Data protection law change, 6 months on


The Office of the Data Protection Commissioner staff (L-R: Tim Loveridge, Leanne Archer, Mike Appelqvist, Emma Martins, Rachel Masterton, Lesley Le Bailly, Lawrence West)

The Office of the Data Protection Commissioner (ODPC) is marking the six-month anniversary of the introduction of Europe’s General Data Protection Regulation (GDPR) and equivalent local legislation by providing an update on their activities since 25 May, as well as an indication of the road ahead.

The unprecedented interest in data protection in the lead-up to 25 May 2018, combined with a stream of data scandals, has ensured the issue of data has remained high on the agenda of business, government and individuals in the six months since implementation of wide-ranging legal reform across Europe and in the Bailiwick.

The ODPC has, along with other regulatory offices, been focused on ensuring the new legislation is workable and effective. Like any significant legal framework, there remains some ambiguity and uncertainty as society grapples with fast-evolving global technological and social change, which may take time to work through. That should not deflect from the significance of the reform and a true understanding of why it is needed and what it seeks to deliver.

The data protection commissioner, Emma Martins, commented on the ODPC’s role and regulatory approach:

‘The ‘datification’ of all our lives has brought with it changes to the way we live and how others shape our experiences, relationships and power balances. Regulatory effectiveness plays a major role in ensuring delivery of obligations in respect of data protection standards. How we, as the regulator, use our powers will fundamentally affect the nature and quality of compliance and we want to ensure we do so with integrity and with appropriate accountability and governance mechanisms embedded into everything we do. Part of delivering on that means that we ensure relevant and timely information is published about the law and our activities recognising that we are funded by the community and industries we are here to support.’

Increase in local organisations registered with ODPC
Since 25 May, 454 local organisations have fulfilled the legal obligation to register with the ODPC. This is on top of the 2,000 who registered prior to that date. It is a criminal offence for local organisations to be handling any information related to any living person without registering, unless a legal exemption applies.

Enquiries and outreach
The ODPC answered approximately 400 emails sent to enquiries@odpc.gg since 25 May. Organisations and citizens are welcome to submit any queries they have to the ODPC via email, phone, letter, or in person. Since 25 May the data protection commissioner and her deputy have undertaken 14 speaking engagements at events held by local industry bodies, associations, charities, schools etc. The ODPC events programme will commence in early 2019 – this is a key aspect of the ODPC’s statutory obligation to raise public awareness of citizens’ rights and to promote awareness of local organisations’ legal duties when handling personal information.

Funding secured to end of 2019
On 15 May 2018 Policy & Resources Committee approved the investment case and funding for the establishment of the ODPC and its operational costs through to the end of 2019. Thereafter, there is an intention to move towards a model that is predominantly funded through the collection of fees from local organisations. Our operating budget for 2018 stood at approximately £667,000 with a predicted operating budget for 2019 of ~£1.1 million.

Online breach reporting introduced
A secure, online system was developed to allow organisations to perform their new legal duty of reporting data breaches to the ODPC. This was in place for 25 May 2018, and in the six months to date we have received 71 breach notifications via this system.

Independent status
The ODPC’s board is The Data Protection Authority, which officially became a fully independent regulator on 25 May 2018. This Board provides independent governance and oversight of the Office of the Data Protection Commissioner, which performs the day-to-day regulatory function. The Board has met twice in the 6 months since 25 May to formalise the governance arrangements for delivery of its statutory functions.

The Board retains the power to fine organisations up to a maximum of £10 million for any data protection breaches that are deemed deliberate, wilful, repeated, seriously negligent or having caused significant harm.

New recruits
To assist in delivering on their statutory duties, between June and August 2018 three members of staff were recruited: an interim Chief Operating Officer, an Office Manager, and a Communications Manager, bringing the total headcount to 7.

Office move
In July 2018 the ODPC moved into new premises that allow sufficient office space for current staff and future growth. An event space was created within the office which will allow the ODPC to deliver on their statutory requirement to raise public awareness of citizens’ data protection rights and to promote awareness of data controllers/processors’ legal duties.

Systems and data migration
A key part of the ODPC’s independence from the States has been establishing stand-alone systems, financial controls and infrastructure. This took place during May – August 2018.

Project work
Work has commenced on the following projects: what the ODPC funding model from 2020 will look like; re-development of web-based services to bring them in line with upcoming statutory requirements; best practice in investigation and compliance; best practice in data forensics; public/industry engagement via an events programme; and establishing Memoranda of Understanding with key entities.

The next 6 months
The key change ahead for local organisations and citizens to be aware of is the end of what the Law calls ‘transitional relief’. Transitional relief relates to the period of time from when the Law was introduced (25 May 2018), to when every aspect of it comes into force (25 May 2019). The year delay was built into our local Law specifically to give local organisations sufficient time to fully prepare for the more complicated areas which are subject to this transitional relief.

— Notes —

Key statistics: in the 6 months since 25 May law change

454: Number of additional local organisations who have fulfilled their legal obligation to register with the ODPC
400: Number of email enquiries ODPC have answered
14: Number of speaking engagements by the commissioner and deputy commissioner
£667,000: The ODPC’s operating budget for 2018
2: Number of board meetings held by The Data Protection Authority
3: Number of additional staff recruited to ODPC

Infographic of key milestones (May 2018 – May 2019)

Transitional relief

As its name suggests, ‘transitional relief’ refers to the year-long grace period following the introduction of the new Law in May 2018. When the Data Protection (Bailiwick of Guernsey) Law, 2017 was introduced, the following nine areas did not fully come into force because they are subject to ‘transitional relief’:

  1. Duty to notify pre-collected data (sections 12 & 13)
  2. Duties of joint controllers (section 33)
  3. Duty to carry out impact assessment (sections 44 & 45)
  4. Processor-use duty (section 34)
  5. Processor duty to establish measures (sections 35 & 36)
  6. Duty of processor to obtain controller authorisation (section 36)
  7. Delay of right to data portability (section 14)
  8. Validity of consents obtained before 25 May 2018
  9. New registration requirements (sections 39 & 40)

What does the end of transitional relief mean for organisations?
Local organisations should use the remaining 6 months of transitional relief to review how the nine areas impact them and fully prepare themselves to be compliant. A good place to start is to read the ODPC guidance note published in June 2018 at www.odpc.gg/transition.

What does the end of transitional relief mean for citizens?
When the transition period ends in May 2019, all islanders will gain a new right of ‘data portability’. This means that they will be legally entitled to request that an organisation which holds their personal data transport it to another organisation. This data must be provided in a format that is machine-readable and easy to download, organise and tag.

Over the next 6 months the ODPC will be publishing and disseminating further guidance to support local organisations. To ensure you receive this guidance you are encouraged to sign up to the ODPC’s monthly newsletter at: www.odpc.gg/newsletter.