Data Protection by Design and Default, and Data Protection Impact Assessments
Getting it Right from the Start
Under the Data Protection (Jersey) Law 2018 (DPJL 2018), data controllers must embed data protection by design and default into all personal data processing activities. This means building data protection into your business activities right from the start – from design to implementation.
This means ensuring that appropriate safeguards for personal data are built into the design of systems, services and business practices from the very start and being proactive about privacy. This includes limiting data collection to what is necessary and keeping information safe. This is known as “data protection by design and default”.
A data protection impact assessment (DPIA) is a key tool that organisations can (and in some cases must) use to identify and reduce risks for people when you plan to use this information. For projects that involve processing of high-risk information (such as large-scale profiling, surveillance or use of sensitive (special category) data) DPIAs are legally required and if those high risks can’t be mitigated, there is a formal requirement to consult with the Authority before any processing of personal data starts.
For new projects, DPIAs are a vital part of data protection by design. They build in data protection compliance at an early stage, when there is most scope for influencing how the proposal is developed and implemented. DPIAs help organisations meet their legal obligations by:
- Increasing awareness of privacy and data protection issues within your organisation
- Demonstrating accountability
- Embedding privacy into project planning
- Identifying problems at an early stage
- Preventing data breaches and misuse
- Supporting informed decision making
This guidance note is intended to help organisations understand what their obligations are when putting systems and processes into place. It talks about what we mean by “data protection by design and default” and how and when you can and must use DPIAs as part of this process. We will cover:
- What is data protection by design?
- What is data protection by default?
- Who is responsible for complying with data protection by design and by default?
- What about data processors?
- What about other parties?
- What are you required to do, when and how?
- What is a DPIA and how to complete one
- A checklist and template DPIA can be found here.
Frequently used words and phrases in this guidance note.
| Frequently used word/phrases | Description |
|---|---|
| Articles or Arts | Means certain sections of the DPJL 2018 or DPAJL 2018. |
| Authority | Means the Jersey Data Protection Authority (JDPA) which is part of the Jersey Office of the Information Commissioner (JOIC). |
| Data Controller | The natural or legal person, public authority, agency or other body that, whether alone or jointly with others, determines the purposes and means of the processing of personal data (Art.1 DPJL 2018). |
| Data Processor | Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller but does not include an employee of the controller. |
| Personal data | Any information relating to an identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Special Category Data | Personal information relating to: |
What is Data Protection by Design and Default?
The DPJL 2018 says that organisations must build data protection into their processes by design and default. This means that you must think about data protection from the very beginning of any project - not as an afterthought. As a controller you are the one responsible for complying with these requirements and it applies to everything you do with personal data.
By design: This means that you think about data protection issues from the design phase of any system, service, product or process through to implementation and operation. This includes when you amend, update or terminate the system or process. Examples include:
- Developing new IT systems, services, products and processes that involve processing personal data.
- Developing organisational policies, processes, business practices and/or strategies that have privacy implications.
- Physical design.
- Embarking on data sharing initiatives, or
- Using personal data you already have for something new.
By default: This means that you adopt a ‘privacy first’ approach with any default settings of systems, applications or processes. For example, you only collect/use as much data as is necessary for your specific purpose (you don’t get more than you need), you don’t share data unless someone chooses to, and you turn off tracking unless it's needed.
What if you use other organisations/software providers?
If you use a product, piece of software, or another organisation to help you (e.g. an external IT provider, outsourced payroll, accountancy or HR) you need to make sure that those products and organisations comply with data protection requirements. You are ultimately responsible for the products, software, and organisations you choose.
You might choose certain software or apps to help you run your business. You will need to make sure that any organisation and/or software provider you choose complies with data protection principles and you will need to have appropriate legal arrangements in place. You can find out more about this topic in our guidance note on Processors, software providers, software and other applications.
What do you need to do?
You need to take the right steps - both with your tech and your way of working - to protect people’s personal data and their rights. There’s no single solution that works for everyone. What you need to do depends on your situation.
What really matters is that you think about protecting people’s data before you start using it, and you set things up in a way that follows the rules and keeps data safe by default. Here are a few examples of how you can do that.
- Only collect and use the personal data you really need
- Hide people’s identities using techniques like fake names or codes
- Be clear and honest about what you're doing with their data
- Let people check how their data is being used
- Add and improve security to stop data from being stolen or misused
These are just some ideas - you might need to do more, depending on what kind of data you're dealing with. We can’t give you every possible answer here, so if you're doing something complicated with personal data, you might need expert help.
When should you think about this?
Data protection by design means you should start thinking about how to protect people’s personal data right from the beginning - before you build or launch a system, app, product, or way of working. You need to think about:
- What you’re planning to do with the data
- What risks this might create for the people whose data you’re using
- What steps you can take to follow the rules and protect their rights
When doing this, you should also think about:
- What tools and tech are available, and how much they cost
- What kind of data you're collecting, how much, why, and in what situation
- How your use of data might affect people’s rights and freedoms
This is like doing a safety check or risk assessment and making sure something works in the way you intend it to before it’s used. Next, you actually set up the tools and rules (both technical and ways of working) that help you protect the data and follow the law.
Because everyone’s situation is different, there’s no single answer that works for every company or project, but there are some general things that most people need to think about and the DPJL 2018 says that:
- You need to think about data protection when you're planning how to use personal data (before you start); and
- Keep protecting that data the whole time you’re using it
How should you do this?
One way to put all these data protection ideas into action is to create some clear, practical rules or guidelines for your organisation to follow. These should be based on the risks involved and the tools you have to deal with them. How you do this will depend on things like:
- What kind of organisation you are
- What kind of work you do
- What data you’re dealing with
- How much money and resources you have
You might not need lots of paperwork or strict policies, but sometimes you do need to have certain documents ready to show how you’re handling personal data. What really matters is having a solid plan that makes sure:
- You think about protecting data from the start when designing any new system, service, or product
- Data protection is built into how your system works - not added later
- You only collect and use the personal data you actually need, and only for the purpose you said you would
- Privacy is automatically protected in your tech or services, without users having to do anything extra
- People in your organisation (and the public) know who’s in charge of data protection
- Any documents meant for the public are written in plain language, so anyone can understand them
- You give people tools to see what’s being done with their data and check that you’re sticking to your own rules
- You offer strong privacy settings by default, easy-to-use controls, and you respect people’s choices
One helpful tool for this is a Data Protection Impact Assessment (DPIA). It’s a checklist or process you follow to look at what risks your data use might create and how to reduce them. It helps you spot problems before they happen and show that you’ve thought things through properly. We have more guidance below and checklists and templates you can use to help you.
What is a DPIA?
A DPIA is a tool that helps you spot and fix risks when you're using people's personal data in a new project. Think of it like a safety check, but for privacy. It’s a way to check if your project (e.g. the piece of software you want to use) could impact on someone’s privacy rights and supports you in making sure that you have built data protection into your processes right from the start.
You do not have to eradicate all risk, but a DPIA should help you minimise and determine whether or not the level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve.
When do you need to do a DPIA?
You do it before you start collecting or using personal information, so you don’t cause harm or break the law by accident.
A DPIA is not a one-off exercise to file away. A DPIA is a ‘living’ process to help you manage and review the risks of the processing and the measures you’ve put in place on an ongoing basis. You need to keep it under review and reassess if anything changes.
In particular, if you make any significant changes to how or why you process personal data, or to the amount of data you collect, you need to show that your DPIA assesses any new risks. An external change to the wider context of the processing should also prompt you to review your DPIA. For example, if a new security flaw is identified, new technology is made available, or a new public concern is raised over the type of processing you do or the vulnerability of a particular group of data subjects.
You must do a DPIA when your project might be high risk to people’s privacy. This could happen if you:
- Use CCTV or facial recognition in public places
- Collect sensitive data (like health or religion) for lots of people
- Track what people do online or through apps (like GPS tracking)
- Make decisions automatically, including using AI or automated systems (like job offers or credit scores)
Example 1
Company A is a parcel delivery company, and it wants to install trackers on its vehicles so it can monitor routes, fuel use and delivery performance throughout the working day. Some of the employees are allowed to take their vehicles home at night and use them for their own purposes. Company A wants to understand how the trackers will work in practice and make sure that the tracker (and its software) works as intended. This creates a privacy risk so a DPIA is needed, and they should assess:
- Whether tracking can be turned on/off or pre-set to only collect information during certain times
- How to avoid collecting information about private (out-of-hours) activity
- How long information is kept for, where it is stored and who has access to it
- Whether employees will be told about the trackers and, if so, whether they understand what the information is going to be used for
Step 1: Use a Pre-Screener First
You don’t always need to do a full DPIA, but you should start by using a pre-screener – it's like a checklist that helps you decide if you need a full DPIA. If you answer YES to one or more of these, you probably need a full DPIA:
- Are you collecting sensitive data (like health, race, religion)?
- Are you monitoring people (like CCTV, GPS tracking)?
- Are you making decisions about people using AI or automation?
- Are you going to be using a new technology or system that collects personal data (e.g. facial recognition)?
- Are you going to be sharing the information with organisations or people that have not had access to that information before?
- Could the data use cause serious harm or upset if the system goes wrong?
If you're not sure, ask your Data Protection Officer (DPO) if you have one or the JOIC for advice.
Keep a record of your decision, even if it’s that you don’t need to do a full DPIA. This is important if something happens and you need to explain what steps you took and why.
Step 2: How to Do a DPIA – Easy Steps
Here’s how to carry out a DPIA in 6 simple steps:
Describe the project
- What are you doing? Why? What personal data are you using? How? What are the systems and software you will be using?
List the risks
- How could this use of data affect people? Could it be lost, leaked, misused, or misunderstood? Could it end up in an unsafe place (like a country that has poor data protection safeguards)?
Find ways to reduce the risks
- What can you do to protect the data better? (E.g. use passwords, collect less data, set shorter time limits, limit access to certain people, pick software that was developed in Jersey/the EU, store information only in Jersey or somewhere that offers the same level of safety/security)
Write it down
- Fill out a DPIA form or template. Be clear and honest. We have a template you can use here.
Ask for advice
- Talk to your DPO, team, or managers. You might even ask the people affected. You need to involve the right people in your project. You can also get in touch with us.
Decide if you can go ahead
- If there's still a big risk to people after all your fixes, you must ask the JOIC to check your DPIA before you start. You will not be able to start processing until the JOIC have carried out a review.
You can send us your DPIA via our website here.
What to include in your DPIA
- What you're doing and why (sometimes diagrams help)
- What types of data you’re using
- Who the data is about
- What risks you’ve identified
- What steps you’ll take to keep data safe
- Who you’ve spoken to for advice
- A plan to check and update the DPIA later
When should you do a DPIA?
- BEFORE THE PROJECT STARTS - when you’re still planning. This is so you can make smart changes before anything goes wrong.
Where Can You Get Help?
- Use the JOIC's DPIA pre-screener checklist and template
- Ask your DPO/data protection lead
- Contact the JOIC if you’re unsure or think there are big risks that you’ve not been able to manage (mitigate), and the risks remain.
Consulting with the JOIC
You must submit your DPIA for consultation with the JOIC for “high risk” processing. It is a legal requirement, and you can submit this via a secure portal on our website here.
We will review the notification submitted and may ask you for clarification or further information and will give written advice within eight (8) weeks or fourteen (14) weeks in complex cases.
If we consider that the risk/harms to the individual are low, and/or that you have taken appropriate steps to deal with the risks, we may conclude that no further formal action is necessary.
We may, however, undertake further investigations and can commence a formal Inquiry under Art.21 of the Data Protection Authority (Jersey) Law 2018 (DPAJL 2018). This could result in our making formal findings that what you want to do is likely to contravene the DPJL 2018, and in our issuing a formal warning not to process the data or an order that you are not allowed to process the data in the way you want to.
What is data protection by design and default?
The DPJL 2018 requires you to consider data protection issues for every aspect of your processing activities. This is called “data protection by design and default”. The DPJL 2018 takes a risk-based approach; the focus of this principle is on accountability, and it allows you to show how you are complying with this requirement.
Arts.15(1) and 15(2) of the DPJL 2018 set out the requirements for data protection by design and say that:
A controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures that are designed to:
- implement the data protection principles in an effective manner; and
- integrate the necessary safeguards into the processing to meet the requirements of this Law and protect the rights of data subjects.
In determining whether or not a measure is appropriate for the purposes of this Article, regard must be had to the state of technological development, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
Arts.15(3) and 15(4) of the DPJL 2018 set out the requirements for data protection by default and say that:
The technical and organizational measures must ensure as far as practicable that, by default –
- only personal data that are necessary for each specific purpose of the processing are processed; and
- personal data are not made accessible to an indefinite number of natural persons without the data subject’s consent or other lawful authority.
Paragraph (3) applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
Art.15(5) says that if you adhere to a code or certification scheme, this may provide evidence of compliance with the by design and default requirements.
The European Data Protection Board (EDPB) adopts guidelines for complying with the requirements of the EU GDPR. It has adopted guidelines on Data Protection by Design and Default. EDPB guidelines are not directly relevant to Jersey’s data protection regime, but they may provide helpful guidance on certain issues.
What is data protection by design?
Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process, and then throughout its lifecycle. It is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the fundamental principles and requirements of the law, and it forms part of the focus on accountability.
The DPJL 2018 requires you to:
- put in place appropriate technical and organisational measures designed to implement the data protection principles effectively; and
- integrate safeguards into your processing so that you meet the DPJL 2018’s requirements and protect individual rights.
This means you must integrate or ‘bake in’ data protection into your processing activities and business practices from the design stage, right through its lifecycle.
Data protection by design has broad application. Examples include:
- Developing new IT systems, services, products and processes that involve processing personal data;
- Developing organisational policies, processes, business practices and/or strategies that have privacy implications;
- Physical design;
- Embarking on data sharing initiatives; or
- Using personal data for new purposes.
What is data protection by default?
Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.
You have to process some personal data to achieve your purpose(s). Data protection by default means you need to specify this data before the processing starts, appropriately inform individuals and only process the data you need for your purpose. It does not require you to adopt a ‘default to off’ solution. What you need to do depends on the circumstances of your processing and the risks posed to individuals.
Nevertheless, you must consider things like:
- Adopting a ‘privacy-first’ approach with any default settings of systems and applications;
- Ensuring you do not provide an illusory choice to individuals relating to the data you will process;
- Not processing additional data unless the individual decides you can;
- Ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- Providing individuals with sufficient controls and options to exercise their rights.
Who is responsible for complying with data protection by design and by default?
Art.15 of the DPJL 2018 specifies that, as the controller, you have responsibility for complying with data protection by design and by default. Depending on your circumstances, you may have different requirements for different areas within your organisation. For example:
- Your senior management, e.g. developing a culture of ‘privacy awareness’ and ensuring you develop policies and procedures with data protection in mind;
- Your software engineers, system architects and application developers, e.g. those who design systems, products and services should take account of data protection requirements and assist you in complying with your obligations; and
- Your business practices, e.g. you should ensure that you embed data protection by design in all your internal processes and procedures.
This may not apply to all organisations, of course. However, data protection by design is about adopting an organisation-wide approach to data protection, and ‘baking in’ privacy considerations into any processing activity you undertake. It does not apply only to organisations that have their own software developers and systems architects.
Recital 78 of the EU GDPR gives further guidance on how controllers can demonstrate compliance with the by design and default requirements:
“The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.”
In considering whether to impose a penalty, the JOIC will consider the technical and organisational measures you have put in place in respect of data protection by design. Additionally, under the DPJL 2018 we can issue sanctions against you for any failings in respect of Art.15.
What about data processors?
If you use another organisation to process personal data on your behalf, then that organisation is a data processor under the DPJL 2018.
Art.15 does not mention data processors specifically. However, Art.19 specifies the considerations you must take whenever you are selecting a processor. For example, you must only use processors that provide:
“sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of this Law and ensure the protection of the rights of the data subject”
This requirement covers both data protection by design in Art.15 as well as other aspects (e.g. your security obligations under Art.21). Your processor cannot necessarily assist you with your data protection by design obligations (unlike with security measures); however, you must only use processors that provide sufficient guarantees to meet the DPJL 2018’s requirements.
What about other parties?
Data protection by design and by default can also impact organisations other than controllers and processors. Depending on your processing activity, other parties may be involved, even if this is just where you purchase a product or service that you then use in your processing. Examples include manufacturers, product developers, application developers and service providers.
Recital 78 of the EU GDPR extends the concepts of data protection by design to other organisations, although it does not place a requirement on them to comply – that remains with you as the controller. It says: “When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”
Therefore, when considering what products and services you need for your processing, you should look to choose those where the designers and developers have taken data protection into account. This can help to ensure that your processing adheres to the data protection by design requirements.
If you are a developer or designer of products, services and applications, the DPJL 2018 places no specific obligations on you about how you design and build these products. (You may have specific obligations as a controller in your own right, e.g. for any employee data.) However, you should note that controllers are required to consider data protection by design when selecting services and products for use in their data processing activities – therefore if you design these products with data protection in mind, you may be in a better position.
What do you need to do?
You must put in place appropriate technical and organisational measures designed to implement the data protection principles effectively and safeguard individual rights. There is no ‘one size fits all’ method to do this, and no one set of measures that you should put in place. It depends on your circumstances.
The key is that you consider data protection issues from the start of any processing activity and adopt appropriate policies and measures that meet the requirements of data protection by design and by default. Some examples of how you can do this include:
- Minimising the processing of personal data.
- Pseudonymising personal data as soon as possible.
- Ensuring transparency in respect of the functions and processing of personal data.
- Enabling individuals to monitor the processing.
- Creating (and improving) security features.
This is not an exhaustive list. Complying with data protection by design and by default may require you to do much more than the above, but we cannot provide a complete guide to all aspects of data protection by design and by default in all circumstances. This guidance identifies the main points for you to consider. Depending on the processing you are doing, you may need to obtain specialist advice that goes beyond the scope of this guidance.
When should you do this?
Data protection by design starts at the initial phase of any system, service, product, or process. You should begin by considering your intended processing activities, the risks that these may pose to individuals, and the possible measures available to ensure that you comply with the data protection principles and protect individual rights. These considerations must cover:
- The state of the art and costs of implementation of any measures.
- The nature, scope, context and purposes of your processing.
- The risks that your processing poses to the rights and freedoms of individuals.
This is similar to the information risk assessment you should do when considering your security measures.
These considerations lead into the second step, where you put in place actual technical and organisational measures to implement the data protection principles and integrate safeguards into your processing.
This is why there is no single solution or process that applies to every organisation or every processing activity, although there are a number of commonalities that may apply to your specific circumstances as described below.
The DPJL 2018 requires you to take these actions “at the time of the determination of the means of the processing” – i.e. when you are at the design phase of any processing activity; and “at the time of the processing itself” – i.e. during the lifecycle of your processing activity.
What are the underlying concepts of data protection by design and by default?
You should take a proactive approach to data protection and anticipate privacy issues and risks before they happen, instead of waiting until after the event. This doesn’t just apply in the context of systems design – it involves developing a culture of awareness across your organisation.
You should design any system, service, product, and/or business practice to protect personal data automatically. With privacy built into the system, the individual does not have to take any proactive steps to protect their data.
Embed data protection into the design of any systems, services, products and business practices. You should ensure data protection forms part of the core functions of any system or service, so that it is integral to these systems and services.
Put in place strong security measures from the beginning and extend this security throughout the ‘data lifecycle’ – i.e. process the data securely and then destroy it securely when you no longer need it.
Ensure that whatever business practice or technology you use operates according to its premises and objectives and is independently verifiable. It is also about ensuring visibility and transparency to individuals, such as making sure they know what data you process and for what purpose(s) you process it.
Keep the interest of individuals paramount in the design and implementation of any system or service, e.g. by offering strong privacy defaults, providing individuals with controls, and ensuring appropriate notice is given.
How do you do this in practice?
One means of putting these concepts into practice is to develop a set of practical, actionable guidelines that you can use in your organisation, framed by your assessment of the risks posed and the measures available to you.
However, how you go about doing this depends on your circumstances – who you are, what you are doing, the resources you have available, and the nature of the data you process. You may not need to have a set of documents and organisational controls in place, although in some situations you will be required to have certain documents available concerning your processing.
The key is to take an organisational approach that achieves certain outcomes, such as ensuring that:
- You consider data protection issues as part of the design and implementation of systems, services, products and business practice.
- You make data protection an essential component of the core functionality of your processing systems and services.
- You only process the personal data that you need in relation to your purpose(s), and that you only use the data for those purposes.
- Personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy.
- The identity and contact information of those responsible for data protection are available both within your organisation and to individuals.
- You adopt a ‘plain language’ policy for any public documents so that individuals easily understand what you are doing with their personal data.
- You provide individuals with tools so they can determine how you are using their personal data, and whether you are properly enforcing your policies.
- You offer strong privacy defaults, user-friendly options and controls, and respect user preferences.
Many of these relate to other obligations in the DPJL 2018, such as transparency requirements, documentation, Data Protection Officers and DPIAs. This shows the broad nature of data protection by design and how it applies to all aspects of your processing. Our guidance on these topics will help you when you consider the measures you need to put in place for data protection by design and by default.
Data Protection Impact Assessments
What is a DPIA?
You must carry out a DPIA before carrying out types of processing likely to result in high risk to individuals’ rights and freedoms. If your DPIA identifies a high risk you cannot mitigate, you must consult us.
A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.
A DPIA does not have to indicate that all risks have been eradicated. But it should help you document them and assess whether any remaining risks are justified.
DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.
A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.
It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise. You should see it as an ongoing process that is subject to regular review.
When do you need a DPIA?
You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.
Although the DPJL 2018 sets out specific circumstances when a DPIA must be conducted, it is considered best practice to use DPIAs for any new initiative involving the processing of personal data by a controller. Incorporating a DPIA into your organisation’s processes will help embed the principle of privacy by design and default into your culture.
What is meant by “high risk to the rights and freedoms of natural persons”?
There is no definition of what constitutes a “high risk to the rights and freedoms of natural persons” in the DPJL 2018; however, risk in this context is about the potential for any significant physical, material or non-material harm to individuals.
The term “risk” implies that there is more than a remote chance of some harm occurring. “High risk” implies a higher degree or threshold of risk, either because the harm is more likely, or the potential harm is more severe, or a combination of both.
The question for such initial screening purposes is whether the processing is of a type likely to result in a high risk. You should look at whether there are features in the proposed process, operation, plan or service that suggest that there is the potential for high risk. You should look at the likelihood and severity of the potential harm.
Are there any specific processing activities which require a DPIA to be conducted?
Art.16 of the DPJL 2018 says you must do a DPIA in certain circumstances, and specifically if you plan to:
- use systematic and extensive profiling of personal aspects relating to natural persons that is based on automated processing, and on which decisions are based that produce legal effects concerning, or similarly significantly affecting, those persons;
Examples
- A local bank wants to use AI-driven credit scoring to automatically approve or reject mortgages and other loan applications without any human involvement.
- An offshore investment firm uses automated risk profiling tools to determine client suitability and decide whether individuals can access certain investment products.
- A recruitment company plans to use AI software to screen job applicants and automatically reject those who don’t meet certain personality or behaviour criteria.
- An insurance provider deploys a digital platform that automatically assesses claims and rejects or flags them based on algorithmic fraud detection, with little or no human input.
- process special category data on a large scale; or
Examples
- Jersey’s main hospital digitises all patient records, including mental health, sexual health, and genetic test results, for the entire population.
- A group of financial services companies adopts a shared biometric access system that uses facial recognition for all employees across multiple offices in multiple jurisdictions.
- A local wellness or private health provider offers an app that tracks users’ physical and mental health, storing data for a substantial portion of the population.
- Jersey’s health department partners with researchers to study the prevalence of chronic illness in the island's population using special category data like ethnicity, disability status, and health history.
- systematically monitor publicly accessible areas on a large scale.
Examples
- The island’s government installs high-definition CCTV and facial recognition software in the airport, ferry terminal, in the Royal Square, and in other key public spaces for national security and public order purposes.
- A major financial district introduces an integrated surveillance system with AI-based motion tracking and license plate recognition across all building exteriors and public walkways.
- A tech firm deploys drones to monitor public events (e.g., regattas, Liberation Day celebrations, or protests) and uses video analytics to identify incidents in real time.
- A commercial landlord installs smart surveillance cameras in a large retail or business park, continuously recording and analysing customer or employee movements across multiple tenants.
There may be times when a DPIA isn’t strictly mandatory by law but is still strongly recommended due to the potential risks to individual rights and freedoms. For example, where the intended processing:
- Isn’t particularly risky or highly sensitive on its own but combined factors make it risky.
- Could erode trust or have unintended consequences.
- Is novel, intrusive or opaque/hard to explain in how it impacts individuals.
Examples
- A finance firm wants to use a new AI tool to assist with client investment advice. It doesn’t make automated decisions, but the logic is opaque and may influence important choices.
- An HR department rolls out an employee productivity monitoring app (e.g., tracking time spent on apps, keystrokes, or screenshots), even if it's only used for performance reviews, not automatic decisions.
- The Government of Jersey decides to merge housing, welfare, and social care data to better target services. Individually these systems aren’t high risk, but combined profiling raises privacy issues, particularly if the data is compromised.
- A banking group links internal customer data with data from social media or external sources to enhance client risk scoring or marketing.
- A charity collects data on elderly or disabled residents for care coordination from multiple service providers.
- A private school uses an online mental health survey for students to flag pastoral concerns — this may involve special category data and minors.
- A large company outsources payroll and HR data processing to a third-party vendor — the data may not be special category, but if mishandled, could lead to identity theft or employment discrimination.
- A marketing firm wants to collect biometric data for in-person event access using facial recognition, with “opt-in” consent. Even with consent, the sensitivity and novelty warrant a DPIA.
What needs to be in a DPIA
The DPJL 2018 doesn’t mandate any specific format, but we have a template DPIA you can use which can be found here. We also have a checklist to keep you on track that can be found here.
Art.16(6) of the DPJL 2018 says that a DPIA must contain the following minimum requirements:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller.
- You should clearly explain what personal data you plan to collect and use, how you will process it, and why you are doing it. This includes describing the steps involved (e.g., collecting, storing, analysing, sharing), and if you're relying on “legitimate interests” as your legal basis you need to explain what those interests are and why they are necessary. In short – you should be able to explain exactly what you’re doing with people’s data, and why.
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes.
- You need to explain why the data processing is necessary to achieve your goal, and whether you're doing only what’s needed — no more than that. In other words, ask yourself: Do we really need to process this personal data to meet our purpose? Are we using the least intrusive approach possible to get the job done? This is about making sure your data processing is reasonable, appropriate, and not excessive for the purpose you've described.
- an assessment of the risks to the rights and freedoms of natural persons referred to above.
- You need to identify and explain the possible risks to people’s privacy, rights, or freedoms that could come from your data processing. This includes things like:
  - The risk of a data breach (someone’s personal information being lost, stolen, or exposed)
  - People being unfairly treated or profiled
  - Individuals feeling like they have no control over how their data is used
  - Any risk of harm, stress, or discrimination
  It’s about looking at what could go wrong and how that could negatively impact individuals.
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the DPJL 2018, taking into account the rights and legitimate interests of any person.
- What are you planning to do to handle the risks? This includes things like:
  - Steps you’ll take to keep personal data safe (like passwords, encryption, etc.)
  - Rules or systems you’ll use to protect people’s data
  - Ways to show that you’re following the law (the Data Protection (Jersey) Law 2018)
  And while doing all this, you also need to think about what’s fair and respectful to the people whose data you’re using—their rights and what’s in their best interest.
Who do you need to consult with to complete a DPIA?
The DPJL 2018 does not specify exactly who must be consulted during the DPIA process, but it is good practice to involve stakeholders who can help identify and assess data protection risks. You may wish to consider consulting with internal teams such as IT, legal, compliance, HR and Information Security.
Where appropriate, input from employees, customers and members of the public can also help ensure that the DPIA accurately captures and deals with the likely impact of the processing on individuals. Art.16(8) of the DPJL 2018 confirms that there is an expectation that appropriate consultation will be carried out, involving relevant stakeholders:
“Where appropriate, the controller must seek the views of data subjects or their representatives on the intended processing, without limiting the protection of commercial or public interests or the security of processing operations.”
Additionally, if your organisation has appointed a Data Protection Officer, their involvement is required under Art.26(1)(g) of the DPJL 2018, as their duties include advising on:
- Whether to carry out the DPIA.
- The methodology that should be followed in carrying it out.
- Whether to carry it out in-house or outsource it.
- What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of data subjects.
- Whether or not the assessment has been carried out correctly and whether its conclusions (whether to go ahead with the processing and what safeguards are to apply) are in compliance with the DPJL 2018.
- Whether any mandatory consultation with the Authority under Art.17 or 18 is required.
Consulting Obligations
Art.17 of the DPJL 2018 says that you need to submit a DPIA to us before you start processing personal data if the DPIA shows that your planned processing is likely to result in a high risk to people's rights and freedoms and you can’t reduce or remove that risk.
We provide a secure notification web form for data controllers to submit a DPIA for consultation. You need to answer the questions on the form and follow the requirements of Art.17(2) which says that:
“Before starting the processing, the controller must consult the Authority giving the following information in writing – (a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the proposed processing, in particular for processing within a group of undertakings; (b) a copy of the data protection impact assessment; (c) the contact details of any data protection officer; and (d) any other information required by the Authority.”
What happens once a DPIA has been submitted for consultation
We will consider the information provided. If the risk is high and unavoidable, the JOIC can:
- Give advice
- Tell you what changes you need to make
- Say you can’t go ahead until the risks are addressed
If we think that the proposed processing would be in contravention of the DPJL 2018 (in particular where you have insufficiently identified or mitigated the risk) we must give written notice of our opinion to the controller (and, where applicable, the processor) without undue delay and, in any event, within eight (8) weeks of receiving your submission. We can extend that initial period by a further six (6) weeks in complex matters.
Please note that if we request further information from you during the process, the clock pauses until you respond (i.e. it doesn’t count towards the eight (8) or six (6) week limit).