While the media's attention in the past six months has been lavished on Brexit and President Trump, there is one particular news story that is still not getting a huge amount of attention, but which will affect businesses across Jersey – regardless of the United Kingdom's position within the European Union and US foreign policy – sooner than might be expected.
The General Data Protection Regulation (GDPR) is an EU-wide reform of privacy and data protection legislation that is due to take effect from May 25 2018. It is a major update of Europe's data privacy laws that has been born from the era of Big Data and mobile technology. At its heart, the regulation is about:
- giving new rights for members of the public to control their data (including the much-discussed right to be forgotten);
- imposing new and enhanced responsibilities on companies and other organisations in relation to safeguarding the data that they process; and
- harmonising standards across the European Union and beyond to help to create a single digital market.
From the Jersey perspective, the "and beyond" element is critical for two reasons:
- The EU reforms are wide-ranging – they affect not just European countries, regulators and governments, but all firms that want to trade in the European Union, setting out key standards for the collection, retention and use of data. Because the changes to the law effectively spread beyond the European Union's borders, they will have an impact on businesses in Jersey.
- Jersey's existing data protection legislation, the Data Protection (Jersey) Law 2005, is based on the 1998 UK Data Protection Act. This means that Jersey law effectively predates the widespread use of smartphones and social media and 20 years of increasingly rapid and fundamental changes in the way we live and do business. Legislation on the island will therefore need to be updated to align with the General Data Protection Regulation so that Jersey can maintain its 'adequacy' status – that is, formal recognition that Jersey's laws match the reformed legislation and higher standards in the European Union.
Jersey's regulator, the Information Commissioner, has already warned that any failure to prioritise and resource the necessary preparations for the General Data Protection Regulation reforms could have a seriously detrimental effect on the island's financial and digital sectors, both of which rely on seamless and rapid flows of information across jurisdictional borders.
Among the changes brought about by the General Data Protection Regulation, the following are likely to affect Jersey's business community:
- New criteria for obtaining consent to process personal data – under the General Data Protection Regulation, an individual's consent must be freely given, specific, informed and unambiguous, so simple opt-out mechanisms will no longer suffice, and silence or inactivity cannot be taken as consent.
- The right to be forgotten will enable individuals to demand the deletion of their data.
- New protection for children will be introduced, requiring parental consent before their personal information can be processed.
- Firms will be required to notify national regulators, typically within 72 hours, if they are hacked and, where high-risk breaches take place, to notify the individuals concerned.
- Many businesses will be required to employ appropriately qualified data protection officers, responsible for ensuring data protection compliance.
- Fines for serious contraventions of the rules may be up to €20 million – almost £16 million – or 4% of global annual turnover.
The hefty fines underline the seriousness of the reforms. However unlikely it may be for a fine to be levied for a first offence or a minor breach, the law allows for punitive fines for a reason – the European Union is taking data protection seriously.
Fundamentally, Jersey businesses must ensure that they comply with the new regulation when it comes into force in May 2018. That means starting work now – not in a year's time – to:
- assess how the General Data Protection Regulation will affect the business;
- decide what changes will be needed to ensure compliance;
- resource and implement those changes in line with published guidance; and
- take steps to ensure compliance can be documented and demonstrated.
It is particularly important to bear in mind that the General Data Protection Regulation is based on the concept of data protection "by design". Simply put, this means that data privacy risk and compliance must be built into all systems, processes and procedures across an organisation. Working to ensure that a business is ready for May 2018 will not just be an IT project; it will require accountability and engagement from board level down through all levels of the business.
Organisations that have not yet started to engage seriously with the General Data Protection Regulation reforms are almost certainly behind at least some of their competitors. However, speed and competitive edge are not really what is at stake here: compliance is what matters. Take it seriously and do it right.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.