One month on from the change in data protection laws, local organisations are responding to the higher standards expected of them under the new legislation.

When data protection is done well, it builds and maintains trust between organisations and the individuals whose data they hold. We are encouraged that local organisations are extending that trust to us as the regulator by letting us know when things haven’t gone to plan.

Under the new legislation (the Data Protection (Bailiwick of Guernsey) Law, 2017) local organisations have a legal obligation to report a data breach to us within 72 hours of them becoming aware of it.

In the four weeks since the law changed, we have received reports of seven low-risk data breaches. We are encouraged by this as it is clear evidence that these local organisations take their responsibilities in respect of the new legal obligations seriously, they know how to respond accordingly, and that they are confident that we as the regulator will respond constructively.

Guernsey’s Data Protection Commissioner, Emma Martins commented on breach reporting’s role in improving data protection practices:

‘The key message for local organisations is that we will work positively and constructively with you in the event of a data breach, to improve compliance, for the benefit of everyone.

Statutory breach reporting is new and we are here to support local organisations through the process. The breach reporting obligation exists to ensure that organisations recognise the importance of compliance and invest in systems that provide maximum protection for what is probably the most valuable asset they hold – personal data.

We have been encouraged by the preparedness of local organisations, particularly by those who have evidenced an effective data breach response plan.

We are grateful for the insight that breach reports provide us, as they alert us to issues early, and provide invaluable insight into the risk environment. This helps us to target our resources to support better compliance across the Bailiwick.’

What is a breach?

A personal data breach is defined in section 111(1) of the Law as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data (including any special category data) is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

Breach reporting

One of the key differences between the previous law and the new law is that breach reporting is now mandatory, rather than voluntary.

We categorise each breach we receive depending on severity – the seven breach reports we have received in the month since the law changed have been ranked as low risk. This means that the breaches are unlikely to cause harm to the person whose data has been disclosed accidentally.

The breach reports we have received predominantly relate to organisations unintentionally sending personal data to the wrong recipient (for example, by software autocompleting an email address and the user not checking before they send the email).

https://odpc.gg/data-protection-law-change-local-organisations-meeting-their-new-obligations/