Actions we've taken

Openness, transparency and accountability are important in all aspects of legal and regulatory action.

Our Strategic Plan sets out our regulatory focus:

We believe that we can be an effective regulator by ensuring we take action in four areas in relation to data harms:

  1. Predict

    Intelligence gathered from our 'detect' and 'enforce' helps us predict where the potential for harm is.

  2. Prevent

    Knowing where there is potential for harm allows us to raise awareness and empower citizens to try to prevent harms from happening. We do this awareness-raising via

  3. Detect

    When data harms have occurred we must have effective mechanisms for individuals affected to make a formal complaint about an organisation, and we must have a mechanism that allows controllers/processors to report a data breach to us.

  4. Enforce

    Enforcement action is the last resort, and cannot undo the harm that has occurred. Where we find that an organisation has not complied with their statutory obligations, our findings will be made public here on this page* as this allows other organisations to learn from what went wrong.

    * unless to do so would cause further harm to the complainants

    There are four sanctions available under the Law: Reprimand, Warning, Enforcement Order, and Administrative Fine. The chart below shows sanctions issued by the Authority since 2019:

REPRIMAND = A formal recognition that an organisation has breached the Law in some way.
WARNING = A formal signal to an organisation to not proceed with certain proposed action as it is likely to breach the Law if it goes ahead.
ENFORCEMENT ORDER = An instruction that compels an organisation to take specific action to address shortcomings in specific areas of the Law.
ADMINISTRATIVE FINE = An order that compels an organisation to pay a financial penalty in recognition of harm caused by a specific breach of the Law.

Below is a list of public statements issued by the Authority under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017. Public statements are usually issued at the conclusion of an investigation or an inquiry but, where appropriate, can be issued to advise of the commencement of an investigation or inquiry or to confirm that a matter has been reported in accordance with the Law.