The General Data Protection Regulation (2016/679) is the new EU Regulation on Data Protection, which came into effect on the 25th May 2018.
Information relating to a living individual who is, or can be, identified by that information, including data that can be combined with other information to identify an individual. This can be a very wide definition, depending on the circumstances, and can include data which relates to the identity, characteristics or behaviour of an individual or influences the way in which that individual is treated or evaluated.
Processing means performing any operation or set of operations on personal data, including:
A Data Controller is the person (in the case of a sole trader) or organisation who decides the purposes for which, and the means by which, personal data is processed. The purpose of processing data involves ‘why’ the personal data is being processed and the ‘means’ of the processing involves ‘how’ the data is processed.
Read the Office of the Information Commissioner's guidance on the Duties of Data Controllers.
A Data Processor is a person or organisation that processes personal data on behalf of a data controller, for example a provider of outsourced activities such as IT provision, cloud services or human resources. Processors are not employees of the data controller, and they can only act on the written instructions of the controller.
A Data Subject is the individual the personal data relates to.
A DPIA (Data Protection Impact Assessment) describes a process designed to identify the risks arising from the processing of personal data and to minimise those risks as far, and as early, as possible. DPIAs are important tools for reducing risk and for demonstrating compliance, including ongoing compliance, with the DPJL and GDPR. A DPIA should be carried out before any processing of the data takes place.
The Data Protection (Jersey) Law 2018, which came into force on 25th May 2018. It replaces the Data Protection (Jersey) Law 2005.
In order to process personal data you must have a lawful (legal) basis to do so. The lawful grounds for processing personal data are set out in Schedule 2 (Part 1) of the DPJL. These are:
No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
Additionally, Schedule 2 (Part 2) of the DPJL sets out the lawful bases for processing of special category (sensitive) personal data. If you want to process special category data, you need to identify the lawful basis in both parts of Schedule 2.
You need to work out the legal basis before you start processing and document your thinking.
How long will your organisation hold an individual’s personal data? This will be influenced by a number of factors. There may be legal requirements on your organisation, depending on your business type (e.g. General Medical Council or JFSC rules). Keep the data for the least amount of time that you can in accordance with the requirements of your business, store it securely while it is in your possession and make sure to delete it fully and safely at the appointed time.
This is defined in Article 1 of the DPJL as data ‘which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or data relating to a person’s criminal record or alleged criminal activity’. If you want to process Special Category Data you need to be able to also identify one of the lawful bases in Schedule 2 Part 2 of the DPJL.
Article 11 of the DPJL has raised the conditions that must be met for consent to be a valid legal basis for data processing. It is now necessary to consider whether consent was unambiguous, informed and freely given, and the data subject must have the opportunity to withdraw consent for processing at any time.
Consent should not be assumed (no more pre-ticked boxes) and must be obtained before data processing begins (e.g. through Privacy Notices). There must be a positive, affirmative action by the data subject for consent to be valid. It also requires individual (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
If you offer online information services to children (e.g. the purchase of apps), you must be able to verify their age, and if the child is under the age of 13 the consent of someone having “parental responsibility” must be obtained.