Current Issue Headlines
Vol. 4, No. 13 (May 23, 2018)
Print This Issue
-
CSLR Webinar: How to Maintain Effective and Secure Long-Term Vendor Relationships
Please join The Cybersecurity Law Report on June 4, 2018, from 12:00 to 1:00 p.m. EDT for another practical webinar. As data security risks and regulations shift, it is critical to ensure vendor relationships and agreements are continually reviewed and updated. In this complimentary webinar The Cybersecurity Law Report’s Editor-in-Chief Amy Sheehan will discuss how to effectively monitor, manage, update and maintain long-term third-party relationships with input from three experts: Kristina Bergman, CEO and founder of Integris Software; Karen Hornbeck, Consilio senior manager; and Aaron Tantleff, partner at Foley & Gardner. See also “How to Move Beyond a Checklist Approach to Third-Party Oversight” (Dec. 6, 2017); and “Developing an Effective Third-Party Management Program” (Mar. 14, 2018).
Read full article … -
Ten Actionable Articles on GDPR Compliance
With the much-anticipated General Data Protection Regulation coming into effect this week, The Cybersecurity Law Report is revisiting some of our most-read analysis of the regulation and how companies are preparing. These articles will provide you with relevant guidance for ongoing compliance efforts, including insight on specific provisions and enforcement expectations, as well as operational advice on setting up efficient compliance mechanisms. Our regular publication schedule will resume on Wednesday, May 30, 2018.
Read full article … -
Direct From the Irish Data Commissioner: Supervising Facebook and GDPR Enforcement Priorities
Some companies still think the GDPR can be ignored, Irish Data Protection Commissioner Helen Dixon told The Cybersecurity Law Report, but enforcement will come from multiple fronts and companies should be ready. And while Facebook’s privacy policies have been under a brighter spotlight than ever before, these issues are not new to Dixon. In part one of this candid conversation, Dixon provided her perspective on recent privacy disputes regarding Facebook and how her office coordinates with other jurisdictions. In the second installment, Dixon explained how GDPR enforcement will work, her office’s enforcement priorities and what companies should prioritize in their final preparations. See also our previous conversation with Dixon, “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).
Read full article … -
Countdown to GDPR Enforcement: Final Steps and Looking Ahead
In the short time before the GDPR goes into effect, what are the last-minute steps that companies should be taking to prepare themselves for this sea change in privacy rules? In this guest article, O’Melveny & Meyers attorneys Scott Pink, Mallory Jensen and Amanda Bradley discussed these steps and ongoing obligations for companies subject to the GDPR, including measures companies may not have thought to take, and how companies can remain vigilant and continue improving their privacy procedures after the GDPR takes effect. See also “One Year Until GDPR Enforcement: Five Steps Companies Should Take Now” (May 31, 2017).
Read full article … -
A Practical Look at the GDPR’s Data Breach Notification Provision
The GDPR introduces specific breach notification obligations for data controllers and processors. To help covered entities better understand when notification is required and what processes they should have in place in order to meet their obligations, the Article 29 Working Party issued Guidelines on Personal Data Breach Notification at the end of 2017. In this article, with advice and perspective from a former Special Agent with the FBI’s Cyber Division and current head of Nardello & Co.’s digital investigations and cybersecurity practice, we covered key concepts of the WP29 guidance, processes organizations should have in place to comply with the GDPR’s breach notification provisions, and strategies to balance global notification requirements. We also looked at the GDPR’s overall effectiveness in addressing cyber risk. See also “Understanding Australia’s Strengthened Breach Notification Scheme” (Mar. 14, 2018).
Read full article … -
Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Parts One and Two)
While the position of data protection officer is not novel, the GDPR introduces new requirements and the DPO will have a key role in ensuring compliance with the regulation. We spoke with experienced DPOs and counsel from around the world to clarify and shed light on the GDPR provisions and recent Article 29 Working Party guidelines relevant to the DPO role. The first part of our two-part series on the topic examined when appointing a DPO is mandatory, how to select a DPO and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. In part two, DPOs and counsel from around the world examined how the DPO best fits in the corporate structure, and offered considerations for determining whether the role should be fulfilled internally or externally and five steps companies can proactively take to ensure compliance. See also “How to Successfully Incorporate the Role of the Chief Technology Officer” (Oct. 11, 2017).
Read full article … -
Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers
The process of preparing for GDPR enforcement has been complex and companies often identify questions and concerns as they move toward implementation. In this guest article, Scott Pink, Hayley Ichilcik and Mallory Jensen, attorneys at O’Melveny & Myers, identified and responded to common key questions companies are raising and tackling during their GDPR preparations. See also “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).
Read full article … -
How Will the GDPR Affect Due Diligence?
Among the many provisions of the GDPR with which companies are grappling is Article 10, which affects the processing of personal data relating to criminal activity. This kind of data collection is a core part of many different types of diligence and investigations. Article 10 “will basically put companies subject to both the GDPR and non-E.U. laws between a rock and a hard place,” potentially subjecting them to “the wrath of the U.S. Department of Justice,” for example, Alja Poler De Zwart, counsel at Morrison Foerster in Brussels, told The Cybersecurity Law Report. This article discussed how companies can approach Article 10 and the patchwork of applicable member-state laws. See also “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017); and “Essential Cyber Due Diligence Considerations in M&A Deals Raised by Yahoo Breach” (Oct. 5, 2016)
Read full article … -
EY Global Data Analytics Survey Finds Lack of GDPR Preparedness and Need for Cross-Functional Collaboration
Despite an increasing number of technical and automated tools, organizations continue to be challenged by the large volume of data collected from disparate sources. GDPR compliance is only highlighting the need to understand, map and protect all that data. Shockingly, two-thirds of respondents in the 2018 EY Global Forensic Data Analytics Survey were either not familiar with GDPR, have heard of it but had taken no action, or were studying it. Certainly, “one surprise from the survey was the general lack of readiness as it relates to data privacy and GDPR,” Todd Marlin, a principal at Ernst & Young, told The Cybersecurity Law Report. The article took a closer look at the survey results and what companies might do to improve their operational approach and their use of forensic data analytics while meeting the requirements of GDPR and other privacy and security regulations. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).
Read full article … -
Using Technology to Comply With the GDPR
Organizations covered by GDPR know that they need make compliance effective, sustainable and feasible without draining human and financial resources. We spoke to Theresa Beaumont, a legal data governance and technology expert at Groupe Beaumont; Kenneth N. Rashbaum, a partner at Barton; and Matthew Nelson, vice president of data liaison services and associate general counsel at DiscoverReady, regarding the benefits of using technology for six specific areas of GDPR compliance and how to choose the right technologies. These experts also addressed the topic at a Legaltech panel where they discussed how technology can assist companies wrestle with sprawling stored data to meet the ongoing requirements. See our three-part series on when and how legal and information security should engage on cyber strategy: “It Starts With Governance” (Mar. 28, 2018); “Assessments and Incident Response” (Apr. 11, 2018); “Vendors and M&A” (Apr. 18, 2018).
Read full article … -
The GDPR’s Data Subject Rights and Why They Matter
Privacy rights, once more obscure, are now common topics both within and beyond legal circles. The European “right to be forgotten” is at the forefront of these discussions and it raises certain questions. What are the individual “data subject” rights under the E.U. General Data Protection Regulation? And why should U.S. organizations care? In this guest article, Frankfurt Kurnit partner Tanya Forsheit reviewed the GDPR’s application to U.S. organizations, explained how the GDPR defines and treats “data subjects” and “data subject rights,” and addressed how requests by E.U. data subjects to exercise some of their new rights might surface here in the U.S. – and how they may impact the daily lives of corporate lawyers and customer service departments. See also “The Right to Be Forgotten: English High Court Details When Google Must Delist Links to Crimes “ (May 9, 2018).
Read full article … -
Five Steps Companies Should Take to Comply With the GDPR
The GDPR has a vast reach, applying not only to E.U. companies that process personal data, but also non-E.U. companies that process personal data in connection with offering goods and services to individuals in the E.U. It likely applies to companies, regardless of location, that process data in the course of monitoring or profiling individuals in the E.U. In this guest article, Kiran Raj, Mallory Jensen and Sara Zdeb, attorneys at O’Melveny & Myers, detailed five key steps companies should take to ensure compliance with the GDPR’s transformative requirements, avoid significant penalties and improve their overall data-management practices. See also “Evaluating Cybersecurity Coverage in Light of the GDPR” (Mar. 28, 2018).
Read full article …