Data Protection
The new laws
The General Data Protection Regulation (‘GDPR’) was issued by the EU on 4 May 2016 and came into effect on 25 May 2018, giving a two-year implementation period.
The Data Protection (Bailiwick of Guernsey) Law 2017 was approved by the States of Guernsey on 26 April 2017 and also came into effect on 25 May 2018.
The first year following the issue of the GDPR seemed to slip past with few organisations paying it much attention. The publicity surrounding the new Guernsey data protection law in the spring of 2017 created local interest, and lawyers started to provide some overview seminars. With one year remaining to the implementation deadline, there was a relatively short period in which to consider and respond to the requirements of the new law.
The project
Andrew was an early responder, recognising that significant effort would be involved to meet the requirements of the new law by the deadline of 25 May 2018. There were going to be a number of key project requirements:
Analysis of the legal & regulatory requirements, to be confirmed by consultation with local lawyers & the then Office of the Data Commissioner
Designing a project plan and adapting it as understanding of the requirements improved, and challenges arose, during the project
Creation and management of a project team
A communication strategy to inform company boards of the new obligations on them and how we would enable them to meet those obligations
Systematic application of the project steps, monitoring progress and responding to feedback from the team and company boards of directors
Regular reporting on project progress
Meeting capacity challenges by keeping the approach resource-lean (including by designing a simple but comprehensive data processing record in-house)
Cascading education and training down through the project team to the rest of the organisation
Key elements
Identification of controllers and processors of personal data
Disclosures to data subjects – privacy statement
Terms with third parties – data protection provisions in legal agreements
IT systems and security review
Production of a data audit & processing record (simple but comprehensive in-house model)
Identification of cross border transfers of personal data
Procedures for Data Protection Impact Assessments
Appointment of a Data Protection Officer where required
Procedures to address any data subject requests
Procedures & documentation to address any data incidents and breach responses
Communications
Preliminary Briefing Paper – July 2017
Project Overview – September 2017 with graphics to show the key requirements of the law and the project structure & timetable
Revised Data & Cyber Security Briefing Paper – September 2017
Data Protection Policy Statement – October 2017
Briefing Paper update – March 2018
Briefing Paper update – July 2018
Outcome
The management company and its clients were compliant by the deadline at modest cost, with effective communication of the legal and regulatory requirements and project progress throughout. A significant one-off income stream was generated for the management company.
Happy customers - validated by the observation made in a client board meeting:
“Local lawyers are impressed with the GDPR progress which Andrew has made”.
Client NED June 2018
Analysis | Commitment | Results