En Voyage_Issue#11_Flickbook
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Data protection laws already<br />
exist to protect our personal<br />
data in basic ways but they are<br />
outdated and have not kept up<br />
with society’s reliance upon email,<br />
social media, mobile apps and the<br />
internet. The purpose of the EU’s<br />
European General Data Protection<br />
Regulation 2016/679 (“GDPR”) is to<br />
modernise personal data laws to<br />
give individuals more protection<br />
and control over their personal<br />
data and to raise the standard of<br />
data protection laws. Similarly, the<br />
EU’s Law <strong>En</strong>forcement Directive<br />
(EU 2016/680) (“LED”) protects<br />
citizens’ rights to data protection<br />
when their data is processed by<br />
law enforcement authorities.<br />
It is crucial for the international<br />
finance industry in Guernsey, a<br />
non-EU jurisdiction, to be able to<br />
collect information from clients<br />
and share it with affiliates and<br />
service providers across the UK<br />
and the European Union without<br />
delay or regulatory barriers.<br />
For that reason, Guernsey<br />
has been one of only 11 non-<br />
EU jurisdictions (called “third<br />
countries”) whose data protection<br />
regimes have benefited from<br />
an adequacy decision of the EU<br />
Commission. This means that<br />
the EU has judged Guernsey to<br />
have equivalent data protection<br />
standards to those in the EU,<br />
thereby allowing data to flow<br />
between the Bailiwick and Europe.<br />
Therefore it came as no surprise<br />
that in April 2017 the States of<br />
Guernsey announced that it<br />
was committed to introducing<br />
legislation that implements the<br />
GDPR and LED. On 29 November<br />
2017 the States approved the<br />
draft Data Protection (Bailiwick of<br />
Guernsey) Law 2017 (the “DPL”)<br />
to implement the GDPR and<br />
LED. The DPL now requires Royal<br />
Assent. It is expected to come into<br />
force on or around 25 May 2018,<br />
at the same time that the GDPR<br />
comes into effect across the EU.<br />
WHAT ARE SOME OF THE<br />
MOST IMPORTANT CHANGES<br />
IN THE NEW LAW?<br />
Strengthens the rights<br />
of data subjects<br />
The DPL confers a raft of new<br />
rights on the people to whom<br />
the personal data relates (data<br />
subjects), such as the right to be<br />
forgotten and the right to data<br />
portability (i.e., being able to<br />
switch service providers, such<br />
as mobile phone companies,<br />
without losing data). New civil<br />
actions can be brought by data<br />
subjects for breach of statutory<br />
duties against data controllers<br />
(those who decide how and<br />
why data is processed) and data<br />
processors (those who process the<br />
personal data) when the breach<br />
causes damage. “Damage” is<br />
defined widely to include financial<br />
loss, distress, inconvenience<br />
and other adverse effects.<br />
Heavier duties on data controllers<br />
and new duties on data processors<br />
The DPL will impose much<br />
wider duties on data controllers<br />
and creates new duties for<br />
data processors. For example,<br />
data controllers will need to<br />
have written agreements with<br />
all of their data processors<br />
and sufficient guarantees from<br />
processors that they will meet<br />
the DPL’s requirements; while<br />
data processors will be required<br />
by law to delete or return all data<br />
after finishing their services.<br />
A more independent and<br />
more powerful regulator<br />
Once the DPL is in force,<br />
the Guernsey Data Protection<br />
Commissioner will be called the<br />
Data Protection Authority and will<br />
be given far more independence<br />
and power than the Commissioner<br />
presently enjoys. Data processors,<br />
as well as data controllers, will<br />
need to register with the Authority<br />
and pay a fee. The Authority’s<br />
greater powers will include the<br />
ability to give tougher penalties<br />
for breach of data protection<br />
law, reaching up to as much as<br />
10% of global annual turnover<br />
with a limit of £10 million.<br />
Guernsey businesses need<br />
to prepare now for the DPL<br />
coming into force in May 2018.<br />
Babbé LLP can assist with your<br />
business’ preparations, no<br />
matter how large or small.<br />
90 <strong>En</strong> <strong>Voyage</strong> | Aurigny’s Magazine