Law: The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) and The Data Protection (Commencement, Amendment and Transitional) (Bailiwick of Guernsey) Ordinance, 2018, (the Ordinance)

Regulator: The Office of the Data Protection Authority (ODPA)

Summary: The data protection regime in Guernsey is regulated by the Law which came into effect on May 25, 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) is based on and broadly similar to the GDPR and provides for lawful bases of processing, data subject rights, and controller and processor duties. Furthermore, the Act establishes the Office of the Data Protection Authority (ODPA) as the supervisory authority, which is overseen by the Data Protection Commissioner, an independent public official appointed by the States of Guernsey to enforce data protection legislation in the Bailiwick. The ODPA is an active regulator, frequently publishing guidance on issues such as Data Protection Impact Assessments and children's consent, as well as monthly newsletters. The ODPA's Strategic Plan 2019-2022 outlines that the ODPA has adopted a strategy aimed at predicting and preventing data protection harms and ensuring that ODPA's detection and enforcement of activities are proportionate and effective, rather than focusing on the imposition of fines. The European Commission has recognised Guernsey as providing adequate protection for transfers of personal data to and from the EU.