Building bridges with the British, Irish and Islands DPA Network

Cooperation between the British, Irish and Islands Data Protection Authorities (BIIDPA) Network gives the member DPAs benefits of working towards a consistent approach to common issues. This is clearly useful for them, but I suggest that a consistent approach would also be useful for companies.

At the Caribbean session at the Global Privacy Assembly in Bermuda in October 2023, moderated by Laura Linkomies, Editor, PL&B Reports, and me, the most urgent request from the audience was a common approach across the region to international transfers of personal data.

Likewise, in my opinion, there is potential benefit for companies from engaging with the BIIDPA Network on a systematic basis to avoid repeating the same implementation questions with each regulator. Even if it is not possible to achieve unanimity, it would be helpful for both sides, at least in the smaller jurisdictions, to reach a workable consensus.

Issues could include for example, the design of standard enquiries that DPAs make with financial services companies, or the type of audits carried out by DPAs, or procedures involved in investigations they conduct. What would be the trigger points for such actions?

Anti-Money Laundering and data protection rules as a good place to start

There is a longstanding tension between ‘Know Your Customer’ (KYC) regulations and data protection law. This tension between AML and KYC (to verify identities, and check screening lists) relates to the need to collect data as required by Anti Money Laundering legislation compared against the need for data minimisation, purpose limitation under data protection law. A tension which continues to exist.

The BIIDPA members who are also EU members, Cyprus, Ireland and Malta, could share with the others how the EU is interpreting AML Rules. An example is EU wide rules that payments above 10,000 Euros in cash are prohibited. Obliged entities will be required to verify and identify their customers for cash payments of 3,000 Euro or more. This measure aims to enhance transaction traceability and discourage the illicit use of cash. The BIIDPA members want to be regarded as well-regulated. But they also want to demonstrate that they are independent and attractive as financial services hubs and jurisdictions, and distinctive from the EU norm.

Such a united approach should, in principle, reduce forum shopping in cases where companies could make a credible case for choosing more than one jurisdiction in which to base their operations.

Next steps

The host of the BIIDPA Annual Meeting, most recently held in Guernsey in June, takes the lead in setting the agenda. So, any exploration and discussion of contact between financial services companies and BIIDPAs should start by engaging with these DPAs.

Brent Homan, Commissioner, Office of the Data Protection Authority Guernsey, explained his perspective to me as follows:

“I set the agenda for this year’s BIIDPA meetings based on consultations with my BIIDPA colleagues and reflection on the key privacy priorities and operational challenges facing our members today. Given that a large proportion of BIIDPA’s membership is comprised of Global Financial Hubs in smaller European jurisdictions (Guernsey, Jersey, the Isle of Man, Gibraltar, Cyprus and Malta), one priority subject matter discussed was 'regulation and cooperation in Financial Services jurisdictions'. While the next host will be responsible for setting the agenda for BIIDPA 2026, it will also likely be in consultation with other members.

Coordinated DPA engagement with companies operating in global financial hubs is a natural extension of our efforts to promote compliance with data protection obligations in financial service-focused jurisdictions. In fact, to the extent that such companies can boast elevated data protection standards I believe that can prove a competitive advantage in the hyper-competitive financial services industry, where security and confidentiality are of paramount importance for clients.”

Due to the fact that they operate on a different scale from the others, the smaller jurisdictions, including Bermuda and the Cayman Islands, may or may not wish that the UK and Ireland be involved in these discussions.

Suggestions for an agenda would logically include to:

1. Identify priority issues.
2. Arrange to put specific issues to the BIIDPA group
3. Hold an initial meeting in-person or online to increase confidence that this is an initiative which is likely to be viable.

Privacy Laws & Business could take on a facilitator role to establish whether BIIDPA is interested in pursuing these discussions. A more specialised organisation, such as an industry representative body, could then pick up the baton.

Action point

If you are interested in this plan, please contact me during September, listing your priority subjects for discussion with British, Irish and Islands Data Protection Authorities.

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

September 2025