GDPR: One year to go

Print

WITH one year to go until the General Data Protection Regulation (GDPR) comes into force across the European Union (EU) on 25th May 2018, the Office of the Information Commissioner and Data Protection Commissioner is today launching a website, which will contain advice and guidance to help island businesses get to grips with the new legislation.

‘With one year to go I’m delighted that industry is talking about GDPR. I’ve spoken at dozens and dozens of briefings, seminars and other events over the past few months and am pleased to say that GDPR is certainly on the radar of the businesses I have spoken with – awareness is far greater than it was even six months ago,’ said Emma Martins, Data Protection Commissioner / Information Commissioner.

‘With 365 days to go we have launched a microsite which will become a useful portal for businesses looking for guidance. I urge islanders to keep an eye on this as we will be uploading information as it becomes available. I also want to give reassurance to businesses that GDPR is not a revolution, it’s an evolution of current data legislation, so if you’re compliant currently, you have a great base from which to work.

‘Local legislation is currently being drafted and both Jersey and Guernsey’s governments have committed to a harmonised approach to this,’ added Mrs Martins. ‘When this legislation is finalised we can then start to develop more detailed guidance. To date every island business has been sent general guidance on GDPR but we know we’ve got work to do to make sure businesses have access to specific guidance. We are working very hard behind the scenes to make sure that our office is ready for the changes.’

In order to be prepared, business can begin by ensuring they have a detailed understanding of the data they hold and how they process this. This underpins the accountability aspect of GDPR. Any effective data governance strategy has to begin with a comprehensive data audit, which can be obtained by answering the following key questions:

  • What personal data do you hold? Do you hold any special category data?
  • Where is it from and where is it sent?
  • Why is it processed? For what purpose?
  • How is the processing lawful and fair? Which of the conditions is met? Have you provided individuals with details about the processing of their data, including reference to the rights they have?

When it comes into force, the General Data Protection Regulation (GDPR) aims to strengthen data protection rights for individuals and harmonise compliance requirements for businesses. GDPR is set to be the largest change to the protection of personal data across Europe since the implementation, in 1995, of the EU Data Protection Directive, which is currently in force. At that time, and in response to the transfer controls on data exported from the EU, the Channel Islands implemented the Data Protection (Bailiwick of Guernsey) Law, 2001 and the Data Protection (Jersey) Law 2005 which ensured the continued free flow of data to the islands.

The Regulation will be overseen by the European Parliament, the European Council and the European Commission. The governments of Jersey and Guernsey, together with the Channel Islands Brussels Office, are working with the Commission, as well as key stakeholders, to ensure the islands are prepared for the changes and businesses are aware of their responsibilities and have time to prepare.

For more information, business can go to www.thinkgdpr.org