Context

The General Data Protection Regulation (GDPR) became legally effective from 25 May 2018 in all EU member states with equivalent legislation in the Channel Islands. Mourant – an offshore law firm advising on the laws of Hong Kong, London, the BVI, the Cayman Islands, Guernsey and Jersey – asked CBO to manage a project to ensure that the firm was compliant with the GDPR in all jurisdictions before the enforcement date.

CBO’s Approach

The project was split into three stages: detailed planning and analysis, implementation and project closure. CBO ensured that:

• all relevant policies, procedures and processes were in place;
• all necessary system and application changes were identified and completed;
• compliant supplier agreements were in place; and
• Mourant staff were aware of the impact of GDPR and what they must do to ensure compliance.

CBO worked with practice and business areas in all jurisdictions to support the above, and put the appropriate measures in place to ensure ongoing compliance beyond the enforcement date.

CBO’s Impact

The project has resulted in Mourant employees having a good understanding of their role in data protection compliance, and across the firm Mourant has identified and sufficiently mitigated its risks of GDPR non-compliance. GDPR-compliant agreements with third-party processors of data are in place and all necessary policy/procedure changes are complete. Mourant can be confident that ongoing management and governance of data protection are robust.