Three month update on activity since new law came into force

Published On:Thursday, November 1, 2018

IC News release.jpg

It is now three months since the new data protection legislation came into force in the Island. 

Since 1 August 2018, the Commissioner has received 47 personal data breach reports which have affected over 14500 individuals in total.  Of those reports, 34 have been resolved taking an average of 17 days per case.  No further action has been required in the majority of cases; however some controllers have been required to take action to rectify the problem and minimise the risk of similar further breaches.

Failure by controllers to comply with the principles of data protection, in particular accuracy, data minimisation, and integrity and confidentiality, has been a significant contributory factor in many of the breaches reported to date.   

One of the main types of breach reported to date has been personal data emailed to incorrect recipients.  This has been caused either by the selection of an incorrect email address through use of the autocomplete function or failure to keep email addresses up to date. Both scenarios are avoidable.

The Commissioner has also received 23 complaints, of which 17 have been resolved. This compares to an average of 9 formal complaints per quarter under the previous legislation.

There has been one application made by a data subject to the Data Protection Tribunal for an Order to progress a complaint.  The decision of the Tribunal is awaited. 

The Applied GDPR requires controllers and processors, to co-operate, on request, with the Commissioner in the performance of his tasks.  The Commissioner is pleased at the level of co-operation that has been exhibited by the majority of controllers to date.

There continues to be a requirement to have a register entry if personal data is being processed beyond the two core business purposes.  In the first three months, 220 applications have been made to be included in the new ‘register of controllers and processors’.  100 applications have been for new entries, whilst 120 controllers have transferred from the register maintained under the provisions of the Data Protection Act 2002.  The remaining 2050 controllers included in the old register will gradually transfer to the new register over the next 15 months.

Guidance on complying with the law, including reporting personal data breaches and the registration requirement, is available on the website: