Uncertain. Vague. Burdensome.
Prior to the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, there was an air of uncertainty and scepticism surrounding the new legislation. Fuelled by the additional resources that were required to comply with the changes the new regime brought, many organisations viewed GDPR as burdensome.
On the same day as the GDPR came into effect, the Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) came into force in order to align Guernsey's data protection regime with the GDPR.
Since this time, organisations have continued to deal with the challenges the Law brings. Whilst there was, and still is, much work to do for organisations to ensure compliance with the new regime, there have been many positives for individuals and organisations alike.
Why was change required?
From a technological and data perspective, the world is a very different place today in comparison to when The Data Protection (Bailiwick of Guernsey) Law, 2001 was enacted. The internet was in its infancy and was not widely available to all. It seems so unimaginable today, but at that time, not everyone had a mobile phone. It meant that the way in which data was used and shared was fairly limited.
Fast forward a number of years and the situation is vastly different. We face unprecedented times in relation to cyber security risks posed to both individuals and organisations. The internet is widely accessible and people can organise more or less every aspect of their lives via their mobile phone. This has resulted in a huge increase in the amount of data and a revolution in the way in which it is used and shared. Globally, data protection regimes were not fit for purpose. They simply could not keep up with the digital world.
Whilst Guernsey had been ahead of the curve (in that it has had data protection legislation since 1986), the regime had become outdated and required updating. The focus of the Law was to provide increased data protection for the public and reinforce the obligations on organisations. As a result, the Law brought in a number of changes by introducing:
- Refined measures on how consent can be obtained and when it can be relied upon.
- Enhanced rights for individuals around how data is processed and accessed, how data can be rectified, erased or transferred as well as the right to object to processing in certain circumstances.
- Accountability and governance obligations in addition to notification obligations in the event of a data breach.
- Requirements in relation to the transfer of personal data between parties and between jurisdictions, with a particular emphasis on data transfers outside of the EU.
Where are we now?
Data and privacy have rarely moved out of the spotlight since the new regime came into force. For organisations it has been a busy time, not least because of the additional items that had to be dealt with during the "transitional period", which has recently ended.
Whilst the new regime in Guernsey may have brought some challenges with it and will continue to do so for some time, it has also served to bring a number of positives.
The new regime has allowed individuals to realise the potential of their data, but this is also true for organisations – data can be an invaluable asset. The Law meant organisations had to get to grips with the data they held, and whilst this may have been viewed as a burdensome task at the outset, the benefits of good quality data sets will be evident from a decision-making, productivity, compliance and marketing perspective.
We have also seen a move towards transparency and trust, which will help organisations retain their existing customer base as well as attract new customers as consumer confidence continues to grow in an increasingly digital marketplace. Trust is key in the online world. In addition, having a strong GDPR-compliant framework which extends and modifies cyber security practices will assist in combating the very real threat of a cyber attack.
Increasingly, organisations are bringing ethics into their data protection practices, moving compliance on from simply complying with the law.
The next chapter
The Office of the Data Protection Authority (the Authority) has recently published its strategic plan for 2019-2022 which is designed to implement the Authority's goal to deliver effective and independent data protection regulation. Similarly, data protection and security should be an integral part of any organisation's strategic plan.
The Authority has also recently issued its first press release on enforcement action, a reprimand issued to the Policy and Resources Committee of the States of Guernsey for wrongful disclosure of health data of a staff member. Whilst other enforcement measures are in the pipeline and it has taken some time for this first step to be taken, it also demonstrates a pragmatic approach. Engagement is still the primary focus.
Data protection is a topic that will stay top of the agenda for boards for some time to come; compliance certainly cannot be seen as a tick-box exercise that was undertaken in the lead-up to the Law coming into effect and not to be looked at again. Ongoing compliance is key to success. Indeed, the UK Information Commissioner's Office views data protection as "an enabler of growth and innovation" for organisations.
It is without question that further challenges lie ahead and the next few months will be interesting. However, now that the initial hard work and trepidation is over, organisations can continue to build on the changes they have made to date and focus on reaping the benefits that compliance with the new regime can bring.
First published by Guernsey Chamber of Commerce, September 2019
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.