When should I carry out data protection audits?

Paul Byrne, managing director, PropelFwd, replies:

Data protection compliance is not a one-off process. The Data Protection (Jersey) Law 2018 (DPJL) requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individuals’ rights.

This is ‘data protection by design and by default’. In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle of the data.

As with any part of your business, risks and issues need to be assessed on a regular basis and the protection of personal data is no exception.

Once initial compliance has been achieved, regular audits can provide management with an evaluation of how effectively compliance with the DPJL is being governed, monitored and managed.

The audit should focus on data protection governance and response mechanisms, as well as the supporting processes that help to manage the risks associated with non-compliance. It is recommended that these regular audits are conducted annually, as a minimum. There may be times when a review needs to take place sooner; for example, where there have been significant changes to the type of data held or to the way in which data is collected, processed and stored.

Audits should:

  • Provide management with an assessment of their DPJL policies and procedures and their operating effectiveness.
  • Identify risks within your organisation and assist with developing an action plan to put in place mitigations against those risks.
  • Evaluate the effectiveness of the organisation’s response to, and ongoing management of, its obligations under the DPJL.