30 July 2020

Forthcoming changes to the Guernsey Data Protection Registration Regime

The Office of the Data Protection Authority (ODPA) has provided more detail regarding its new registration and funding model.

What are businesses required to do?

Guernsey's data protection regime requires all controllers and processors established in the Bailiwick to register with the ODPA (section 39 of the Data Protection (Bailiwick of Guernsey) Law, 2017 (as amended)). At present, this statutory requirement is subject to a limited exemption which means that certain categories of organisations and businesses are not obliged to register with the ODPA, such as charities and not for profit organisations which are able to rely on a charitable exemption.

With effect from 1 January 2021 this exemption from the requirement to register is being removed and will no longer be available. From that date all organisations, businesses and sole-traders which are established in the Bailiwick will be subject to a requirement to register with the ODPA, thereby bringing charities and not for profits into the scope of the new regime. The new regime applies to any person who processes personal data about any individual (whether those individuals are customers, clients, third parties or employees) for any purpose other than a household/domestic purpose. Such persons will be required to:

  1. register with the ODPA by March 2021; and
  2. pay an annual fee (unless they are a charity or not for profit organisation).

In practice, this is likely to capture the majority of businesses on Island. The new registration forms will be available online via the ODPA's website (https://odpa.gg) from January 2021 and will require each applicant to provide additional (as yet unspecified) information.  The ODPA has also announced that, for entities who are required to complete an annual validation with the Guernsey Registry, the Registry's online validation system will generate a 'prompt' to such entities at the end of the validation process, reminding them to register with the ODPA. 

The register will not be publicly available to search on the ODPA's website.

What are the new fees and how are they calculated?

The new fee structure is based on head count. In particular, the fee is based on the number of full-time equivalent (FTE) employees employed by the business.  We await further details of how the FTE will be calculated, but anticipate that the ODPA may look to methods used by, for example, the Director of Tax in relation to calculating FTE for the purposes of the economic substance regime. There are two levels of fees:

  • For organisations with 1-49 FTE employees - £50 per annum; or
  • For organisations with 50 or more FTE employees - £2,000 per annum.

 

Why are these changes necessary?

Currently, the ODPA is reliant on a mixture of government funding of approximately £300,000 per year and funding from registration fees. The new fees model is designed to be simple and streamlined whilst ensuring that the ODPA has sufficient funds to remain adequately resourced and fully independent. On this latter point, independence is important both from a legal perspective and politically, to further the Bailiwick's digital strategy. The ODPA considers this to be essential, given that it has oversight over both private and public entities in Guernsey, including the States of Guernsey itself.

The changes will likely affect some more than others. Whilst charities will have the additional administrative burden of registering with the ODPA, they will continue to be exempt from the annual fee charge.  However, as a consequence of the announcement, in theory a large corporate services provider (CSP) employing over 50 FTE staff will be subject to the higher annual fee, whilst a corporate vehicle administered by the CSP will be subject to a £50 annual fee.  This is likely to generate a large volume of 'bulk' registrations for such administered entities, who in practice process very little personal data by virtue of the fact that they delegate many of their obligations to a separately regulated CSP. 

As yet the ODPA has not provided any information regarding how they will service the additional workload generated from the new regime, but has confirmed that more information will be available shortly in this regard.

What should you consider next?

There are certain key steps you need to take, regardless of whether (a) you have an existing registration with the ODPA or (b) you have not previously registered with the ODPA because you have been relying on one of the exemptions. In summary, you should consider the following:

  1. Set a calendar reminder to register with the ODPA early in the new year under the new registration regime.  You may also be prompted to do this when you renew your annual validation with the Guernsey Registry.  You will have a three-month window (January – March 2021) within which to comply.
  2. The ODPA has indicated that organisations and businesses will need to provide more information at the point of registration, although the precise details are yet to be confirmed.  As a minimum, this is likely to include confirmation of the number of FTE staff you employ, given that this will dictate which level of fee you will be required to pay.
  3. If your business administers a large volume of administered entities you will need to ensure that you have information available on all entities requiring registration. The ODPA has committed to releasing more information on how they will process 'bulk' registrations like this. In the meantime, to the extent that such entities fall within the 0 – 49 FTE employee threshold, it looks likely that a £50 fee will be required per entity. You should consider proactive steps to factor such costs into your administrative costs, including any appropriate notifications to clients etc.
  4. The ODPA has clarified that when considering whether an "entity" is processing personal data, businesses should have regard to the fact that banks, schools, online retailers, social media platforms, employers, politicians acting in an official capacity, GP practices and insurers will constitute controllers for the purposes of Guernsey's data protection law. It is, therefore, logical to assume that the individual professional trustees who make decisions about data subjects in the exercise of their trustee duties will also be caught by the registration regime and will, therefore, need to register in 2021. However, if in doubt, advice should be sought.
  5. Whilst the ODPA has helpfully pre-empted certain questions by providing an FAQ for businesses and organisations, given the wide variety of controllers and processors in the Bailiwick across all sectors there are, inevitably, outstanding questions to be addressed.

The ODPA has confirmed that further information will be available in due course - businesses should watch this space.

 
