ODPA to pursue legal action for failure to register

The Office of the Data Protection Authority (ODPA) will shortly, as a last resort, start to pursue the most serious cases of registration non-compliance through the Magistrate’s Court Petty Debt process.

Engaging and educating the regulated community about the benefits of treating people’s data well is at the heart of the ODPA’s strategy. Predicting and preventing harm by encouraging the responsible use of personal information is vital to achieve the best possible outcomes in our society.

But enforcement powers are also an important tool for The Data Protection (Bailiwick of Guernsey) Law, 2017 which serves to protect people’s rights over their own data as well as facilitate free movement of personal information. 

It is a legal requirement for any organisation (including sole traders) that handles people’s personal information during the course of their business activities – even if this is just names and addresses – to register with the ODPA.  

This registration takes place in January and February every year. Registration costs £50 for organisations with fewer than 50 staff and £2,000 for those with more. Charities and non-profits register free of charge. Most of the regulated community take their responsibilities very seriously and understand the value of people’s personal data, as well as the potential harm if it is not handled properly. Unfortunately, a very small minority have consistently failed to register and have been unresponsive to the ODPA’s numerous attempts to resolve this.

Organisations that fail to respect their legal requirement to register divert the ODPA’s limited resources away from carrying out other activities: helping people navigate the law, providing guidance, dealing with enquiries, investigating personal data breaches and mitigating damage in the aftermath of incidents.

A considerable amount of time and effort is put into responding to registration non-compliance by those who should be registered but have failed to do so. As a final resort, the ODPA will pursue the most serious cases of non-compliance through the Petty Debt process in the Magistrate’s Court. 

Emma Martins, the Bailiwick’s Data Protection Commissioner, commented: 

“Registration is a legal requirement. Most people wouldn’t dream of driving without a valid licence. So, by the same token, no-one should be handling people’s personal information without first registering with the ODPA. Organisations need to take their legal responsibilities seriously and individuals have the right to expect them to do so. I would, without question, prefer the limited resources we have to be used to support our community to get data protection right, but it would be entirely unfair on all those who engage positively with their legal duties for us to ignore the small number that do not.”

A letter will shortly be sent to a small number of non-compliance cases as a first step in a formal debt recovery process. If you have received a previous communication regarding non-registration, you are urged to contact the Authority without delay to prevent further action now being taken. 

If you are not sure if you need to register, the ODPA has set out these three criteria to make this as clear as possible:

1. You (whether you are a sole trader, organisation, business, charity, landlord, business association etc.) are established in the Bailiwick of Guernsey.
2. You are working with personal data (i.e. any information that may identify individual people, such as your staff members, your clients, your business contacts, your service users, your tenants etc.) either as a ‘controller’ or a ‘processor’.
3. The activity you are performing is not part of your personal/household affairs.

Find out more about the ODPA registration requirement here.