What is the GDPR? What does it mean for businesses in Jersey? Following talks given by Advocate Davida Blackmore (Feb 2017) and Advocate Vicky Milner (Mar 2017) we have briefly addressed below a number of key questions.
Q: What is the GDPR?
The General Data Protection Regulation (“GDPR”) is new EU law. It entered into force on 24 May 2016 but applies from 25 May 2018. More information is available at ec.europa.eu.
Q: Why is the EU introducing this law?
Current data protection law is out of date, particularly given the dramatic technological changes that have affected how we communicate and how data is created, stored, shared and utilised.
Key aims of the GDPR are to:
“…strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market.”
Q: Is it relevant to Jersey given that we have our own data protection law?
Adequacy: Jersey’s existing data protection regime has been classified by the EU as providing “adequacy”, in terms of cross-jurisdiction transfers of data and the level of protection it affords to individuals in relation to their personal information. From both community and business perspectives it is important that we maintain our “adequacy” status. In order to do this we will need to bring our legislation, data protection regulation and practices into line with those of the EU.
In addition the GDPR will have extra-territorial effect (in certain circumstances it will operate outside the geographical boundaries of the EU). The GDPR will apply to:
(1) Activities of an establishment in the EU, wherever the processing actually takes place; and
(2) Processing of EU data subjects by an entity: (a) offering goods or services within the EU; or (b) monitoring behaviour within the EU.
Q: Can controllers rely on existing contracts with processors or are fundamental changes now required?
Current Jersey data protection law places the compliance onus on controllers, not processors. Under the GDPR both controllers and processors have obligations.
Where a controller outsources processing to a third party service provider (a data processor) the controller will need to have robust contracts in place (and meticulous record keeping) setting out:
- what the data is and how it is to be processed by the service provider
- the duration of the processing
- the obligations on the processor in respect of breach reporting
- the technical and organisational measures the processor has in place
- any audit assistance obligations on the part of the processor
Depending, of course, on the arrangements currently in place, it may not be sufficient to try to put a “patch” on existing systems; a root-and-branch review of systems and agreements with third parties may be required.
Please note that the answer above does not address issues arising under the JFSC's Outsourcing Policy, which has recently been amended.
Q: Does the GDPR make any distinction between personal data and commercial data?
The GDPR deals with personal data: “information relating to an identified or identifiable natural person (‘data subject’)”. It does not regulate use of other data, to the extent that such other information does not consist of or include personal data. It does not regulate purely financial information, for example, if no natural person is identifiable from it.
In terms of “commercial data”, the response will depend on what is meant by this term, which is not defined in the GDPR.
Recital 18 to the GDPR states:
“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.”
Use of big data in a commercial context may well fall within the scope of the GDPR, including where such use constitutes profiling. Under Article 22(1) of the GDPR:
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
Q: What about data storage and data hosting when using US service providers? Will they have to comply?
Any non-EU established organisations will be subject to the GDPR where they are either “offering goods or services” to EU citizens (with or without payment) or routinely “monitoring” their behaviour within the EU.
Mere accessibility of a site from within the EU is not likely to be sufficient to bring that organisation within the ambit of the GDPR. Each organisation will need to assess its responsibilities and liabilities individually. Much will turn on the specific services those US providers are offering and who they are targeting.
Q: Is Jersey intending to introduce a “gold standard” law which is more onerous than the GDPR?
At a conference on 4 November 2016 the Island’s authorities confirmed that Jersey will implement equivalent local legislation to the GDPR, thus ensuring that Jersey keeps pace with the EU’s gold standard data protection framework. The government has not given any indication that it intends to bring in legislation which imposes more onerous obligations on local organisations than the GDPR.
Q: Where can I find more information?
European law and guidance: ec.europa.eu
Jersey data protection guidance: dataci.je
UK data protection guidance: ico.org.uk