Financial Services Toolkit Factsheet

The financial services toolkit has been shaped and developed as part of a collaborative project between the Jersey Office of the Information Commissioner (JOIC) and representatives from the financial services industry.

The toolkit guidance is intended to explain what best practice looks like for organisations across the sector and in particular, compliance and operational teams who are responsible for overseeing the day-to-day management of data protection matters within their organisation.

The tailored toolkit now provides finance industry professionals with easy access to a ‘one-stop-shop’ portal of selected data protection guidance and checklists.


A steering committee including the main financial services associations and a separate working group comprising representatives from the below relevant associations as well as representatives from a large international bank and global financial services business, have supported the creation and implementation of the Jersey Office of the Information Commissioner Financial Services Data Protection Toolkit.

Channel Islands Treasurers Association
Jersey Bankers Association
Jersey Finance Limited
Jersey Funds Association
The Chartered Institute for Securities & Investment
The Jersey Association of Trust Companies
The Jersey Branch of the Society of Trust and Estate Practitioners
The Jersey Compliance Officers Association
The Jersey Society of Chartered and Certified Accountants


The toolkit is part of a suite of data protection ‘one-stop-shop’ resources for data controllers and processors. The financial services toolkit sits alongside kits for small, medium and large organisations, charities and non-executive directors.

Each toolkit is sub-divided into relevant topical categories. The financial services toolkit is divided into the following six categories as selected by industry representatives.

  1. Overview

This category highlights:

  • Funds and data protection FAQs.
  • Private wealth and data protection FAQs.
  • General regime for administered Controllers / Processors under the Regulations and the Law.
  1. Data Controllers and Processors

This category highlights:

  • Definitions of a controller and processor and guidance relevant to those roles.
  • Appointing a data processor.
  • Guidance on what and how to complete a processor/supplier review.
  • Elements of a good data protection policy.
  1. Embedding Data Protection into your business operations

Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the Data Protection (Jersey) Law 2018's fundamental principles and requirements, and forms part of the focus on accountability.

This category highlights:

  • Guidance on a record of processing activity.
  • Guidance on data protection impact assessments.
  1. Data Security and Breaches

A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about ‘losing’ personal data.

This category highlights:

  • Guidance on data breaches and security requirements.
  • Breach reporting (when it’s required and how to do it).
  • Surveillance and CCTV.
  1. Personal Information and Individual Rights

Data protection is about the fair and lawful use of information about people. It’s about treating people fairly, being transparent about how you’re using their information, recognising their right to have control over their own information and their interactions with others, and striking a balance between the rights of the individual and the interests of the business using that information.Part 6 of the Data Protection (Jersey) Law 2018 gives rights to individuals in respect of personal data held about them by others.

This category highlights:

  • Guidance on handling personal information.
  • Guidance on individual rights and how to respond to requests made by individuals seeking to exercise those rights
  1. Data Protection Officer/Lead

The primary role of the data protection officer (DPO) is to ensure that the organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the Data Protection (Jersey) Law 2018.

This category highlights:

  • When a formal DPO is legally required
  • Guidance on the responsibilities of a DPO or responsible person.

*See the 'Financial Services Data Protection Toolkit Contents' pdf in the red box to the right of this page, for the full list of contents.


The toolkit is accessed via the website. To view the toolkit, you will need an individual user profile.

Follow all of the steps below.

If you ARE the Data Protection Officer or Data Protection Lead for your organisation, you will already have the login details you require. Click here to visit the toolkit page.

If you are NOT the Data Protection Officer or Data Protection Lead for your organisation, you will need to follow these steps:

1 - Create an individual ‘user profile’ for yourself using your work email address.
2 – Then contact your organisation’s Data Protection Officer, Data Protection Lead or the person who is listed as the main contact for the Jersey Office of the Information Commissioner (JOIC), at your organisation. Your Data Protection Officer, Data Protection Lead or main contact for JOIC must then advise the JOIC office via of your eligibility to access the financial services toolkit, providing JOIC with your email address. You will receive an email notification to confirm your request has been actioned.


Each time you log in and visit the toolkit, you will have the opportunity to provide instant feedback via a short survey.

Please note the Toolkit documents are purely for guidance and do not constitute legal advice or legal analysis. Organisations may need to seek independent legal advice when renewing, enhancing or developing their own processes and procedures or for specific legal issues and/or questions.