The Data Protection Authority (Jersey) Law 2018 gives JOIC the power to either conduct data protection audits of any part of the operations of the controller or processor itself, or to require the controller/processor to appoint a person (approved by us) to conduct a data protection audit on any part of the operations of the controller/processor and report to us on those findings.
The aims of our audit process are to assess a controller/processor’s policies and procedures and the level of compliance with the Data Protection (Jersey) Law 2018, to highlight any areas of potential risk, and set a timeframe for any necessary remedial work.
We see auditing as a constructive process with real benefits for data controllers/processors and we aim to establish a participative approach whether the audit is conducted on a compulsory or consensual basis.
We conduct two forms of audit ‘Virtual’ and ‘Full’.
1. Virtual audits are part of our rolling programme, consisting of specific, thematic reviews aimed at particular sectors of Jersey business.
2. Full audits are part of our more targeted programme and may be conducted on a compulsory or consensual basis. These will tend to include a Virtual audit as part of the initial stages of the audit programme, followed up by an on-site visit which usually includes meetings with key members of staff, including the Board of the controller/processor.