Are you relying on IT support or website developers for data protection compliance? Here’s why you might be falling short.
When organisations in the Third sector, SMEs, and larger companies turn to website developers or IT support providers for their data protection notices, privacy policies, or other compliance documentation, they often assume these professionals know how to align with legal requirements under the Data Protection (Jersey) Law 2018 (DPJL) or the General Data Protection Regulation (GDPR).
However, based on our experience at Propelfwd, this approach frequently results in documents that fail to meet the basic legal standards for data protection compliance.
The common misconception
Website developers and IT support providers are experts in their respective fields—building functional websites, managing infrastructure, or implementing technical solutions.
While they may have a basic understanding of data protection, they are not specialists in data protection law. This leads to privacy notices, terms, and policies that lack the essential elements required to comply with the DPJL or GDPR, and it can leave an organisation non-compliant with the DPJL and, where it applies, the GDPR.
The importance of accountability and demonstrating compliance
Under the DPJL and GDPR, organisations are not only required to comply with data protection laws but must also demonstrate their compliance. This is known as the principle of accountability. It means that organisations must be able to show regulators, stakeholders, customers, and employees that they have taken appropriate steps to protect personal data and uphold individuals’ rights.
This goes beyond simply having a privacy notice on your website. It includes having proper data protection policies, maintaining records of processing activities, conducting data protection impact assessments (DPIAs) where necessary, and training staff on their data protection responsibilities. If your privacy notice or other data protection documentation is non-compliant, it can indicate wider issues with your organisation’s overall approach to compliance.
The privacy notice: the front window to your compliance
Think of your privacy notice as the front window to your organisation’s data protection compliance. It’s often the first point of contact individuals have with your approach to data protection and privacy, and if it’s poorly drafted or fails to meet the requirements of Article 12 of the DPJL, it reflects badly on the rest of your compliance efforts.
A compliant privacy notice must be:
- Transparent: Clearly explain who you are, what personal data you collect, and how it is processed.
- Comprehensive: Include information about data processors, data transfers, data retention, and individuals’ rights.
- Easy to Understand: Written in clear, plain language to ensure that it is accessible to all individuals, regardless of technical knowledge.
Real-world issues we have seen
At Propelfwd, we’ve seen many examples where privacy notices and other compliance documents fail to meet legal requirements.
Here are some common issues:
- Incorrect Response Times for Data Subject Rights: Organisations often state incorrect timeframes for responding to data subject access requests (DSARs), such as claiming responses will be provided in 20 to 45 days. Under the DPJL, responses should generally be provided within 4 weeks; under the GDPR, within one month.
- Charging for Access Requests: Some organisations claim they will charge for DSARs, either a flat rate or their hourly rate, even though these must be provided free of charge unless the request is excessive or repetitive.
- Missing Contact Details: Many documents fail to include the contact details of the data controller or data protection lead, leaving individuals unclear about whom to contact with queries or concerns. In some cases, the email address provided bounces back, meaning it was never even set up.
- Lack of Information on Data Processors: Organisations often fail to disclose details about the data processors they use, such as IT service providers, cloud services, or marketing agencies. Transparency on how data is shared is essential.
Building trust through good data protection compliance
Proper data protection compliance isn’t just about avoiding regulatory fines—it’s about building trust. A strong commitment to data privacy demonstrates to your customers, employees, and other stakeholders that you take their rights seriously and that you have robust measures in place to protect their personal information.
When individuals see that your organisation is transparent and committed to safeguarding their data, they are more likely to trust you, remain loyal, and recommend your services to others. Good data protection practices can be a significant competitive advantage in today’s digital world.
How Propelfwd can help
At Propelfwd, we specialise in data protection compliance and work closely with organisations to ensure that all privacy notices, data protection policies, and other compliance documents meet the requirements of the DPJL and GDPR. We understand that every organisation is unique, and we take a tailored approach to ensure your documents accurately reflect your data processing activities.
If your organisation has relied on an IT support provider or website developer to draft your compliance documents, it’s worth reviewing them to ensure they meet the legal requirements. If you need assistance in bringing your documents into compliance, get in touch with us at Propelfwd today.
Don’t leave data protection to chance—let the experts help you get it right.