We are reminding all local entities to check whether they should be registered with us, ahead of some changes to our registration process.
If an entity is established in the Bailiwick of Guernsey, and is doing anything with personal data The Data Protection (Bailiwick of Guernsey) Law, 2017 (‘the Law’), requires them to register with the ODPA and pay a registration fee. This registration fee contributes to funding the ODPA’s activities.
There are three groups of entities currently exempt from registration:
- entities who only process data for accounts and record-keeping for core business purposes, for staff administration and to market their own goods or services;
- entities who only process data under instructions given by another entity;
- and entities who have charity or not-for-profit status.
These exemptions were due to end on 25 May 2019, but on 13 May 2019 The Committee for Home Affairs agreed to the extension of these exemptions until 31 December 2019. After that date all currently exempt entities will have to be registered with the ODPA.
If you currently benefit from an exemption you don’t have to do anything yet. More information will be provided later in the year to tell you what you will need to do.
The amount of information collected during the ODPA’s registration process will be scaled back considerably from 25 May 2019, meaning entities will no longer have to provide information about:
- the purposes they process personal data for;
- the types of personal data they process;
- the people whose personal data is processed;
- the organisations data is disclosed to;
- and where data is transferred to.
As a result it will be much more straightforward for entities to register, renew, or edit their information.
The new transparency requirements of the Law mean that entities themselves need to be much more open about the nature of their processing. This reduces the value of a public register that requires the submission and administration of the same information. The register will be removed from the ODPA’s website on 24 May 2019, but will continue to be administered internally by ODPA staff.
For entities who are already registered, when they renew their registration after 25 May it will be simpler and more straightforward. If an entity does not currently have a copy of their existing registration they can download or print their information from the ODPA’s register before 23 May. After 24 May the ‘search the register’ function of the ODPA website will be removed and entities will only be able to renew or amend their registrations. These changes mean that aspects of the ODPA’s systems will be down for one day on 24 May to allow the technical updates to be made.
The Bailiwick’s Data Protection Commissioner, Emma Martins, welcomed the developments.
‘We recognise that businesses want regulatory administration processes to be as straightforward as possible. We are continuing to think carefully about how best to support our regulated community and make compliance as simple as we can. We want their time to be spent looking after data well, not completing forms that do little to assist in overall compliance standards.’
From 2020 onwards, it is expected that a new reporting and funding model will be in place. Work is ongoing to devise a fair, simple, and innovative funding model, and more information on this will be available soon.
- When The Data Protection (Bailiwick of Guernsey) Law, 2017 came into force in May 2018 there were several complex areas that were given ‘transitional relief’. This means that organisations were given an additional year (the transition period) before they had to comply with those more complex aspects.
- Under the old (2001) Law controllers were required to ‘notify’ the Data Protection Commissioner (i.e. formally let them know via the ODPA online notification form) that they were processing personal data, and to provide certain details about this processing. During transition and following the introduction of the new Law, entities meeting certain conditions were exempt from this need to notify.
- Under the new 2017 Law, the ‘notification’ process is now known as ‘registration’.
- The term ‘entities’ in the context of this press release refers to any organisation or person who acts as a ‘controller’ of personal data, this means they are responsible for the decisions made about how they use personal data about staff, customers, suppliers, or any other people.