Clarium
Back to blog
JDPA 2018JOICJerseyChannel Islandsdata protectionGDPRcompliance

Data Protection in Jersey: A Guide to the JDPA 2018

29 June 2026Will Wilson

Jersey is not part of the UK, not part of the EU, and not covered by the UK GDPR or EU GDPR. It has its own data protection law — the Data Protection (Jersey) Law 2018 (JDPA 2018) — and its own regulator, the Jersey Office of the Information Commissioner (JOIC). For any organisation operating in or serving Jersey, treating data protection as "GDPR-compliant, so we are covered" is a mistake with regulatory consequences.

The JDPA 2018 is closely aligned with the GDPR in structure and principles, but the alignment is not identical. This guide explains what the JDPA 2018 requires, how it differs from the UK GDPR and EU GDPR, and what practical steps organisations should take to achieve and demonstrate compliance.

What is the JDPA 2018?

The Data Protection (Jersey) Law 2018 came into force on 25 May 2018 — the same day the GDPR took effect across the EU. The timing was not coincidental. The JDPA 2018 was designed to provide a data protection framework equivalent to the GDPR so that Jersey could secure an EU adequacy decision, which it received in 2021.

The law governs the processing of personal data by controllers and processors established in Jersey, and it also applies to organisations outside Jersey that offer goods or services to individuals in the island or monitor their behaviour. The territorial scope mirrors the GDPR's Article 3 and reaches organisations well beyond the Channel Islands.

Structurally, the JDPA 2018 covers the same terrain as the GDPR: data protection principles, lawful bases for processing, data subject rights, controller and processor obligations, security requirements, breach notification, international transfers, and regulator powers. But the text diverges in several important places, and those divergences are where compliance gaps most often appear.

Jersey's Constitutional Position: A Brief History

To understand why Jersey has its own data protection law — rather than simply inheriting UK or EU legislation — it helps to understand the island's unusual constitutional position.

Jersey is a Crown Dependency, not part of the United Kingdom. It has been self-governing since the 13th century, with its own legislature (the States Assembly), legal system, and fiscal autonomy. The island's relationship with the Crown dates back to 1066, when the Duke of Normandy — William the Conqueror — became King of England. Jersey and the other Channel Islands remained part of the Duchy of Normandy when continental Normandy was lost to France in 1204, and their loyalty to the English Crown has shaped their constitutional status ever since.

This history gives Jersey a position that is neither British nor European in the conventional sense. The UK government is responsible for Jersey's defence and international representation, but domestic policy — including data protection — is set by the States Assembly. Jersey is not, and has never been, a member of the EU, and it was not part of the UK's membership during the UK's decades within the European Community.

The practical consequence for data protection is that Jersey legislates independently. When the EU adopted the GDPR in 2016, Jersey chose to pass its own equivalent — the JDPA 2018 — rather than having it imposed through extension. This deliberate alignment was the route to securing EU adequacy, which Jersey achieved in 2021. The UK, post-Brexit, separately granted Jersey adequacy under the UK GDPR.

That adequacy story — and what it means for data flowing between Jersey, the UK, the EU, and the wider world — is a topic that deserves its own treatment. For now, the key point is this: Jersey's data protection regime is shaped by a constitutional history that explains both why it is separate and why it tracks the GDPR so closely.

How the JDPA 2018 Differs from the EU GDPR and UK GDPR

Organisations that assume JDPA compliance is automatic because they are already GDPR-compliant overlook specific provisions where the Jersey law is different.

Registration requirement. Unlike the EU GDPR and UK GDPR — which have moved away from general registration — the JDPA 2018 retains a notification and registration system. Controllers in Jersey must register with the JOIC, and processors in Jersey may also be required to register depending on the nature of their processing. The JOIC maintains a public register of data controllers and the registration requirement carries an annual fee. This is closer to the pre-GDPR Data Protection Act 1998 registration model than to the accountability-led approach that now applies in the UK and EU.

Exemptions and derogations. Jersey has made different use of the permitted national derogations under the GDPR framework. The JDPA 2018 includes specific exemptions for crime and taxation, regulatory functions, journalism and the arts, and legal professional privilege that do not map directly to the equivalent exemptions in the UK Data Protection Act 2018. Organisations with parallel operations in Jersey and the UK should not assume a lawful basis that works in one jurisdiction will work in the other.

Enforcement and sanctions. The JOIC has the power to serve enforcement and information notices, conduct investigations, and impose financial penalties. While the penalty framework is structured differently from the UK ICO's approach, the JOIC has signalled increasing regulatory activity and expects organisations to demonstrate compliance proactively rather than after an incident.

Adequacy status. Jersey has EU adequacy, meaning personal data can flow freely from the EU to Jersey without additional safeguards. It also has UK adequacy. This is a significant operational advantage for organisations that handle cross-border data flows, but it is contingent on Jersey maintaining equivalent standards. If the JDPA 2018 diverges further from the GDPR in future, adequacy could be revisited.

Who Needs to Register with the JOIC?

The registration requirement is one of the most concrete differences between the JDPA regime and the UK GDPR. Under the JDPA 2018, every controller established in Jersey must notify the JOIC of its processing activities unless a specific exemption applies.

The JOIC publishes guidance on which organisations must register, and the categories include most businesses, professional firms, charities, and public bodies that process personal data relating to individuals in Jersey. The exemptions are narrower than many organisations expect: processing employee data for administrative purposes, for example, does not necessarily qualify for an exemption if the processing extends beyond basic payroll and HR records.

Controllers outside Jersey that are captured by the territorial scope — for example, a UK or EU business offering services to Jersey residents — should seek specific advice on whether registration is required. The JDPA 2018 does not grant an automatic pass to non-Jersey entities that fall within its jurisdiction.

Key Obligations Under the JDPA 2018

For organisations already familiar with the GDPR, many of the core obligations will be recognisable. The differences lie in the detail and in the regulatory expectation that compliance is demonstrated to a Jersey standard.

Records of Processing Activities. Like Article 30 of the EU and UK GDPR, the JDPA 2018 requires controllers and processors to maintain written records of processing activities. The record must include the purpose of processing, categories of data subjects and personal data, categories of recipients, details of international transfers, retention periods, and a description of security measures. For a detailed breakdown of what should go into those records, see our complete guide to Article 30 Records of Processing Activities.

Data Protection Officers. The JDPA 2018 requires DPO appointment in circumstances that closely mirror the GDPR thresholds, and the JOIC expects DPOs to be properly resourced and independent. The DPO's contact details must be provided to the JOIC, and the DPO should be notified as part of the registration process.

Data Protection Impact Assessments. DPIAs are required for processing likely to result in high risk, following the same principle as Article 35 of the GDPR. Organisations deploying new technologies, processing sensitive personal data at scale, or conducting systematic profiling of Jersey data subjects should ensure a DPIA is completed before processing begins.

Breach notification. The JDPA 2018 requires controllers to notify the JOIC of a personal data breach without undue delay and, where feasible, within 72 hours. The standard mirrors the GDPR's Article 33 and 34 requirements, but the notification is to the JOIC rather than to a different supervisory authority — a detail that catches organisations with pan-jurisdictional breach response plans.

Common Compliance Pitfalls

The JDPA 2018 is not new law, but it is often treated as secondary to GDPR compliance, and that attitude creates predictable gaps.

Assuming GDPR compliance covers Jersey. This is the most frequent error. An organisation that has invested heavily in UK GDPR compliance and assumes Jersey is covered is likely missing the registration requirement, may have documentation that references the wrong regulator and legal framework, and may not have assessed whether Jersey-specific derogations affect its processing.

Overlooking registration entirely. Organisations that are not registered with the JOIC but are required to be are in breach of the law regardless of how robust their operational compliance is. Registration is a gateway obligation — non-compliance is visible and easily detected through the public register.

Copying UK documentation without adaptation. Policies, privacy notices, and data-sharing agreements drafted for the UK GDPR often contain references to UK-specific provisions that have no equivalent under the JDPA 2018. Telling a Jersey data subject they have a right to complain to the ICO is both incorrect and unhelpful.

Treating the JOIC as a passive regulator. The JOIC has been increasing its enforcement activity and has signalled that it expects proactive compliance demonstration. Organisations that wait for a complaint or a breach before addressing JDPA obligations are taking a risk that is increasingly likely to crystallise.

Practical Steps for Compliance

The path to JDPA 2018 compliance is not fundamentally different from GDPR compliance, but it requires Jersey-specific attention at several points.

  1. Determine whether you are caught. If your organisation is established in Jersey, or offers goods or services to Jersey residents, or monitors their behaviour, you are likely within territorial scope.

  2. Register with the JOIC if required. Check the JOIC's published guidance on registration categories and register as a data controller. This is a public obligation and one of the first things the JOIC will check.

  3. Maintain a Jersey-aware RoPA. Your Record of Processing Activities should identify any processing activities that involve Jersey personal data and should reference the JDPA 2018 as the applicable legal framework. The structure is the same — what changes is the need to identify Jersey as a distinct jurisdiction within your compliance documentation.

  4. Review your policies and privacy notices. Ensure any Jersey-facing documentation references the JDPA 2018 and the JOIC rather than (or in addition to) the UK GDPR and the ICO. Jersey data subjects should be directed to the JOIC for complaints.

  5. Map your international data flows. Jersey's adequacy status is an operational asset, but it should not be taken for granted. Document which data flows rely on adequacy and ensure you are monitoring any developments that could affect that status.

  6. Run a Jersey-specific DPIA cycle. For high-risk processing involving Jersey data subjects, complete DPIAs that reference the JDPA 2018 framework and are ready for JOIC review if required.

Maintaining Compliance as Both Regimes Evolve

Data protection law in Jersey does not stand still. The JOIC issues periodic guidance, and the States Assembly has the power to amend the JDPA 2018 through regulations. As the EU continues to develop its data protection acquis — including the AI Act and evolving guidance on automated decision-making — Jersey will face pressure to maintain equivalent standards to preserve adequacy.

Organisations with operations in both the UK and Jersey should treat the two regimes as related but distinct. Shared documentation, shared processes, and shared compliance tools make operational sense, but the jurisdictional differentiation must be explicit, not assumed.

Jersey's data protection law deserves the same structured attention as the UK GDPR and EU GDPR. For organisations that take it seriously, the compliance burden is incremental — the fundamentals are the same, and the differences are manageable. For organisations that ignore it, the risk is concentrated and avoidable.

If your organisation needs to build and maintain Records of Processing Activities that cover Jersey alongside the UK GDPR and EU GDPR, Clarium provides visual, structured RoPA tools designed for multi-jurisdictional compliance. Get started free.

Ready to simplify your GDPR compliance?

Try Clarium free — no credit card required.

Start Free Trial