How well do you comply with data protection law? A self-assessment for small business owners and sole traders

This self-assessment tool has been created with small business owners and sole traders in mind. It is also suitable for small membership organisations, such as sports clubs. Good information handling makes good business sense. You'll enhance your business's reputation, increase customer and employee confidence, and, by making sure personal information is accurate, relevant and safe, save both time and money.

Use our self-assessment tool to improve your understanding of data protection and find out what you need to do to make sure you are keeping people’s personal information secure. Once you have completed the checklist a short report will be created suggesting some practical actions you can take and providing links to additional guidance you could read that will help you improve your data protection knowledge and compliance.

Every business, club, or association that processes (uses) personal information (including names and addresses) is required to register with our office. You must do this before you start processing (using) any personal information. You must also pay a fee to the Jersey Office of the Information Commissioner, unless exempt. If you are registering with the Jersey Office of the Information Commissioner for the first time, you will need to create a user profile.

Before you start, you may want to read the following introductory guidance notes.

For each question, you will find more information in a tick box. You may want to look at this before you answer the question.


Data Protection Jargon Buster

Personal Information Checklist

Duties of Data Controllers

Duties of a Data Processor


1. Do you have a record of what personal information you hold? Do you know what you use it for? Do you know where you're getting it from and where it's going?

More Information

  • Have you thought about what information comes into, through, and out of your business?
  • Does this information include personal information about your customers? This could include names and addresses of people you deliver goods to, contacts you use for telemarketing, and members’ enrolment details.
  • Do you know why you collect and hold personal information?
  • Why are you legally allowed to do so?
  • Have you made a record of the personal information you hold, what you do with it and why you hold it?


Do your records include the following information?

  • The type of personal information you have, such as names and email addresses.
  • How you got the personal information, such as on paper forms or through your website.
  • Why you have the personal information.
  • How long you’ve had the personal information or will keep it.
  • If you share the personal information and if so who with.
  • If the personal information is ‘special category data’ or sensitive data, such as medical information.

2. Do people know you have their personal information and understand how you use it?

More Information

  • Do you tell people how you use their personal information?
  • Do you tell people if you’re sharing their personal information?
  • Do you tell people what you plan to do with their personal information either in paper form, such as using leaflets or posters, or online through a privacy notice or statement?

The Law says you must tell people how you're using their information.


Do you have a statement (sometimes called a privacy policy or privacy notice) that includes all the below information?

  • The name of your business and the person responsible for data protection.
  • Why you hold the personal information (your lawful basis) and what you do with it.
  • Where you got the personal information from.
  • Who you share the personal information with and how you do this, including any sharing outside Jersey.
  • How long you keep the personal information for.
  • How people can request access to, or correction or deletion of, their personal information.
  • How to complain to the JOIC.
  • Whether you make automated decisions or do profiling based on the personal information you hold.

3. Do you only collect the personal data you need?

More Information

  • Do you only collect the personal information you need to work with and use?
  • Do you make sure people know the difference between information they need to provide and information that is optional?


For example:

Dave is a window cleaner. He collects his customers’ names and addresses, which he needs to be able to clean their windows.

Dave would also like to collect his customers’ email addresses so he can email their bills instead of posting them through their front doors. As this is not necessary for him to carry out his services, he tells his customers that giving him this information is optional.

4. Do you only keep personal information for as long as it is needed?

More Information

  • Have you decided and documented how long you will hold the personal information you collect?
  • Do you refresh or destroy personal information after specified periods of time?
  • Do you securely delete or destroy personal information as soon as you no longer need it?

Some information might need to be kept longer than other information, so you might have different retention periods for different types of information.


For example:

Sandy is a newsagent. She collects the name, address and phone number of her customers, as well as their weekly newspaper orders and details of their payments.

Sandy creates a document that details what personal information she collects and how long she holds it (the retention period).

Sandy needs to keep her accounting information for longer than some of the other information. At the end of the retention period, she securely destroys the personal information by deleting it.

She also annually checks the personal information she holds to make sure everything has been deleted at the end of its retention period.

5. Do you keep personal information accurate and up to date?

More Information

  • Do you regularly check that the personal information you hold is accurate and up to date?


For example:

Ashley is the manager of a local football team. Every month he emails the team about upcoming matches. Ashley should regularly check with the team members that the email addresses are still accurate.

  • Can you update information quickly if asked to by an individual?

6. Do you keep personal information secure?

More Information

  • Do you keep personal information secure, for example by using lockable filing cabinets, by locking or logging off computers when away from your desk, or by returning it to a safe place when it is not in use?
  • Do you take steps to keep personal information secure before you take it out and about or send it somewhere else? For example, do you only take with you the data you need or send it in advance by secure methods?
  • Do you keep paper documents secure, say by using lockable storage and disposing of paper records securely?
  • Do you keep electronic data secure, say by encrypting mobile devices, using passwords and backing up the data?

7. Do you have a way for people to exercise their rights regarding the personal data you hold about them?

More Information

Do you know about the rights individuals have under the Data Protection (Jersey) Law 2018?


In summary these are as follows:

a. Right to be informed – being told what personal information you hold about them and what you do with it.

b. Right to subject access (sometimes referred to as a right of access request, a subject access request (a 'SAR') or a data subject access request (a 'DSAR')) – being able to request a copy of the information you hold about them.

c. Right to rectification – being able to have inaccurate data corrected.

d. Right to erasure – being able to ask you to delete/destroy their data.

e. Right to restriction of processing – being able to limit the amount or type of data used.

f. Right to data portability – requesting to move their data electronically to another business.

g. Right to object to processing – for the purpose of public functions or legitimate interests, for direct marketing purposes, and for historical or scientific purposes.

h. Right regarding automated individual decision-making and profiling.

  • Do you have plans in place so you can deal with any requests?
  • Do you know that a request can be made in writing or verbally, in person or on the phone?

A request could be made over the phone, in an email, face to face or via a social media message. It doesn’t have to be made formally in writing by letter. If you can, treat requests that are easily dealt with as routine matters, in the normal course of business.

For example: Rob, a local football-team manager, receives a call from a player asking for details of all the matches he has played in the last year. This can be dealt with as business as usual.

Sylvia (a newsagent) is asked by a customer in the shop for the balance of her account. This can be dealt with as business as usual.

You would probably want to treat the following requests in a more formal way:

One of Susan’s ex-employees requests a copy of the reference she gave about him to a prospective new employer.

Bradley manages the under-10s football team and receives a request from one of the children’s parents for a copy of the information held on their child.

Sometimes you might not be able to do what the data subject asks you to do with their data, e.g. erase or rectify it. This could be because, for example, the law requires you to keep the information for a certain period of time.

8. Do you and your staff (if you have any) know your data protection responsibilities?

More Information

  • Have you trained all your staff who handle personal information on their data protection responsibilities?

For example:

Craig is a builder and employs two office staff. He has briefed them about keeping personal information safe and secure, explained to them what data protection information he has given his clients, and told them what to do if anything goes wrong or records go missing. He also displays a poster in the office and does an office sweep every week to check that personal information is locked away securely.

  • Do you know what to do if something goes wrong, including a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information.

This includes breaches that result from both accidental and deliberate causes. A breach is therefore about more than just losing personal information.

  • Do you know which breaches to report to the JOIC?

A breach can have a range of adverse effects on individuals, which include emotional distress and physical and material damage. You need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. You must notify the JOIC unless it is unlikely there is a risk to them.

  • Do you know which breaches you have to inform individuals of?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the Data Protection (Jersey) Law 2018 says you must inform those concerned directly and without undue delay. In other words, as soon as possible.


Small Organisation and Sole Trader Self Assessment

Overall rating

RED: not in place

AMBER: partially in place

GREEN: in place

1. Do you have a record of what personal information you hold? Do you know what you use it for? Do you know where you're getting it from and where it's going?

Suggested actions:

You should:

  • read our guidance to help you identify your lawful basis.
  • create a record, such as a spreadsheet, of the personal information you hold, what you do with it and your lawful basis for processing it.

Note: You don’t need to record every piece of personal information you hold, just the type of information. For example, recording ‘email addresses’, rather than a list of all the email addresses you hold.


2. Do people know you have their personal information and understand how you use it?

Suggested actions:

If you don’t have a privacy policy currently, you must create one that includes:

  • the name of your business and the person responsible for data protection
  • why you hold the personal information (your lawful basis) and what you do with it
  • where you got the personal information from
  • who you share the personal information with and how you do this (including any sharing outside Jersey)
  • how long you keep the personal information for
  • how people can request access to, or correction or deletion of, their personal information
  • how to complain to the JOIC
  • whether you make automated decisions or do profiling based on the personal information you hold
  • whether you publish this information on any leaflets, posters or websites you use

Suggested reading:

Privacy Policy Checklist

Privacy Policy Template (SME)


3. Do you only collect the personal data you need?

Suggested actions:

Things you should do now:

  • Review all the personal information you hold and decide what you need to operate your business and what is nice to have.
  • Securely destroy anything that you don’t need to use or keep.

In the future:

  • When you collect personal information, tell the person what information they need to provide and what is optional.
  • Regularly check the personal information you are collecting to make sure you're only collecting what you need and that you still need it.

Suggested reading:

Data Protection Principles

4. Do you only keep personal information for as long as it is needed?

Suggested actions:

You should:

  • decide and record how long you should be holding the personal information you collect. This will vary depending on the personal information and why you have it
  • destroy information you have been holding for longer than the times you have identified, and
  • regularly check you are not keeping personal information longer than you need to.

Suggested reading:

Do We Need a Retention Policy?

5. Do you keep personal information accurate and up to date?

Suggested actions:

You should:

  • regularly check the personal information you hold to make sure it is still accurate and up to date (how regularly you check depends on what you are processing and why), then
  • make sure you can easily and quickly update any information you have.

6. Do you keep personal information secure?

Suggested actions:

You should review (and improve, if necessary) your current security arrangements in your office or home working environment. Here are some ways you can do this:

  • Use computer passwords and don’t share them. If you think someone may know your password, change it.
  • Lock or log off computers when you are away from your desk.
  • Dispose of confidential paper waste securely by shredding it.
  • Dispose of IT equipment securely and make sure there is no personal information left on any hard drives.
  • Take care when opening emails and attachments or visiting new websites in case of malicious links and malware.
  • Make sure paper copies of personal information are securely stored when not being used.
  • Make visitors sign in and out of the premises. Accompany them in areas normally restricted to staff.
  • Encrypt any mobile devices and only use secure wi-fi.
  • Encrypt personal information being taken out of the office, especially if it would cause damage or distress if lost or stolen.
  • Be aware of your surroundings when working outside the office, say in a cafe. Make sure people can’t inadvertently see any personal information you are working on.
  • Make sure you back up your data.
  • Limit access to personal information to those who really need it.
  • Minimise paper information taken out of the office.
  • Don't leave things in unsecure areas e.g. cars overnight.

Suggested reading:

A Practical Guide to IT & Cyber Security

7. Do you have a way for people to exercise their rights regarding the personal data you hold about them?

Suggested actions:

You should:

  • ensure that all staff are aware of these rights
  • train your staff about what requests might come in from individuals, what to do if this happens and who will be dealing with those requests
  • make sure you can act on the requests; for example, make sure your computer programs allow you to delete or amend information, and
  • make sure you know how long you have to respond to a request.

8. Do you and your staff (if you have any) know your data protection responsibilities?

Suggested actions:

You should:

  • train all your staff handling personal information on their data protection responsibilities and update the training regularly
  • use awareness to keep reminding your staff about keeping personal information safe and secure
  • make sure your staff know what to do if you have a breach or if something goes wrong

Suggested reading:

How To Report a Breach

Do I Need a Data Protection Officer?