With the direct application of the European regulation on general data protection (GDPR), data protection compliance and thus cybersecurity have become, and are still, a hot topic and central concern for companies, regardless of their size. We asked Astrid Wagner, Partner in the IP, Communication & Technology practice area at Arendt & Medernach, to share her thoughts about the topic and the issues at stake.
(Featured Image: Astrid Wagner, Partner in the IP, Communication & Technology practice area at Arendt & Medernach / Image Credit © Anna Katina / Silicon Luxembourg)
How do you manage the cybersecurity aspects in your files?
Since 25 May 2018 and even before, special attention has been paid to data protection and privacy issues generally. All of our clients are affected by such topics, from the startup in the process of being incorporated to bigger players, such as banks, insurance companies and multinational companies.
We offer various services relating to data protection, including mapping the data processed by our clients, carrying out a gap analysis and putting in place the necessary procedures, contractual documentation and information to close such gaps in order for our clients to become GDPR compliant. In that respect, we work in close collaboration with Arendt Regulatory & Consulting, which takes care of the management of the project and the initial phase of the exercise while we, as lawyers, implement the more legal aspects of it, but also with our specialists in the various relevant fields of expertise, including banking, insurance and investment funds. The global, full value chain solution we can provide is quite unique in the market.
Integrity and confidentiality of personal data is one of the principles relating to the processing of personal data provided for under the GDPR, and cybersecurity is key to protecting such data.
Cybersecurity is a race against hackers who are constantly innovating to reach their goals. Therefore, just like our clients, we must constantly innovate and strengthen internal collaboration between our departments and with our internal IT team. The human factor is an important element but also the main source of vulnerability in the security of premises and IT systems. The dynamic collaboration among team members can however also represent a competitive advantage in the field of security innovation. Companies shall therefore invest time and resources in their employees to make sure they can benefit from the best possible support.
What are the risks encountered by non-compliant companies?
The main change since the coming into force of GDPR last May is the reality of the risks faced by companies, compared to rather theoretical sanctions before.
The GDPR foresees administrative fines up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding year.
This financial threat is new for our clients. They are very well informed about the risk, and data protection issues are now part of the initial discussions in any transaction, including in M&A deals where they may even have an impact on the identification of target companies, the acquisition price and the structuring of the acquisition (share deal vs. asset deal). A weak cybersecurity strategy and the occurrence of data breaches in the past may considerably lower the price of a target.
How, in practice, do all your departments work together on cybersecurity issues?
Data protection, and thus cybersecurity, affects everyone.
It is therefore unavoidable, not to say indispensable, that we work closely with all our teams of the various practice areas.
If we face highly technical issues in a file, we discuss them with our own IT department. It is valuable to work with them to understand the problems correctly, and to understand whether the legal solutions we intend to implement can work from an IT perspective. Over time, we have established a constructive communication with our IT team and especially with our Chief Information Security Officer, who handles all IT security questions and continuously monitors the data shared inside and outside our firm.
We are solution driven and endeavor not only to put our clients in a position where they comply with GDPR and any applicable data protection laws but also to advise them as to the most practical solutions for them.
What’s your assessment of GDPR, 6 months after its implementation?
On the cybersecurity aspect, we are in a long-term job rather than a one-shot intervention on our part.
We are now in the phase of bringing all our clients in conformity with the GDPR before year-end, but our work shall not stop there. Clients start contacting us for data breaches requiring a notification to the CNPD.
We know that the main source of breaches is human error, therefore we assist our clients by holding training sessions on data protection to teach them the appropriate reflexes and to guide them in establishing best practices in their internal organization. Meeting regularly with our clients at such training sessions gives us a concrete feeling for the practical issues they face.