JOIC roadmap for the next three years reinforces PROMPT ENFORCEMENT action where risks are identified

JOIC has said

• It’s been almost eight years (which is 2,920 days and 70,080 hours)
• 8 years is how long organisations in Jersey have had to get to grips with the Island’s updated data protection law
• Information Commissioner Paul Vane reinforced his office’s stance that enforcement action will be taken without delay or hesitation, where warranted and where risks to Islanders are identified.

Paul Vane said

• The ink dried on the data protection law years ago. If you’re not compliant, you’re leaving yourself open to enforcement action

In support of the above, in January 2026, the JOIC launched the Commissioner roadmap for the next three years to industry representatives and highlighted the  following Strategic Priorities:

• Children’s Privacy
• Artificial Intelligence
• Cyber Security

The Strategic Priorities will be delivered using a ‘Triple A’ approach of:

• ADVISE – Developing and disseminating focused guidance, providing advice and running awareness sessions.
• ASSESS – Assessing how organisations have embedded privacy protections for children, AI guidance into organisational processes, and the policies and procedures of data controllers in respect of data security and cybersecurity prevention and reporting.
• ACT – Applying clear enforcement actions to ensure compliance, prevent repeat behaviours and uphold data protection standards. Enforcement action will be taken for clear non-compliance.

The JOIC’s 2026-2028 Strategic Plan

• Children’s Privacy
• Enhances its proactive approach to regulation.
• Their focus on Children’s Privacy is to foster a safer digital environment by ensuring children’s personal data is safeguarded, setting clear standards for organisations, promoting responsible, age-appropriate design of digital services, and taking strong enforcement action when risks to children are identified.
• Artificial Intelligence
• JOIC focuses on Artificial Intelligence, and specifically the use of AI systems in Human Resources.
• Using AI tools to make decisions about employees comes with inherent privacy risks.
• For example, the misuse of personal information, excessive surveillance, data security issues and insufficient transparency around data processing.

Information Commissioner Paul Vane, in a speech [see Appendix 1 below], highlighted the following points:-

THE LAW

• The ink dried on data protection law years ago, and time for excuses is long gone.
• Data protection laws have stood the test of time and for good reason, because privacy is a fundamental human right. Islanders have the right to have their personal information protected and not be caused unnecessary harm or distress as a result of poor data handling.
• Cybersecurity is integral to compliance with any data protection regime, and the Data Protection (Jersey) Law 2018 is clear on the requirements for data controllers and processors, including when and how they should log and report data breaches.
• Organisations choosing to ignore data protection law are neglecting their legal obligations and are warned that, where warranted, enforcement action will follow.

JOIC STRATEGIC PRIORITIES

• JOIC Strategic Priorities protect Jersey citizens' personal data and privacy rights by combining focused education and awareness with timely, proportionate, and evidence-based enforcement actions.
• Collaboration with all relevant stakeholders, including NSPCC Jersey, the Children’s Commissioner for Jersey, Digital Jersey, and the Jersey Cyber Security Centre, is key.

• JOIC strategy promotes responsible local use, development, adoption and deployment of AI-driven technologies by ensuring compliance with data protection laws and principles, thereby safeguarding individuals’ rights, fostering innovation, and establishing a trusted framework for ethical AI use in Jersey. 
• JOIC data shows that unauthorised access and unauthorised disclosure are the two main underlying causes of data breaches in Jersey.
• JOIC will be seeking to understand whether data controllers are adopting a ‘Data Protection Impact Assessment’ philosophy to support their processes, what mitigations organisations have in place to reduce/limit the risks of unauthorised access and levels of staff training with data protection impact assessments and data breach handling.

IT'S AN ECONOMIC PRIORITY

• Most Island businesses rely on the secure flow of personal data between Jersey and countries in the European Economic Area to operate effectively.
• These data flows are possible because Jersey has received an 'Adequacy' decision from the European Commission, allowing personal data to move freely between Jersey and European Economic Area countries.
• This is critical for the operation of our financial services industry, the mainstay of our economy, which relies on data transfers to do business.
• The maths is simple. Lose our [EU] adequacy = lose our economy.

Source  JOIC - 28 January 2026

• https://jerseyoic.org/news/the-ink-dried-on-data-protection-law-years-ago-if-you-re-not-compliant-you-re-leaving-yourself-open-to-enforcement-action

Appendix 1

Information Commissioner Paul Vane, speech