Friday 16 September 2016
A project that will see Guernsey introduce new data protection legislation in line with the EU's General Data Protection Regulation (GDPR) will be discussed by States Members next week.
The GDPR is due to come into force in May 2018, and applies to all companies worldwide that process the personal data of EU citizens. The Channel Islands must have similarly robust legislation if they are to maintain adequacy and ensure continued access to the EU single market, considered crucial for Guernsey's economy.
Deputy Mary Lowe, the President of the Committee for Home Affairs, said businesses in Guernsey could be assured by the work that the government is doing.
"While the new laws will impact how Channel Islands businesses process personal data, at this point of the project there is no specific action that companies need to take.
As long as firms are complying with existing data protection legislation, they will be well-positioned to fulfil their obligations under the new laws."
The GDPR is in many regards similar to current Channel Islands data protection legislation; however, it will:
- Increase the rights of individuals in relation to their personal data
- Widen the definition of personal data to include, for example, genetic, social and economic data
- Tighten rules around obtaining consent to use personal information
- Make the appointment of a Data Protection Officer mandatory for some organisations
- Introduce data breach notification within 72 hours to the local DP Authority
- Expand liability beyond data controllers to all organisations that deal with personal data
- Introduce increased fines - up to 4% of global annual turnover or EUR 20 million (whichever is higher)
Colin Vaudin, Chief Information Officer for the States of Guernsey and Senior Responsible Officer for the project, said a policy letter will be discussed by deputies on 21 September, with a further report providing more information taken to the Assembly either late 2016 or early next year.
"We want to further develop Guernsey as a well-regulated data protection jurisdiction with highly trained DP staff. It further evidences that Guernsey is an excellent and safe place to do business.
Our work with colleagues on the Committee for Home Affairs and Committee for Economic Development to develop our new law is gathering momentum. The new law will be based on the GDPR and will seek to ensure we have granted adequacy by the EU, therefore retaining vital access to the single market.
We have actively engaged with decision-makers and experts in Brussels on this issue. We know what the expectations are from the EU, and this project is about ensuring we meet those expectations while taking an approach that is proportionate."
The General Data Protection Regulation will enable the European Commission to strengthen and unify data protection for individuals within the EU. It also addresses the export of personal data outside the EU. The Commission's primary objectives for the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation was adopted on 27 April 2016. It enters into application on 25 May 2018 after a two-year transition period.
Guernsey and Jersey are working together to ensure that their respective legislation is replicated as far as possible. They are also committed to retaining the pan-island role of Data Protection Commissioner, to offer in-sync regulation.