The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) came into force on 25 May 2018 and sets out key principles, obligations and rights in relation to processing personal data. Whilst most aspects of the Law came into force on 25 May 2018, certain aspects are not effective until 25 May 2019 (the Transition Date).

The 12 month transitional period was embedded in the Law to allow organisations sufficient time to implement changes in a structured fashion. Since that time, the Office of the Data Protection Authority (ODPA) has also issued guidance on how organisations can achieve compliance.

Transitional Relief Provisions

Duty to notify regarding pre-collected personal data

Duty

The Law places a duty on controllers (and processors acting on a controller's behalf) to provide individuals with information regarding the processing of their data (and which covers the lifespan of the processing, from the point of collection to deletion). This requirement is usually achieved by providing individuals with a privacy notice or fair processing statement.

At the time the Law came into force, data collected before the Transition Date was exempt from this notification duty. This was done to enable businesses to focus on new relationships and having processes in place for future processing. Businesses should by now have reviewed the data they held as at that date and ensured that their privacy notices also cover any historic data and data processing.

Practical steps to ensure compliance

Privacy notices must be made easily accessible to all individuals whose personal data is processed.

To achieve best practice, organisations should send their privacy notice to all individuals and explain that the updated privacy notice replaces any previous notice provided by the organisation. Alternatively, make the notice available (e.g. via your website) to those individuals and inform them of any changes that are subsequently made.

Duties of joint controllers

Duty

Where joint controllers (organisations who share the decision-making around the processing of personal data) work together, the Law requires that they must explicitly agree, and record, their respective responsibilities so that each party is sufficiently clear as to their obligations. They must also provide details of the relationship to data subjects.

Practical steps to ensure compliance

Organisations should focus on any contracts that were entered into prior to the Transition Date and that have not been amended to detail the obligations of the contracting parties in respect of data protection (or which do not provide sufficient detail).

Contracts must specify the respective roles, relationships, responsibilities and duties of each controller in relation to data subjects. These provisions may also impose a mutual duty to assist one another in the event of a data breach and/or specify who shall bear the cost of these additional steps. The contract should also set out which joint controller shall be the designated point of contact for any individual wishing to exercise their rights under the Law.

Note that regardless of any terms set out in the contract as to the named point of contact, individuals are nevertheless entitled to exercise any of their rights against any of the joint controllers.

Duty to carry out impact assessments

Duty

Controllers are under a duty to undertake an impact assessment (DPIA) prior to carrying out any "high risk" processing. This will assist in identifying and minimising the risks of any particular project whilst allowing organisations to systematically and comprehensively analyse data. The requirement will apply in the following situations:

1. when a controller is about to process special category data on a large scale;

2. when a controller is about to start systematic and extensive automated processing and decision-making;

3. when a controller is about to start large-scale and systematic monitoring of a public place.

Whilst DPIAs are obligatory in the above circumstances, organisations may find that using them in other situations and/or at the outset of projects (even where not otherwise required) may assist in identifying privacy issues early. This can assist in reducing development time and costs (particularly abortive costs) at a later stage.

Practical steps to ensure compliance

Impact assessments should begin at the early stages of a project and should be an ongoing process. Organisations must consider both the likelihood and the severity of any impact on individuals. A template should be put in place for when impact assessments need to be undertaken. The ODPA has a suggested template available on its website which can be used as a starting point.

It is worth noting that whilst the template is a helpful tool, it will need to be adapted to the specific situation in which it is being applied. The assessment process should generally involve a range of stakeholders within a business, from management, HR, operations, technical and the business line itself. Engagement is key to preventing unforeseen issues arising later on in the project.

An effective impact assessment can bring many benefits to an organisation, including financial and reputational benefits as well as putting the organisation in good stead in complying with the accountability principle of the Law, as it is a demonstrable record of the consideration of data protection issues.

Controller/processor duties

Duty

Where a controller uses a processor to process personal data on its behalf, the processor must:

1. prove that they comply with the Law and enter into a legally binding contract with controllers in which they provide comprehensive guarantees in relation to their processing activities;

2. assist controllers to meet their obligations under the Law (such as breach reporting, discussed below) by putting in place adequate measures;

3. obtain permission from the controller before outsourcing any of its work to another processor.

Practical steps to ensure compliance

Controllers and processors must proactively enter into (or revise) contracts with each other which clearly define responsibility, as well as ensuring that they adequately protect personal data belonging to individuals. Processors are required to be compliant with the Law as much as controllers. To that extent, controllers should take ownership of contract revisions and ensure that the "supply chain" of processors is meeting their expectations (and the requirements of the Law).

Details of the subject matter, duration, nature, scope, context and purpose of the processing must be set out in the contracts, together with details of the categories of data being processed.

Contracts that were in place prior to the Transition Date must be revisited to ensure that they comply with the Law.

Right to data portability

Duty

The Law provides for individuals to request that their data is transmitted from one controller to another without hindrance (in certain circumstances). The information must be provided to the new controller in a structured, commonly used and machine-readable format.

Practical steps to ensure compliance

This right comes into effect on the Transition Date.

Organisations must investigate how they can comply with this requirement in the event the right is exercised by a data subject. Organisations should have a policy in place for recording such requests and when actioned, a secure method for transmission of the data must be used. It may be prudent for organisations to run a test to see if they are able to comply with such requests, prior to one being received.

Reporting of data breaches

Duty

Processors and controllers are under an obligation to report personal data breaches. For processors, this entails giving notice of the breach to the controller as soon as practicable. Controllers are required, within 72 hours of becoming aware of a breach, to provide written notice to the relevant supervisory authority (the ODPA locally).

Practical steps to ensure compliance

There is nothing "new" in this obligation that will come into force on the Transition Date. The transitional element only refers to the fact that if controllers were aware of a breach prior to 25 May 2018, it does not need to be reported. Controllers and processors alike should ensure however that they have adequate measures and systems in place so that in the event of a breach, they can comply with the strict time limits for reporting.

Validity of consents obtained before 25 May 2018

Duty

The Law provides for a number of conditions that organisations can rely on in order to process personal data lawfully. "Consent" is one of these conditions. "Consent" (under the Law) is any specific, informed and unambiguous indication by a data subject that they agree to the processing of their personal data. It is important to note that the requirements are prescriptive and as such, often difficult to meet (and demonstrate). It is highly likely that businesses will be reliant on one of the other processing conditions in most cases in order to be able to process data lawfully.

Practical steps to ensure compliance

Organisations must review all personal data held to establish if consent is being relied on as the basis for processing personal data. This exercise can be undertaken as part of a data audit. If upon review it becomes apparent that consent is being relied on, organisations must determine whether pre-existing consents satisfy the criteria set out in the Law. If they do not, and organisations wish to rely on consent as the legal basis for processing personal data going forward, it will be necessary to obtain new consents which satisfy the new criteria. If the controller does not wish to rely on consent (either because of its difficulties, because it is no longer appropriate, or because there is a more appropriate legal basis), then it should communicate its position to the relevant individual(s) affected and record the decisions; it should also update its privacy notices.

New registration requirements

Duty

Organisations that process personal data will be required to register with the ODPA. The duty applies to both controllers and processors.

Controllers registered under previous data protection legislation are deemed to be registered under the Law unless 12 months have elapsed from their last registration, at which point they will be required to register under the Law.

Practical steps to ensure compliance

Controllers should have appropriate registrations in place or if not, address any lack of registration in readiness for the Transition Date.

Processors were not required to notify the Data Protection Commissioner under previous data protection legislation and so controllers should be working with processors to make them aware of the new registration requirements.

Further guidance is expected from the ODPA in the lead up to the Transition Date on the registration requirements for the different types of entities and structures based in Guernsey. We have been working with a number of clients affected by the requirements and would recommend that advice is taken at an early stage, as some of the questions around registration are complex.

Summary

The Transition Date is rapidly approaching and businesses have had a period of time to investigate required changes and implement updates to their policies and procedures. However, we anticipate that with the amount of regulatory change in the past twelve months on various fronts, there may well be issues that remain outstanding. To that end, and given the pace of development in the areas of data protection and privacy, do get in touch to discuss any issues you may have, so that your Transition Date passes uneventfully.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.