Anyone who is currently exempt from the legal requirement to register with the Office of the Data Protection Authority (ODPA) will now continue to be exempt until January 2021.
This means that any local entity (such as small businesses and sole traders) who currently meet the exemption criteria (find out what these are here) will not need to register with the ODPA until the beginning of 2021.
From 1 January 2021 all exemptions to registering with the ODPA will end, and any local entity doing anything with personal data will be legally obliged to register with the ODPA and pay a small annual fee that will contribute towards the ODPA’s operational costs.
The ODPA is an independent regulator and as such must be financially independent. It is working with the States of Guernsey towards agreeing a self-funding model which meets its operational costs mostly from annual fees paid by registered entities, rather than taxpayers.
It has taken longer than expected for the States of Guernsey and the ODPA to agree and implement a self-funding model. Because of this delay the Committee for Home Affairs will shortly be extending the current registration exemptions. They were due to end on 31 December this year, but will now continue until 31 December 2020.
Emma Martins, the Bailiwick’s Data Protection Commissioner commented on the extension.
‘For the past year we have been working hard to try to reach agreement with the States of Guernsey on how the ODPA’s operational activities are funded. Above all else, we want to ensure that we agree on a fair, low-cost, low-admin model that allows local businesses to concentrate their efforts on running their businesses well, rather than filling in bureaucratic forms. We continue to pursue that goal.’
Below are some Q&As around what this means for local businesses and other entities:
Q: I’m confused – what exactly does this mean for local organisations and other entities who process personal data?
A: If you are a currently registered entity, everything stays the same as it is now. Just carry on renewing your annual registration as you always have done. You will be automatically notified if anything changes.
A: If you are currently exempt from registration, you will continue to be exempt until January 2021. But please remember: you are only exempt from registration, you are not exempt from complying with the local data protection law. Access advice, guidance, and resources on compliance here.
Q: How do I know if I’m exempt or not?
A: The following three groups of entities are exempt from registration until January 2021:
- entities who only process data for accounts and record-keeping for core business purposes, for staff administration and to market their own goods or services;
- entities who only process data under instructions given by another entity;
- entities who have charity or not-for-profit
If you’re still not sure if any of the above exemptions apply to you, please read our guidance document: Exemptions to Registration.
Q: Why are the exemptions being extended?
A: It has taken longer than expected for The States of Guernsey and The Data Protection Authority to reach agreement on a self-funding model.
In November 2018 The Data Protection Authority and the Committee for Home Affairs submitted a joint proposal to the Policy & Resources Committee outlining an innovative, low-cost, low-admin, equitable self-funding model that would involve automatically tacking on a ‘data protection fee’ to Guernsey Registry’s annual validation process. The proposed fee was 10% of any given entity’s annual validation fee (i.e. £25 – £50 per entity, per year).
This model was supported by the Policy & Resources Committee, but the Committee for Economic Development could not support it.
All parties continue to work closely with the aim of developing a model that everyone can support, and that works for local businesses. Whilst the details of the model are being worked out it makes sense to maintain the status quo (i.e. keep exemptions in place) to minimise disruption to Bailiwick organisations.
Q: What is going to happen in January 2021?
A: On the 1 January 2021 (or perhaps earlier, if a workable self-funding model can be implemented) all exemptions to registration will cease. Any entity who is doing anything with personal data will be legally obliged to register with the ODPA for the first time. There is an annual fee associated with this registration, which each entity must pay. This annual fee goes toward funding the ODPA’s operational activity. It is not yet clear what the annual fee will be, but The Data Protection Authority would like it to be low (between £25-£50/year per entity).
Q: 1 January 2021 is a public holiday and my office will be closed. Do I need to register on that specific day?
A: No, you can register at any point in the normal working days leading up to 1 January 2021 if you wish. The ODPA are exploring the possibility of an amnesty period for the month of January 2021 to give local organisations more time to register, details on whether this is possible will be announced in due course.
Q: The ODPA annual registration fee is currently £50, will I have to pay more from 2021?
A: Hopefully not, but it’s not yet clear what the fee will be. What is clear is that The Data Protection Authority is committed to keeping the fee as low as possible in order to maintain the Bailiwick’s competitiveness as a place to set-up, and operate successful businesses. It is also committed to a fair, low-admin approach to collecting its fee.
Q: Why do I need to pay at all?
A: Anyone doing anything with personal data in the Bailiwick has a legal obligation under The Data Protection (Bailiwick of Guernsey), Law 2017 to pay an annual fee to the ODPA. This law also states that the ODPA must be self-funded, to allow itself to be independent of The States of Guernsey. This independence is essential as the ODPA regulates the States in the same way it regulates all other local entities.
Q: Why can’t the ODPA just fund itself by giving out large fines?
A: Any fines issued by The Data Protection Authority are payable to The States of Guernsey’s general revenue fund and are not used to fund the ODPA. To maintain its independence and neutrality the ODPA cannot be seen to be financially benefitting from any fines it issues: large or frequent fines could be misinterpreted as being based on a funding need rather than a levy for wrongdoing.
Q: How much funding is The States of Guernsey giving the ODPA for 2020?
A: £1.1 million has been requested to meet the ODPA’s 2020 operating costs. This will enable the ODPA to fulfil its statutory duties, and includes the cost of staff, premises, casework, public awareness activities, maintaining secure IT systems etc. The ODPA provides full financial information in its Annual Report (see all previous reports here).
Q: How much annual funding will The States of Guernsey give the ODPA from 2021 onwards?
A: This isn’t clear yet. Hopefully the ODPA will not have to rely too heavily on taxpayers’ money from 2021 as by then the self-funding model should be in place. However, the States are legally obliged to meet any shortfall between what the ODPA raises in fee income and what its operational budget is in any given year.
Q: What is personal data?
A: It is any information that relates to an identified or identifiable living person. Things like: your name, your address, your medical records, CCTV footage of you, your social media activity, your internet browsing history, what your boss once said in an email about you, your political views, your sexuality etc.
Q: What is ‘processing’ personal data?
A: ‘Processing’ refers to pretty much anything an entity* does with personal data. It includes activities like: collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data. Profiling is also considered to be processing.
*An ‘entity’ could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.
Q: What does the ODPA do?
A: The ODPA is the operational body that carries out the regulatory functions of the Law delegated by The Data Protection Authority. The ODPA records data breaches, investigates complaints, runs education programmes and examines proposed legislation and how it may affect individual privacy. The ODPA empowers individuals to exercise their rights, as well as supporting organisations to meet their compliance requirements and take action if they fall short.
Q: What happens next?
A: There is still some uncertainty as to when the self-funding model will be in place, and how this will affect local entities. The ODPA expects a decision on its self-funding model from The States of Guernsey by the end of 2019. It is committed to providing a workable lead-in-time and will provide regular updates through its website, newsletter and the usual media channels.
Please ensure you subscribe to the ODPA’s monthly newsletter so that you are kept up to date.
Below is an extract from Deputy Mary Lowe’s statement regarding the ODPA’s 2020 funding position: Statement by the President of the Committee for Home Affairs (Wednesday 16 October 2019)
“I move on to Data Protection[.]
As Members may be aware discussions are continuing with the Data Protection Authority and the Policy and Resources Committee to find the best way to introduce a universal annual data protection licence fee which is modest and unbureaucratic.
Apart from very small businesses and charities, most of those who will need to have a licence will be Guernsey registered companies. We therefore need to help business owners and managers to pay the fee with the minimum of fuss. We had explored the possibility of it becoming part and parcel of the annual validation process of the Company Registry but it became apparent from our colleagues at Economic Development that this could have unforeseen complications.
We have therefore moved to exploring an alternative which preserves the independence of the Company Registry but seamlessly allows company owners to continue, after having completed their Annual Validation, through to the Data Protection Office website to pay their licence fee, unless they declare they are exempt.
All this is taking time to develop and will probably require some legislation.
This does mean that for 2020 the States, as required under the Law, will have to continue to fund the Data Protection Authority from General Revenue as part of the budget.”