Introduction
This briefing is part of a Walkers series on the Data Protection (Bailiwick of Guernsey) Law, 2017 ("the DPL"), which was drafted to reflect the EU's General Data Protection Regulation (the "GDPR"). The DPL came into effect on 25 May 2018.
A related briefing on the object of the DPL, some of the key concepts used in the DPL, and the rights of data subjects is available here.
There are seven principles which are set out in the DPL (and also in the GDPR) which Guernsey organisations are legally required to adhere to. Those seven principles are as follows:
1. Lawfulness, fairness and transparency
Those who process personal data must have a valid reason for doing so under the Law. The personal data must be used in a way that is fair and it must be clear precisely what the data is being used for.
2. Purpose limitation
Personal data must be used only for the reasons that the data subject was advised of at the outset.
3. Data minimisation
The personal data obtained from a data subject must be limited to what is necessary for the stated purpose.
4. Accuracy
The personal data which is held must be accurate and, where necessary, updated.
5. Storage limitation
Personal data must not be kept for longer than is necessary. This will depend on the basis upon which the data is being held.
6. Integrity and confidentiality
Appropriate security measures must be put in place and maintained in order to ensure that personal data is not accidentally deleted, altered or disclosed to anyone who is not permitted access to it.
7. Accountability
An organisation must take responsibility for what it does with personal data. It must be able to demonstrate that the requisite systems and measures have been put in place to ensure compliance with the Law.