1. Get those registrations sorted!
If you, or any entity which you are responsible for managing, are not currently required to register with the ODPA because you benefit from one of the limited exemptions available, those exemptions expire on 31 December 2020 (the only exception remaining is the use of personal data for purely domestic or household purposes). You therefore need to register and pay a registration fee during January-February 2021. If you are currently registered with the ODPA, you will need to confirm your registration and pay the appropriate levy during January-February 2021, irrespective of when you registered in 2020. This timing was intended to marry up with the timing of corporate annual returns here in Guernsey though those have been pushed back for 2021.
2. Review policies
GDPR compliance and corporate privacy policies should never be static. As businesses evolve, so will their operations and processing of personal data. Businesses will now have had circa 18 months of bedding in of their policies and processes since GDPR became effective on May 25th 2018 and the same amount of time for some of them to become outdated due to changes in business practice. For anyone who hasn't done a review, or at least a recent review, now is a great time to consider what's being done, what could be done better and to generally update, fine-tune or adjust processes for managing and processing data use. Ensure you document the outcome of any reviews, and any action taken as a result.
3. Tighten up on breach risks
Guernsey's ODPA publishes breach reporting data fairly regularly (roughly every two months) as well as reporting on applied sanctions. A huge number of locally reported breaches relate not to nefarious cyber hacking or other high profile issues but to simple human error with misdirected emails being by far the biggest cause of breach reporting. Reviewing your office infrastructure with your IT and operations team is an excellent way to strip out potential failure points or apply checks that may prevent these issues arising. Focussing on the "human firewall" with regular training both on the importance of data protection and in the form of penetration testing are also key to reducing risk and increasing the capability of your workforce to spot issues.
4. Risk Registers
Review your data protection risk in your risk registers, to ensure that your assessment remains accurate, and that your mitigating controls represent a true reflection of your real world controls. Ensure that your Compliance Monitoring Programme is being deployed effectively, to monitor compliance with your policies and procedures, having regard to the assessed risk, and that the CMP Board Reporting is sufficient.
5. Consider a role as Levy Collection Agent
CSPs should also be considering their position as regards managed entities. This doesn't just include registration but also whether those entities for whom CSP directors are responsible are appropriately set up in terms of privacy policies and data processor agreements among other issues. One way to at least simplify part of this may be to take on the role of Levy Collection Agent to allow submission of annual fees to the ODPA on behalf of all managed entities.
To learn more about putting any (or all) of the above resolutions into practice next year, contact Wayne Atkinson or Sandra Lawrence.