Guernsey data protection series - the seven data protection principles

• The seven data protection principles are at the core of data protection in the Bailiwick of Guernsey.

• Controllers and Processors must ensure all processing of personal data complies with the seven data protection principles.

• The data protection principles should always be referred to and considered when issues with data protection arise.

This briefing provides an overview of the seven data protection principles contained within the  Data Protection (Bailiwick of Guernsey) Law, 2017 ("the DPL"). The DPL was drafted to reflect the EU's General Data Protection Regulation (the "GDPR"). The DPL came into effect on 25 May 2018. 

A related briefing on the object of the DPL, some of the key concepts used in the DPL, and the rights of data subjects is available here.

There are seven principles which are set out in the DPL (and also in the GDPR) which Guernsey organisations are legally required to adhere to. Those seven principles are as follows:

1. Lawfulness, fairness and transparency

Those who process personal data must have a valid reason for doing so under the Law. The personal data must be used in a way that is fair and it must be clear precisely what the data is being used for. The conditions for lawful processing are set out in Schedule 2 to the DPL.

2. Purpose limitation

Personal data must be used for only for the reasons the data subject was advised at the outset that the data would be used for. Personal data must not be collected without a specific and legitimate purpose.

3. Data minimisation

The personal data obtained from a data subject must be limited to what is necessary for the stated purpose.

4. Accuracy

The personal data which is held must be accurate and, where necessary, updated. Reasonable steps must also be taken to erase or correct inaccurate personal data.

5. Storage Limitation

Personal data must not be kept for longer than it is necessary. This will depend on the basis upon which the data is being held.

6. Integrity and confidentiality

Appropriate security measures must be put in place and maintained in order to ensure that personal data is not accidentally deleted, altered or disclosed to anyone who is not permitted access to it.

7. Accountability

An organisation must take responsibility for what it does with personal data. They must be able to demonstrate that requisite systems and measures have been put in place to ensure compliance with the Law.

About Walkers’ Guernsey regulatory team

Walkers’ Guernsey regulatory team can advise on all aspects of Guernsey data protection, including data protection policies, procedures, privacy notices, data subject access requests and data protection audits.

We have a team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, tax, economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.

This article was updated on 28 November 2024.