Progressive approach to GDPR could benefit Guernsey

31 March 2017

The advent of the EU’s General Data Protection Regulation is putting business on high alert. Much work needs to be done, but Richard Field and Mark Dunster of law firm Carey Olsen believe that the island is generally preparing well.

The EU’s General Data Protection Regulation provides Guernsey with the opportunity to underpin its position at the front end of the regulatory curve.

The island can build on its reputation for being a reliable and secure jurisdiction in which to do business, and can capitalise on its third-country status with Europe by being ahead of the GDPR game.

Richard Field, counsel to the dispute resolution and litigation team at Carey Olsen, said there was no need for Guernsey businesses to panic, providing they invest sufficient time and resource now to consider the impact of GDPR on their operations.

Work has begun on drafting a Guernsey law which will be broadly equivalent to the EU Regulation. This is designed to assist in maintaining its current adequacy status, based on an earlier European Commission decision.

Adequacy allows for data flows between the island and Europe with minimal barriers. The local law will be drafted with input from an industry working party and taking on board feedback from businesses.

“As a non-EU country GDPR isn’t automatically part of our law, but even if we don’t have our own legislation, a lot of business here will still be caught by GDPR. Our approach in adopting similar legislation can be a positive for Guernsey and the Channel Islands,” Advocate Field said.

“The feeling is that we are ahead of many European countries in terms of our preparations. We engaged with the EU from a very early stage, they can see we are making progress and we have had positive feedback.”

Partner Mark Dunster added: “The future of regulatory standards across Europe is uncertain, so we want to be at the front of the queue to maintain adequacy and keep our good reputation.”

He said that uncertainties around Brexit could encourage businesses outside the island, wanting to trade with Europe, to establish structures locally, using the island’s long-standing third country relationship.

“The island has long been somewhere where we pride ourselves at being at the top end of the regulatory track,” he added. “People can rely on us for secure transactions and good standards of business.”

GDPR legislation will apply to anybody doing business in Europe which involves processing or holding people’s personal data, or profiling them, for example when a website offers a product based on a customer’s previous shopping habits.

It potentially affects all businesses.

The bigger risks will involve businesses transferring data internationally, or where highly sensitive or important data such as medical records or bank details are held.

“There’s a seismic shift in how personal data is treated,” said Advocate Dunster. “GDPR will involve more thought about what you are doing with the data, where you are storing it and who gets access to it.”

Advocate Field added: “If you are not thinking about GDPR already, you really ought to now. Businesses will need guidance on both the legal and technology fronts. We have a team of experts and are happy to work with businesses to prepare and put them in touch with other providers if the issue requires a technology solution.

“GDPR requires collaborative working across sectors to ensure Guernsey remains adequate. As a member of the working party, I’m also keen to hear of any issues so we can take these into account and feed them back to government.”

Advocate Dunster said: “While it’s not necessarily time to panic, it is definitely time to think about it and work out how you are going to approach it.”

The original version of this article was published in the Guernsey Press’ Q1 Business Review, March 2017.

Download Find a related practitioner