While all the media’s attention in the last six months has been lavished on Brexit and President Trump, there’s one particular news story that is still not getting a huge amount of attention but which is going to affect businesses across Jersey - regardless of the UK’s position within the EU and regardless of US foreign policy - sooner than you might think.
The General Data Protection Regulation (the GDPR) is an EU-wide reform of privacy and data protection legislation that is due to take effect from 25 May 2018. It is a major update of Europe's data privacy laws that has been born from the era of Big Data and mobile technology. At its heart, the GDPR is about:
- Giving new rights for members of the public to control their data (including the much-discussed “Right to be Forgotten”);
- Imposing new and enhanced responsibilities on companies and other organisations for safeguarding the data they process; harmonising standards across the EU and beyond to help create a “single digital market”.
From our perspective here in Jersey, the "beyond" element is critical for two reasons:
- The EU reforms are wide-ranging – they affect not just European countries, regulators and governments but any firms who want to trade into the EU, setting out key standards for the collection, retention and use of data. Because the changes to the law effectively spread beyond the borders of the EU, they are going to have an impact on businesses here in Jersey.
- In addition, our existing data protection legislation – the Data Protection (Jersey) Law 2005 - is based on the 1998 UK Data Protection Act. This means our law effectively predates the widespread use of smartphones and social media, and 20 years of increasingly rapid and fundamental changes in the way we live and do business. Legislation in the island will therefore need to be updated to align with the GDPR so that Jersey can maintain its “adequacy” status – formal recognition that our laws here match the reformed legislation and higher standards in the EU.
Jersey’s regulator – the Information Commissioner – has already warned that any failure to adequately prioritise and resource the necessary preparation for the GDPR reforms could have a seriously detrimental effect on the island’s financial and digital sectors, both of which rely on seamless and rapid flows of information across jurisdictional borders.
Among the changes brought about by the GDPR which are likely to affect Jersey’s business community are:
- New criteria for obtaining consent to process personal data – under the GDPR, the consent of an individual must be freely given, specific, informed and unambiguous, so simple “opt-out” mechanisms will no longer be sufficient, and silence or inactivity cannot be taken to demonstrate consent.
- A “right to be forgotten” which will enable individuals to demand the deletion of their data.
- New protection for children, requiring parental consent before their personal information can be processed.
- Mandatory requirements for firms to notify national regulators, typically within 72 hours, if they are hacked and, where high-risk breaches take place, to notify the individuals concerned.
- A new requirement for many businesses to employ appropriately-qualified Data Protection officers, responsible for ensuring data protection compliance.
- The potential for fines of up to 20 million euro – almost £16 million – or 4% of global annual turnover for serious contraventions of the rules.
That final bullet point underlines the seriousness of the reforms. However unlikely it may be for a fine to be levied for a “first offence” or a minor breach, the law allows for punitive fines for a reason – this is something that the EU is taking very seriously indeed.
So what should organisations in Jersey be doing?
Fundamentally, you need to ensure that your business is compliant with the new regulations when they come into force in May 2018. That means starting work now - not in a year's time – to:
- Assess how the GDPR will affect you
- Decide what changes you need to make to ensure compliance
- Resource and implement those changes in line with published guidance
- Take steps to ensure you can document and demonstrate compliance
It is particularly important to bear in mind that the GDPR is based on the concept of data protection “by design” - simply put, this means that data privacy risk and compliance needs to be “built in” to all your systems, processes and procedures right across your organisation. Working to ensure you are ready for May 2018 will not just be an IT project; it will require accountability and engagement from Board level down through all levels of the business to achieve these objectives.
If your organisation has not yet started to engage seriously with the GDPR reforms, you are almost certainly behind at least some of your competitors. But speed and competitive edge are not really what is at stake here: compliance is what matters. Take it seriously and do it right.
For help with preparing for GDPR, please contact Sara Johns (Partner) or another member of the Ogier data team.