Data protection law turns one year old


TWELVE months on from the introduction of new data protection legislation, the Office of the Data Protection Authority (ODPA) is focused on ensuring Islanders’ rights are protected.

25 May 2019 marks the first anniversary of The Data Protection (Bailiwick of Guernsey) Law, 2017, and also the end of ‘transitional relief’, the grace period permitted for certain aspects of the law that did not come into force last year. The new law is now in full force and gives local citizens ten rights. Citizens gain the new right to data portability from 25 May 2019, which makes it much easier to move personal data from one organisation to another.

The Data Protection Authority (L-R): Simon Entwistle, Jennifer Strachan, Richard Thomas CBE, Emma Martins, Chris Docksey, John Curran. Authority member, Mark Lempriere, is not pictured.

Emma Martins, the Bailiwick’s Data Protection Commissioner, commented on the cultural shift that has moved data protection into the mainstream.

‘A year on from the frenzied build-up to GDPR, it feels good to be well on the path towards a more thoughtful approach to compliance with our regulated community. We are encouraged to see more organisations moving towards a state of enlightened compliance, where they understand and believe in the object of our local data protection law. This approach leads to much better outcomes for everyone, transforming compliance from a box-ticking exercise, to an environment that puts the human beings whose rights are at the heart of the legislation centre stage.’

The ODPA’s mission is to provide effective data protection regulation – independently from government – and ensure high standards of data protection in the community. This is achieved through education and information, preventing poor handling of personal data and taking appropriate enforcement action where necessary against non-compliance. This mission aims to benefit individuals, organisations, and society as a whole.

‘How we use our regulatory powers fundamentally affects the nature and quality of compliance, so we operate with appropriate governance mechanisms, and the highest standards of ethics embedded into everything we do. We know that our effectiveness as a regulator plays a major role in ensuring data protection standards are met in our regulated community. We are lucky to have a positive relationship with our regulated community, and we appreciate the trust they place in us,’ added Mrs Martins.

The ODPA has been running a series of events, including fortnightly drop-in sessions, public and industry consultations on its future events programme, published guidance literature and also provided speakers at industry seminars.


Object of The Data Protection (Bailiwick of Guernsey) Law, 2017

The Law exists to:

  1. protect the rights of individuals in relation to their personal data, and provide for the free movement of personal data, in a manner equivalent to the GDPR and the Law Enforcement Directive, and
  2. make other provisions considered appropriate in relation to the processing of personal data.

Citizens’ rights

Citizens have the following 10 rights under The Data Protection (Bailiwick of Guernsey) Law, 2017:

  1. Right to information for personal data collected from data subject
  2. Right of access
  3. Right to object to processing for direct marketing purposes
  4. Right to object to processing on grounds of public interest
  5. Right to object to processing for historical or scientific purposes
  6. Right to rectification
  7. Right to erasure
  8. Right to restriction of processing
  9. Right not to be subject to decisions based on automated processing
  10. Right to data portability (can be exercised from 25 May 2019)

The ODPA’s five strategic objectives for 2019-2022 are:

  1. To develop the ODPA’s capabilities to deliver on their enhanced statutory duties.
  2. To be a relevant, responsive and effective regulator
  3. To support organisations in delivering their obligations and empower individuals to exercise their rights.
  4. To develop and maintain effective relationships.
  5. To elevate discussions around the protection of data to engage the community and individuals in a relevant and positive way, recognising the personal, social, and economic opportunities and threats that the data economy poses.