Guernsey's Committee for Home Affairs lodged its Policy Letter concerning proposed revisions to Guernsey's data protection laws yesterday.
The Policy Letter (accessible here) seeks the States' approval for the preparation of legislation aligning Guernsey's data protection laws with both the requirements of the General Data Protection Regulation ("GDPR") and the Directive relating to the Processing of Personal Data for the Purposes of the Prevention of Crime ("Law Enforcement Directive").
Regardless of whether Guernsey implements its own legislation, GDPR has extra-territorial effect and as such will impact on Guernsey businesses when it starts being enforced in May 2018. The States has decided that Guernsey should revise its data protection laws to align with GDPR in order to demonstrate both its commitment to international standards and to show that Guernsey is a jurisdiction that provides adequate levels of protection for personal data.
The Policy Letter summarises a number of core revisions which align with the requirements of GDPR, such as:
- utilising the Data Protection Principles,
- strengthening data subjects' rights,
- introducing liability for data processors,
- imposing legal obligations on data controllers to report data breaches,
- setting out legal frameworks for international data transfers,
- imposing a requirement to appoint a Data Protection Officer in certain circumstances,
- introducing a system of administrative fines which broadly mirrors that set out under GDPR, and
- creating the "Data Protection Supervisory Authority" to fulfil the role currently held by the Data Protection Commissioner.
Carey Olsen's Richard Field sits on the GDPR Industry Working Party and has been involved in the consultation process:
"The announcement that Guernsey's legislation will look broadly similar to GDPR is welcome news and demonstrates the island's commitment to the highest standards of international regulation. GDPR is undoubtedly a seismic shift in data protection terms and I urge businesses to engage with the consultation process and to familiarise themselves with the new regime as soon as possible. Do get in touch if you would like some advice, training, or for a copy of our Channel Islands Guide to GDPR."
Jersey have also issued instructions to the Law Draftsman to draft a new Data Protection Law which meets the ‘adequacy’ requirements of the GDPR and the Law Enforcement Directive. The approach taken is likely to be very similar to that of Guernsey.