sun-deprived interns), it would save money on archive space in the long term.

It is that 'bureaucratic chore', the process to get compliant with GDPR/DPGL, that compliance teams ought to be focusing on now. That is not a choice – it has to happen – but why should an organisation go through the cost and disruption of such a major overhaul without getting some commercial value from it?

Have no doubt, unless an organisation is in the unique and fortunate position of opening for business with GDPR/DPGL-compliant systems and processes on the date when the GDPR/DPGL become effective, it will have to make some organisational, technical and legal changes to get up to scratch.

So where is the good news? Many organisations in Guernsey have been operating in a healthy and compliant way for years, maybe even decades. The need to work towards GDPR/DPGL compliance presents such firms with a unique opportunity to take stock of the data they hold and have a good peer through the looking glass at (i) how it flows, (ii) where it is stored, (iii) who has access to it, and (iv) how it can be managed more effectively.

Some firms have grown quickly and/or been acquisitive in recent years. The GDPR/DPGL might inspire them to consider, as appropriate, whether and how to centralise systems and resources. Now may be the right time on the data mapping journey (if it hasn't happened already) for them to consider how to get the best use out of the data they hold and set up a system to make that operational.

Think about Big Data at its most basic level. For example, one's firm might have a central resource for holding "client due diligence" (CDD) data that streamlines the client take-on process and retains only what it needs, but still helps it assess business risks, set its risk appetite, do its target marketing and even price its products and services.

We must take other considerations into account. In view of recent case law and regulatory developments, here are four points that a financial firm ought to consider when gearing up for GDPR.

Privilege

Decisions in the recent cases of Re the RBS Rights Issue Litigation [2016] EWHC 3161 (Ch) (08 December 2016) and Serious Fraud Office v Eurasian Natural Resources Corporation Ltd [2017] EWHC 1017 (QB), which have caused a huge stir amongst dispute lawyers, show that data flows and the identities of the people who may have access to data are vexed subjects. These cases focus on privilege, thankfully only something to which organisations need to turn if they find themselves on the unwelcome end of a regulatory or law enforcement investigation or some form of litigation. The documents protected by privilege are those an organisation can hold back from producing to the other side.

The current position (pending the appeal of the SFO in its case) is that legal advice privilege will only cover confidential communications between an organisation's lawyers and people charged with obtaining that legal advice. Communications with anyone else in the organisation, even if they originally had the job of providing the lawyers with the facts and figures they needed to provide their advice, will not be protected by privilege. With that in mind, and in the hope that the organisation never finds itself at the receiving end of such unpleasantries, organisations might think about imposing appropriate checks and balances in line with principles of the GDPR to ensure that the processing of data, including legal advice, is streamlined to be what is necessary and accessible to only its intended recipients.

Trustee disclosure

Turning to the rights of the beneficiaries of trusts to information under the UK's existing data protection regime, the decision in Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 shows that Guernsey trustees should ensure that information relating to their deliberations and exercise of their discretion (including any legal advice they seek) remains in Guernsey in order to avoid the danger that the information may be disclosable under another jurisdiction's data protection legislation.

That English decision confirmed two important principles:

  • that English law firms are not exempt from the scope of the English data protection regime and, when faced with a subject access request, English lawyers must comply with the request by disclosing any personal information they hold that is not privileged; and, arguably more importantly for trustees,
  • the question of interplay between the English data protection regime and a beneficiary of a trust's rights to information has been firmly resolved in favour of the statutory entitlement to information created by England's Data Protection Act 1998.

Here the laws differ between England and Guernsey. The current Guernsey data protection laws include specific subject access request exemptions that mirror its trust law provisions restricting disclosure, whereas the English regime does not. Therefore, as long as those exist (and fingers crossed the exemption carries over to the DPGL) Guernsey trustees, if advised by their Guernsey lawyers, should be exempt from complying with a beneficiary's subject access request. It is timely for a trustee to use this opportunity to ensure that it is confident in its data flows and, to the extent possible, in order to limit the risk of exposing its data to others who have access to it, to implement controls that limit the sharing of beneficiary data with other parties, particularly those outside Guernsey.

The Common Reporting Standard

The Organisation for Economic Co-operation and Development's CRS is another data protection minefield. Many know that Guernsey as an early CRS 'adopter' was faced with its first reporting deadline on 30 June 2017, with hefty sanctions possible for non-compliance. Guernsey's reporting 'financial institutions' were and are obliged to complete 'due diligence' on reportable persons: a heady task with new data being collected continually as new clients come on board and old clients' circumstances change. Given the tight timeframe for the first reports, many organisations found themselves pulling data together from various sources in order to have something to report. This cannot have been effective in terms of time or money and certainly cannot be the model for future reporting. Each organisation now has to streamline its processes to obey CRS while also adhering to the principles of the GDPR.

The bottom line

William Mason certainly had a point about saving money on archive space; why pay for space to store data that one's organisation simply should not be holding? How can an organisation know what personal data it holds, let alone whether that data is adequate, relevant, limited to what is necessary, accurate and kept up-to-date (or erased or rectified if it is wrong) when it is in a brown box under lock and key in a warehouse offsite? The simple answer is that it can't.

I'm sorry, future interns, your summers may not be as bright as they used to be! I am certain that you will have many more hours of sorting, scanning and shredding to look forward to. I hope you do it in an intelligent way, with streamlined systems capturing personal data that is only being used for the purposes for which it is being processed.

An original version of this article was first published by Compliance Matters, November 2017.

For more information about Guernsey's finance industry please visit www.guernseyfinance.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
