Regulatory markets evolve at various speeds and the data protection regime is one example of a market developing at an exponential pace. From BA, to Experian and now Grindr, the path to compliance has been littered with good and bad practices, eye-watering fines and examples of real-world harms being exposed. World Data Protection Day (28th January for the un-initiated) is a good opportunity to reflect on that progress.
Guernsey's regime has also been moving at pace, with significant engagement programmes from the regulator (ODPA), regulatory sanctions and the establishment of a forum for practitioners (the Bailiwick of Guernsey Data Protection Association). Most recently, there has been an overhaul of the registration system and the introduction of the Levy Collection Agent (LCA) regime as part of the ODPA's move towards a self-funding model.
Registration requirements and the LCA process have both been well-publicised, though with the run-up to Christmas 2020 and the current "lockdown", businesses may be forgiven for some of these matters remaining on the "to do" list. We have been engaging with a wide range of businesses from different sectors to assist them in understanding their obligations, and foresee a continued number of instructions in the run-up to the deadline at the end of February 2021.
Whilst registration for Controllers and Processors has been a requirement for a number of years, the increasing profile and importance of data protection in today's digital (global) marketplace has caused some to re-evaluate their approach to entities which they administer. Whilst the process itself is straightforward (registering via the portal takes a matter of minutes), the groundwork involved in assessing the status of a given structure/entity and its processing operations is often more complex. This is especially the case for overseas entities, administered and/or managed from Guernsey.
Oscar Wilde wrote that "What seems to us as bitter trials are often blessings in disguise." This could be applied to any form of regulatory change which brings with it additional work. However, in this instance, there are real benefits, including a greater understanding of data protection obligations generally and the ability to build trust with clients through safeguarding of their data. The reputational and economic backlash that arises when things go wrong demonstrate that the "blessings" are not necessarily that well disguised.
On 1 October 2020, the Data Protection (General Provisions) (Bailiwick of Guernsey) (Amendment No. 2) Regulations, 2020 (the Amendment Regulations) came into force, amending Part 1 of the Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, 2018 (the Principal Regulations).
The Amendment Regulations ultimately seek to regulate a new registration and levy regime which is in place from 2021. This regime firstly requires all controllers and processors established in the Bailiwick who process personal data (and who are not exempt in accordance with the Amendment Regulations) to complete an annual return during January-February of each year (as opposed to at any point during the year) and pay an annual levy. Secondly, it enables controllers and processors to either pay the annual levy to the ODPA directly, or through a LCA.
Each controller/processor is also required to file a return for 2021 (in effect re-registering if already registered). This is a one-off requirement to establish a picture of the regulated market and ensure that data on the market is current.
Established in Bailiwick
The key question is whether you are "established in the Bailiwick" – for most businesses this is easy – Guernsey entities and structures carrying on business here will fall within the definition. The more complex issues arise for overseas entities (such as funds) managed and/or administered from Guernsey. It is important to consider this question in detail, as assessing whether an entity falls within scope is rarely straightforward.
Registration from January 2021 and Registration fee
The previous exemptions from registration expired in December 2020; the Amendment Regulations now require that you register with the Authority in January/February 2021 and pay a registration fee. The registration fee will be £2,000 if you have 50 or more "full-time equivalent" employees and £50 otherwise (including if you are a non-profit organisation or are required to designate a data protection officer under the Law, for example).
Failure to register with the ODPA is an offence and may lead to criminal or civil sanctions, including a possible penalty of up to £5,000,000, though a penalty at that level is unlikely in the current climate.
LCA's and the levy regime
LCAs have been introduced to make the payment of levies for administered entities in particular easier to handle. LCAs may register with or pay the annual levy to the ODPA on behalf of a number of organisations.
Your organisation can operate as a LCA if it is licensed or certified by the GFSC, for example. Before operating as a LCA, the LCA must first register as a controller/processor and declare their intention to act as LCA. LCAs cannot act for an organisation with 50 or more "full-time equivalent" employees, those required to designate a Data Protection Officer under the Law, another LCA or charities/not-for-profit organisations. Once the LCA has registered its "client" entities and paid the levy/registration fees, the LCA will then issue each of the "client" entities with Certificates of Exemption, which must be presented to the ODPA upon request as evidence of compliance.
Exemptions
Unless your organisation is exempt from the Amendment Regulations, your organisation will be required to register and pay an annual levy to the ODPA. There are intentionally very limited grounds to claim exemption. Not-for-profits and charities are still required to register, for example, but will not pay fees. Most, if not all, trading businesses with individuals as clients, customers or employees, will be covered by the regime.
Failure to pay the annual levy is also an offence under the law and may attract sanctions including a financial penalty.
The way forward
All organisations should be aware of the new regime and where it sits in the wider data governance and regulatory framework for the Bailiwick. A helpful Q&A has been produced by the ODPA and can be accessed here.
For many, the new regime will be straightforward and their assessments of their processing activities similarly clear. However for others, particularly those administering overseas structures, the questions are significantly more complex as to whether those structures fall within the regime. Careful analysis of the position is required, so do let us know if we can assist with turning your "bitter trials" into "blessings".
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
