Things are going to change on the Data Protection front in both Guernsey and Jersey. The catalyst is the recently approved General Data Protection Regulation (GDPR) from the EU. Shortly the islands will find themselves in a measuring-up exercise against the GDPR, and local law and practice can be expected to change in anticipation. The Channel Islands are going to work together on this one, in an endeavour that hopefully signals better intra-island coordination on such issues. They are committed to a pan-island Data Protection Commissioner role, and drafting of local legislation is underway.
It is extra-territorial
We’re all getting a bit used to this following FATCA and CRS, but being an EU regulation isn’t stopping this from having a reach outside the EU. If you process personal data about individuals in the EU, whether by offering them goods or services or by monitoring their behaviour, you are going to be held to account, wherever you are based.
It is a regulation not a directive
It’s an important distinction within EU law. Directives are implemented separately by each jurisdiction through its own legislation. Regulations become directly applicable law in every Member State once they are adopted and published in the Official Journal. The GDPR entered into force on 24 May 2016 with a two-year window before it becomes binding on 25 May 2018. Even if Guernsey or Jersey do not implement it into local law, it’s going to be binding on those holding data on individuals in the EU regardless.
A risk based approach to governance and increased documentary evidence
Data protection needs to be integrated into your corporate risk management. This means building it into the Business Risk Assessment. Policies for breach management, and ensuring that data protection expectations are written into the relevant contracts, will form part of business risk management. Under the GDPR you also have to be able to demonstrate compliance, so the documentation matters as much as the practice.
It isn’t all the Data Controller’s problem any more
It used to be the case that personal data was the responsibility of the Data Controller alone. Now any person or entity processing that data (for themselves or on behalf of others) will carry direct responsibility for its protection. That includes cloud providers. Channel Island businesses will need to look closely at their partners and service providers, and at the agreements under which they operate.
Naming and shaming
Data breaches cause reputational damage. Think Mossack Fonseca, Sony etc. EU countries will certainly adopt similar approaches to public statements of reprimand. In order to be considered equivalent in terms of approach, it’s likely the Channel Islands will follow similar practice. You don’t need me to tell you how much reputation is valued in these parts!
You can be liable for compensation claims
If someone suffers damage as a result of unlawful processing, compensation may be due. This could be pursued as part of a collective claim by the injured parties. If you thought naming and shaming was bad for a reputation, consider it being followed by large financial claims and a drawn-out public legal dispute about your alleged negligence.
Transferring data to third countries will be tightened up
If personal data is to be transferred outside of the European Economic Area, the data controller is going to be responsible for ensuring that an adequate level of protection, or appropriate safeguards, are in place before this takes place; otherwise the transfer just shouldn’t happen. In a service-organisation-driven marketplace like the Channel Islands this can have far-reaching and unexpected consequences. You are going to want to look at your existing set-up now.
The right to be forgotten
There will be a right to have your personal data erased, and withdrawing consent to processing must be as easy as giving it in the first place. On a logistical level erasure is hard to actually do, since data is often copied across systems and backups, and it interacts with other laws that require data to be retained.
Clarity of rights, uses and purpose of personal data handling
Firstly, users should not have to opt out of having their data used; instead they should opt in. If you hold personal data, controllers need to inform users of their rights and document that this has happened. Children will be afforded higher levels of protection, including parental consent. Also, the ‘legitimate interests’ processing condition will no longer be available to public authorities acting in the performance of their tasks.
Cracking the whip on incident reporting and sanctions
Regulators will have to be informed of a breach within 72 hours of the organisation becoming aware of it. Fines for non-compliance can be up to the higher of €20m or 4% of global annual turnover. Separately from the 72-hour time frame, the individuals affected must be told without undue delay where there is a high risk to their rights and freedoms, e.g. identity theft or personal safety. Think of the TalkTalk situation.
The Change Environment
With the introduction of the GDPR there will be an increased emphasis on making sure effective data protection practices and safeguards are in place before processing of such data starts. In practice this means a ‘change management’ approach to getting ready, so that you are compliant with the Regulation when it takes effect. Practical steps involve:
- Analysis of data protection on existing and projected projects involving data
- Data Protection Impact Assessments (DPIAs), which are mandatory where processing is likely to result in a high risk to individuals and are best practice in many other cases where ‘reasonable expectations’ would call for one
- Early buy in of Board/senior management awareness and preparation for the implementation point
- Consideration of resources and procedural implications – consider outsourcing where resources are an issue
- Integration of GDPR into your Business Risk Assessment and risk register including measurement and controls
- Setting responsibilities – or appointing appropriate persons – to keep up to date with developments. Non-EU organisations may be required to appoint a representative in an EU Member State in certain cases.
- Appointing a Data Protection Officer (DPO) – this will be mandatory for public authorities, and for private sector organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
- Amending policies for subject access requests – the GDPR grants enhanced rights to individuals in accessing their personal data. The time frame is shorter – requests must be complied with within a month – and in most cases you can no longer charge a fee.
- What will you do if there is a breach – have a plan!
- Getting ready for the changes begins with a comprehensive data audit. This will help underpin the accountability aspect of compliance and shore up documentation and procedures.
Preparing for what is coming
The value of a two-year lead-in time is the time it gives you to get it right. The data businesses hold is often complex, spread across multiple systems and not always subject to the same rules and procedures. Privacy, and accountability for breaching it, are not new concepts, but they are about to be enshrined in law as never before. Existing business risk analysis and policies may no longer be appropriate. Contracts with service organisations may no longer be sufficient to protect data and/or reputations. The cost of getting it wrong can be high in an environment where regulators have shown a willingness to make examples.
How we can help:
- Dedicated data protection officer roles
- Advisory and gap analysis on existing data protection protocols
- Data Protection Impact Assessments
- Risk management advisory services
- Health checks on documented procedures and internal controls