Organisations are increasingly reliant upon data. If you have information about people, you will need to understand the compliance requirements that apply to you. Find out more about how to ensure high standards of data handling practices because treating people’s information properly benefits your business.
Guidance published on this website has been issued in accordance with section 61(1) of The Data Protection (Bailiwick of Guernsey) Law, 2017 ('the Law'). Unless specified otherwise, the guidance relates to both the Law and The Data Protection (Law Enforcement and Related Matters) (Bailiwick of Guernsey) Ordinance, 2018.
This guidance is not to be considered legal advice.
Accountability and Governance
The Law includes provisions that promote accountability and governance. These complement the Law’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection compliance, the Law’s emphasis elevates their significance.
Artificial intelligence
As artificial intelligence (AI) systems advance and play an increasingly significant role in various sectors, it is essential to understand how data protection law applies to the use of personal data within AI systems.
CCTV
Closed Circuit Television (CCTV) is used extensively throughout the Bailiwick of Guernsey. Read our guidance to ensure your CCTV use is in accordance with local data protection law.
Consent
Consent is one of the most misunderstood aspects of data protection law - read our simple guidance to find out what it really means.
Cyber security checklist
With cyber attacks on the rise and phishing attempts ever more sophisticated, here are some recommended actions you can take to keep your organisation’s data safe.
Data Audits
The Law allows the ODPA to conduct data protection audits. All organisations who handle data should consider conducting their own internal audits at regular intervals.
Data collection
Read our simple guide that helps you collect personal data from individuals in a way that complies with the data protection law's principles.
Data Ethics
Data protection legislation has an important ethical dimension. Find out more about how we work to incorporate conversations about ethics into our own approach as well as more broadly for the regulated community.
Data sharing
Read our simple guidance to find out how to share information about people in an appropriate and lawful way.
Data Processing or Privacy Notices
When you collect personal data from anyone, whether online or offline, you need to ensure that you provide detailed information about how their data is going to be handled. Data Processing and Privacy notices need to be clear and relevant.
Data protection by design and default
Section 32 of the Law requires data controllers to establish and carry out proportionate technical and organisational measures to effectively comply with the seven data protection principles.
Data protection in employment
If you employ people you will be using information about them (‘personal data’) to make decisions and manage the employment relationship.
Data Protection Officers (DPOs)
Properly supported DPOs can add a huge amount to any organisation’s compliance standards. For some organisations, there will be a legal requirement to have a DPO. Find out more about this important role here.
Data Subject Access Requests
Individuals (aka ‘data subjects’) are at the heart of data protection legislation. One of the most commonly used rights exercised by individuals is the right of access (also sometimes referred to as a ‘subject access request’ (‘SAR’), or ‘data subject access request’ (‘DSAR’)).
Direct marketing
Read our guidance to find out how to ensure your direct marketing adheres to local data protection law and related privacy legislation.
DPIA
Data Protection Impact Assessments (DPIAs) are an important compliance tool when you are embarking on new processing or making changes to existing processes. In some cases it will be a legal requirement.
Engaging processors
Read our detailed guidance to help you comply with the Law when you are using third parties to do certain tasks with people’s data.
Exemptions
There are many exemptions and exceptions in the Law available to controllers/processors. Below is a technical update on these and how they might be applied.
Handling Data
Whether you are handling a small or large volume of data, you need to understand the steps that must be taken to ensure compliance.
Handling Data Breaches
You may be required to report a data breach to us. Find out about your responsibilities and how to put in place an effective breach response strategy for your organisation.
Information sharing in health emergencies at work
Read our guidance to understand the importance of quickly sharing necessary and proportionate information about an employee experiencing a health emergency.
Law Enforcement Ordinance
Key information to support those who are using personal data for law enforcement purposes.
Lawful processing conditions for personal data
Before you start to collect or use people's data, you need to identify and document a 'lawful processing condition' (or 'lawful basis') that you can rely on. Doing this is part of your obligation under the 'lawfulness, fairness & transparency' principle.
Lawful processing conditions for special category data
'Special category data' is a sub-set of 'personal data' which is considered more sensitive, and therefore needs greater protection around its use.
Registration
If you work with data about or related to identified (or identifiable) living people you are legally obliged to maintain an annual registration with us.
Section 16 (other individual's data)
Read a step-by-step guide to applying Section 16 of the Law to respond to an individual’s ‘data subject access request’ in the specific circumstances where the information the individual is requesting includes information about other people.
The Seven Data Protection Principles
The data protection principles sit at the core of the compliance requirements of the Law. They set out how personal data must be handled, ensuring that individuals’ rights are respected. Learn more about the principles and how they are applied.
Statutory referrals to the ODPA
There are a number of specific areas in the Law that provide for the Authority to be consulted, give approval or accreditation in certain limited circumstances. Some of these areas will be developed further in the months and years ahead and if you have any questions, please do get in touch.
Templates
Data protection compliance will look different for different organisations and it does not lend itself well to a tick box approach. Templates should be used as part of a wider governance programme and will need to be adapted for your own organisation’s needs.
Transferring people’s data outside the Bailiwick
If you are based in the Bailiwick of Guernsey and process data about, or related to, people you need to be aware of your legal obligations under the Data Protection (Bailiwick of Guernsey) Law, 2017 including if you are considering transferring any data outside of the Bailiwick.