The States of Guernsey is supporting a self-funding model for the Office of the Data Protection Authority (ODPA), to reinforce its role as a fully independent regulatory body.
The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017 delegated by the Data Protection Authority. Its new self-funding model means that, from January 2021, most of its operational costs will be met by annual fees paid by the regulated community (i.e. local businesses and other organisations who handle personal data), with the States of Guernsey contributing around £300,000 per year.
The way the ODPA is funded has changed because it is legally and politically obliged to operate independently of the States of Guernsey. Reinforcing this independence is an important part of the ODPA’s effective regulatory oversight, and being able to demonstrate this independence is critical to the Bailiwick retaining its ‘adequacy’ status with the European Commission. This status allows the free-flow of data between the islands and the EU which is crucial to the Bailiwick’s current and future economic success.
Deputy Mary Lowe, President of the Committee for Home Affairs said,
‘Data is an essential part of the modern economy. It is a precious commodity in both our business and personal lives and needs to be properly safeguarded. The Committee has been working closely with the Authority and we are in agreement that moving the ODPA to become self-funding will prove important in demonstrating that while the States creates the Data Protection legislation, the Authority is able to act without fear or favour in its investigations.’
Emma Martins, the Bailiwick’s Data Protection Commissioner, commented on the work that has led to this point,
‘The States of Guernsey civil servants, politicians, as well as ODPA staff and board members have worked hard since 2018 to reach agreement on how best to fund the ODPA. Our focus was always on ensuring that we agreed on a low-cost, low-admin model that is as fair as possible to local businesses. Especially at this challenging time for everyone, we want people to focus their efforts on running their businesses well, rather than filling in bureaucratic forms. We are pleased to finally be in a position to start work preparing for the changes ahead and we will publish further details over the coming months.’
FREQUENTLY ASKED QUESTIONS
Q: What is personal data?
It is any information that relates to an identified or identifiable living person. Things like: your name, your address, your medical records, CCTV footage of you, your social media activity, your internet browsing history, what your boss once said in an email about you, your political views, your sexuality etc.
Q: What is ‘processing’ personal data?
‘Processing’ refers to pretty much anything an entity* does with personal data. It includes activities like: collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data. Profiling is also considered to be processing.
*An ‘entity’ could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.
Q. What is changing?
From 2021, a new registration regime (approved by the States of Guernsey) will be in place for the Office of the Data Protection Authority (ODPA). This regime means that all controllers and processors established in the Bailiwick that process personal data will be legally required to register with the ODPA and pay a fee each year.
Q. Why is the registration regime changing?
The new data protection legislation that came into force for the Bailiwick in 2018 (The Data Protection (Bailiwick of Guernsey) Law, 2017) provided for the creation of an independent regulator. The funding mechanism that was in place prior to that time was maintained until the end of 2020 to allow for political agreement on a sustainable and efficient funding model for the future.
Q. Who decided to make these changes?
The States of Guernsey agreed that the ODPA should be self-funding to ensure full independence.
Since legislation came into force in 2018, the ODPA has been working with the States of Guernsey to agree a new registration regime to enable this. All parties have focused on providing a regime that is as low cost and administratively straightforward as possible for organisations.
The Committee for Home Affairs agreed the new model in February 2020 and the Policy and Resources Committee agreed it in March 2020. The ODPA was then tasked with implementing the model ready for January 2021.
Q. I am registered with the ODPA now, what does it mean for me?
If you are currently registered with the ODPA, you will need to provide the ODPA with new information confirming your registration, between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process. If you do not complete an annual validation with Guernsey Registry, you can simply register directly via the ODPA’s website.
Q. I am not currently registered with the ODPA, what will I have to do?
If you are not currently required to register with the ODPA because you benefit from the limited exemptions (see odpa.gg/exemptions for details), those exemptions will end at the end of 2020 (the only exception is for domestic/household purposes). You will therefore need to register and pay between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process. If you do not complete an annual validation with Guernsey Registry, you will be able to register directly via the ODPA website. You will need to do this between January-March 2021.
Q. I am a charity/not-for-profit, what does this mean for me?
You will need to complete the registration process as above between January-March 2021, but you do not need to pay.
Q. How much will it cost?
It is recognised that no one wants to pay large administrative costs for running a business, however big or small. The ODPA has always been absolutely clear that its funding model should be as cost effective as possible. The 2020 economic climate has redoubled efforts to ensure that all expenditure is proportionate, necessary and has the highest standards of financial and operational governance built in. The ODPA has worked hard, together with the States of Guernsey, to keep the cost organisations are required to pay as low as possible.
With all of that in mind, there is a simple two-tier cost structure:
- For small organisations with fewer than 50 full-time equivalent (FTE*) employees, the annual levy will remain £50/year.
- For large organisations with 50+ FTEs the annual levy will be £2,000/year.
* The Regulation will include details on how to calculate your total FTE.
All charities/not-for profits will pay zero fee, but must still register and review this each year.
Q.Where will the money go?
The new fees regime will allow the ODPA to move towards self-funding status, giving it full financial independence from the States of Guernsey. This independent status is both a political and legal requirement. The ODPA’s statutory responsibilities are set out at odpa.gg/about-us (under ‘Functions of The Authority and ODPA’) and you can see its plan for performing these tasks via the ODPA Strategic Plan (2019-2022) at odpa.gg/strategic-plan.
The Bailiwick has had a data protection regulator for many years. Up to now, it has received funding from the States of Guernsey with some income also coming directly from registration fees paid by local organisations. The strengthened data protection regulatory framework has enhanced individuals’ rights to reflect the scale of personal data processing in this digital era. It has also strengthened the role of the regulator to provide for appropriate powers and ensuring independence.
Q. How often do I need to pay?
Following your initial registration fee, payable by all (except charities/not-for-profits) in January-March 2021 an annual levy (of either £50 or £2,000 depending on your organisation’s size) will be due during the first quarter of each following year.
Q. I am responsible for registering a number of entities. What are the changes for us?
The ODPA is aware that where an organisation is responsible for registering a number of controllers and/or processors a simpler bulk registration process would be helpful. Consideration is being given to this and more information will be released when available.
Q. I complete an annual validation via Guernsey Registry, how will this process work for me?
The ODPA want to make the registration process as easy as possible. This ensures that costs are kept to a minimum and it also does not divert you with administrative processes which do little to support overall data protection compliance.
To this end, the ODPA has worked with Guernsey Registry to make sure you are given a timely prompt to register with the ODPA once you have completed your annual validation with the Guernsey Registry. This allows the process to be as straightforward as possible for you.
If you prefer, you can of course disregard the prompt at the end of the Guernsey Registry process and simply register directly with the ODPA at a time convenient to you between January-March 2021.
Q. I do not complete an annual validation with Guernsey Registry, how will this process work for me?
You will be able to register directly via the ODPA website. The process is designed to be as straightforward as possible whilst recognising that the ODPA have a statutory requirement to collect certain information from you.
Q. What does the ODPA do with the data it collects for the registration process?
Following changes to legislation in May 2019, the ODPA is no longer required to maintain a public-facing register of controllers and processors. Therefore, all registration data will be processed internally for administrative purposes only.
Q. Why do we need to fund a data protection regulator?
Data increasingly powers the economy as well as affecting our own individual lives, both personally and professionally. The Bailiwick relies on the free flow of data to support and develop the current economy as well as to ensure it is well positioned to take advantage of the emerging digital economy.
Our government recognises how important data protection standards are for our jurisdiction and has therefore provided high quality legislation to ensure appropriate safeguards sit around the personal data that resides and flows through the Islands. As with any legislation, there needs to be effective oversight – both to ensure people and businesses are supported in complying with the requirements, as well as to ensure that complaints are investigated independently and robustly.
Whilst most funding has come from the States of Guernsey up until now, it raised challenges in relation to ensuring the ODPA’s independence (both actual and perceived). With government responsible for handling some of the highest volumes and most sensitive personal data in the Bailiwick, fully independent oversight is essential. Once government made the decision to move the ODPA to a self-funding model, a lot of effort went into devising a fair, low-cost, simple registration model that provides the ODPA with sufficient funding.
Ensuring our jurisdiction has a properly resourced and effective data protection regulator supports islanders’ rights, supports businesses to handle data properly and serves to underpin the Bailiwick’s digital strategy.