JOIC roadmap for next three years reinforces prompt enforcement action from the regulator where risks are identified
By JOIC
28 January 2026
"The ink dried on data protection law years ago. If you’re not compliant, you’re leaving yourself open to enforcement action"
It’s been almost eight years (which is 2,920 days and 70,080 hours): that’s how long organisations in Jersey have had to get to grips with the Island’s updated data protection law. In his address to industry to mark international Data Protection Day 2026, Information Commissioner Paul Vane reinforced his office’s stance that enforcement action will be taken without delay or hesitation, where warranted and where risks to Islanders are identified.
The Commissioner launched his office’s roadmap for the next three years to industry representatives at the Pomme d’Or Hotel this morning. It focuses on the following Strategic Priorities:
- Children’s Privacy
- Artificial Intelligence
- Cyber Security
The Strategic Priorities will be delivered using a ‘Triple A’ approach of:
ADVISE – Developing and disseminating focused guidance, providing advice and running awareness sessions.
ASSESS – Assessing how organisations have embedded privacy protections for children, AI guidance into organisational processes, and the policies and procedures of data controllers in respect of data security and cybersecurity prevention and reporting.
ACT – Applying clear enforcement actions to ensure compliance, prevent repeat behaviours and uphold data protection standards. Enforcement action will be taken for clear non-compliance.
Information Commissioner Paul Vane said: “The ink dried on data protection law years ago and time for excuses is long gone. Data protection laws have stood the test of time and for good reason, because privacy is a fundamental human right. Islanders have the right to have their personal information protected and not be caused unnecessary harm or distress as a result of poor data handling. Organisations choosing to ignore data protection law are neglecting their legal obligations and are warned that, where warranted, enforcement action will follow. Most Island businesses rely on the secure flow of personal data between Jersey and countries in the European Economic Area to operate effectively. These data flows are possible because Jersey has received an 'Adequacy' decision from the European Commission, allowing personal data to move freely between Jersey and European Economic Area countries. This is critical for the operation of our financial services industry, the mainstay of our economy, who rely on data transfers to do business. The maths is simple. Lose our adequacy = lose our economy.
Our Strategic Priorities exist to protect the personal data and privacy rights of Jersey citizens by balancing focused education and awareness with meaningful enforcement actions that are timely, proportionate, and evidence based. Collaboration with all relevant stakeholders including NSPCC Jersey, Children’s Commissioner for Jersey, Digital Jersey and Jersey Cyber Security Centre, that were all part of this morning’s launch and discussion, is key. My office values the opportunity to seek clarification and understand how we can further work better together for the benefit and protection of Islanders. As the African proverb suggests, if you want to go fast, go alone. If you want to go far, go together.”
The JOIC’s 2026-2028 Strategic Plan enhances their proactive approach to regulation. Their focus on Children’s Privacy is to foster a safer digital environment to ensure children’s personal data is safeguarded by setting clear standards for organisations, promoting responsible age-appropriate design of digital services, and taking strong enforcement action where risks to children are identified.
The strategy will also see the JOIC focus on Artificial Intelligence, and specifically the use of AI systems in Human Resources. Using AI tools to make decisions about employees comes with inherent privacy risks, for example the misuse of personal information, excessive surveillance, data security issues and insufficient transparency around data processing.
Commissioner Vane continued: “Our strategy promotes responsible local use, development, adoption and deployment of AI-driven technologies by ensuring compliance with data protection laws and principles, thereby safeguarding individuals’ rights, fostering innovation, and establishing a trusted framework for ethical AI use in Jersey. Cyber Security is integral to compliance with any data protection regime and the Data Protection (Jersey) Law 2018 is clear on requirements for data controllers and processors, including when and how they should log and report data breaches. Our data shows that unauthorised access and unauthorised disclosure are the two main underlying causes of data breaches in Jersey. We will be seeking to understand whether data controllers are adopting a ‘Data Protection Impact Assessment’ philosophy to support their processes, what mitigations organisations have in place to reduce/limit the risks of unauthorised access and levels of staff training with data protection impact assessments and data breach handling.”
The JOIC provides advice and guidance to Islanders to help them navigate the data protection landscape. Islanders can visit www.jerseyoic.org, speak to the JOIC team in person at their office at 5 Castle Street, email enquiries@jerseyoic.org or call the JOIC on 716530. They can also subscribe to the JOIC's Stay in Touch newsletter.