A New Standard for Data Protection and Privacy In Guernsey

The Data Protection (Bailiwick of Guernsey) Law, 2017, also known as the Data Protection Law for short, is a comprehensive data privacy protection policy that was passed in 2017. While the island of Guernsey is a Crown Dependency of the United Kingdom, it is neither formally a part of the country, nor the European Union, and as such does not fall under the jurisdiction of the General Data Protection Regulation or the UK’s GDPR law. As such, the island needed legislation that would protect the personal data of their citizens, as the collection and processing of personal data are critical to the success of Guernsey’s economy. To this end, the Data Protection Law forges the legal grounds upon which data can be legally collected, processed, stored, used, or disclosed within the island. Moreover, the law also sets forth various punishments that can be imposed against individuals or organizations who fail to comply with the law.

How are data controllers and processors defined under the Data Protection Law?

Under the Data Protection Law, data controllers are defined as any “person who, either alone or jointly or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed”. Conversely, the law defines a data processor as any “Any person, other than an employee of the data controller, who processes personal data on behalf of the data controller”. Moreover, personal data is defined as data “which relates to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”.

As it pertains to the scope and application of the Data Protection Law, the personal scope of the law protects call personal data that is collected or processed in relation to the citizens of Guernsey. Alternatively, the territorial scope of the law applies not only to data controllers and processors operating within the island of Guernsey, but to all islands with the Bailiwick of Guernsey. While the island of Guernsey is not a part of the United Kingdom, it is a part of the larger English Chanel islands, which include three sub- jurisdictions, Guernsey, Alderney, and Sark, collectively known as the Bailiwick of Guernsey. As such, the provisions of the Data Protection Law are applicable not only to the island of Guernsey but to the entire Bailiwick of Guernsey as well.

What are the requirements of data controllers and processors under the Data Protection Law?

As the purpose for enacting the Data Protection Law was to provide citizens residing within the Bailiwick of Guernsey with a level of data protection and privacy that is on par with the EU’s GDPR law, the Data Protection Law also sets forth various principles that data controllers and processor operating within the territory must abide by at all times. These principles include:

• Lawfulness, fairness, and transparency– All personal data that is collected or processed must be done so in a way that is fair, lawful, and transparent.
• Purpose limitation– All personal data that is collected and processed must only be utilized for specified, legitimate, and explicit purposes.
• Data minimization– All personal data that is collected and processed must be adequate, relevant, and limited to the purposes for which it was collected or processed.
• Accuracy– All personal data that is collected or processed must be accurate, as well as kept up to date where necessary. Data controllers and processors are responsible for ensuring that any personal data in their possession that has been found to be inaccurate is either rectified or erased without undue delay.
• Storage limitation– All personal data that is collected and processed must be kept in a form that allows for the identification of related data subjects, for no period of time longer than is necessary to achieve the purposes for which said data was collected or processed.
• Integrity and confidentiality– Personal data must be collected and processed in a manner that ensures that said data is secured appropriately, including protecting against damage, unauthorized access or use, unlawful collection or processing, and destruction.
• Accountability– Data controllers and processors are responsible for upholding the principles stated above.

What are the rights of data subjects under the Data Protection Law?

Under the Data Protection Law, data subjects who reside with the Bailiwick of Guernsey have the following data protection and personal privacy rights:

• The right to be informed.
• The right to access.
• The right to erasure.
• The right to object or opt-out.
• The right to data portability.
• The right not to be subject to automated decision-making.

In terms of penalties related to non-compliance with the law, the Data Protection Law is enforced by the Office of the Data Protection Authority or the ODPA for short. As such, the ODPA is authorized to impose a variety of monetary penalties and administrative sanctions against data controllers and processors who fail to adhere to the provisions set forth in the Data Protection Law. To illustrate the potential severity of such consequences, the ODPA fined a data controller operating within Guernsey £80,000 ($107,776) in September of 2020 for a “lack of transparency in relation to the processing of personal data published in a public directory and breach of the accuracy principle”.

As the island of Guernsey has a somewhat unique status due to its classification as a Crown Dependency of the United Kingdom, the territory needed a data protection law that would ensure that citizens within the region would have their personal data and privacy protected. This was achieved with the passing of the Data Protection Law in 2017, as has many provisions that are similar to that of the UK’s GDPR law. As such, citizens who reside within the Bailiwick of Guernsey can rest assured that their personal data is being protected at all times when they are conducting business or engaging in services.