Guidance

As artificial intelligence (AI) systems advance and play an increasingly significant role in various sectors, it is essential to understand how data protection law applies to the use of personal data within AI systems.

Closed Circuit Television (CCTV) is used extensively throughout the Bailiwick of Guernsey. Read our guidance to ensure your CCTV use is in accordance with local data protection law.

Find information specific to your sector here, including tools to help raise awareness and engagement.

Consent is one of the most misunderstood aspects of data protection law - read our simple guidance to find out what it really means.

With cyber attacks on the rise and phishing attempts ever more sophisticated, here are some recommended actions you can take to keep your organisation’s data safe:

Individuals (aka ‘data subjects’) are at the heart of data protection legislation. One of the most commonly used rights exercised by individuals is the right of access (also sometimes referred to as a ‘subject access request’ (SAR), or ‘data subject access request’ (‘DSAR’).

When you collect personal data from anyone, whether online or offline, you need to ensure that you provide detailed information about how their data is going to be handled. Data Processing and Privacy notices need to be clear and relevant.

The Law allows the ODPA to conduct data protection audits. All organisations who handle data should consider conducting their own internal audits at regular intervals.

Data protection legislation has an important ethical dimension. Find out more about how we work to incorporate conversations about ethics into our own approach as well as more broadly for the regulated community.

If you employ people you will be using information about them (‘personal data’) to make decisions and manage the employment relationship.

Properly supported DPOs can add a huge amount to any organisation’s compliance standards. For some organisations, there will be a legal requirement to have a DPO. Find out more about this important role here. If you are a DPO we would encourage you to browse our information hub.

4 items

Data Protection Impact Assessments (DPIAs) are an important compliance tool when you are embarking on new processing or making changes to existing processes. In some cases it will a legal requirement.

Read our simple guidance to find out how to share information about people in an appropriate and lawful way.

Read our guidance to find out how to ensure your direct marketing adheres to local data protection law and related privacy legislation.

Read our guidance if you are collecting personal data as part of monitoring environmental, social, and governance (ESG) factors.

There are many exemptions and exceptions with the Law available to controllers/processors, below is a technical update on these and how they might be applied.

Whether you are handling a small or large volume of data, you need to understand the steps that must be taken to ensure compliance.

You may be required to report a data breach to us. Find out about your responsibilities and how to put in place an effective breach response strategy for your organisations.

Key information to support those who are using personal data for law enforcement purposes.

Before you start to collect or use people's data, you need to identify and document a 'lawful processing condition' (or 'lawful basis') that you can rely on. Doing this is part of your obligation under the 'lawfulness, fairness & transparency' principle. 

The data protection principles sit at the core of the compliance requirements of the Law. They set out how personal data must be handled, ensuring that individuals rights are respected. Learn more about the principles and how they are applied.

If you work with data about or related to identified (or identifiable) living people you are legally obliged to maintain an annual registration with us. 

 

Read a step by step guide to applying Section 16 of the Law to respond to an individual’s ‘data subject access request’ in the specific circumstances where the information the individual is requesting includes information about other people.

There are a number of specific areas in the Law that provide for the Authority to be consulted, give approval or accreditation in certain limited circumstances. Some of these areas will be developed further in the months and years ahead and if you have any questions, please do get in touch.

Data protection compliance will look different for different organisations and it does not lend itself well to a tick box approach. Templates should be used as part of a wider governance programme and will need to be adapted for your own organisation’s needs.

If you are based in the Bailiwick of Guernsey and process data about, or related to, people you need to be aware of your legal obligations under the Data Protection (Bailiwick of Guernsey) Law, 2017 including if you are considering transferring any data outside of the Bailiwick.