Draft Data Protection (Bailiwick of Guernsey) Law, 2017 released
20 December 2017
The eagerly awaited draft Data Protection (Bailiwick of Guernsey) Law, 2017 (the Draft) has now been released. The law, once finalised, will be a watershed moment for data protection across the Bailiwick, and will repeal and replace the existing Data Protection (Bailiwick of Guernsey) Law, 2001.
Headline points include:
- Fines of up to £300,000 or up to 10% of global annual turnover or global gross income for the three preceding financial years (whichever is higher) to a limit of £10 million, against processors and controllers of personal data who breach the data protection principles. These principles require the data to be processed:
  - lawfully, fairly and transparently;
  - in accordance with specified, explicit and legitimate purposes;
  - only to the minimum extent necessary;
  - accurately, securely and accountably; and
  - stored only so long as necessary.
- Fines of up to £5 million for failing to comply with other data protection requirements covering, for example, anonymisation and the giving of consent on behalf of children accessing social media.
A separate law enforcement ordinance will be prepared to implement equivalent EU provisions. This is one to watch as an indicator of the States' approach to enforcement, particularly in the early stages of the law's implementation.
The Draft is of course subject to change as it makes its way through the States' legislative processes. However, the significant penalties are likely to remain, to ensure equivalence with the EU's General Data Protection Regulation. Given the likely effective date of May 2018, organisations should use the Draft as a working document and stay close to any changes in the finalised version.
The Data Protection (Jersey) Law 201- and the Data Protection Authority (Jersey) Law 201- were lodged with the States Assembly in Jersey on 5 December 2017 and are expected to be debated by the States of Jersey on 16 January 2017.