Chris Hutley-Hurst
Partner
Guernsey
Feb 4, 2025
Key takeaways
We explore what trustees need to be aware of when dealing with data and complying with their obligations under the Data Protection (Bailiwick of Guernsey) Law, 2017 and related legislation (the "DP Law").
In the first two articles in this series (available here and here) we looked at some of the key terms and concepts when applying data protection law in the context of trusts as well as the proactive steps a trustee needs to think about in relation to the personal data they hold and how they might best respond to a data subject access request.
This article considers recent developments in Guernsey’s data protection landscape and how these may impact on trustees.
Following the introduction of Guernsey’s registration and levy regime, a controller or processor established in the Bailiwick must not cause or permit personal data to be processed unless the controller or (as the case may be) processor is registered in accordance with the DP Law or is exempt from registration. Once registered, and in respect of each year for which the controller or processor is registered, an annual levy must be paid to the Office of the Data Protection Authority ("ODPA").
Whether a controller or processor (e.g., a trustee) is "established in the Bailiwick" requires careful consideration of the nature of the entity and the processing activity. Whether a controller or processor is exempt from registration depends on whether they satisfy the conditions prescribed by the DP Law.
As discussed in more detail in the first article in this series, trustees are likely to be both controllers and processors and are therefore highly likely to need to register with the ODPA. Trustees are also unlikely to be regarded as exempt from registration owing to the nature of their processing activities. Trustees must also consider whether any of the entities within the trust structures they are involved with are caught by the regulations and need to register separately. However, in many instances, these entities may appoint the trustee as a levy collection agent ("LCA"), who is permitted to declare and pay the ODPA levies on their behalf.
When making an application for registration, the trustee will need to pay a registration fee. The applicable registration fee depends on whether the trustee is considered a large organisation. A large organisation means an entity (or person) that employs 50 or more full-time equivalent employees ("FTE"). The DP Law provides that an FTE is:
If the trustee is considered a large organisation and needs to be registered, it will pay £2,400 upon registration. However, if it is not considered a large organisation then it will only have to pay £60 upon registration. The registration fee is payable each year as an annual levy. For completeness, there isn’t a registration fee or annual levy for charities and non-profit organisations, but they are still required to register and renew their registration annually.
As set out above, some organisations may authorise an LCA to pay the levies on their behalf; however, not every organisation can use an LCA. Some organisations must register directly with the ODPA, including:
It is worth noting that the ODPA has the power to take action in relation to the registration and levy regime and earlier this year successfully took six companies to court for the non-payment of registration fees.
For trustees the following points are key:
The ODPA has reported that, in Q1, Q2, and Q3 of 2024, a total of 121 personal data breaches were reported, with more than 18,392 people affected. Notably, the 42 personal data breaches in Q1 were the highest number ever reported in one quarter and, although fewer people were affected by data breaches in Q3, twice as many people were affected by high-risk breaches in Q3 compared to Q2.
There are several key takeaway points for trustees to take from these recent breach reports.
Firstly, wayward emails continue to be the most common reported breach. 36 of the 121 incidents reported happened due to emails containing personal data being sent to the wrong person. The ODPA suggests that organisations can take steps to reduce this risk by fostering an environment that allows staff sufficient time and space to work in a considered and calm way, avoiding a blame culture, and encouraging staff to take a moment before sending emails. This is especially important for trustees who may be dealing with highly sensitive data.
The second key point from the ODPA reports is that people working with personal data need to understand how to assess the risk posed by data breaches. In Q3 of 2024, 517 individuals' data was affected by incidents that the ODPA assessed as being high risk. If a trustee becomes aware of a data breach, they need to assess the risk to the people whose data is affected. Sensitivity can be context-specific; for example, a wayward email identifying tennis club members would be less sensitive than one identifying individuals participating in a cancer treatment programme.
A breach of even one individual’s personal information can be high risk given the potential for financial, reputational or psychological damage and so trustees need to understand how to assess risk.
Finally, organisations need to rely on their people and heed system warning signs. The vast majority of breaches reported during Q1 and Q2 were discovered by people, while just 2 of the 81 incidents reported were detected through digital systems. It is therefore important to nurture a culture in which people are encouraged to report any breaches internally. This gives the best possible chance of acting quickly to contain a breach and mitigate its effects.
Firstly, know your data. If a trustee doesn't know what data they hold and what they do with it then they cannot properly assess or monitor their compliance with the DP Law. Every organisation should know and record:
Secondly, do everything you reasonably can to prevent and manage data breaches. An organisation needs to know how to respond to a data subject access request. The management of data privacy should be led by someone with a holistic view of the business, and it should be clear to all staff who this person is. An organisation's response to a data breach can be planned in advance, so information security arrangements should be reviewed on a regular basis. If a breach happens, precious time can be lost working out what to do. An organisation therefore needs to know who will lead the response to a data breach and what the response plan actually is. As a starting point, the ODPA has published helpful guidance on what to do on its website.
Thirdly, and as set out in more detail above, trustees need to ensure that relevant entities are registered with the ODPA, annual returns are filed, and the appropriate levies are paid. This also needs to filter down to entities within the trust structures.