The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: GDPR

  • From Vol. 4 No.13 (May 23, 2018)

    Direct From the Irish Data Commissioner: Supervising Facebook and GDPR Enforcement Priorities

    Some companies still think the GDPR can be ignored, Irish Data Protection Commissioner Helen Dixon told The Cybersecurity Law Report, but enforcement will come from multiple fronts and companies should be ready. And while Facebook’s privacy policies have been under a brighter spotlight than ever before, these issues are not new to Dixon. In part one of this candid conversation, Dixon provided her perspective on recent privacy disputes regarding Facebook and how her office coordinates with other jurisdictions. In the second installment, Dixon explained how GDPR enforcement will work, her office’s enforcement priorities and what companies should prioritize in their final preparations. See also our previous conversation with Dixon, “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

  • From Vol. 4 No.13 (May 23, 2018)

    Countdown to GDPR Enforcement: Final Steps and Looking Ahead

    In the short time before the GDPR goes into effect, what are the last-minute steps that companies should be taking to prepare themselves for this sea change in privacy rules? In this guest article, O’Melveny & Myers attorneys Scott Pink, Mallory Jensen and Amanda Bradley discussed these steps and ongoing obligations for companies subject to the GDPR, including measures companies may not have thought to take, and how companies can remain vigilant and continue improving their privacy procedures after the GDPR takes effect. See also “One Year Until GDPR Enforcement: Five Steps Companies Should Take Now” (May 31, 2017).

  • From Vol. 4 No.13 (May 23, 2018)

    A Practical Look at the GDPR’s Data Breach Notification Provision

    The GDPR introduces specific breach notification obligations for data controllers and processors. To help covered entities better understand when notification is required and what processes they should have in place in order to meet their obligations, the Article 29 Working Party issued Guidelines on Personal Data Breach Notification at the end of 2017. In this article, with advice and perspective from a former Special Agent with the FBI’s Cyber Division and current head of Nardello & Co.’s digital investigations and cybersecurity practice, we covered key concepts of the WP29 guidance, processes organizations should have in place to comply with the GDPR’s breach notification provisions, and strategies to balance global notification requirements. We also looked at the GDPR’s overall effectiveness in addressing cyber risk. See also “Understanding Australia’s Strengthened Breach Notification Scheme” (Mar. 14, 2018).

  • From Vol. 4 No.13 (May 23, 2018)

    Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Parts One and Two)

    While the position of data protection officer is not novel, the GDPR introduces new requirements and the DPO will have a key role in ensuring compliance with the regulation. We spoke with experienced DPOs and counsel from around the world to clarify and shed light on the GDPR provisions and recent Article 29 Working Party guidelines relevant to the DPO role. The first part of our two-part series on the topic examined when appointing a DPO is mandatory, how to select a DPO and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. In part two, DPOs and counsel from around the world examined how the DPO best fits in the corporate structure, and offered considerations for determining whether the role should be fulfilled internally or externally and five steps companies can proactively take to ensure compliance. See also “How to Successfully Incorporate the Role of the Chief Technology Officer” (Oct. 11, 2017).

  • From Vol. 4 No.13 (May 23, 2018)

    Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers

    The process of preparing for GDPR enforcement has been complex and companies often identify questions and concerns as they move toward implementation. In this guest article, Scott Pink, Hayley Ichilcik and Mallory Jensen, attorneys at O’Melveny & Myers, identified and responded to common key questions companies are raising and tackling during their GDPR preparations. See also “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

  • From Vol. 4 No.13 (May 23, 2018)

    How Will the GDPR Affect Due Diligence?

    Among the many provisions of the GDPR with which companies are grappling is Article 10, which affects the processing of personal data relating to criminal activity. This kind of data collection is a core part of many different types of diligence and investigations. Article 10 “will basically put companies subject to both the GDPR and non-E.U. laws between a rock and a hard place,” potentially subjecting them to “the wrath of the U.S. Department of Justice,” for example, Alja Poler De Zwart, counsel at Morrison Foerster in Brussels, told The Cybersecurity Law Report. This article discussed how companies can approach Article 10 and the patchwork of applicable member-state laws. See also “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017); and “Essential Cyber Due Diligence Considerations in M&A Deals Raised by Yahoo Breach” (Oct. 5, 2016).

  • From Vol. 4 No.13 (May 23, 2018)

    EY Global Data Analytics Survey Finds Lack of GDPR Preparedness and Need for Cross-Functional Collaboration

    Despite an increasing number of technical and automated tools, organizations continue to be challenged by the large volume of data collected from disparate sources. GDPR compliance is only highlighting the need to understand, map and protect all that data. Shockingly, two-thirds of respondents in the 2018 EY Global Forensic Data Analytics Survey were either not familiar with GDPR, had heard of it but had taken no action, or were studying it. Certainly, “one surprise from the survey was the general lack of readiness as it relates to data privacy and GDPR,” Todd Marlin, a principal at Ernst & Young, told The Cybersecurity Law Report. The article took a closer look at the survey results and what companies might do to improve their operational approach and their use of forensic data analytics while meeting the requirements of GDPR and other privacy and security regulations. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 4 No.13 (May 23, 2018)

    Using Technology to Comply With the GDPR

    Organizations covered by the GDPR know that they need to make compliance effective, sustainable and feasible without draining human and financial resources. We spoke to Theresa Beaumont, a legal data governance and technology expert at Groupe Beaumont; Kenneth N. Rashbaum, a partner at Barton; and Matthew Nelson, vice president of data liaison services and associate general counsel at DiscoverReady, regarding the benefits of using technology for six specific areas of GDPR compliance and how to choose the right technologies. These experts also addressed the topic at a Legaltech panel where they discussed how technology can help companies wrestle with sprawling stored data to meet the ongoing requirements. See our three-part series on when and how legal and information security should engage on cyber strategy: “It Starts With Governance” (Mar. 28, 2018); “Assessments and Incident Response” (Apr. 11, 2018); “Vendors and M&A” (Apr. 18, 2018).

  • From Vol. 4 No.13 (May 23, 2018)

    The GDPR’s Data Subject Rights and Why They Matter

    Privacy rights, once more obscure, are now common topics both within and beyond legal circles. The European “right to be forgotten” is at the forefront of these discussions and it raises certain questions. What are the individual “data subject” rights under the E.U. General Data Protection Regulation? And why should U.S. organizations care? In this guest article, Frankfurt Kurnit partner Tanya Forsheit reviewed the GDPR’s application to U.S. organizations, explained how the GDPR defines and treats “data subjects” and “data subject rights,” and addressed how requests by E.U. data subjects to exercise some of their new rights might surface here in the U.S. – and how they may impact the daily lives of corporate lawyers and customer service departments. See also “The Right to Be Forgotten: English High Court Details When Google Must Delist Links to Crimes” (May 9, 2018).

  • From Vol. 4 No.13 (May 23, 2018)

    Five Steps Companies Should Take to Comply With the GDPR

    The GDPR has a vast reach, applying not only to E.U. companies that process personal data, but also non-E.U. companies that process personal data in connection with offering goods and services to individuals in the E.U. It likely applies to companies, regardless of location, that process data in the course of monitoring or profiling individuals in the E.U. In this guest article, Kiran Raj, Mallory Jensen and Sara Zdeb, attorneys at O’Melveny & Myers, detailed five key steps companies should take to ensure compliance with the GDPR’s transformative requirements, avoid significant penalties and improve their overall data-management practices. See also “Evaluating Cybersecurity Coverage in Light of the GDPR” (Mar. 28, 2018).

  • From Vol. 4 No.12 (May 16, 2018)

    Countdown to GDPR Enforcement: Final Steps and Looking Ahead

    In the short time before the GDPR goes into effect, what are the last-minute steps that companies should be taking to prepare themselves for this sea change in privacy rules? In this guest article, O’Melveny & Myers attorneys Scott Pink, Mallory Jensen and Amanda Bradley discuss these steps and ongoing obligations for companies subject to the GDPR, including measures companies may not have thought to take, and how companies can remain vigilant and continue improving their privacy procedures after the GDPR takes effect. See also CSLR’s two-part interview with the Irish Data Commissioner: “Supervising Facebook” (Apr. 25, 2018); and “GDPR Enforcement Priorities” (May 2, 2018); and “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

  • From Vol. 4 No.12 (May 16, 2018)

    How to Ensure GDPR-Compliant Third-Party Relationships

    The GDPR is changing how organizations manage third-party relationships, including how third parties are onboarded and monitored. For example, controllers may only use processors that provide sufficient guarantees of GDPR compliance, and the relationship must be documented by contract. During a recent Bristows webinar, Robert Bond, a partner at Bristows, and Allan Matheson, CEO of Blue Umbrella, a compliance research firm, spoke about best practices for third-party relationships in the context of the GDPR and other laws, and how technology can be used to make monitoring third parties more effective. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 4 No.11 (May 9, 2018)

    The Right to Be Forgotten: English High Court Details When Google Must Delist Links to Crimes

    Information about a person’s criminal history remains online long after many serve their time. But in what circumstances must a search engine comply with an individual’s demand to delist those links? That was the central question in the closely watched case of NT1 & NT2 v. Google LLC, the first consideration of the “right to be forgotten” by English courts. Decided on the cusp of the GDPR’s effective date, the High Court used a balancing test from the E.U.’s 2014 Google Spain case. Kelly Hagedorn, a partner in Jenner & Block’s London office, told The Cybersecurity Law Report that the decision was “a very carefully reasoned judgment” that, even in the new regime of the GDPR, would be “a useful reference point for those considering the balancing of the right to erasure and the right to freedom of speech.” See “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

  • From Vol. 4 No.10 (May 2, 2018)

    Direct From the Irish Data Commissioner: GDPR Enforcement Priorities (Part Two of Two)

    Some companies still think the GDPR can be ignored, Irish Data Protection Commissioner Helen Dixon told The Cybersecurity Law Report, but enforcement will come from multiple fronts and companies should be ready. In this candid conversation, Dixon discusses how GDPR enforcement will work, her office’s enforcement priorities and what companies should prioritize in their final preparations. In the first article of this two-part series, Dixon provided her perspective on recent privacy disputes regarding Facebook and how her office coordinates with other jurisdictions. See also “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

  • From Vol. 4 No.9 (Apr. 25, 2018)

    Direct From the Irish Data Protection Commissioner: Supervising Facebook (Part One of Two)

    Since the public revelation that Cambridge Analytica harvested personal data of millions of Facebook users, Facebook’s privacy policies have been under a brighter spotlight than ever before. But these issues are not new to Irish Data Protection Commissioner Helen Dixon – her office has been working with Facebook on privacy issues and GDPR preparations for quite some time. Dixon sat down with The Cybersecurity Law Report and gave her frank perspective on recent privacy disputes regarding Facebook, which has its European operations based in Ireland, and a range of other issues regarding the imminent implementation of the GDPR. In part one of our series, she discusses supervising Facebook, talks about how her office coordinates with other jurisdictions and discusses how that coordination will change under the GDPR. In part two, Dixon will discuss how GDPR enforcement will work, her office’s enforcement priorities and what companies should prioritize in their final preparations. See also our previous conversation with Dixon, “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

  • From Vol. 4 No.6 (Mar. 28, 2018)

    EY Global Data Analytics Survey Finds Lack of GDPR Preparedness and Need for Cross-Functional Collaboration

    Despite an increasing number of technical and automated tools, organizations continue to be challenged by the large volume of data collected from disparate sources. GDPR compliance is only highlighting the need to understand, map and protect all that data. Shockingly, two-thirds of respondents in the 2018 EY Global Forensic Data Analytics Survey are either not familiar with GDPR, have heard of it but taken no action, or are studying it. Certainly, “one surprise from the survey was the general lack of readiness as it relates to data privacy and GDPR,” Todd Marlin, a principal at Ernst & Young, told The Cybersecurity Law Report. The article takes a closer look at the survey results and what companies might do to improve their operational approach and their use of forensic data analytics while meeting the requirements of GDPR and other privacy and security regulations. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 4 No.6 (Mar. 28, 2018)

    Evaluating Cybersecurity Coverage in Light of the GDPR

    As companies are integrating the requirements of new regulations focused on cyber risk into their enterprise programs, they are increasingly turning to cyber insurance. Insurers will be looking at compliance with those regulations, such as the GDPR, when reviewing and pricing policy requests. In this guest article, Kirsten Bay, president and CEO of Cyber adAPT, discusses why businesses should be exploring cyber insurance as well as the factors insurers will consider when writing cyber insurance policies, including GDPR compliance. See also “How to Make an Informed Policy Selection in the Dynamic Cyber Insurance Market” (Aug. 9, 2017).

  • From Vol. 4 No.5 (Mar. 14, 2018)

    How Will the GDPR Affect Due Diligence?

    Among the many provisions of the GDPR with which companies are grappling is Article 10, which affects the processing of personal data relating to criminal activity. This kind of data collection is a core part of many different types of diligence and investigations. Article 10 “will basically put companies subject to both the GDPR and non-E.U. laws between a rock and a hard place,” potentially subjecting them to “the wrath of the U.S. Department of Justice,” for example, Alja Poler De Zwart, counsel at Morrison Foerster in Brussels, told The Cybersecurity Law Report. This article discusses how companies can approach Article 10 and the patchwork of applicable member-state laws. See “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    The GDPR’s Data Subject Rights and Why They Matter

    Privacy rights, once more obscure, are now common topics both within and beyond legal circles. The European “right to be forgotten” is at the forefront of these discussions and it raises certain questions. What are the individual “data subject” rights under the E.U. General Data Protection Regulation? And why should U.S. organizations care? In this guest article, Frankfurt Kurnit partner Tanya Forsheit reviews the GDPR’s application to U.S. organizations, explains “data subjects” and “data subject rights” under the GDPR, and addresses how requests by E.U. data subjects to exercise some of their new rights might surface here in the U.S. and impact the daily lives of corporate lawyers and customer service departments. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part Two of Two)

    As large-scale data breaches become regular occurrences, and new regulations are implemented, shareholder derivative suits are increasingly being used by investors seeking to be made whole after data breaches. Boards of directors need to take note and understand the increasing costs and risks these suits pose. In this second part of a guest article series, Shearman & Sterling attorneys Jeewon Kim Serrato, Marc Elzweig and David Lee draw on the recent cases examined in part one and identify five lessons that boards may learn from these suits – lessons that are applicable to companies seeking to assess litigation risks related to data breaches and that also provide a practical starting point for managing cybersecurity risks in general. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    Using Technology to Comply With the GDPR

    Organizations preparing for the GDPR’s upcoming effective date know that they need to make compliance effective, sustainable and feasible without draining human and financial resources. We spoke to Theresa Beaumont, a legal data governance and technology expert at Groupe Beaumont; Kenneth N. Rashbaum, a partner at Barton; and Matthew Nelson, vice president of data liaison services and associate general counsel at DiscoverReady, regarding the benefits of using technology for six specific areas of GDPR compliance and how to choose the right technologies. These experts also addressed the topic at a recent Legaltech panel where they discussed how technology can help companies wrestle with sprawling stored data to meet the ongoing requirements. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part One of Two)

    Post-breach litigation can be costly, and the rise of one type in particular, shareholder derivative suits filed against boards of directors of companies that have suffered data breaches, merits further attention. Regulatory changes, including the GDPR, may make such suits more frequent in addition to creating other data breach response expenses. Boards of directors need to take note and understand these increasing costs and risks. In part one of this guest article series, Jeewon Kim Serrato, David Lee and Marc Elzweig, attorneys at Shearman & Sterling, review the evolving understanding of the board of directors’ responsibility for cybersecurity and consider several shareholder derivative suits filed in the wake of data breaches as case studies. In part two, they will consider some of the lessons that boards may learn from these suits. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).

  • From Vol. 4 No.1 (Jan. 17, 2018)

    A Practical Look at the GDPR’s Data Breach Notification Provision

    The E.U. General Data Protection Regulation introduces specific breach notification obligations for data controllers and processors. To help covered entities better understand when notification is required and what processes they should have in place in order to meet their obligations, the Article 29 Working Party issued Guidelines on Personal Data Breach Notification at the end of 2017. In this article, with advice and perspective from a former Special Agent with the FBI’s Cyber Division and current head of Nardello & Co.’s digital investigations and cybersecurity practice, we cover key concepts of the WP29 guidance, processes organizations should have in place to comply with the GDPR’s breach notification provisions, and strategies to balance global notification requirements. We also look at the GDPR’s overall effectiveness in addressing cyber risk. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 3 No.25 (Dec. 20, 2017)

    Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers

    With the GDPR’s effective date of May 25, 2018 approaching, most companies that will be affected by the E.U.’s General Data Protection Regulation have preparations well underway. However, the process is complex and companies often identify questions and concerns as they move toward implementation. In this guest article, Scott Pink, Hayley Ichilcik and Mallory Jensen, attorneys at O’Melveny & Myers, identify and respond to common key questions companies are raising and tackling during their GDPR preparations. See also “One Year Until GDPR Enforcement: Five Steps Companies Should Take Now” (May 31, 2017).

  • From Vol. 3 No.23 (Nov. 22, 2017)

    Five Steps Companies Should Take to Comply With the GDPR

    The GDPR will have a vast reach, applying not only to E.U. companies that process personal data, but also non-E.U. companies that process personal data in connection with offering goods and services to individuals in the E.U. It will likewise apply to companies, regardless of location, that process data in the course of monitoring or profiling individuals in the E.U. In this guest article, Kiran Raj, Mallory Jensen and Sara Zdeb, attorneys at O’Melveny & Myers, discuss five key steps companies should take now to ensure compliance with the GDPR’s transformative requirements, avoid significant penalties and improve their overall data-management practices.

  • From Vol. 3 No.23 (Nov. 22, 2017)

    Getting to Know the DPO and How to Adapt Corporate Structure to Comply With GDPR Requirements for the Role

    The GDPR, which takes effect May 25, 2018, introduces the statutory position of the data protection officer (DPO), which will be a key role in ensuring compliance with the regulation. But where and how does this position function within the company? Many organizations preparing for compliance are focused on answering these questions. While the position is not novel, the GDPR introduces new requirements. We spoke with experienced DPOs and counsel from around the world to clarify and shed light on the GDPR provisions and recent Article 29 Working Party guidelines relevant to the DPO role. The first article in our two-part series on the topic examined when appointing a DPO will be mandatory, how to select a DPO and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. Part two covered how the DPO best fits in the corporate structure, how to manage the budget for this role and steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

  • From Vol. 3 No.23 (Nov. 22, 2017)

    A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies

    With the effective date of the GDPR fast-approaching, Ireland – the site of the European headquarters of tech giants such as Apple, Google and Facebook – is at the forefront of data protection and privacy enforcement. Leading the effort is Helen Dixon, Ireland’s Data Protection Commissioner. In January 2017, we spoke to Commissioner Dixon about the “game-changing” nature of the GDPR. The first installment of our two-part series includes her views on the most challenging compliance issues for companies, strategies to get buy-in from the C-suite for compliance resources (including the threat of the heavy fines the Commissioner can levy), and successful compliance models she has seen. In the second article in our series, she discusses compliance with the non-harmonized areas of the GDPR, its enforcement structure, enforcement challenges for the data protection authorities, and answers criticism of the law's penalties.

  • From Vol. 3 No.23 (Nov. 22, 2017)

    European Data Protection Supervisor Offers Advice on Privacy Shield Review and GDPR Preparation

    With the first annual E.U.-U.S. joint review of the Privacy Shield complete and the sweeping GDPR legislation coming in May 2018, Europe is looking to the U.S. for signals that government and company data practices meet the requirements and expectations of both regimes. Giovanni Buttarelli, the European Data Protection Supervisor, spoke to The Cybersecurity Law Report about lingering concerns European institutions have about U.S. practices, and steps that the U.S. government and companies should take to comply with these new laws.

  • From Vol. 3 No.23 (Nov. 22, 2017)

    E.U. Data Regulators Weigh in on GDPR Prep in Asia and Across the Globe

    How should companies outside the E.U. prepare for the GDPR’s impact? Our sister publication PaRR recently sat down with three senior European data protection regulators to discuss what the forthcoming law means for companies in Asia and beyond. GDPR marks a big change for companies and a mindset change is required, Dale Sunderland, Deputy Commissioner of Ireland’s Data Protection Authority, told PaRR. Sunderland, along with other regulators, explains the GDPR’s reach and lead supervisory authority provision and discusses the intersection with other jurisdictional rules such as APEC’s Cross Border Privacy Rules system.

  • From Vol. 3 No.22 (Nov. 8, 2017)

    E.U. Data Regulators Weigh in on GDPR Prep in Asia and Across the Globe

    How should companies outside the E.U. prepare for the GDPR’s impact? Our sister publication PaRR recently sat down with three senior European data protection regulators to discuss what the forthcoming law means for companies in Asia and beyond. GDPR marks a big change for companies and a mindset change is required, Dale Sunderland, deputy commissioner of Ireland’s data protection authority, told PaRR. Sunderland, along with other regulators, explains the GDPR’s reach and lead supervisory authority provision and discusses the intersection with other jurisdictional rules such as APEC’s Cross Border Privacy Rules system. See “One Year Until GDPR Enforcement: Five Steps Companies Should Take Now” (May 31, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    New Criteria for Employee Monitoring Practices in Light of ECHR Decision

    The Grand Chamber of the European Court of Human Rights has laid out new criteria for national courts to consider when evaluating whether companies have safeguarded employees’ right to privacy. The court sided with an employee who claimed his privacy rights were violated when his messages were recorded. In light of this decision, some companies operating in the 47 member states may want to revisit their policies on monitoring communications, experts told The Cybersecurity Law Report. We analyze the implications of the decision and how it aligns with other national laws. See “Effective and Compliant Employee Monitoring (Part One of Two)” (Apr. 5, 2017); Part Two (Apr. 19, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    FTC Settlements in Privacy Shield Cases and With Lenovo Over Use of “Man-in-the-Middle” Software Highlight Vigorous Enforcement Efforts

    Despite operating with only two of five Commissioners, the FTC has continued its data-privacy-enforcement efforts. It recently struck a major settlement with Lenovo over adware that was pre-installed on laptops and, unbeknownst to consumers, acted as a “man-in-the-middle,” with the ability to capture all of the data users transmitted to e-commerce websites they visited. It also reached settlements with three companies based on allegedly false claims of compliance with the U.S.-E.U. Privacy Shield framework. We explain the facts and circumstances that gave rise to the FTC enforcement actions and the terms of the settlements. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

  • From Vol. 3 No.17 (Aug. 23, 2017)

    Implications and Analysis of the E.U.-Canada Data Sharing Agreement Rejection

    The Court of Justice of the European Union has struck down a major air passenger data sharing agreement between the E.U. and Canada. In a guest article, John Magee, a partner at William Fry, and Alex Cameron, a partner at Fasken Martineau, discuss the ruling and its potential repercussions, including the impact on similar agreements with Australia and the U.S., on post-Brexit E.U. data transfers, and on Canadian data protection laws. See also “Key Requirements of the Newly Approved Privacy Shield” (Jul. 20, 2016).

  • From Vol. 3 No.15 (Jul. 26, 2017)

    International Law Playing Cybersecurity Catch-Up (Part Two of Two)

    Cybersecurity threats are global, and both public- and private-sector cybersecurity efforts require international coordination. Despite an acute need for cybersecurity-specific laws and treaties, these have been slow to develop, and in this vacuum, most countries are trying to adapt and apply existing legal frameworks to combat and address cybersecurity threats. In this second part of a two-part guest article series addressing the intersection of cybersecurity and international law, Hughes Hubbard attorneys Seth Rothman and Andreas Baum explore laws related to cyber crimes and international laws that regulate business activities, including recent E.U. legislative efforts. Part one provided insight on cyber warfare and the relevant laws and treaties that address the shifting threats. See also “Prosecuting Borderless Cyber Crime Through Proactive Law Enforcement and Private Sector Cooperation” (Mar. 2, 2016).

    Read Full Article …
  • From Vol. 3 No.11 (May 31, 2017)

    One Year Until GDPR Enforcement: Five Steps Companies Should Take Now

    The European Union’s General Data Protection Regulation (GDPR) will be enforceable on May 25, 2018, with consequences for global businesses far broader than those of the decades-old European Data Protection Directive it replaces. The GDPR will have a vast reach, applying not only to E.U. companies that process personal data, but also non-E.U. companies that process personal data in connection with offering goods and services to individuals in the E.U. It will likewise apply to companies, regardless of location, that process data in the course of monitoring or profiling individuals in the E.U. In this guest article, Kiran Raj, Mallory Jensen and Sara Zdeb, attorneys at O’Melveny & Myers, discuss five key steps companies should take now to ensure compliance with the GDPR’s transformative requirements, avoid significant penalties, and improve their overall data-management practices. See also “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

    Read Full Article …
  • From Vol. 3 No.10 (May 17, 2017)

    Tracking Data and Maximizing Its Potential

How companies use and store data can be in conflict with regulations, notably the GDPR. Kristina Bergman, CEO and founder of Integris Software, and David Ray, Integris vice president, privacy, product and services, recently spoke to The Cybersecurity Law Report about using new technological tools to gain critical knowledge about companies’ data. That understanding not only facilitates compliance, but can also provide evidence for regulators, output concrete illustrations for a board or executive presentation, and assist in identifying the best data sets for marketing efforts. See also “A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation (Part One of Three)” (Apr. 27, 2016).

    Read Full Article …
  • From Vol. 3 No.9 (May 3, 2017)

    European Data Protection Supervisor Offers Advice on Privacy Shield Review and GDPR Preparation

    With the first annual E.U.-U.S. joint review of the Privacy Shield scheduled for September and the sweeping GDPR legislation coming in May 2018, Europe is looking to the U.S. for signals that government and company data practices meet the requirements and expectations of both regimes. Giovanni Buttarelli, the European Data Protection Supervisor, spoke to The Cybersecurity Law Report about lingering concerns European institutions have about U.S. practices, and steps that the U.S. government and companies should take to comply with these new laws. See also “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

    Read Full Article …
  • From Vol. 3 No.9 (May 3, 2017)

    Practical and Innovative Permissioning Within the Framework of Europe’s Upcoming Data Protection Regulations

Securing customers’ permission to collect and use their data can be challenging, and it will become all the more important with the GDPR and the proposed ePrivacy Regulation, both slated to apply in the E.U. from May 2018. The laws focus on how consumer data is collected and transferred, with steep fines for noncompliance. At a recent conference in Prague, Robert Bond, a partner at Bristows, along with Michael Bond, glh Hotels’ data protection officer, discussed the current E.U. regulatory landscape and its compliance issues, and advised on practical ways companies can approach compliance with these new regulations to not only save money, but also to generate profits. See also “Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)” (Jan. 25, 2017); Part Two (Feb. 8, 2017).

    Read Full Article …
  • From Vol. 3 No.8 (Apr. 19, 2017)

    Effective and Compliant Employee Monitoring (Part Two of Two)

    Experts agree that network monitoring is a critical proactive cybersecurity measure. But complexities arise that require cross-department coordination and deep understanding of numerous privacy limitations and other legal requirements. The second installment of this two-part series provides operational guidance on implementing monitoring programs and navigating contrasting rules in Europe, as well as issues surrounding individual monitoring, monitoring for non-security purposes, and data controlled by third parties. The first part tackled the role of data monitoring, effective notice, legal considerations, and specific policy considerations. See also “Do You Know Where Your Employees Are? Tackling the Privacy and Security Challenges of Remote Working Arrangements” (May 25, 2016).

    Read Full Article …
  • From Vol. 3 No.7 (Apr. 5, 2017)

    A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part Two of Two)

The E.U.’s General Data Protection Regulation, a sweeping law with harsh fines, is set to take effect in May 2018. Ireland, the European home of many large multinationals, is expected to be at the center of enforcement. We spoke to Helen Dixon, Ireland’s Data Protection Commissioner, about the upcoming changes and how companies can prepare for them. In this second article in our series, she discusses compliance with the non-harmonized areas of the GDPR, the GDPR’s enforcement structure, enforcement challenges for the data protection authorities, and answers criticism of the law’s penalties. The first article in the series contained her views on the most challenging compliance issues for companies, strategies to get buy-in from the C-suite for compliance resources and successful compliance models she has seen. See also “Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)” (Jan. 25, 2017); Part Two (Feb. 8, 2017).

    Read Full Article …
  • From Vol. 3 No.6 (Mar. 22, 2017)

    A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)

    With the effective date of the GDPR fast approaching, Ireland – the site of the European headquarters of tech giants like Apple, Google and Facebook – is at the forefront of data protection and privacy enforcement. Leading the effort is Helen Dixon, Ireland’s Data Protection Commissioner. We spoke to Commissioner Dixon about the “game-changing” nature of the GDPR. This first part of our two-part series includes her views on the most challenging compliance issues for companies, strategies to get buy-in from the C-suite for compliance resources (including the threat of the heavy fines the Commissioner can levy), and successful compliance models she has seen. See also “Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)” (Jan. 25, 2017); Part Two (Feb. 8, 2017).

    Read Full Article …
  • From Vol. 3 No.4 (Feb. 22, 2017)

    Marsh and FireEye Take the Pulse of European Cybersecurity Climate

    FireEye, Inc. and Marsh & McLennan Companies recently released their joint 2017 European cyber risk report, which is based in part on data collected by Marsh in a survey of 750 of its European clients. It analyzes the current European threat environment, benchmarks companies’ cyber perceptions, discusses coming regulations that should provide increased transparency on cyber attacks and provides best practices for cybersecurity preparedness. For more insight from FireEye, see “How the Financial Services Industry Can Manage Cyber Risk” (Jul. 20, 2016). For more from Marsh, see our two-part series: “Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part One of Two)” (Nov. 25, 2015) and Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 3 No.3 (Feb. 8, 2017)

    Getting to Know the DPO and How to Adapt Corporate Structure to Comply With GDPR Requirements for the Role (Part Two of Two)

    The GDPR introduces the statutory position of the Data Protection Officer, who will have a key role in ensuring compliance with the regulation. But where and how does the DPO position function within the company? In this second installment in our two-part article series on the role, DPOs and counsel from around the world discuss how the DPO best fits in the corporate structure, and offer considerations for determining whether the role should be fulfilled internally or externally and five steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. Part one examined when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

    Read Full Article …
  • From Vol. 3 No.2 (Jan. 25, 2017)

    Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)

    Looking toward the GDPR’s May 25, 2018 implementation date, many organizations preparing for compliance are focused on the DPO role. While the position is not novel, the GDPR introduces new requirements. We spoke with experienced DPOs and counsel from around the world to clarify and shed light on the GDPR provisions and recent Article 29 Working Party guidelines relevant to the DPO role. This first part of our two-part series on the topic examines when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. Part two will discuss how the DPO best fits in the corporate structure, how to manage the budget for this role and steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

    Read Full Article …
  • From Vol. 3 No.1 (Jan. 11, 2017)

    Ten Cybersecurity Priorities for 2017

    Even companies that have mature information security practices in place must exercise constant vigilance by reevaluating their needs and improving their approaches. The Cybersecurity Law Report spoke with several experts to find out what companies should be focusing on and how they should allocate time and resources when setting cybersecurity priorities for 2017. In this article, we outline the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Cybersecurity Preparedness Is Now a Business Requirement” (Feb. 17, 2016).

    Read Full Article …
  • From Vol. 2 No.25 (Dec. 14, 2016)

    Advice From Compliance Officers on Getting the C-Suite to Show You the Money for Your Data Privacy Program

    The end of the year is often when companies evaluate their budgets, and it is a crucial time to make sure the CEO is educated about data privacy legislation and its potential repercussions. So, how can privacy officers best advocate for system-wide buy-in and budget support of their data privacy programs? At a recent panel at IAPP’s Practical Privacy Series 2016 conference, compliance leaders from Shire, CBRE and InterSystems discussed their three different operational approaches and practical tactics for making sure the compliance office has the tools and the budget it needs to comply with dynamic global data privacy regulations, including the GDPR. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

    Read Full Article …
  • From Vol. 2 No.25 (Dec. 14, 2016)

    Navigating Data Privacy Laws in Cross-Border Investigations

    Conducting a cross-border investigation or performing global due diligence each has its own set of unique challenges, which only become more formidable when coupled with a government inquiry. In the E.U. in particular, issues range from confusing and often conflicting privacy laws, to language and cultural barriers, to custodian access and local coordination. According to more than half of those who responded to a recent BDO survey, disparate data privacy laws are the biggest challenge to managing cross-border e-discovery. In a guest article, Deena Coffman and Nina Gross, managing directors at BDO, provide insight on the data privacy landscape in the E.U. and how to comply with competing demands during a cross-border investigation. See also “Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations” (May 25, 2016).

    Read Full Article …
  • From Vol. 2 No.22 (Nov. 2, 2016)

    Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty

    Over two hundred companies have become Privacy Shield-certified and hundreds more have begun the process. Others are taking their time and weighing their options, particularly because a challenge to the Privacy Shield has already been filed in Europe. “This is a serious privacy program . . . that we intend to have implemented and administered in a way that maintains the confidence of data protection authorities and stakeholders in Europe,” Ted Dean, Assistant Secretary for Services at the Department of Commerce said. During a recent webinar hosted by Data Guidance, Dean and attorneys at Sidley Austin discussed how to approach the self-certification process and whether this mechanism for transatlantic data transfer is the right choice for all companies. For more on the Privacy Shield’s specific requirements, see “Key Requirements of the Newly Approved Privacy Shield” (Jul. 20, 2016).

    Read Full Article …
  • From Vol. 2 No.15 (Jul. 20, 2016)

    Key Requirements of the Newly Approved Privacy Shield

    The European Union formally adopted the long-awaited Privacy Shield last week, which replaces the Safe Harbor framework as a mechanism to comply with E.U. data protection requirements for the E.U.-U.S. transfer of personal data. Companies can begin to self-certify compliance with the framework on August 1, 2016. “Companies cannot take the Privacy Shield lightly. It’s a much more detailed framework with more accountability” than Safe Harbor, Sidley Austin senior counsel Cam Kerry told The Cybersecurity Law Report. We review the Privacy Shield’s background, its key requirements and examine whether, when and how to join. See also “Deal Struck to Maintain the Transatlantic Data Flow” (Feb. 17, 2016).

    Read Full Article …
  • From Vol. 2 No.14 (Jul. 6, 2016)

    How Will Brexit Affect U.K. Data Protection and Privacy Laws?

    The U.K.’s historic vote to exit the E.U. – the Brexit – raises a myriad of legal and business questions. Among those is whether the U.K. will adopt the E.U.’s General Data Protection Regulation. The law takes effect in May 2018 and will usher in a host of regulatory changes. The Cybersecurity Law Report spoke to Eduardo Ustaran, a partner in the London office of Hogan Lovells, about how Brexit may impact how certain companies handle their data. See also “Making Sense of Cybersecurity and Privacy Developments in the E.U.” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 2 No.6 (Mar. 16, 2016)

    Making Sense of Cybersecurity and Privacy Developments in the E.U.

    Two years after the European Commission set out its Cybersecurity Strategy, the data security and privacy landscape in the European Union is being reshaped. In this guest article, Eduardo Ustaran and Nick Westbrook, respectively a partner and associate in the London office of Hogan Lovells, explain why four new developments – the NIS Directive, the GDPR, PSD2 and the eID Regs – merit particular attention for companies. See also “The E.U.’s New Rules: Latham & Watkins Partner Gail Crawford Discusses the Network Information Security Directive and the General Data Protection Regulation” (Jan. 20, 2016).

    Read Full Article …
  • From Vol. 2 No.2 (Jan. 20, 2016)

    The E.U.’s New Rules: Latham & Watkins Partner Gail Crawford Discusses the Network Information Security Directive and the General Data Protection Regulation

December was a busy month in Europe for data security and breach reporting, with representatives of the European Parliament, Council and Commission agreeing on a sweeping new data protection regulation, the General Data Protection Regulation (GDPR), in the “trilogue” process. The GDPR toughens European data privacy law, already at odds with U.S. privacy law, by providing for heavier fines for non-compliance and by imposing more stringent obligations on both data controllers and processors. It also expands the territorial scope to apply to any company processing data in the E.U. and to companies outside the E.U. that offer goods and services to, or monitor the behavior of, individuals in the E.U. European Justice Commissioner Vera Jourova said that E.U. citizens and businesses “will profit from [these] clear rules that are fit for the digital age,” but many companies claim that the new law is less clear than originally hoped. The trilogue also announced its agreement on the proposed Network Information Security Directive, which is aimed at improving cybersecurity capabilities and mandating breach reporting in certain sectors. Latham & Watkins partner Gail Crawford explains the key points of each of these legal developments and what they mean for companies. See also “Seeking Solutions to Cross-Border Data Realities” (Aug. 26, 2015).

    Read Full Article …