Anyone who has listened to me talk about data protection will have likely heard me use the phrases ‘back to basics’, ‘keep it simple’ and ‘how would you feel if it was your personal data?'. You may also have heard me mention that ‘common sense’ plays a big part of data protection compliance.
You may also think that it’s slightly unusual for a lawyer to be uttering these words, given that we tend to have a reputation for speaking in legalese and that if data protection compliance is as simple as I am suggesting then why is there so much ‘white noise’ out there and so many reports suggesting that data protection is nothing more than a worthless (yet expensive) compliance exercise – yet another administrative hurdle that businesses have to cross?
Of course, there are some difficult concepts to grapple with, and some organisations may be dealing with complex structures or holding extremely sensitive information but I honestly believe that if organisations can block out the extraneous noise and maintain focus on the key principles underpinning data protection legislation, then data protection needn’t be the compliance behemoth that it’s been made out to be.
It’s all brand new though, isn’t it?
As most of you will know, our local revised data protection law came into force on 25 May 2018 to coincide with the date the General Data Protection Regulation (GDPR) became enforceable in the EU. A lot of reports at the time said that this was entirely new territory and suggested that organisations would have to spend significant time and resources in order to take steps towards compliance with this new piece of legislation and all the (purportedly) new obligations it contains.
The Information Commissioner has recently published a myth busting blog addressing the fact that Jersey has had data protection legislation in place since 1987 and whilst the 2018 law contains some important upgrades regarding the rights of individuals (data subjects) and takes into account processing activity in the modern technological landscape, the underlying principles have remained much the same since that time: lawfulness, fairness, transparency and safety were as much a part of data protection compliance 30 years ago as they are now.
So, if you had good practices in place previously and were compliant with the previous 2005 law, then your approach to the 2018 law should be more akin to a simple computer update than having to implement a whole new operating system.
If, however, this is new territory for you then *Spoiler alert* it’s not as difficult as it’s sometimes made out to be and if you approach compliance with the 2018 law with common sense and a back to basics approach, you will not go too far wrong.
Back to basics
The principles an organisation needs to comply with are set out at Article 8 of the 2018 law. In essence those six principles set the standards organisations need to meet in order to process personal data and stipulate that organisations processing personal data need to be able to explain how and why they are processing personal data and what they need to do to look after it properly.
The ‘W’s’ (and an ‘H’)
How can we break down these principles and make them easy to understand for organisations and individuals? Well, if you can answer the following questions and articulate them in a straightforward manner this will set you on the infinitely less noisy path to data protection Oz:
It can’t be that simple?
The simple key questions set out above help form the bedrock in order to understand exactly what personal information is flowing through your organisation. By approaching matters in this simple way, the knock on effect should be that it helps engender trust in your organisation because you can easily explain to individuals exactly what is happening with their information and allow them to exercise the rights afforded to them under the law.
Transparency with data subjects is (generally) key in data protection and as the Dalai Lama said “A lack of transparency results in distrust and a deep sense of insecurity”. If what he said is true, we must put ourselves in the shoes of the data subjects and think about what standards we expect of those dealing with our personal (often extremely sensitive) information.
On 25 May 2018, I published the following tweet on my Twitter account in celebration of the updated legislation. Whilst the word count restrictions ensured that I had to keep my comments pithy, I maintain the view that this neatly captures the key considerations for those with custody of our personal data:
Keep it simple.
“The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official position of the Jersey Data Protection Authority (including the Jersey Office of the Information Commissioner) (the "Authority"). The Authority is not responsible for the accuracy of any of the information supplied by the guest writer/bloggers and the Authority accepts no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.”