Case Study: Guernsey Water Data Protection Health Check
The General Data Protection Regulation (GDPR) became legally effective from 25 May 2018 in all EU member states with equivalent legislation in Guernsey. The Data Protection (Bailiwick of Guernsey) Law 2017 allowed some deferrals for implementation until May 2019.
Through a GDPR Health Check, led by CBO in conjunction with the States of Guernsey Data Protection team, the purpose of the project was to review Guernsey Water’s existing data protection controls and develop procedures to embed States’ policies and enable full compliance with the new legislation. The aim was to reduce all identified data protection risks from medium to low by the end of the transition period. CBO was also asked to ensure that an appropriate action plan was in place to enable ongoing compliance beyond project close.
CBO’s objectives were to ensure that:
- there was a reviewed and scored Risk Register;
- a detailed Implementation Plan was established, aiming towards May 2019;
- a high-level data audit was completed, identifying areas of non-compliance;
- ongoing project governance set-up and documentation was in place; and
- the project could be effectively handed over to internal staff for delivery.
CBO worked collaboratively with Guernsey Water and the States Data Protection team to achieve these objectives, and put the appropriate measures in place to ensure ongoing compliance beyond May 2019.
Guernsey Water has a clear understanding of the personal data it holds and has identified and sufficiently mitigated risks to GDPR non-compliance. This protects the company from the financial and reputational risks of non-compliance.