What’s new under the Data Protection (Jersey) Law 2018?
The Data Protection (Jersey) Law 2018 (DPJL) introduces a new obligation to do a DPIA before carrying out types of processing likely to result in high risk to individuals’ rights and freedoms. If your DPIA identifies a high risk you cannot mitigate, you must consult us.
This is a key part of the new focus on accountability and data protection by design.
Some organisations already do privacy impact assessments (PIAs) as a matter of good practice. If so, the concept will be familiar, but you still need to review your processes to make sure they comply with GDPR requirements. DPIAs are now mandatory in some cases, and there are specific legal requirements for content and process.
If you do not already have a PIA process, you need to design a new DPIA process and embed it into your policies and procedures.
You also need to review your existing processing operations and decide whether you need to do a DPIA, or review your PIA, for anything that is likely to be high risk. You do not need to do a DPIA if you have already considered the relevant risks and safeguards in another way, unless there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.
What is a DPIA?
A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.
A DPIA does not have to indicate that all risks have been eradicated. But it should help you document them and assess whether or not any remaining risks are justified.
DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.
A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.
It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise. You should see it as an ongoing process that is subject to regular review.
When do we need a DPIA?
You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.
In particular, the DPJL says you must do a DPIA if you plan to:
See Articles 15 and 16 of the Data Protection (Jersey) Law 2018.
When considering if your processing is likely to result in high risk, you should consider the relevant European guidelines. These define nine criteria of processing operations likely to result in high risk. While the guidelines suggest that, in most cases, any processing operation involving two or more of these criteria requires a DPIA, you may consider in your case that just meeting one criterion could require a DPIA.
You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.
Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data. You can use or adapt the checklists to help you carry out this screening exercise.
How do we carry out a DPIA?
A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:
You must seek the advice of your data protection officer (if you have one). You should also consult with individuals and other stakeholders throughout this process.
The process is designed to be flexible and scalable.
Do we need to consult the JOIC?
You don’t need to send every DPIA to the JOIC and we expect the percentage sent to us to be small. But you must consult the JOIC if your DPIA identifies a high risk and you cannot take measures to reduce that risk. You cannot begin the processing until you have consulted us.