13 Feb: Emma Martins’ speech to the NED Forum

The Bailiwick of Guernsey’s Data Protection Commissioner, Emma Martins, gave a speech at a Non-Executive Director Forum event on 13 February 2019. Emma summarised why it is essential that all board members engage with their organisation’s data protection commitments in the same way that they would approach any other area of corporate governance:

“After headline grabbing fines and looming deadlines of 2018, there can be few boards and board members that are not aware of GDPR and our local equivalent legislation, The Data Protection (Bailiwick of Guernsey) Law, 2017.

The role played by the board and by individual board members is absolutely critical if organisations are to get this right.

Strong board members have, traditionally, had to demonstrate financial and commercial acumen. That is, of course, still the case, but in this data-driven era the role has become so much broader. Governance is key to success and governance now, without question, encompasses the handling of data.

As a starting point you should know what your organisation is up to in terms of data.

You must know:

  • what data your organisation is responsible for
  • where the data is sourced from
  • what the legal basis is for the processing
  • what role data plays in your organisation’s business processes
  • where your organisation’s data is located
  • who else may have access to it

You also need to have a good understanding of risk because data has become so intrinsic to all business activity, regardless of sector. If your data is compromised, you have a problem – operationally, reputationally and economically.

So one of the important processes that you need to ensure is in place and ensure everyone is aware of is a data breach response plan – regardless of the size, or nature of your business.


This is a very basic illustration of steps and you will need to tailor them to your own organisations.

The mapping of your data processes and an understanding of the technical and operational activities as well as having a plan for when things go wrong are crucial, but so too is culture.

When talking about a culture, one of the most important and influential aspects has got to be the tone at the top. Whether you like it or not, how you approach data governance, how you respond and, engage with the compliance requirements will determine how the rest of your staff do too – both positively and negatively.

If you want to create a positive culture around how data protection is handled in the organisations you are responsible for, my advice is:

Get to know your data protection officer (DPO)
If your organisation has a DPO, get to know them. Even if you do not have a DPO, there should be someone who is responsible for this area of the business and compliance. Find out who that is.

Take an interest in what they are doing and remember that they are autonomous and should have a direct line of communication with the board.

Use your DPO’s knowledge and professional expertise to improve your own knowledge and understanding.

Meet and talk with them regularly – both formally and informally.

Support them and make sure their voice is heard at the top of the organisation and amongst all staff.

Encourage and allow constructive challenge

You are an ambassador for your organisation and how you communicate both internally and externally really does matter.

Always be mindful of the significance of C-suite level communications and attitudes.

Fines have grabbed attention but this is not just about fines. Resourcing good data governance means supporting your DPO and all staff in their personal training and development.

Data security should be on the risk register of all organisations and appropriate investment is important in this key area.

You should ensure that an ongoing governance programme and framework for data protection compliance is in place. This should be reflected in the organisation’s policies and procedures and staff need to be updated.

Personal behaviour
Talk the talk and walk the walk.

Make sure that you align your own practices with company policies and procedures and general good governance principles.

Show leadership and lead from the front, staff need to value and trust you.

Above and beyond law, ethics matters and will increasingly become a market and commercial differentiator. Doing the right thing is increasingly important in all areas of our lives. How organisations engage with their legal and ethical responsibilities when handling data will determine their economic and reputational health in fundamental ways. Taking short cuts may feel beneficial in the short term but this approach will come back to haunt you. Consumers and citizens are demanding more transparency, accountability and ethics from businesses. Those that deliver on those demands have the opportunity to take the best advantage of the opportunities that present themselves in this data-driven era.”

Official statement: verdict on recent data breach case

We would like to make the following statement regarding the recent verdict in the data breach case involving a former States of Guernsey employee accessing confidential patient records:

‘As the local data protection regulator, we have been following this case carefully. We await the opportunity to review the judgement in detail which will allow us to consider what steps, if any, may now be appropriate from a regulatory perspective. We would like to emphasise that this matter was dealt with under The Data Protection (Bailiwick of Guernsey) Law, 2001, which was repealed in May 2018 and replaced by The Data Protection (Bailiwick of Guernsey) Law, 2017 which provides increased statutory obligations for both organisations and individuals, as well as more comprehensive enforcement powers.’

It is an opportune moment to remind everyone handling personal data of the importance of committing to, and investing in, high standards of compliance. Failing to do so risks undermining trust and confidence in a very serious way.

Please contact us if you have any questions.

2 Feb: Digital ACE

(Sat 2 February, 12:00 – 17:00, Beau Sejour)

Come along to our stand at Digital ACE event ‘Empower’ zone to talk to our staff about the human stories at the heart of data protection. Our Deputy Commissioner Rachel Masterton, our Operations & Compliance Manager Lawrence West, and our Communications Manager Leanne Archer will be on our stand.

You can also find out why you should care about data protection (hint: it’s about protecting you)

We would also like to draw attention to ReportHarmfulContent.online website – this is provided by UK Safer Internet Centre and operated by SWGfL. It allows you to report harmful content you see online, such as:

  1. Online abuse
  2. Bullying or Harassment
  3. Threats
  4. Impersonation
  5. Unwanted Sexual Advances (not image-based)
  6. Violent content
  7. Self-Harm or Suicide content
  8. Pornographic content

Also, SWGfL are launching a child-safe internet browser called Swiggle. This browser is aimed at 7-11 year olds, and is to be used alongside adult-supervision. It allows young people to safely search for educational content online.

If you cannot attend Digital ACE and you have questions please contact us.


31 January: Update on Brexit and data protection

Following events in the UK Parliament earlier this week, the States of Deliberation are due to consider a draft ordinance that would designate the UK as an authorised jurisdiction under our local data protection legislation. Building on the foresight of the drafting team behind the Data Protection (Bailiwick of Guernsey) Law, 2017, this designation will mean that transfers of personal data to the UK by locally based organisations can continue after Brexit.

This covering paper and associated draft Ordinance, prepared by the Committee for Home Affairs, explains that this designation will remain in place until the end of December 2020 or until the European Commission has made a judgement as to the adequacy (or otherwise) of the UK’s data protection regime (whichever is the earlier).  This move is intended to provide some assurances to local organisations who transfer personal data to the UK as part of their day-to-day business and to remove the need to implement alternatives safeguards to protect personal data dispatched to the UK’s shores, balancing the Bailiwick’s need to trade with the UK against its desire to maintain adequacy and the benefits to Bailiwick businesses that that brings.  This approach has been taken underpinned by confidence in the UK’s expressed intention to maintain GDPR complaint legislation and to seek an adequacy finding by the European Commission as soon as possible once it becomes a third country.

The ODPA would like to thank the Committee for Home Affairs and the team behind the paper and associated legislation for their pragmatic solution to the uncertainty that Brexit has caused in relation to data transfers and encourages organisations with any questions to get in touch.

19 December: update on Brexit and data protection
Data protection implications of Brexit for the Bailiwick
Leaving the EU: the data protection implications of a Hard Brexit for UK businesses with EU data flows and clients‘ (May 2018 document)

Data Protection Day: it’s all about you

The Office of the Data Protection Authority is marking this year’s Data Protection Day on 28 January with a sold-out event for professionals in the field, as well as outlining why all islanders should care about data protection.

Data Protection Day has been recognised internationally annually since 2007, with the aim of raising awareness and promoting privacy and data protection best practices.

The lunchtime event on 28 January will explore the role of the Data Protection Officer and the special protections the Law gives to individuals who hold these roles within local organisations.

The Data Protection (Bailiwick of Guernsey) Law, 2017, introduced on 25 May 2018, requires certain types of organisations to have a Data Protection Officer (DPO). The role is independent, reports to the highest tier of management and no conflict of interest must exist which would impact on the performance of the DPO’s functions.

The DPO position demands many skills ranging from legal and technical to operational and managerial and the post holder has to be able to communicate effectively across their organisation, including at board/senior management level.

Alongside the event for professionals working in data protection, the ODPA have also produced a publication outlining why everyone should care about data protection, this can be found at: www.odpa.gg/all-about-you.

Emma Martins, Data Protection Commissioner, commented on why the role of a Data Protection Officer is so important, demanding many skills of the individual and confirmed that more public events will be held soon to support data professionals as well as other groups and sectors.

‘An effective data protection professional is a huge asset for an organisation because data is so intrinsic to nearly all business activity. A business community and jurisdiction that recognises and values professionals who deliver high standards of data governance will have a real impact on reputation and results.  The sharing of ideas and experiences between these highly skilled professionals will be invaluable. Looking beyond Monday’s event, we are putting a lot of thought into our future events programme. The programme will focus on increasing awareness of the scope of personal data, citizens’ legal rights, as well as supporting organisations in their compliance efforts. The Bailiwick is well placed to deliver exceptional quality in this area. This is demonstrated by the world-class standards in local financial services compliance, where highly qualified professionals are a core part of that industry’s success.’









A brief history of 2,000+ years of privacy

2019 is still just a few weeks old.
The ink has dried on new data protection laws locally and further afield.
And every week seems to reveal a new story of organisations being held to account for not taking care of the most valuable asset they have – our personal information.

It feels like a good time to reflect on how we got here – to this world where data protection seeks to protect our human right to privacy.

Looking back we know that the thread of privacy can be traced through human history, from the ancient Greeks, all the way to the Universal Declaration of Human Rights following World War II, and on to the introduction of the EU’s GDPR.

But, privacy as a concept is a difficult thing to define. It changes over time, across cultures and religions, social groups and generations. It is unlikely that if, today, you asked a handful of people what they consider privacy to be, that you would get the same answer from any of them.

A standard dictionary definition of privacy is ‘a state in which one is not observed or disturbed by other people’.

This notion of privacy can be traced back over 2,300 years, to the Greek philosopher Aristotle’s (384-322 BC) discussions of the distinction between the public sphere of political activity and the private sphere of life relating to family.

The earliest treatises on privacy were seen in America in the late 1800s, but 1948 was a defining moment closer to home when the Universal Declaration of Human Rights was adopted which included the Right to Privacy.

As technological advances accelerated, so the legal frameworks of protection evolved. In 1980, the OECD issued guidelines on data protection in direct response to the increasing use and power of computers to process data. A year later, the Council of Europe adopted the Data Protection Convention – Treaty 108 – which was the first time the right to privacy was enshrined into law for European countries.

1995 was another important year which saw implementation of the European Data Protection Directive 95/46 which contained language and principles which will be very familiar to those with a knowledge of today’s data protection legal landscape.

Bringing us up to date, the General Data Protection Regulation (GDPR) was approved by the EU Parliament in 2016 after years of discussions, negotiations and heavy lobbying.

The GDPR came into force in May 2018 and has undoubtedly been one of the highest profile data protection legal developments in history. Its model of empowering independent regulators to oversee compliance of the legal rights and obligations enshrined within the legislation is in contrast to other models of data protection across the world. It is a model which has been reflected in the Bailiwick of Guernsey’s approach.

Implementation of the first data protection law for the Bailiwick was in 1986, a law which was replaced in 2001 in response to developments in Europe. More recently we have been one of the first to update our local legislation in line with the new GDPR standards. The Data Protection (Bailiwick of Guernsey) Law 2017 brought the protection of personal data up to some of the highest global standards and marks the start of a new chapter in the history of data protection and informational privacy, security and governance for us.

Whilst data protection laws are not exclusively seeking to address privacy in its broadest sense, they are linked to the concept of privacy for individuals in very fundamental ways.

Recent years have seen an explosion in both computer processing power and the scale of data being created. More of our lives are ‘datafied’ than ever before. If we think about an average person’s day and the data trail (or ‘digital exhaust’) left in that person’s wake it has the potential to provide an extraordinary level of detail about every aspect of their life. It is therefore impossible to disentangle serious questions of privacy from questions about what happens to our data. Questions such as: who has access to our data? What are their motivations and intentions? Can we trust them to look after our data and not use it to manipulate us or others?

In the data economy, robust data protection is essential to build the trust and confidence of consumers. In a democracy, robust data protection overlaps other fundamental rights that seek to ensure the citizen is afforded important rights and freedoms.

Much has changed since Aristotle’s time but as human beings, there are some things which, despite the dramatic changes in context, have changed very little. Considering questions of privacy as relevant to the human condition and to human happiness, associating it with dignity, autonomy and well-being – all of these things matter as much to us today as they did to the ancient Greeks.

New name for data protection regulator

As of 14 January 2019, The Office of the Data Protection Authority (ODPA) is the new name for the local data protection regulator.

This replaces the previous name of The Office of the Data Protection Commissioner.

This re-naming formally recognises the legal body of the Data Protection Authority which was established in May 2018 and is defined in Part XI of The Data Protection (Bailiwick of Guernsey) Law, 2017.

The Data Protection Authority is made up of: a Chair, five voting members, and the Data Protection Commissioner is an ex-officio and non-voting member. The Data Protection Authority delegates responsibility for most of the day-to-day regulatory activities to The Office of the Data Protection Authority which employs the Data Protection Commissioner, the Deputy Data Protection Commissioner and other staff.

This is the new logo:






Find out more: About Us


19 December: update on Brexit and data protection

With UK parliament set to vote on the draft agreement on Britain’s withdrawal from the European Union in the week of 14 January, we’d like to reassure local organisations that in the event of a ‘no deal’ Brexit in March 2019 consideration is being given to the need to invoke the statutory provision in our local Law to continue to recognise the UK as an adequate country from a data protection perspective. This means that organisations could continue to transfer personal data to/from the UK as they do now.

We can also confirm that on 17 December we met with the States of Guernsey’s data protection policy team to discuss the situation, to ensure readiness to respond with a firm approach in the event of any Brexit scenario. And we will continue to work in partnership with the States as things evolve over the coming weeks.

Increase in local data breaches

Twenty-eight personal data breaches have been reported to The Office of the Data Protection Commissioner (ODPC) in the last two months up to 13 December 2018.

The number of breaches has increased slightly, when compared with the previous reporting period of 26 reported breaches over the two months up to 18 October. The increase is likely due to two factors: firstly, organisations are increasingly more aware of their legal obligation to report breaches; and secondly, certain organisations have erred on the side of caution by reporting incidents that do not necessarily meet the breach classification criteria.

The ODPC encourages all local organisations to continue with this cautious approach as this provides valuable intelligence to the real-world risks faced by local organisations.

Most incidents reported to the ODPC were low-level with no further action required. However, the ODPC has a heavy caseload of ongoing investigations into breaches and complaints that do require significant further inquiry.

As with the previous reporting period, there have been a number of incidents where hackers have gained control of email accounts using social engineering techniques.

Guernsey’s Data Protection Commissioner, Emma Martins commented on the role of breach reporting and organisations’ duty to consider the people affected.

‘We continue to see local organisations engaging in their legal obligation to report data breaches to our office. This is an essential aspect of compliance as it requires organisations to proactively engage with the risks they face in protecting people’s personal information. It also ensures they robustly consider the impact a breach may have on the people whose data has been affected.’

The ODPC uses the breach report information received to shape activities, particularly its communications strategy and regulatory action plan. Understanding where organisations are vulnerable enables the ODPC to target its resources in the most effective way.

The ODPC is working to improve its online breach reporting mechanism and has asked for any comments to be submitted via enquiries@odpc.gg.


DOWNLOAD INFOGRAPHIC – personal data breach: legal criteria

Personal data breach: legal criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPC encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in our local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

Action points for organisations after a personal data breach:

  • Read: ODPC breach reporting guidance document(includes checklists and templates);
  • Let ODPC know the breach has occurred – via the secure online breach reporting mechanism;
  • Take steps to limit the damage. Where appropriate, advise any person who received data in error that they should delete the data and must not make use of or disclose the data to anyone else;
  • Consider whether it may be necessary or appropriate to report the breach to any other regulatory or law enforcement agency;
  • In some cases you will need to notify the person whose data was disclosed in the breach;
  • Ensure your organisation reviews and learns from what has happened.

Action ODPC take following a reported breach:

  • They record the breach, securely and confidentially, and assess its severity;
  • They contact the organisation to confirm receipt of the breach report and discuss what happens next (each report is assessed on a case by case basis);
  • Where necessary the ODPC may need to communicate with other data protection authorities, if the breach is likely to affect people outside of the Bailiwick.

6 December 2018: Official office opening event

On Thursday 6 December, we welcomed invited guests to attend the official opening of our new offices at St Martin’s House. We would like to thank all our guests who braved the elements to attend, it was our pleasure to see you all.

We reflected on the significance of our office environment, which allows us to now host our own board meetings (the third of which was held during the day yesterday), meet privately with members of the public, and in 2019 – begin holding public events.

Special thanks also to Ben Fiore and Louise Lawton – both immensely talented local artists whose work depicts our jurisdiction and islanders, in the public areas of our offices.