Businesses in the Channel Islands need to continue their efforts to adapt their policies and practices to comply with the requirements of the General Data Protection Regulation (GDPR), according to Carey Olsen counsel Huw Thomas.
More than 200 delegates attended Carey Olsen's recent half-day data protection conferences in Guernsey and Jersey, which were focussed on 'Data protection in the financial services industry'. Speaking at the conclusion of the Jersey conference, Huw observed that many businesses were still grappling with the challenges presented by GDPR, despite the fact that it has been more than a year since the legislation was introduced on 25 May 2018 and a month since the period of 'transitional relief' for Channel Islands businesses came to a close on 25 May 2019.
"While we are seeing wide engagement by many businesses across the Channel Islands to address their compliance with GDPR, the general consensus is that no one was ready on 25 May 2018 – and many are still not ready now. There has been a heavy reliance on a 'one size fits all' approach to compliance, which would be unlikely to satisfy regulators if challenged," said Huw.
Huw led discussions with associate and fellow data protection specialist Alexandra Gill as they considered the overarching themes that had emerged in the past year. Alexandra also presented at the Guernsey event on GDPR challenges for the trusts and private wealth sector, while partner Andreas Kistler led on the same topic in Jersey. Partners Tony Lane (Guernsey) and James Willmott (Jersey) considered the GDPR impact on local M&A activity, while Huw and senior associate Leonie Corfield (Guernsey) examined the subject from a funds perspective in each island respectively.
The Carey Olsen team were also joined by Rachel Masterton, deputy commissioner at the Office of the Data Protection Authority in Guernsey, and Jay Fedorak PhD, commissioner at the Jersey Office of the Information Commissioner, who fielded questions from Carey Olsen partners Elaine Gray and Siobhan Riley, respectively, and provided crucial regulatory insight about trends they have seen at local level regarding data breaches and registration.
Huw said one of the greatest challenges for businesses was how to address the questions posed by the new data protection regime in the context of systems and processes which evolved before GDPR was even conceived.
"Data protection issues crop up in all manners of areas, from mergers and acquisitions, funds compliance and data subject access requests in a trusts context. Often it is only when a data subject wishes to exercise their rights or a data breach occurs that issues around data handling are unearthed."
Alexandra said that uncertainty from a legal, regulatory and political perspective was also making things more challenging for businesses.
"Businesses are being confronted with many difficult and contradictory issues at the moment, from how to comply with data subject access requests in light of developments in case law to what will happen with standard contractual clauses – being the legal mechanism which many businesses rely on to transfer personal data outside of the Channel Islands and the EEA, and which are currently under judicial review", said Alexandra.
Leonie added: "In addition, regulators across Europe are still grappling with how to enforce GDPR. This translates locally into questions around how the Guernsey and Jersey regulators themselves will be funded. Additionally, the impact of Brexit on data processing to, from and within the UK continues to raise questions across all aspects of legal practice".
For tips on how to ensure data protection compliance as a Channel Islands business, please refer to the following article (co-authored by Huw and Alexandra): Nine practical steps to take to ensure data protection compliance as an organisation.