ODPA publishes new guidance on data transfers

The Office of the Data Protection Authority (ODPA) has published three new updates to help protect people’s data when it is transferred outside of the Bailiwick of Guernsey.

A ‘data transfer’ occurs when you send people’s data outside of the Bailiwick, for example by using online products or services such as Mailchimp (US-based) to send your subscribers a newsletter, or communicating with your customers via your organisation’s Facebook page, or employing a company in another jurisdiction to provide customer services.

The Bailiwick has high standards of protection of people’s data, thanks to the local data protection law which is considered essentially equivalent to the European Union’s data protection legislation. However, many jurisdictions around the world do not offer the same legal protections. This mismatch of legal protections means that anyone working with people’s data in the Bailiwick must take special care whenever they transfer that data to areas of the world where there is less protection.

The updated guidance and resources published by the ODPA has been produced to help local organisations and businesses navigate the very complex legal landscape around data transfers: 

• The first update, ‘Guidance on International Data Transfers’ is a step-by-step guide to the things you need to think about before you transfer people’s data outside the Bailiwick.
• The second update is ‘Guidance and a self-assessment tool for Transfer Impact Assessments’ which contains a series of questions to help you make a self-assessment of the risk posed by a transfer of someone’s data outside of the Bailiwick of Guernsey.
• Finally, the third update is ‘The Bailiwick of Guernsey Addendum for the EU Commission’s Standard Contractual Clauses (SCCs)’ which is a legal document you can make restricted amendments to in order to protect people’s data by using it in conjunction with the EU Commission’s Standard Contractual Clauses.

The Bailiwick’s Data Protection Commissioner, Emma Martins, commented on the updates,

“It’s important to recognise that the legal landscape around data transfers is incredibly fast-moving, and can be complex. The first step is always to understand what data you have and where that data are located. It is essential for all organisations to understand the risks as well as the opportunities around data transfers. We must all be proactive in ensuring people’s data continues to be looked after if it leaves the Bailiwick. The people whose data it is retain their legal rights over it, and your organisation remains responsible for ensuring it is protected.”

Find out more about transferring people's data outside the Bailiwick.