Up to 18 August 2018, there have been 32 self-reported personal data breaches, most of which are very low-level and require no further action.
The Office of the Data Commissioner confirms that within the steady number of breaches reported, a small number were more significant or involved more than one jurisdiction, necessitating coordination with other regulatory authorities. In these cases, the ODPC continues to be actively engaged with the data controller.
The reporting of data breaches is in line with section 42 of the Data Protection (Bailiwick of Guernsey) Law, 2017, which requires organisations processing personal data to notify the ODPC of any personal data breach.
This new statutory obligation for data controllers, which has been in force for three months, aims to provide the ODPC with timely information, as well as ensuring transparency and accountability for those handling personal data. In response to the new law, the ODPC aims to utilise and publish the information that is reported as much as possible.
Data Protection Commissioner, Emma Martins, confirmed that the breach reports are already proving helpful for the ODPC to gain insights into real-world risks and to raise awareness within the community to help them mitigate and respond to those risks going forward.
“It is vital that we build a strong, respectful and constructive relationship with the regulated community. We recognise that reporting breaches requires them to trust us to do our job with absolute integrity. This is not about naming and shaming organisations when things go wrong. It is about building a positive and meaningful relationship; one which recognises that our collective learning about the very real risks to individuals of poor data handling allows us to take important, preventative action and significantly improve our outcomes,” said Mrs Martins.