Guernsey's data protection regulator, the ODPA, has announced that it has reached agreement with the States of Guernsey over transitioning to a self-funding model. The updated data protection legislation is now a little over two years old, but the scale of the task of implementing a framework for oversight has been significant. It is not surprising that core areas of implementation have taken priority, but nevertheless it is important to recognise this as a milestone development.
One of the key factors for effective regulation is independence and that has been the driving factor behind the development of the new funding model. Both the GDPR and our own local law (designed to be equivalent to GDPR) require that data protection regulators be independent of government, industry and other external sources. Demonstrating equivalence to GDPR will go some way towards confirming to the European Commission that Guernsey should remain on the list of "adequate" jurisdictions for international flows of data to and from the EU. That adequacy assessment is ongoing, hence the need to ensure that this area was addressed. Without "adequacy", data flows between the island and the EU would be significantly impeded, which would in turn hamper the island's recovery from the pandemic and its ability to capitalise on the emerging digital economy.
The new model will come into force from January 2021. All data controllers and processors established in the Bailiwick will be required to register/re-register with the ODPA between January-March 2021.
Registration can be completed either following completion/submission of the annual validation process via the Guernsey Registry, or directly with the ODPA. This should streamline the process, particularly for those using the Registry's online submission platform.
The current exemptions that have been in place since the new law came into force will cease as at January 2021, with the exception of those processing personal data for domestic/household purposes. Registration will then be required. Charities and not-for-profit organisations will be required to register, but will not have to pay the registration fee.
GBP50 for organisations with fewer than 50 full time employees (FTEs)
GBP2,000 for entities with 50 or more FTEs
Details as to how to assess the number of FTEs will be published in due course. The fees will then be payable annually, dovetailing with the annual requirement to review the information submitted for registration purposes.
The ODPA has recognised from feedback provided by industry that for those administering and/or registering a number of entities, some form of bulk registration process may be beneficial. This is being considered and more details will follow.
The implementation of a self-funding model will allow the ODPA to be independent of the States and should assist with demonstrating adequacy. The streamlined process is to be welcomed, as is the news that the fee structure is very straightforward.
The devil is (as always) in the detail - whilst the position may be clear for many local entities, there will be further analysis needed for those operating into the island. We are aware from discussions with clients that the bulk registration process is something of particular interest, so we await further guidance and information on that process, along with further information on assessing the number of FTEs.
More widely, this step shows Guernsey's continued evolution and proactive growth in this area and is a recognition of the importance of data protection and effective regulation within the Bailiwick. Operating both as a tool for marketing the islands to a global marketplace and as a mechanism for building trust in a digital environment, it is vital that we continue to innovate and move forwards in this area.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.