Data Protection and GDPR

What is the General Data Protection Regulation (GDPR)?

For those of you who are not aware by now, an EU Regulation came into effect on 25 May 2018 which Jersey businesses will need to comply with if they wish to do or continue to do business with EU citizens that use their services or buy their goods.

In addition, Jersey passed a law in broadly similar terms to the EU Regulation and so all Jersey businesses will need to comply, whether or not they have customers in Europe.

What does GDPR change?

GDPR has similar core rules to existing legislation and continues to deal only with personal data.

The key new features are:

• A risk-based approach, with additional oversight and record keeping required of businesses.

• Greater individual rights which will include:

– The right to have all data erased from a business’ system and records.

– Reduced time for a business to respond to a request for access to the information it holds on an individual.

– The right for an individual to restrict the information a business holds about them and the need for them to give specific consent for certain types of information to be held.

• Children will be given greater protection regarding data held about them and the right to have information erased.

• Enhanced record keeping which businesses will be required to show the Information Commissioner to prove they’re monitoring their business appropriately.

• Compulsory breach reporting must be made within 72 hours of a business becoming aware of a breach. The current position is that a breach is only investigated if one of the parties involved makes a complaint to the Information Commissioner.

• Sanctions under GDPR for a breach will be high at 4% of the worldwide turnover of the business or €20m (approx £18 million) whichever is the higher figure. The Jersey law fine level is yet to be confirmed but is likely to be significant.

What essential steps should a business have taken to comply with the new law?

• Raise awareness and engagement at both senior and staff levels, including training;

• Risk assess and audit the way data is held and processed, both by the business and by others which hold its data (e.g. IT providers);

• “Spring-clean” the business’s data and remove or archive all data which should no longer be held;

• Update policies and procedures (including Staff Handbook and employee policies) to ensure compliance;

• Review whether an individual needs to give consent for a business to hold information about them and then obtain that consent;

• Assess whether it is necessary to appoint a Data Protection Officer for the business (the law specifies when this is necessary).

What can we do to help you?

We can help you through this process, advise on what needs to happen and when, help you draft your procedures, train your staff and give you practical advice on how to interpret the Law.

Get in touch