until GDPR implementation

Data Protection Reform in the Channel Islands

The EU has recently approved the General Data Protection Regulation (GDPR), the largest change to the protection of personal data since the Directive in 1995. The GDPR comes into effect for EU Member States on 25 May 2018.

We are undoubtedly at a turning point for data protection and the GDPR has implications for the Channel Islands in two ways:

  • Local companies targeting goods or services to EU citizens will be required to comply with the GDPR, regardless of what regulatory or legislative regime is in place locally.
  • The Islands ‘adequacy’ ruling under the current EU Directive will be re-assessed against the GDPR and it is highly unlikely that the current Laws will be considered adequate against the new standard.

Both Governments have therefore made the decision that the GDPR will be incorporated into local law, with the aim to be ready for implementation in May 2018 in line with the EU legislative timetable.

KEY FEATURES OF GDPR

Whilst some aspects of the current Laws are replicated in GDPR, the following are key differences.

Risk Based Approach

Risk based approach to governance & increased documentary evidence required

Accountability

Increased accountability for data controllers and processors

Rights of Individuals

Individual's rights are enhanced and extended in a number of important areas

Child Protection

Children are afforded higher levels of protection

Breach Reporting

Data breaches must be reported to data protection authority with 72 hours

Changes for Public Authorities

Legitimate interests processing condition removed for public authorities

FAQs

Why does GDPR matter?

GDPR will drastically change the way businesses can collect, store and protect the personal information of their customers, clients, and even visitors to your website.

It is a Europe-wide set of data protection laws designed to harmonise data privacy practice across Europe. The emphasis is on protecting citizens and their data, and giving users more information about and control over how it’s used. The new regulations will come into force by May 2018.

Who does it affect?

If you process people’s personal data, in the context of selling goods or services to citizens in other EU countries, you definitely need to comply with GDPR. Compliance with the current Jersey (2005) and Guernsey (2001) data protection legislation is not sufficient.

The States of Jersey and States of Guernsey have indicated that they will implement an equivalent law and it is likely that these local laws will be similar to GDPR.

GDPR defines personal data as anything that can be used to directly or indirectly identify the person. Names, photos, email addresses, bank details, posts on social networking websites, medical information or IP addresses.

What are the penalties for non-compliance?

Organisations can be fined up to 4% of their annual global turnover, or up to €20 million.

I don't have customers in the EU. Will I still be affected?

GDPR only protects EU citizens, however the Channel Islands is now committed to implementing GDPR locally to protect its own citizens.  During 2017 we will see clarity about what the local legislation will look like as the law drafting work progresses.  We will update this website as new information is released.

How does my business become compliant?

There are a number of areas that are affected by the GDPR.  The Key Features page of this website gives a good overview of what these are and the actions needed to become compliant.  The Resources section provides links to further, more detailed articles.

Whilst it is clear that GDPR will have a significant impact on all Channel Island businesses, those who are taking their current legal obligations in respect of data protection seriously will be at a distinct advantage.

EMMA MARTINS

Information Commissioner, Jersey
Data Protection Commissioner, Guernsey