For those who’ve been on this journey for some years, this was a time to take a short breather, before steeling ourselves for the road ahead. GDPR is but one part of a regulatory wave sweeping Europe and beyond – ePrivacy, PSD2, MIFID2, NISD, 5th AML Directive, the list goes on. Data impacts so many areas of life (both private and professional) that it was always going to be impossible to effect change via one piece of legislation.
Many jurisdictions outside the EU have enacted new data protection legislation, aimed at achieving varying levels of equivalence with GDPR. Change is being driven on a global level.
Guernsey, Jersey and the Isle of Man have all enacted new laws to ensure they maintain “adequacy” (the European Commission decision which enables the free flow of information between jurisdictions deemed to have equivalent levels of protection for personal data). This is vital to protecting the islands’ economic position, but is also a key element of the continuing focus on being “well regulated”. Trust is a vital part of today’s digital economy, and being at the cutting edge of this area of regulation will stand us in good stead for years to come.
The new regime is an evolution, rather than a revolution, but for those who were not fully aware of their duties under the previous regime, stiffer challenges lie ahead. Both Guernsey and Jersey have new regulatory bodies (albeit that a number of the “faces” will look familiar to islanders), but the message is very much “business as usual”.
For example, the members of Guernsey’s new Data Protection Authority focused on opportunity, collaboration and innovation at their launch event – using nimble regulation to lead from the front, to educate and collaborate. Enforcement is seen as a last resort, or as an appropriate response to repeated or deliberate infringements.
Demonstrating that you have a plan in place and are working to mitigate the core risks is much less likely to lead to sanctions. In a world where fresh guidance appears regularly, showing you have “a clue” as opposed to “no clue” and that you are adapting your culture is a good place to be.
That message will provide some comfort to businesses, as will the limited domestic transitional provisions which extend the deadline for compliance with certain areas of the new laws until May 2019.
Maintaining adequacy is clearly crucial. The message from Europe is positive in that regard. The efforts of the Crown Dependencies have been noted and each will retain adequacy, at least for the time being. The guidance on adequacy should not give us cause for concern, but we must accept that the concept of “adequacy” is under review by the European Commission and maintain focus on it.
Transparency is a key component of both GDPR and the regulators’ approach, and that theme flows through the new domestic laws. If you identify a problem, work to rectify it and/or take advice – do not wait for the regulator to uncover it.
Similarly, be transparent with customers – consider what data you collect and why, review the lawful basis for processing and make sure you’ve informed customers about your use of their data. Not only is this an opportunity to build relationships with your customers, but as we have seen from the deluge of (frequently unnecessary) “consent” emails, getting it wrong can lose you business.
The next step of the journey begins now; it is similar to reaching the start line of a marathon. We are working with clients and industry partners to develop best practice and shape the debate for the future, when AI and robotics will redefine “well regulated”. The time for a “breather” is over; the race has just begun.