The current European Data Protection Directive was finalised many years ago, at a time when few people had access to the internet, conducted business "online", used cloud storage or transferred data electronically. The manner in which our data is collected, accessed and used has changed profoundly and, accordingly, the General Data Protection Regulation (the GDPR) represents the biggest data protection reform in Europe for many years. Its overarching aim is to harmonise data protection legislation across all member states and do away with the cacophony of differing national laws which exists at present. It will have direct effect in all member states and is due to come into force in mid-2018.
Jersey's data protection regime is presently governed by the Data Protection (Jersey) Law 2005 (the DPL) which is modelled (for the most part) on the Data Protection Act 1998 which is in force in England and Wales. Compliance with the DPL is regulated by the Information Commissioner (who also has responsibility for the Data Protection (Bailiwick of Guernsey) Law 2001). Both Jersey and Guernsey have been formally assessed by the European Commission as meeting current EU data protection standards. This "adequacy" provision means that Jersey is deemed to provide sufficient protection of an individual's right to fair and just processing of their personal information to ensure free and unhindered data transfers from EEA Member States, notwithstanding the fact that Jersey is not part of the EU or EEA itself.
Following the coming into force of the GDPR, and in order that Jersey remains an attractive destination for business and commerce, it is likely that the DPL will either have to be amended or replaced with a new piece of legislation, so that Jersey continues to be regarded as a country providing an adequate level of protection to receive and hold data.
HOW WILL THE GDPR AFFECT MY BUSINESS?
Certain research suggests that many businesses are unaware of the GDPR and, even where they are aware of it, have not taken any steps within their organisation to work out how they will address the changes necessary to comply with the GDPR once it is in force. This is, of course, made more difficult by the fact that it is not yet known how Jersey proposes to deal with matters on a legislative level, but it is expected that Jersey will want to maintain its adequacy status and, if so, will put in place legislation which is in line with the GDPR.
If that is the case, then the simple fact is that life is likely to be more burdensome for data controllers: whilst the GDPR is broadly similar to the current law, it will place a number of new obligations on any business that handles the data of EU citizens or offers services to them, irrespective of where the business is actually located. The silver lining in all of this is that the GDPR should improve consumer confidence in the businesses that hold and process their data, and the harmonised approach should reduce costs for businesses which operate in several jurisdictions and are currently obliged to comply with the separate laws of each.
KEY POINTS OF THE GDPR
Controllers will be obliged to:
- appoint a data protection officer if their core activities require regular, systematic monitoring of data subjects on a large scale or entail the processing of sensitive data on a large scale
- keep records of all processing activities and provide them to the data protection authorities upon request (an exception applies to organisations with fewer than 250 employees in certain circumstances)
- report any data breach within 72 hours
It will strengthen the position of data subjects through:
- tighter consent requirements
- greater access to personal data and the right to data portability
- "the right to be forgotten" (erasure of non-relevant data)
- the right to an effective judicial remedy against a controller or processor, and the right to compensation
- penalties for non-compliance of up to €20 million or 4% of annual turnover (whichever is greater)
The message for data controllers is clear: you will need to invest in compliance. It's all part of the process.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.