A shift in our corporate and individual attitude to the misuse of data is now central to the Office of the Data Protection Authority's (the ODPA) future approach to governance and enforcement in Guernsey.

Following the end of the transitional relief period under the Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) in May this year, we have now rounded up the key issues which the ODPA have communicated to us and which will dictate that approach.

A change in culture in the workplace

The ODPA has repeatedly highlighted its encouragement for a shift in our attitude (as consumers as well as businesses) so that the misuse of data is seen as both legally and socially unacceptable.

While legislation and regulatory action both have a role to play in protecting our data, the ODPA sees each of us as the key factor in achieving secure, ethical use of our data. As we begin to recognise the ever-growing value of our personal information and have open access to information about the frequency and severity of data breaches, we can begin to impose an ethical baseline when it comes to the use of our data and punish those businesses which fall beneath it. Over time this will have the effect of building a self-correcting market.

A simple rule of thumb for officers and employees undertaking any aspect of personal data management, to ensure they don’t fall foul of the standards of protection required by the ODPA, is to treat personal data in the manner in which they, themselves, would wish their own personal data to be treated.

Predict, prevent, detect, enforce

The ODPA is seeking to achieve a balanced approach across the four key areas of regulation (prediction, prevention, detection and enforcement) in fulfilling its functions under the law.

In particular, businesses have been reminded that the principal purpose of the breach reporting requirements under the law is to assist the regulator in predicting breaches and preventing harm before it has occurred, identifying areas in the industry which may require additional resources and training to achieve compliance and/or best practice, rather than as an enforcement tool.

Delayed introduction of self-funded charging system

The ODPA released a statement on 28 October 2019 to confirm that while it had been working with the States of Guernsey for the past year to agree a funding model for the ODPA's activities based on the charging of annual registration fees, it has taken longer than expected to agree and implement such a model.

Guernsey's Data Protection Commissioner, Emma Martins stated that the ODPA's goal is to achieve a "fair, low-cost, low-admin business that allows local businesses to concentrate their efforts on running their businesses well, rather than filling in bureaucratic forms."

The delay in agreeing the funding model has resulted in the extension of the current registration exemptions for small businesses and sole traders. Those persons to which the exemptions apply will, now, not be required to register with the ODPA until January 2021.