The General Data Protection Regulation (GDPR) is rightly forcing companies to think ethically about their approach to customer data, according to Carey Olsen partner Mark Dunster.
Speaking after Carey Olsen’s GDPR and e-Privacy conference in Guernsey earlier this week, Mr Dunster said GDPR, which comes into effect on Friday 25 May, was bringing about a much-needed and deep-seated behavioural change relating tothe responsibility of data ownership and processing.
“If you want to have a successful business you need to have a business where people think they are treated fairly as a customer. GDPR is simply regulation catching up with that expectation,” said Mr Dunster.
The primary focus of GDPR is to protect the personal data of citizens of the European Union (EU) wherever it is held, processed or transferred. While the Channel Islands stand outside the EU, the legislation affects all local companies undertaking business in the EU or profiling EU citizens. The Data Protection (Bailiwick of Guernsey) Law, 2017, which reflects the new requirements of GDPR, comes into force the same day that GDPR comes into effect across all EU Member States.
Mr Dunster said: “If you have an over-reliance on rules, you generate an industry trying to find a way around those rules and it leads to a moral bankruptcy. You need to stick to core values, which is what GDPR does. It might sound like a biblical reference, but other people’s data should be treated in the same way as you would want them to treat your data.”
Carey Olsen counsel Carly Parrott, who spoke at the event on the risks, opportunities and challenges of managing data protection and employees, said HR departments would be under some of the most intense scrutiny following the introduction of GDPR and Guernsey’s law.
“HR departments are a goldmine of personal data, which in GDPR terms means they are a compliance landmine,” said Ms Parrott.
“The human element of GDPR extends beyond the vast volume of often unstructured and informal personal data that organisations continually collect from a variety of sources and regularly process about their employees into the often catastrophic impact that an organisation’s most valuable resource, its people, can have on the security of that data.
“Compliance with the data protection laws and, by extension, reducing the risk of security breaches demands a holistic approach to be adopted by organisations, led from the top and permeated throughout the whole organisation. This is because an educated workforce is an engaged workforce and an engaged workforce is much better equipped to navigate the landmine of GDPR compliance.”
Other speakers at the event, which was attended by 200 representatives from Guernsey’s business community, included Carey Olsen partner Elaine Gray, counsel Huw Thomas and associate Alexandra Gill. They were joined by Matt Thornton, co-founder of IT consultancy Cortex, and Emma Martins, Guernsey’s Data Protection Commissioner.
Ms Martins shared the Office of the Data Protection Commissioner’s strategic aims for 2018 and said Guernsey’s new Data Protection Law was not designed to stifle innovation or progress.
“Regulation in the data world we live in is a positive thing, a desirable thing. We are starting a journey of compliance; 25 May is not the end of something, it is the beginning of something,” said Ms Martins, who stressed that the Office of the Data Protection Commissioner was open for dialogue and to assist local businesses where possible.
“What we are trying to do with this reform is recognise how fundamental data protection is to each and every one of us, and to our society as a whole. We recognise that we have rights and are entitled to have these rights respected, upheld and enforced. It recognises, importantly, that innovation should go hand-in-hand with data protection if we are in it for the long-term and want to embrace the sustainable economic advantages that come with a successful and well-regulated data economy.”
Other topics relating to GDPR covered at the event included measures that must be in place ahead of 25 May, the technological standards required to achieve and maintain GDPR compliance and reforms to the e-Privacy Directive.
Ms Gill said that while GDPR had dominated the headlines, little had been made of the forthcoming e-Privacy reforms.
“In light of the Facebook and Cambridge Analytica scandal, these reforms are coming at an important time. With the European legislation still being drafted, now is a good time for local businesses to familiarise themselves with the current Guernsey regime, which has been in place since 2004. Not only will this help to demonstrate a commitment to implementing robust GDPR practices, but it will hold you in good stead before the new e-Privacy reforms bite.”
The event at St Pierre Park Hotel was the second GDPR conference hosted by Carey Olsen in the Channel Islands since the beginning of May. An event in Jersey on 1 May was attended by 180 representatives of Jersey’s business community.