Press Release:

Lessons learned 5 years on

Published: 26 May 2023

To mark the fifth anniversary of The Data Protection (Bailiwick of Guernsey) Law, 2017 which came into force on 25 May 2018, there are some key lessons ODPA staff would like to share with you: 
  1. Start with why.
    Myths, confusion and misunderstandings swirl around data protection. But at its heart, it’s very simple indeed – data protection is about treating people well. Data protection legislation provides a framework for achieving that. If you work with information about people make sure you never lose sight of this ‘why’, and encourage others to see it too.
    If you don’t know where to start, here’s some signposts to help you along the way.   
  2. Don’t wait for it to get personal.
    Data protection isn’t on most people’s radar until things go wrong and it affects you personally. If you are responsible for how information about other people is used, invest some time in understanding what your legal obligations are. A small investment of time now could help you avoid a lot of heartache and hard work down the line. This is important because it is a legal requirement, but also because it goes to the heart of your business success.
    Here are some some suggested steps you can take to protect your business by protecting people’s data.

  3. Establish and build trust early on.
    When you first start working with people’s information make sure you engage with them so they understand how you are looking after their interests by adhering to the data protection law. This can help your business build trust with your clients/staff/service users (and any other people) and to get the most out of your data. If things don’t go to plan, and an individual is not happy, effective engagement is often all it takes to alleviate their concerns.
    Read ‘The Feel-Good Guide to Data Protection’ (page 10) to find out how your organisation benefits from treating people’s information well.

  4. Keep an eye on the time.
    One of the most common things that go wrong when people ask an organisation about what personal information they have about them is that the organisation does not positively engage with the individual, or respond quickly enough. For example, the Law gives one month to respond to a straightforward ‘data subject access request’ – one calendar month goes surprising quickly. Get the most out of it by dealing with data subject rights requests as soon as you can. And don’t wait till the last day if you can get it done and out the door earlier.
    Find out more about individuals’ 10 rights under local data protection law.

  5. Take a principled approach.
    The Law is based on seven common sense principles. People’s data must be handled in accordance with principles of: Lawfulness, Fairness & Transparency / Purpose Limitation / Minimisation / Accuracy / Storage Limitation / Integrity & Confidentiality / Accountability. The accountability principle is the bedrock, without it, everything else falls apart. It is the place everyone should start their compliance work.
    Find out more about the seven data protection principles.

  1. Caring for people’s data is not rocket science.
    Anyone handling people’s data should do everything in their power to treat people with respect and dignity, and ensure that they understand what is being done with information about them.
    Find out more about data ethics and how to explain to people what you’re doing with their information.

  1. Data protection is not always built on consent.
    You can use information about someone as long as you have a valid ‘lawful processing condition’ (consent is the most well know of these, but there are others which may be more appropriate) and are adhering to the Law’s principles.
    Find out more about the Law’s other lawful processing conditions.

  1. Education is key.
    You can have the best piece of legislation, built on worthy principles, with the best of intentions. But is no-one understands it, or cares enough to put the effort in to try to understand it then that law will fail to achieve its purpose.
    Find out more about our social education initiative Project Bijou which aims to engage people on a cultural level rather than simply on a legal/compliance one, on the basis that if more people understand what data protection legislation seeks to achieve then compliance with the Law will improve.


    About The Data Protection (Bailiwick of Guernsey) Law, 2017

    The Data Protection (Bailiwick of Guernsey) Law, 2017 came into effect on 25 May 2018. The Bailiwick's law was drafted to reflect the EU's General Data Protection Regulation (GDPR). This approach is designed to ensure our citizens have important rights in this digital era and to ensure the continued free flow of data to and from the Islands which is vital for our economy.