The Implementation of GDPR in Jersey – six months on

It has now been six months since the implementation of the new Data Protection (Jersey) Law 2018 came into force, incorporating the new European Data Protection Regulation (GDPR). This new initiative brings data protection into the twenty first century with provisions to address some of the challenges that rapidly advancing information technology. It replaces the previous generation of data protection regulation that emerged during the age of paper.

Now technological advancements, including the introduction of social media, have expanded our ability to collect, use, analyse and disclose personal data. This has improved services to individuals and reduced costs but has also created new risks to privacy. Breaches are becoming larger, more frequent and more harmful.

GDPR places new responsibilities on business, including transparency around the management of personal data, and gives new rights to individuals. Businesses must document their data management practices and many must appoint a Data Protection Officer. Businesses must also report data breaches to the Jersey Office of the Information Commissioner (JOIC), whenever there is the potential for harm to the data subjects. They must respond to requests for correction and deletion of personal data, as well as requests to transfer their data to other businesses.

In the two years since the European Commission announced GDPR, there was a great level of awareness and preparation by businesses in Jersey. A new industry in data consultancy emerged to assist business in preparing to comply with the new rules. The JOIC provided advice and direction and fielded a large number of enquiries.

Since 25 May, however, there has been less public attention and fewer calls from businesses. This might be an indication that all businesses are confident about their level of compliance.  However, compliance with GDPR is not a one-time event. It is an ongoing process. After businesses establish policies and procedures train their employees, they should check and confirm that everyone is complying with those requirements, at least annually.

The workload of the JOIC has grown since 2017. Complaints have doubled and self-reported breach notifications have increased considerably. Some of the breaches reported do not meet the threshold for harm that requires reporting. Nevertheless, there is no harm in reporting minor breaches. It increases our knowledge and enables us to assist businesses in responding to them.

Our greatest challenge is building the capacity of the JOIC to meet its new responsibilities. In addition to dealing with a growing number of complaints, we must expand our public education programme and develop implementation tools to assist businesses. We must move into larger office space and develop a new funding model, along the lines of other independent regulators, like the Jersey Financial Services Commission and the Channel Islands Financial Ombudsman. For JOIC to be credible in the eyes of the public, it needs to be financially and administratively independent of the States of Jersey. The Law created a Jersey Data Protection Authority, with an independent board that provides a new model of governance, oversight and accountability separate from the States. Once we have the space to grow, we will be able to recruit the employees necessary to fulfil our mandate.

JOIC needs to be an independent and effective data protection regulator to ensure that businesses continue to enjoy unimpeded access to cross border flows of personal data from Europe. GDPR prevents cross border flows to non-member states that do not have an adequate level of data protection. The European Commission gave Jersey adequacy standing under the previous data protection regime, and that status will continue temporarily under the new regime. However, Jersey will be subject to a new adequacy assessment soon, and it is important for businesses that it is successful. Businesses can help by complying with the Law and providing the highest level of data protection.

The prospect of a No Deal Brexit also poses a serious challenge to Jersey businesses. Without a deal, the United Kingdom would become upon leaving the EU a third country without an adequacy designation. This means the free flow of personal data from Europe would end, requiring the development of new administrative mechanisms to permit some of the data to flow. It would also mean that, under the Jersey Law, businesses would no longer be able to transfer data freely to the United Kingdom, without new contractual provisions, binding corporate rules or obtaining the consent of data subjects. Having to deal with this type of red tape would be bad for business.

Going forward, JOIC will strive to be a partner in compliance with Jersey businesses in a way that respects our independence. Our goal will be to provide the highest level of data protection for the people of Jersey in a way that promotes their economic interests. I encourage any business that has questions about data protection to contact the JOIC.