The data protection principles sit at the core of the compliance requirements of the Law. They set out how personal data must be handled, ensuring that individuals' rights are respected. Learn more about the principles and how they are applied.
If you work with data about or related to identified (or identifiable) living people you are legally obliged to maintain an annual registration with us.
Whether you are handling a small or large volume of data, you need to understand the steps that must be taken to ensure compliance.
The Law allows the ODPA to conduct data protection audits. All organisations who handle data should consider conducting their own internal audits at regular intervals.
When you collect personal data from anyone, whether online or offline, you need to ensure that you provide detailed information about how their data is going to be handled. Data Processing and Privacy notices need to be clear and relevant.
Before you start to collect or use people's data, you need to identify and document a 'lawful processing condition' (or 'lawful basis') that you can rely on. Doing this is part of your obligation under the 'lawfulness, fairness & transparency' principle.
You may be required to report a data breach to us. Find out about your responsibilities and how to put in place an effective breach response strategy for your organisation.
Data protection legislation has an important ethical dimension. Find out more about how we work to incorporate conversations about ethics into our own approach as well as more broadly for the regulated community.
If you employ people you will be using information about them (‘personal data’) to make decisions and manage the employment relationship.
With cyber attacks on the rise and phishing attempts ever more sophisticated, here are some recommended actions you can take to keep your organisation’s data safe:
Properly supported DPOs can add a huge amount to any organisation’s compliance standards. For some organisations, there will be a legal requirement to have a DPO. Find out more about this important role here. If you are a DPO we would encourage you to browse our information hub.
Data Protection Impact Assessments (DPIAs) are an important compliance tool when you are embarking on new processing or making changes to existing processes. In some cases it will be a legal requirement.
Data protection compliance will look different for different organisations and it does not lend itself well to a tick box approach. Templates should be used as part of a wider governance programme and will need to be adapted for your own organisation’s needs.
There are a number of specific areas in the Law that provide for the Authority to be consulted, give approval or accreditation in certain limited circumstances. Some of these areas will be developed further in the months and years ahead and if you have any questions, please do get in touch.
If you are based in the Bailiwick of Guernsey and use data about, or related to, people you need to be aware of legal issues surrounding transferring that data outside of the Bailiwick.
Find information specific to your sector here, including tools to help raise awareness and engagement.
There are many exemptions and exceptions within the Law available to controllers/processors. Below is a technical update on these and how they might be applied.