As well as providing training and a GDPR Toolkit (details below) I also provide extended support to people who have attended training, bought the toolkit, or just need some friendly guidance. The GDPR Toolkit can be found here http://www.adaptconsultingcompany.com/gdprtoolkit/ Jersey Business as supporting the GDPR Training and they can be found at https://www.jerseybusiness.je/get-advice/it-office-systems/data-protection-small-business/

Saturday, 30 June 2018

GDPR Jersey Update July 2018

GDPR Jersey Update

From January 2018 I provided a lot of free presentation, guidance and training for the Association of Jersey Charities. I then set-up a GDPR Toolkit of policies, procedures and paperwork ready to use. More recently I have been providing monthly workshops for SMEs at Jersey Business.

The blog GDPRJersey was originally set-up to provide a Question and Answer service. You email me a question and I anonymise the details and offer guidance and links in a response that can benefit others too.

We’ve long since passed 25 May start-line for GDPR but it is clear that people are struggling with the implementation and some of the court decisions have implications that few anticipated.

For example
Facebook fan page case leads to new understanding of “joint controllers” concept

With this in mind, I am re-starting GDPRJersey. You can view the blog or subscribe to it so that you get a notice when-ever there is an update. If you want to ask a question email me at timhjrogers@gmail.com and I will write an article on that subject. You are also able to add comments to any article.

I also welcome lawyers, consultants, technology experts and others to submit articles or comments in an effort to improve knowledge and understanding. I think this will improve our community as a whole.

Be aware, that Blogger does track some data – I don’t know your name, email or anything about you (unless you choose to include that in comments that you post). However, Blogger knows you visited and that’s how it tells me whether I have 10 views or 10,000 views.

Come and visit


I am doing a series of workshops at Jersey Business from 8am to 10am so maybe you’d like to come to these.
Wednesday 4th July
Wednesday 1st August
Wednesday 5th September
Wednesday 3rd October
Wednesday 7th November
Wednesday 5th December


I also provide bespoke training for organisations (£100/hour for businesses and £70/hour for Charities) If you don’t have all the necessary tools, training, templates, policies and procedures I provide a GDPR toolkit (£375 for Charities, £750 for businesses) If you use the link you can see both the contents and samples

Thoughts on Special Category Data v Confidential Data

The GDPR mentions Personal Data and Special Category Data

PERSONAL DATA: Name; Email; Address; Phone

SPECIAL CATEGORY DATA: Ethnic Origin; Politics; Religion; Trade Union Membership; Genetics; Biometrics (Where Used For ID Purposes); Health; Sex Life; Or Sexual Orientation.

I have always suggested that organisations should consider a middle Category called Confidential Data

CONFIDENTIAL DATA: SocSec; TaxRef; Passport; Driving Licence; Utility Bills; Bank Account;

I have also advocated perhaps have a RED, AMBER, GREEN approach to how data is classified and handled. This is simplistic, but for example, you might say GREEN can be shared within the organisation, AMBER only by approved persons and RED only by a senior manager under strict controls. This is a very simple approach to Data Processing Impact Assessment, making decisions based on the potential harm to the person.

RED = Special Category Data - likely to have significant negative impact on the data subject
AMBER = Confidential Data - likely to have a negative impact on the data subject
GREEN = Personal Data – unlikely to have a negative impact on the data subject

In Jersey the conditions for processing PERSONAL DATA are as follows
01 Consent
02 Contract
03 Vital interests
04 Public functions
05 Legitimate interests

The key thing about Special Category Data is that there are the conditions for processing special category data. The conditions are listed in Article 9(2) of the GDPR
In Jersey the conditions for processing SPECIAL CATEGORY data are as follows
06 Consent
07 Other legal obligations
08 Employment and social fields
09 Vital interests(subject to certain conditions)
10 Non-profit associations (subject to certain conditions)
11 Information made public
12 Legal proceedings, etc.
13 Public functions
14 Public interest
15 Medical purposes
16 Public health
17 Archiving and research
18 Avoidance of discrimination
19 Prevention of unlawful acts
21 Publication about malpractice and mismanagement
22 Counselling
23 Insurance and pensions: general determinations
24 Insurance and pensions: current processing
25 Functions of a police officer
26 Regulations

The point is that SPECIAL CATEGORY DATA must fit one of the conditions above.

As for CONFIDENTIAL DATA (which is not legally defined) this needs to comply with legal basis, but I would suggest merit a higher level of care, custody and safeguarding.

As noted above, this is what a Data Processing Impact Assessment is about. Ask yourself: Is there are risk? If there is perhaps give the data a special category and special treatment to make sure it is private, safe and secure.

So to be clear the law only talks about PERSONAL DATA and SPECIAL CATEGORY DATA, but I recommend that CONFIDENTIAL DATA is recognised as sensitive and treated accordingly.

Logically I would hope that any business would treat Passport; Driving Licence; Utility Bills; Bank Account; with special care and that is all I am advocating.


UK Guidance on Special Category Data


Jersey Law re Special Category Data

Working Party 29 Guidance on how to intrepret EU GDPR