Embedding Data Protection into your business operation

The Data Protection (Jersey) Law 2018 places defined obligations on data controllers. Part 3 (15) states that…

Data protection by design and by default

(1)    A controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures that are designed to –

    (a)     implement the data protection principles in an effective manner; and

    (b)     integrate the necessary safeguards into the processing to meet the requirements of this Law and protect the rights of data subjects.

(2)    In determining whether or not a measure is appropriate for the purposes of this Article, regard must be had to the state of technological development, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.

(3)    The technical and organizational measures must ensure as far as practicable that, by default –

    (a)     only personal data that are necessary for each specific purpose of the processing are processed; and

    (b)     personal data are not made accessible to an indefinite number of natural persons without the data subject’s consent or other lawful authority.

The Data Protection (Jersey) Law 2018 requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.

In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.

Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the Data Protection (Jersey) Law 2018's fundamental principles and requirements, and forms part of the focus on accountability.
