Data Protection

The new laws

The General Data Protection Regulation (‘GDPR’) was issued by the EU on 4 May 2016 and came into effect on 25 May 2018, giving a two-year implementation period.

The Data Protection (Bailiwick of Guernsey) Law 2017 was approved by the States of Guernsey on 26 April 2017 and also came into effect on 25 May 2018. 

The first year following the issue of the GDPR seemed to slip past with few organisations paying it much attention. The publicity surrounding the new Guernsey data protection law in the spring of 2017 created local interest and lawyers started to provide some overview seminars. With one year remaining to the implementation deadline, there was a relatively short period in which to consider and respond to the requirements of the new law.

The project

Andrew was an early responder, recognising that significant effort would be involved to meet the requirements of the new law by the deadline of 25 May 2018. There were going to be a number of key project requirements: 

  • Analysis of the legal & regulatory requirements, to be confirmed by consultation with local lawyers & the then Office of the Data Commissioner

  • Designing a project plan and adapting it as understanding of the requirements improved, and challenges arose, during the project

  • Creation and management of a project team

  • A communication strategy to inform company boards of the new obligations on them and how we would enable them to meet those obligations

  • Systematic application of the project steps, monitoring progress and responding to feedback from the team and company boards of directors

  • Regular reporting on project progress 

  • Meeting capacity challenges by keeping the approach resource-lean (including by designing a simple but comprehensive data processing record in-house)

  • Cascading education and training down through the project team to the rest of the organisation

Key elements

  • Identification of controllers and processors of personal data

  • Disclosures to data subjects – privacy statement 

  • Terms with third parties – data protection provisions in legal agreements

  • IT systems and security review

  • Production of a data audit & processing record (a simple but comprehensive in-house model)

  • Identification of cross-border transfers of personal data

  • Procedures for Data Protection Impact Assessments 

  • Appointment of a Data Protection Officer where required

  • Procedures to address any data subject requests

  • Procedures & documentation to address any data incidents and breach responses

Communications

  • Preliminary Briefing Paper – July 2017

  • Project Overview – September 2017 with graphics to show the key requirements of the law and the project structure & timetable

  • Revised Data & Cyber Security Briefing Paper – September 2017

  • Data Protection Policy Statement – October 2017

  • Briefing Paper update – March 2018 

  • Briefing Paper update – July 2018

Outcome 

The management company and its clients were compliant by the deadline at modest cost, with effective communication of the legal and regulatory requirements and project progress throughout. A significant one-off income stream was generated for the management company.

Happy customers - validated by the observation made in a client board meeting: 

“Local lawyers are impressed with the GDPR progress which Andrew has made”. 

Client NED June 2018

Analysis | Commitment | Results