As well as providing training and a GDPR Toolkit (details below), I also provide extended support to people who have attended training, bought the toolkit, or just need some friendly guidance. The GDPR Toolkit can be found here: http://www.adaptconsultingcompany.com/gdprtoolkit/ Jersey Business is supporting the GDPR Training and they can be found at https://www.jerseybusiness.je/get-advice/it-office-systems/data-protection-small-business/

Monday, 5 February 2018

When should I write to the people who hold or process my data?





Organisations are obliged to check that where other people hold data for them (e.g. backups) or process it for them (e.g. payroll), the other person (data-processor) keeps it private, safe and secure.

This guidance is useful

See Page 19 “This is because Article 28.1 says that you must only use a processor that can provide sufficient guarantees in terms of its resources and expertise, to implement technical and organisational measures to comply with the GDPR and protect the rights of data subjects.”

Many organisations have a “standard sheet” that explains that they have all the latest technology and certifications and comply with GDPR. If they don’t, you might write a letter something like this…

Dear xxxxxx

At xxxxxxxx we are getting ready for the General Data Protection Regulation (GDPR).
We have recently been mapping the step-by-step processes as people arrive, stay and eventually leave, and looking at what data is held by whom, why and how it is used. Understanding this helps set up the right roles, goals and controls to ensure that personal data is private, safe and secure.

We use your xxxxxxxxxxx system for processing xxxxxxxxxxxxxx

Can you summarise your policy, procedures and measures as regards Data Protection and Information Security? Do you have Cyber Essentials or Cyber Essentials-Plus? Or perhaps ISO 27001?

Does your contract cover Data Protection, and the data-processor arrangements as regards privacy, security and processes in relation to subject-access-requests or breach notifications?

I am keen to have something that I can refer to for GDPR Compliance.

Yours Sincerely


Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate resources and suppliers, and there may be grant funding available.
Jersey Charities Q&A

Jersey Data Protection Association list of GDPR events

Data Protection Reform in the Channel Islands


+447797762051 Skype: timhjrogers TimHJRogers@gmail.com


  1. You have discussed an interesting topic that everybody should know. Very well explained with examples. I have found a similar website gdpr, gdprupdate visit the site to know more about fileom

  2. GDPR training is important so that they do not make one silly mistake that snowballs into a hefty fine. Not only this, but you also must have a cookie consent banner on your website.

  3. online gdpr training I’m going to read this. I’ll be sure to come back. Thanks for sharing. Also, this article gives the light in which we can observe the reality. This is a very nice one and gives in-depth information. Thanks for this nice article...