The Data Protection (Bailiwick of Guernsey) Law, 2017 and the Data Protection (Jersey) Law 2018 place significant obligations on organisations which process personal data. Here, Huw Thomas and Alexandra Gill identify nine key areas which all Channel Islands businesses should consider when seeking compliance with the new laws.
1. Find a Champion
Some organisations (public authorities and certain organisations who undertake high risk and large scale processing) will need to appoint a data protection officer (DPO).
Whilst a DPO may not be legally required, every organisation should ensure that someone within their management has responsibility for data protection issues.
2. Raise awareness
Everyone in your organisation who deals with personal data (and that will be almost everyone) will need to know something about data protection.Key decision makers will need to know quite a lot!
3. Make a map
Identify what you collect; why you collect it; who you share it with; and what safeguards are in place to protect personal data.
4. Controller or processor?
Data protection law distinguishes between controllers and processors. The distinction is important to determine what responsibilities and liabilities your organisation shoulders from a legal, regulatory and commercial perspective.
It also requires that a legally binding agreement exists between controllers and processors and sets out certain requirements for those agreements.
Organisations should update their supply agreements as necessary.
5. Re-think your lawful basis
What are you legal mechanisms for justifying the processing? Even if you repapered your privacy notices last year, you should review these periodically to ensure that they still accurately reflect your current processing activities.
6. Tell People
Most organisations will need to publish a privacy notice which tells people whose personal data you hold a number of things, including:
- what personal data you hold
- why you hold it
- what you are going to do with it
- what their rights are in relation to their personal data
7. Plan, plan, plan
Create a plan. Implement the plan. Practice the plan.Whether this relates to data breach responses or how to handle a data subject access request, having policies in place are only useful when key personnel know how to use them.
8. Cross-border sharing
If you transfer personal data outside the EEA, then appropriate legal mechanisms must be in place to safeguard that transfer.These include: binding corporate rules, Standard Contractual Clauses and derogations such as explicit consent. Data flows to the UK from the EU may need to be revisited when (or if) Brexit occurs.
9. Security: a risk-based approach
The new laws do not identify the exact security measures which you should have in place. Rather, it requires you to have a level of security that is 'appropriate' to the risks presented by your processing.
What is 'appropriate' will depend on a number of factors including the purpose, nature and subject matter of the processing, the likelihood and severity of risks posed to individuals if personal data is not secure and best practices and costs.The key is to identify the risks and apply measures which are commensurate with those risks.
An original version of this article was published in the Guernsey Press's data protection & cyber security supplement, May 2019.