As well as providing training and a GDPR Toolkit (details below) I also provide extended support to people who have attended training, bought the toolkit, or just need some friendly guidance. The GDPR Toolkit can be found here http://www.adaptconsultingcompany.com/gdprtoolkit/ Jersey Business as supporting the GDPR Training and they can be found at https://www.jerseybusiness.je/get-advice/it-office-systems/data-protection-small-business/

Wednesday, 31 January 2018

How does GDPR affect consent for taking photographs/film footage of people?


 The more detailed element of this question for us is that we currently gain written consent from people when taking photographs at things like events so that we can use them in promotional material, on our website etc. Another point is the longevity of the consent. Photos are invariably used more than once and it is difficult to have a one size fits all because it depends on the medium of publication, type of event etc. What about withdrawal of consent?


This is not a simple question with a short answer, so let’s break it down. With a few worked examples, with the overriding caveat that GDPR is not about stopping businesses or photos, nor preventing twitter, Facebook, websites or Instagram. It is just making sure that you follow necessary steps to assure people’s reasonable privacy.

Guidance on Photography and video equipment

It is useful to be clear when you are providing a service and when you own the product. If I pay a plumber to install a sink in my house he is providing a service. He doesn’t own the sink, or my house! As a photographer you might take a fee for your service, but the photos belong to the other person. Unless you reach an agreement.

The most important thing is who owns the photo. If I pay you to take my photo then it is implicit that I own the photo, and control everything about it. If you are an artist and you take a photo then you own the photo, and can for example, put it in a frame and sell it.

Clearly if they own the photos they can give consent or withdraw consent. If you own the photos (example photo of surfers and sunset) then you don’t need consent.


If you have a written contract with someone to do photographs/film footage then you must do only what is in that agreement (which can include many options and cover all the issues). You may not, for example, share those photos with anyone else, or publish them without agreement.

There is nothing to stop you seeking agreement. Some people might love the fact that their photos are on your website (others might not).


If photographing children, for example, I would seek parental approval and not share the photos without agreement.

Guidance for personal school photos


There is guidance on-line about photographs/film footage at a public event. In effect if it is a public event then you can take a photo of a rock concert, sailing race, fairground etc.

Guidance for things like public graduation photos (and some useful forms/agreements)

Photographers Rights - Street shooting, people, privacy & children


There is nothing wrong with tweeting a photo of the audience at an event. I did this for the Charity presentation. However to avoid potential issues I took a photo from the back and therefore the only recognisable people are the organisers who are facing forward.


I have actually done some modelling once. Not all models are beautiful! In these circumstances you sign a contract that specifically says that you hand-over all rights to the agency so that they can use the photos howsoever they choose. They took about 100 photos and paid me £100, but they now have a big stock of photos that they can use on their corporate website.

Taking a modelling approach is useful for the scenario where you want to keep the photos and be able to use them for web, print, broadcast etc., You can build all these into the modelling agreement.


If you need more specific support (for example a meeting) I know the Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate some resources with various local suppliers.


Jersey Data Protection Association

There is a list of Jersey Data Protection events here

For a general understanding of GDPR I highly recommend the guidance of Jersey’s Data Protection Authority

Friday, 26 January 2018

Breach policy templates or breach notification contracts


Have you come across any breach policy templates or breach notification contracts with suppliers and processors that are simple and straightforward by any chance?




This is a really great question. There are a number of samples and template available on-line and a number of businesses who offer consultancy and support. In the links section below I have included some potential documents.

However whilst these can be a good starting point be aware of the following.

It is really important to write something that reflects the way your organisation works. Moreover the type of breach, circumstances, data and impact will necessitate very different content. Consider the following as examples…

Scenario 1 The loss of an encrypted + password protected laptop that had the name and address of all your members.

Scenario 2 The hacking of your Cloud-IT provider, with the result that all their customer data (including yours) is now available on-line to any criminal or hacker. This is made worse by the fact that your data was not encrypted and included financial, banking and medical details and you never did any checks on the Cloud-IT provider before you put the data there.

I understand the Jersey Information Commission Office is looking to develop a system that you can update and which then notifies all the appropriate agencies, including the JFSC in the case of Financial Institutions. My understanding is that this is still ”on the drawing board” but it will be useful to the Information Commission  Office to be able to receive breach notification quickly and efficiently and in a standard format. Especially given the 72 hour deadline.


I recommend any organisation to start first with a data-mapping exercise to understand the step-by-step process and who does what, when, where, how and why.

If having completed the step-by-step process you note any risks or if the data is “special category data” [race; ethnic origin; politics; religion; trade union membership; genetics; biometrics; health; sex life; or sexual orientation].

If necessary you should do a risk assessment (Data Processing Impact Assessment DPIA) on the possible implications for the data-subject and the measures necessary to protect them

When you have all this information then you have the basic information needed to answer a subject-access-request “…what information do you hold about me and why…” and also compete a breach notification to the regulator or data-subject “…we have lost personal data, these are the implications, and this is what we are doing…”

It is sensible to have a rehearsed process and some pre-prepared statements but as you may appreciate the format and content may vary significantly depending on circumstances.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
When reporting a breach, the GDPR says you must provide:
  • a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Note that if the information is unintelligible (example encrypted) then you only have to tell the regulator. If however personal data has leaked and is legible or usable then you have to tell your data-subject (eg staff, customer supplier etc.)


If you receive data from another organisation and processes it on their behalf, or your give data to another organisation and they processes it on your behalf you should have a contract that clearly explains responsibilities, roles, goals and controls.

Controller and processor contracts checklist
the subject matter and duration of the processing;
the nature and purpose of the processing;
the type of personal data and categories of data subject;
the obligations and rights of the controller.

Contracts include the following terms:
the processor must only act on the written instructions
the processor must ensure duty of confidence;
the processor must ensure the security of processing;
the processor must only engage a sub-processor with the prior consent of the data controller
the processor must assist on subject access
the processor must assist on data breaches and DPIA
the processor must delete or return all personal data
the processor must submit to audits and inspections,

It would be prudent that this includes rehearsed process and some pre-prepared statements so that both organisations can be co-ordinated and meet the 72 hour deadline for breach notifications.


Breach Notification under existing Data Protection Act

Breach Notification form for existing Data Protection Act

GDPR Personal data breaches

Contracts and liabilities between controllers and processors


I am working with Jersey Community Partnership and Association of Jersey Charities to possibly set-up a presentation / workshop to talk about GDPR for local Charities and Not-for-Profit.

In the meantime, for January, I have proposed a useful approach to help local charities might be if organisations pick a question or topic and I offer general advice on best approach which we can publish and share with other charities and not-for-profit organisations.

You can email with your question or topic at timhjrogers@gmail.com


+447797762051 Skype: timhjrogers TimHJRogers@gmail.com

Tuesday, 23 January 2018

Do I need a Privacy Notice and what should be in it?


Do I need a Privacy Notice and what should be in it?


Simple answer: YES

More detail:  There is a lot of guidance available on-line about what should be in a Privacy Notice. However it is important to tailor this to your needs. In some cases the Privacy Notice may be part of a contract or membership agreement.

Decide what to include by working out:
·        what personal information you hold;
·        what you do with it and what you are planning to do with it;
·        what you actually need;
·        whether you are collecting the information you need;
·        whether you are creating new personal information; and
·        whether there are multiple data controllers.

Also consider including:
·        the links between different types of data you collect and the purposes that you use each type of data for;
·        the consequences of not providing information;
·        what you are doing to ensure the security of personal information;
·        information about people’s right of access to their data; and
·        what you will not do with their data.

Privacy notices under the EU General Data Protection Regulation


If you go to https://gdprjersey.blogspot.com/ you’ll see a lot of Q&As, and down the right column lots of links to advice from Jersey Data Protection Association, Jersey Information Commission Office, as well as Jersey Community Partnership and the Association of Jersey Charities. We are also organising a number of presentations and workshops.

Sports Clubs and data: Is it OK to keep all my data on a PC?


Sports Clubs and data: Is it OK to keep all my data on a PC?


Simple answer: YES

More detail:  Data should be accurate, private and safe. This means that only people who need access can get the data, and the data is up-to-date, and secure. There are other issues, but in summary the following procedures will help meet the needs of GDPR. Be aware that the data-subject (You or Me) have rights to know what personal information is held and why, so don’t keep more than you need or more than is agreed.


Make sure paperwork is locked-away and only people who are authorised have access. When the paperwork has passed its “sell-by-date” make sure it is secure shredded.

If “snoopy Shiela” is going through your files you are responsible!

Computer Files

Make sure PCs are password protected and encrypted so that if you loose the PC the person finding it (or stolen it) does not have any access to the data on it. Make sure you have up-to-date software and adequate protection against malware. If you share data, or back-it-up make sure they have all the right authority and projections too. When the paperwork has passed its “sell-by-date” make sure it is deleted, and that there are no copies anywhere.

If you give data to or share data with  “dodgy Dave” you are responsible!


If you go to https://gdprjersey.blogspot.com/ you’ll see a lot of Q&As, and down the right column lots of links to advice from Jersey Data Protection Association, Jersey Information Commission Office, as well as Jersey Community Partnership and the Association of Jersey Charities. We are also organising a number of presentations and workshops.