Context 

The General Data Protection Regulation (GDPR) became legally effective from 25 May 2018 in all EU member states with equivalent legislation in Jersey and Guernsey. Carey Olsen – a leading offshore law firm who advise on Bermuda, British Virgin Islands, Cayman Islands, Guernsey and Jersey law across a global network of nine international offices – engaged CBO to lead a project to ensure that the firm was compliant with the GDPR in all jurisdictions before the enforcement date.  

CBO’s Approach 

The project was split into the following stages: scope and definition, detailed planning and analysis, implementation and project closure. CBO ensured that: 

• all data flows and data locations where identified; 
• all relevant policies, procedures and processes were in place; 
• all necessary application changes were identified and implemented; 
• compliant supplier agreements were reviewed and updated; and 
• staff training was rolled out to deliver awareness of the impact of GDPR and what they must do to ensure compliance.  

CBO worked with practice and business areas in all jurisdictions to deliver the above and supported the changes required to ensure ongoing compliance beyond the enforcement date. 

CBO also ensured that all appropriate project governance was in place from the outset of the project which played a key part in achieving delivery on time and on budget. The project approach also included a detailed operational handover to the Carey Olsen Data Protection Officer.  

CBO’s Impact 

As a result of the project Carey Olsen has a clear understanding of the personal data it holds and has identified and sufficiently mitigated risks to GDPR non-compliance. Carey Olsen can be confident that ongoing management and governance of data protection is robust and aligned to the regulatory requirements.