Blog PostAssurance Services
Data Protection project – done and dusted?
  1. Privacy policy on the website updated – Tick
  2. Data protection policy updated – Tick
  3. Communications sent to staff about data protection – Tick
  4. Training rolled out to staff – Tick

Cue the sigh of relief on 25th May 2018 as GDPR is done with, right? Not quite…

The EU legislation, as well as the local Guernsey and Jersey legislation, impacts all organisations regardless of size. Many organisations are still uncovering processes and platforms that require an overhaul as a result of the new legislation.

What has happened to your organisation’s GDPR project? For a number of organisations the impact of Data Protection changes has seen a number of new projects and changes materialise, such as:

  • Process reviews 
    • Ongoing monitoring
    • IT processes
    • Starters/leavers process
  • Embedding behavioural changes 
    • Aligning to group standards and processes
    • Link to any information security projects and initiatives
  • System implementations/changes
    • Records management
    • Data management
    • Knowledge management
  • Third-party service provider management
    • Risk classification of third parties
    • Security reviews of third parties

Are you in that position? At the end of a GDPR/Data Protection project and you are now adding more and more projects and changes to your portfolio of projects? Below are some steps to incorporate into that process that may help you:

  1. Scope the projects and changes properly – take your time to understand the objectives of what you want to achieve, the potential costs, the risks from the outset and the resource requirements. Rushing the discovery stage often leads to project challenges further down the line.
  2. Re-prioritise your projects – get your senior execs and stakeholders in a room and review the entire portfolio of projects. This will give you the opportunity to understand if any projects require de-prioritising in light of the new projects being added to the list and which align to the organisation strategy and/or legislation or regulatory obligations.
  3. Manage expectations and communicate – a portfolio review is likely to be followed by the need to reset expectations regarding overall project delivery and priorities. A key part of this is to communicate effectively to stakeholders, the project team and the wider organisation. Getting comms out early (and in plain English) will help manage expectations across the organisation.

You can also find out more about our Data Protection and GDPR Health Checks and understand how one of our health checks can help you understand your data protection posture.

More assurance services articles

Case Study
CBO support Ravenscroft with Risk Management Framework

Context Ravenscroft engaged CBO’s assurance services to help them mature their Risk Management Framework (“RMF”) to ensure that it was fit for purpose to demonstrate effective risk management and risk oversight. Ravenscroft’s Chief Risk Officer (“CRO”) had a desire to mature the RMF, thereby documenting and evidencing how the elements of the RMF work together […]

Blog Post
Data Protection: Five years on from GDPR

Since GDPR and the Channel Islands data protection legislation were implemented 5 years ago, personal data has become increasingly valuable and its protection more critical than ever before. Getting it wrong can be costly – for your reputation and your pockets. We sat down with Ed Mason-Smith, data protection expert and director here at CBO, […]

Case Study
Operational Resilience project supports First Central Group to achieve regulatory compliance

Context In March 2021 the Financial Conduct Authority (FCA) issued its final rules requiring firms within the UK’s financial sector to ensure operational resilience. CBO supported First Central Group, a Guernsey-based UK motor insurance provider, to achieve and evidence compliance with the FCA’s rules. Approach CBO provided project management and business analysis resource to support […]

Case Study
Client data project helps financial services business meet regulatory requirements

CBO supported a locally-based independent fiduciary and fund administration business to deliver a project driven by regulatory requirements. After a period of sustained growth, the business identified the need to enhance the efficiency of its existing processes, policies and systems relating to client data management and reporting capabilities. Identifying an opportunity, the client engaged CBO […]

Case Study
The Medical Specialist Group

The Medical Specialist Group The Medical Speciality Group (MSG) is a Guernsey-based organisation providing secondary health care and services to islanders across a broad range of specialisms. In the provision of these medical services, the MSG processes a large volume of extremely sensitive personal data where adequate controls of data and processes are needed to […]

Case Study
Data protection health check for Guernsey Mind

Guernsey Mind Guernsey Mind is an independent mental health charity, promoting positive mental health for the community by providing free mental health services as well as raising overall awareness. In the day-to-day running of the charity, Guernsey Mind processes and holds a wide range of personal data. The effective protection, security, and controls over of […]

Fancy a chat? Get in touch with CBO today to discuss how we can help