Bailiwick’s adequacy re-assessment by the European Commission is underway

The European Commission (EC) have begun the process of reassessing the Bailiwick’s ‘adequacy’ as a non-EU country in relation to how well we meet the standards of data protection laid out in the EU’s General Data Protection Regulation (GDPR).

Why is this important?
Data plays a vital role for all business sectors. An adequacy decision from the EC is essential to the continued success of the Bailiwick’s economy as it allows EU organisations to easily transfer data to the islands of the Bailiwick.

How did the Bailiwick achieve its current ‘adequate’ status?
By implementing its own data protection legislation that protects local citizens’ rights and ensuring local organisations offer goods or services to people within the EU in a way that is compliant with the standards of data protection laid out in the GDPR.

The Bailiwick is one of thirteen jurisdictions that the EC currently recognises as offering an adequate standard of data protection. This recognition was given to our 2001 Law and whilst ‘grandfathered’ across to the GDPR regime, it was acknowledged that a review of our adequacy would be needed, at a time chosen by the EC.

What happens now?
The EC has recently requested that all currently adequate jurisdictions conduct a self-assessment process to begin this review.

In April 2019 The Office of the Data Protection Authority submitted a report to the States of Guernsey which will form part of the detailed adequacy report being compiled for submission to the EC in early May 2019.

Once the States of Guernsey submit their assessment to the EC it will be considered and the result of the process will be announced. It is expected that all adequate jurisdictions will be subject to regular ongoing review by the EC.

ODPA opens public consultation on future events programme

The Office of the Data Protection Authority (ODPA) is running a month-long public and industry consultation to seek feedback on the scope and format of its future events programme.

The start of the consultation will be marked by a sold-out event on Wednesday 10 April at which the ODPA will outline the proposed programme, present the aims and seek feedback from attendees.

The ODPA intends to use its programme to initiate positive cultural change through being accessible to local organisations and citizens of all ages, improving compliance by building awareness of topical issues in data protection, encouraging innovation and excellence in data protection practices, exploring official guidance with the regulated community and gathering feedback from local industry and individuals.

Emma Martins, Guernsey’s Data Protection Commissioner, confirmed the importance of the ODPA’s events programme.

‘This is a key aspect of our statutory obligation under section 61 of the Law to raise public awareness of citizens’ rights and promote awareness of controllers and processors’ legal duties. We have given considerable thought to how best to achieve this and look forward to listening to what people have to say about our plans.’

The proposed programme includes sessions on ‘what is data?’, individuals’ rights, data ethics and principles, excellence and innovation in data protection and the application of data protection in the workplace.

The one hour session will take place at 12:00 on Wednesday 10 April at the ODPA’s offices in Le Bordage and includes a welcome from the Commissioner and presentation of the programme. Time will be allocated to feedback gathering from the attendees who will be split into small groups.

Anyone who wishes to take part in the public consultation can visit to review the proposed events programme and send their feedback by 10 May 2019.

Once finalised, the ODPA aims to start the programme in June 2019 and will accept bookings via


Episode Two of the Data Protection TeaBreak gives further context to our public consultation. It was recorded on 11 April, the day after the public session detailed above and features our Data Protection Commissioner Emma Martins and Chief Operating Officer Tim Loveridge discussing how the ODPA plans to engage with the community and hopefully reduce data breaches.

Open letter on data breaches and the imbalance of power

“Recent weeks have seen media coverage of a number of data breach issues: the court case against a former employee of Health and Social Care accused of accessing people’s medical records; an elected member of the States of Guernsey had a code of conduct complaint upheld relating to the loss of a parishioner’s sensitive paperwork; and most recently our office released statistics showing an increase in reported local personal data breaches.

Invariably, the public and media do not have access to all the details surrounding each breach and the real harms they often cause. Data protection cases, by their very nature, often involve a significant amount of highly personal and confidential information which isn’t ever made public. The focus, therefore, is often on the individual or organisation responsible for the breach and it is frequently only their side of the story which is heard. As the regulator of the local data protection law, we are bound by strict confidentiality standards. However, we would wish to highlight this imbalance. All those involved have a right to be heard, to be treated fairly and ethically, and to have their rights respected. An imbalance can occur when certain powerful groups or individuals have a platform, when others do not.

Our local law is clear – it exists to protect the individual from harms due to misuse of their personal data. And make no mistake, the harms that can be caused by data being compromised are very real. Anyone with first-hand experience will tell you it is not an overstatement to say that mishandling personal data can ruin lives, ruin careers, ruin reputations, and destroy organisations. Wider international conversations about the potential individual and social harms of data misuse are testament to this.

We would like to reassure everyone in the Bailiwick that we are here to empower individuals and to protect their legal rights as much as we are here to support active engagement and compliance by industry. We want to ensure everyone has a voice and is respected regardless of the power or status of the individual or organisation who may have mishandled data. Protection of data is not a luxury, it is an essential part of living a dignified life in a democracy.”

– Emma Martins
Data Protection Commissioner 


The text above was submitted for consideration to the Letters page of our local newspapers The Guernsey Press and Bailiwick Express on 17 March 2019.

ODPA provides plain English guide and drop-in sessions

The Office of the Data Protection Authority (ODPA) is offering practical guidance to all Bailiwick organisations via a free guide to the transitional aspects of the data protection law, and fortnightly drop-in sessions.

Transition: a plain English guide for organisations offers advice to local organisations ahead of 25 May 2019 when the 12 month transitional period of the law ends.

There are several complex areas that did not come into force when The Data Protection (Bailiwick of Guernsey) Law, 2017 was introduced in May 2018, the same day as the EU’s General Data Protection Regulation (GDPR). The guide gives a plain English overview of each of these areas in turn explaining the steps organisations need to take to comply with them.

Emma Martins, Data Protection Commissioner, confirmed the importance of providing guidance to the regulated community.

‘As with any law, data protection legislation is full of technical and legal language which is challenging even to experts. Data protection is not just for lawyers, it matters to us all so we must ensure that the rights and obligations the law sets out are presented in an accessible and straightforward way, using jargon-free language. At my office we are committed to communicating as clearly and concisely as possible in everything we do. Encouraging understanding of and engagement with data protection means we can all benefit from ensuring it is done well.’

In the new guide, the ODPA follows a hypothetical local estate agent, called Moving & Shaking, to put the advice in a real-world context and help explain these complex areas of the law.

In addition to the plain English guide, the ODPA is also hosting fortnightly drop-in sessions. From 13 March onward organisations can visit the ODPA’s office between 09:00 – 12:00 every other Wednesday. The aim of these sessions is to give organisations regular opportunities to ask questions, and discuss any issues. The next session will be held on Wednesday 27 March, and a calendar of the dates for 2019 can be found at

Organisations will soon be able to request a ‘study visit’, whereby small groups of staff from a regulated organisation can explore a specific issue or topic in more depth with a member of ODPA staff.


Q. What is transition? 
A. When The Data Protection (Bailiwick of Guernsey) Law, 2017 came into force in May 2018 there were several complex areas that were given ‘transitional relief’. This means that organisations were given an additional year (the transition period) before they had to comply with those more complex aspects.

All of the ODPA’s advice on transition can be found at: – this includes ‘Transition: a plain English guide for organisations’, as well as:

  • A more technical summary
  • The legal document that gives a full technical outline of the transitional aspects of the Law [The Data Protection (Commencement, Amendment and Transitional) (Bailiwick of Guernsey) Ordinance, 2018]
  • Details of all Bailiwick citizens’ legal rights under the Law
  • Details of the Seven Data Protection Principles that define all organisations’ legal responsibilities
  • How to seek consent correctly under the new Law
  • How to incorporate data protection by design and by default into your activities
  • Specific guidance on Data Protection Impact Assessments (including screening questions, a suggested template, and how to link the seven data protection principles to your impact assessment)
  • Q&As

ODPA report further increase in local data breaches

Forty-five personal data breaches have been reported to The Office of the Data Protection Authority (ODPA) in the two months up to 22 February 2019, with 22 of the 45 from the local healthcare sector.

This is an increase compared with 28 over the previous two month period to 13 December 2018. The rise is likely due to organisations becoming more aware of their legal obligation to report breaches and the ODPA fully expects to see further increases as awareness continues to grow.

Most incidents were low-level with no further action required. However, the ODPA has a heavy caseload of ongoing investigations, and a number of the recent breaches will be subject to further enquiry.

The Bailiwick’s Data Protection Commissioner, Emma Martins, cautioned against looking at the breach statistics in isolation.

‘Whilst it appears on face value that the healthcare sector is disproportionately responsible for more breaches, the reality is much more complex. This sector routinely deals with significant amounts of sensitive ‘special category’ personal data, so more of their breaches are likely to meet the severity criteria at which there is a legal obligation to report to us. That, combined with the fact that certain healthcare providers are taking what we consider to be the enlightened approach of choosing to report all breaches to us, means that we see a high number of healthcare data breaches in the statistics. Organisations within other sectors, such as certain public authorities assess all incidents and only report medium-to-high level personal data breaches to us. This gives the appearance that these sectors are experiencing fewer breaches.’

Mrs Martins also emphasised that organisations who report are positively engaged with their legal obligations to protect people’s data.

‘Whilst no-one wants to see breaches, the reality is they are happening all the time. We would be more concerned if no reports were received as that would indicate a lack of compliance with the law as well as a lack of trust and confidence in our office by the regulated community.’

All organisations are encouraged to take a proactive approach to their breach reporting obligations in the knowledge that this will assist them in understanding and managing their own risk, as well as providing the ODPA with valuable information to support its work.

This release is part of the bi-monthly breach report statistics the ODPA have been releasing since June 2018.

Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.













1 March: Update on Brexit and data protection 

On 1 February 2019, the States of Deliberation approved the Data Protection (Authorised Jurisdiction) (Bailiwick of Guernsey) Ordinance, 2019.

This Ordinance recognises the UK as a ‘designated jurisdiction’ which means that data transfers from the Bailiwick to the UK can continue once the UK has left the EU. With so much still unknown about what form Brexit will take, this Ordinance alleviates concern that existing data transfers to the UK could be adversely impacted by the UK’s EU departure causing knock-on problems for local organisations.

The Ordinance, which will come into effect on the day the UK leaves the EU regardless of whether the departure is managed under some form of transition arrangement or not, has within it an expiry date of 31 December 2020. The Bailiwick is aware that the UK will be applying for ‘adequacy‘ under the GDPR as soon as it is able to as it is key for ensuring data flows from EU Member States, hence the decision to include an expiry date. Furthermore, the States of Deliberation agreed that should the European Commission rule on the UK’s adequacy before the expiry of the Ordinance, it would be revoked.

We are pleased to have played a role in this pragmatic approach to data transfers that provides a degree of certainty to local businesses in relation to existing transfers. We would like to thank the policy and drafting team and the Committee for Home Affairs for bringing the Ordinance to fruition and the States for their recognition of the need to provide a firm way forward.

Read: Leaving the EU: the data protection implications of a Hard Brexit for UK businesses with EU data flows and clients 

13 Feb: Emma Martins’ speech to the NED Forum

The Bailiwick of Guernsey’s Data Protection Commissioner, Emma Martins, gave a speech at a Non-Executive Director Forum event on 13 February 2019. Emma summarised why it is essential that all board members engage with their organisation’s data protection commitments in the same way that they would approach any other area of corporate governance:

“After headline grabbing fines and looming deadlines of 2018, there can be few boards and board members that are not aware of GDPR and our local equivalent legislation, The Data Protection (Bailiwick of Guernsey) Law, 2017.

The role played by the board and by individual board members is absolutely critical if organisations are to get this right.

Strong board members have, traditionally, had to demonstrate financial and commercial acumen. That is, of course, still the case, but in this data-driven era the role has become so much broader. Governance is key to success and governance now, without question, encompasses the handling of data.

As a starting point you should know what your organisation is up to in terms of data.

You must know:

  • what data your organisation is responsible for
  • where the data is sourced from
  • what the legal basis is for the processing
  • what role data plays in your organisation’s business processes
  • where your organisation’s data is located
  • who else may have access to it

You also need to have a good understanding of risk because data has become so intrinsic to all business activity, regardless of sector. If your data is compromised, you have a problem – operationally, reputationally and economically.

So one of the important processes that you need to ensure is in place and ensure everyone is aware of is a data breach response plan – regardless of the size, or nature of your business.


This is a very basic illustration of steps and you will need to tailor them to your own organisations.

The mapping of your data processes and an understanding of the technical and operational activities as well as having a plan for when things go wrong are crucial, but so too is culture.

When talking about a culture, one of the most important and influential aspects has got to be the tone at the top. Whether you like it or not, how you approach data governance, how you respond and, engage with the compliance requirements will determine how the rest of your staff do too – both positively and negatively.

If you want to create a positive culture around how data protection is handled in the organisations you are responsible for, my advice is:

Get to know your data protection officer (DPO)
If your organisation has a DPO, get to know them. Even if you do not have a DPO, there should be someone who is responsible for this area of the business and compliance. Find out who that is.

Take an interest in what they are doing and remember that they are autonomous and should have a direct line of communication with the board.

Use your DPO’s knowledge and professional expertise to improve your own knowledge and understanding.

Meet and talk with them regularly – both formally and informally.

Support them and make sure their voice is heard at the top of the organisation and amongst all staff.

Encourage and allow constructive challenge

You are an ambassador for your organisation and how you communicate both internally and externally really does matter.

Always be mindful of the significance of C-suite level communications and attitudes.

Fines have grabbed attention but this is not just about fines. Resourcing good data governance means supporting your DPO and all staff in their personal training and development.

Data security should be on the risk register of all organisations and appropriate investment is important in this key area.

You should ensure that an ongoing governance programme and framework for data protection compliance is in place. This should be reflected in the organisation’s policies and procedures and staff need to be updated.

Personal behaviour
Talk the talk and walk the walk.

Make sure that you align your own practices with company policies and procedures and general good governance principles.

Show leadership and lead from the front, staff need to value and trust you.

Above and beyond law, ethics matters and will increasingly become a market and commercial differentiator. Doing the right thing is increasingly important in all areas of our lives. How organisations engage with their legal and ethical responsibilities when handling data will determine their economic and reputational health in fundamental ways. Taking short cuts may feel beneficial in the short term but this approach will come back to haunt you. Consumers and citizens are demanding more transparency, accountability and ethics from businesses. Those that deliver on those demands have the opportunity to take the best advantage of the opportunities that present themselves in this data-driven era.”

Official statement: verdict on recent data breach case

We would like to make the following statement regarding the recent verdict in the data breach case involving a former States of Guernsey employee accessing confidential patient records:

‘As the local data protection regulator, we have been following this case carefully. We await the opportunity to review the judgement in detail which will allow us to consider what steps, if any, may now be appropriate from a regulatory perspective. We would like to emphasise that this matter was dealt with under The Data Protection (Bailiwick of Guernsey) Law, 2001, which was repealed in May 2018 and replaced by The Data Protection (Bailiwick of Guernsey) Law, 2017 which provides increased statutory obligations for both organisations and individuals, as well as more comprehensive enforcement powers.’

It is an opportune moment to remind everyone handling personal data of the importance of committing to, and investing in, high standards of compliance. Failing to do so risks undermining trust and confidence in a very serious way.

Please contact us if you have any questions.

2 Feb: Digital ACE

(Sat 2 February, 12:00 – 17:00, Beau Sejour)

Come along to our stand at Digital ACE event ‘Empower’ zone to talk to our staff about the human stories at the heart of data protection. Our Deputy Commissioner Rachel Masterton, our Operations & Compliance Manager Lawrence West, and our Communications Manager Leanne Archer will be on our stand.

You can also find out why you should care about data protection (hint: it’s about protecting you)

We would also like to draw attention to website – this is provided by UK Safer Internet Centre and operated by SWGfL. It allows you to report harmful content you see online, such as:

  1. Online abuse
  2. Bullying or Harassment
  3. Threats
  4. Impersonation
  5. Unwanted Sexual Advances (not image-based)
  6. Violent content
  7. Self-Harm or Suicide content
  8. Pornographic content

Also, SWGfL are launching a child-safe internet browser called Swiggle. This browser is aimed at 7-11 year olds, and is to be used alongside adult-supervision. It allows young people to safely search for educational content online.

If you cannot attend Digital ACE and you have questions please contact us.


31 January: Update on Brexit and data protection

Following events in the UK Parliament earlier this week, the States of Deliberation are due to consider a draft ordinance that would designate the UK as an authorised jurisdiction under our local data protection legislation. Building on the foresight of the drafting team behind the Data Protection (Bailiwick of Guernsey) Law, 2017, this designation will mean that transfers of personal data to the UK by locally based organisations can continue after Brexit.

This covering paper and associated draft Ordinance, prepared by the Committee for Home Affairs, explains that this designation will remain in place until the end of December 2020 or until the European Commission has made a judgement as to the adequacy (or otherwise) of the UK’s data protection regime (whichever is the earlier).  This move is intended to provide some assurances to local organisations who transfer personal data to the UK as part of their day-to-day business and to remove the need to implement alternatives safeguards to protect personal data dispatched to the UK’s shores, balancing the Bailiwick’s need to trade with the UK against its desire to maintain adequacy and the benefits to Bailiwick businesses that that brings.  This approach has been taken underpinned by confidence in the UK’s expressed intention to maintain GDPR complaint legislation and to seek an adequacy finding by the European Commission as soon as possible once it becomes a third country.

The ODPA would like to thank the Committee for Home Affairs and the team behind the paper and associated legislation for their pragmatic solution to the uncertainty that Brexit has caused in relation to data transfers and encourages organisations with any questions to get in touch.

19 December: update on Brexit and data protection
Data protection implications of Brexit for the Bailiwick
Leaving the EU: the data protection implications of a Hard Brexit for UK businesses with EU data flows and clients‘ (May 2018 document)