DATA PROTECTION & PRIVACY LAWS ANNUAL REVIEW 2015

Published by Financier Worldwide, 23rd Floor, Alpha Tower, Suffolk Street, Queensway, Birmingham B1 1TT, United Kingdom. Telephone: +44 (0)845 345 0456. Fax: +44 (0)121 600 5911. www.financierworldwide.com

Copyright © 2015 Financier Worldwide. All rights reserved.

Annual Review • November 2015 • Data Protection & Privacy Laws

No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers. Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or omissions, nor for any claims made as a result of such errors or omissions. Views expressed by contributors are not necessarily those of the publisher. Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice. Opinions expressed herein do not necessarily represent the views of the author’s firm or clients or of any organisations of which the author is a member.


Financier Worldwide canvasses the opinions of leading professionals around the world on the latest trends in data protection & privacy laws.

Contents

UNITED STATES (page 8): Daniel Farris, Polsinelli
CANADA (page 12): Raymond Doray, Lavery, De Billy, LLP
MEXICO (page 16): Fernando Roman Sandoval, PwC Mexico
UNITED KINGDOM (page 20): Bridget Treacy, Hunton & Williams
FRANCE (page 24): Claire François, Hunton & Williams LLP
BELGIUM (page 28): Wim Nauwelaerts, Hunton & Williams LLP
LUXEMBOURG (page 32): Alain Grosjean, Bonn & Schmitt
DENMARK (page 36): Elsebeth Aaes-Jørgensen, Norrbom Vinding
ITALY (page 40): Alfredo Gallistru, PwC Italy
JAPAN (page 44): Takashi Nakazaki, Anderson Mori & Tomotsune
CHINA (page 48): Manuel Maisog, Hunton & Williams LLP
TAIWAN (page 52): Chin-Jui Chang, PwC Taiwan
AUSTRALIA (page 56): Grace Guinto, PwC Australia
NEW ZEALAND (page 60): Steve McCabe, PwC New Zealand
SOUTH AFRICA (page 64): Busisiwe Mathe, PwC South Africa

INTRODUCTION

If all continues to plan, the end of 2015 will welcome the most significant piece of privacy legislation in 20 years. The EU’s General Data Protection Regulation is poised to supplant the Directive of 1995 and put in place an EU-wide scheme that would see vastly increased powers for data protection authorities, new requirements for data breach notification and, perhaps, new working definitions of things like ‘purpose limitation’ and ‘data minimisation’.

Of course, that ‘perhaps’ looms large. We won’t know until after the trilogue negotiations are finished just which definition or regulation we’ll need to comply with going forward. That has much of industry on pins and needles, and rightly so.

Further, many companies on both sides of the Atlantic have just been stunned by the Schrems ruling and the invalidation of Safe Harbor by the European Court of Justice. When the Austrian law student decided to demand that Facebook be investigated by the Irish Data Protection Commissioner, on something of a lark, very few observers saw a complete undoing of a 15-year-old data-transfer mechanism in the offing.

Now some 4500 companies are left scrambling to put new measures in place to either find a new path for the transfer of data to the US or find ways to make sure the data doesn’t go there in the first place. Will the US and EU be able to hammer out a Safe Harbor 2.0 in the near future? Would such an agreement simply be invalidated by another lawsuit brought by another privacy activist? Is it possible that model contractual clauses and binding corporate rules could be invalidated in similar fashion?

These are, quite simply, uncertain times; and not only for the US and the EU. Companies around the world are struggling with the very real privacy issues springing up every day with the Internet of Things, Big Data, targeted advertising, location tracking and personalisation. On the one hand, some customers love it when your app knows where they are and recommends a good coffee shop just down the road. Others find it creepy if you use their desktop browser history to deliver an app on their mobile device.

HOW’D THEY KNOW THAT?

You know more about your customers than ever before. That means opportunity. But, increasingly, it also means risk. Understanding the privacy and data protection landscape is vital for the future of business. This past year has been a rollercoaster, but there may be more twists and loops just around the corner.

Sam Pfeifle, Publications Director, IAPP – International Association of Privacy Professionals, +1 (603) 427 9209

UNITED STATES • DANIEL FARRIS • POLSINELLI

Q: Do you believe companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws?

FARRIS: In the US, companies are confused. Led again by California, 13 US states have passed new privacy-related laws, and 52 other bills were introduced in state legislatures during 2015 alone. Two different bills – the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act – passed the federal House of Representatives, and the Senate recently passed the Cybersecurity Information Sharing Act, which now must be reconciled. Most importantly, however, the effects of the EU Court of Justice’s Schrems decision have US companies reeling. The current environment is characterised by anxiety and confusion. Most companies are investing in data security and privacy compliance, and most want to be good corporate citizens, but regulators are making that an increasingly difficult task.

Q: As companies increase their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face in the US?

FARRIS: Since 2013, the majority of high profile breaches have occurred in the United States, or involved US companies. Not surprisingly, the US has the highest cost of breach in the world, double the next closest jurisdiction at more than $15m per incident for companies with at least 1000 users. Companies that experience a breach in the US can expect to be subject to litigation involving consumer class actions, shareholder derivative suits and claims by financial institutions and partners to recover for fraud-related losses, regulatory enforcement campaigns and significant bad press. Reputational damage and lost profits can exceed $100m for larger incidents.


Q: What penalties might arise for a company that breaches or violates data or privacy laws in the US?

FARRIS: Penalties may vary depending on the scope and size of a breach, the type of information involved and the regulatory regime in the relevant industry. Breaches involving protected health information, as defined by HIPAA, carry the most risk for companies. Last year, the federal Department of Health and Human Services’ Office of Civil Rights settled charges against two New York healthcare organisations for $4.8m. Conversely, the Securities and Exchange Commission has issued fines against financial advisers and financial institutions ranging from approximately $15,000 to $75,000 in recent months. In addition to fines, however, companies may be required to undertake corrective action plans, which may include completing a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.

Q: What insights can we draw from recent cases of note? What impact have these events had on the data protection landscape?

FARRIS: There may be no more important takeaway from recent cases than this: companies should prepare, test and refine data breach response plans, including the development of multidisciplinary response teams. Most US CISOs and privacy professionals recognise the need for flexible and adaptive policies and technological security measures developed through collaboration between technology, business and legal leads. In fact, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity expressly recognises the need for a range of privacy and security measures along the passive to adaptive spectrum. The important thing is to start somewhere, and to engage in exercises, drills and testing of your policies and systems. Companies that do not have, or do not follow, a breach plan are usually caught on their heels, and their response to a breach is usually driven by fear and panic. With the prevailing view that breach is inevitable, it’s not only guarding against a breach that’s important, but rather what you do and how you respond when a breach occurs that is of paramount importance.

Q: In your experience, what steps should a company take to prepare for a potential data security breach, such as developing response plans and understanding notification requirements?

FARRIS: Practice and update the breach plan regularly. In the US, there are anywhere from 1.4 million to 1.6 million fires per year, and, as a result, virtually all companies have fire prevention and suppression systems, and most practice fire drills periodically. In 2014, there were 42.8 million cyber incidents, and the number is expected to have been higher in 2015. Yet most companies do not engage in data breach exercises. All critical personnel, including all or most of the executive suite, should know what his or her role is in the event of a breach. The breach plan needs to be rigid enough to stand up to the majority of your ‘run of the mill’ breach situations, but flexible enough to allow key stakeholders to make decisions when the breach situation changes in unexpected ways.

Q: What can companies do to manage internal risks and threats arising from the actions of rogue employees?

FARRIS: Employees remain the single largest threat to corporate privacy and data security initiatives. Limiting employee access to sensitive information using the principles of least privilege and role-based access is the critical first step to managing internal threats. Companies that implement controls to limit employee access to information are able to manage and mitigate internal risk better than companies that do not. Increasingly, companies are also using not only active, but predictive monitoring to analyse their own data flows, not just potential threats.


Q: Would you say there is a strong culture of data protection developing in the US? Are companies proactively implementing appropriate controls and risk management processes?

FARRIS: It is difficult to say that there is a strong culture of data protection in the US. Companies increasingly view privacy and data security as core to their business, or as something that can create competitive advantage, but the rapidly evolving and sometimes conflicting regulatory environment makes it difficult for most. There are rising calls at many large corporations to ‘get ahead’ of the regulators on issues related to privacy and data security, but for many small and mid-sized companies, data protection remains a lagging index and an area where a significant amount of catch up work is required.

Daniel Farris, Shareholder, Polsinelli, +1 (312) 463 6323

Daniel Farris is a former software engineer and network administrator in the telecommunications industry. He offers his clients real-world experience in fibre optic networking, cloud computing, mobile app development and data privacy and security. His practice is founded upon understanding how technology can strengthen and expand upon the core missions of his clients’ businesses. Mr Farris is a shareholder and co-chair of Polsinelli’s data privacy and security team.

CANADA • RAYMOND DORAY • LAVERY, DE BILLY, LLP

Q: Do you believe companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws?

DORAY: The main challenge for companies operating in Canada results from the Canadian legislative structure under which privacy matters are regulated by federal and provincial statutory regulations, both broad and focused. For example, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to personal information collected, used and communicated in the course of commercial activities within those provinces and territories that have not enacted substantially similar legislation, and across Canada, to exterritorial transfers of data. It does not apply to employee personal information, unless it is held by a federal undertaking. The Québec, British Columbia, Alberta and Manitoba (not yet in force) acts respecting the protection of personal information in the private sector, on the other hand, provide equivalent, if not much more stringent, requirements for employee and customer data alike. Similarly, Alberta, Manitoba, Ontario, Saskatchewan, New Brunswick, Nova Scotia, and Newfoundland and Labrador have legislation specifically governing the collection, use and communication of personal health information. In addition, Canada has recently enacted one of the world’s most rigorous and potentially broad pieces of anti-spam legislation. Because of this dramatically eclectic privacy landscape, it is not surprising that companies do not fully understand their duties of confidentiality and data protection.

Q: As companies increase their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face in Canada?

DORAY: The courts, in addition to various government organisations and agencies, are responsible for overseeing compliance with the laws in Canada that govern privacy rights. Risks range from damage to reputation, substantial economic loss, misuse of confidential information and even public safety issues. A growing trend, caused by robust privacy legislation and the possibility of punitive damages, is privacy class actions that are costly and time-consuming. In addition, as the amount of personal information collected, used and communicated by companies continues to increase exponentially, and security breaches receive more and more media attention, regulators are also calling for more in depth privacy audits, mandatory breach notifications and stronger enforcement powers.


Q: What penalties might arise for a company that breaches or violates data or privacy laws in Canada?

DORAY: There are various types of penalties that may apply depending on the context. These range from non-enforceable recommendations to orders requiring companies to correct their practices. Several acts provide for specific fines and in some cases, director and officers liability. In Québec, for example, a company is liable to a fine of up to C$50,000 for a first offence and, for subsequent offences, up to C$100,000. In addition, administrators, directors or representatives of a company may be held personally liable for the payment of the fine. That said, the courts can also award damages following a breach of privacy. The amount for damages that can be awarded in this context has no ceiling, and can include punitive damages, since the right of privacy is a fundamental right in many jurisdictions.

Q: What insights can we draw from recent cases of note? What impact have these events had on the data protection landscape?

DORAY: Most cases decided this past year relate to new technologies. Mobile applications, targeted advertising, cloud based computing, social networking, biometrics and spam were at the top of most Canadian regulators’ to do lists, and resulted in tighter controls and more elaborate guidelines for the industry. The Safe Harbour Framework invalidation, although arguably the most important privacy case this year, is unlikely to have serious impacts for companies operating in Canada since the European Commission, which is granted the authority to decide whether a particular non-EU country ensures an adequate level of protection “by reason of its domestic law or of the international commitments it has entered into”, previously recognised Canada as providing adequate protection. That said, it is worth noting that PIPEDA was amended this year to introduce new requirements for a company’s collection, use and disclosure of personal information in the course of its commercial activities. Perhaps the most important of the proposed amendments relates to breach notifications which, when it comes into force, will require companies operating in Canada to report the loss of, unauthorised access to, or unauthorised disclosure of personal information resulting from a breach of its security safeguards, or its failure to establish such safeguards.


Q: In your experience, what steps should a company take to prepare for a potential data security breach, such as developing response plans and understanding notification requirements?

DORAY: Building strong privacy practices is key to preparing for a potential data security risk, and most importantly, to prevent one. Appointing a privacy officer, creating and implementing a general privacy policy, and meeting the other direct requirements of the Canadian privacy legislation may no longer be sufficient. With regard to privacy breach procedures, a company should adopt a specific policy which includes the obligation to immediately report actual and potential breaches to the appropriate internal office or person, and details the steps to be taken in response to a breach, namely how to promptly contain the breach, assess the risk of harm, determine whether notification is required and develop remedial strategies. It is important to have a policy that is both enforceable and current to ensure that it responds adequately to the company’s needs.

Q: What can companies do to manage internal risks and threats arising from the actions of rogue employees?

DORAY: There are several measures that companies can utilise to prevent privacy breaches caused by rogue employees. For example, companies should consider having a records management structure which identifies and governs its business records that contain personal information, and limits access to sensible documents and information through security classifications. In managing human resources, companies should further recognise the need to address the privacy challenge through measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed, and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored. Appropriate actions may include pre-employment screening, confidentiality agreements, orientation and training, monitoring, random intrusion detection and security audits. Finally, companies should manage the risk of loss or theft of personal information by following a departing employee protocol which provides for access termination, an exit interview and a return of property checklist. The use of remote destruction of personal information devices to make sure that employees who have lost their computers or refuse to return them should also be contemplated.


Q: Would you say there is a strong culture of data protection developing in Canada? Are companies proactively implementing appropriate controls and risk management processes?

DORAY: Canada has always been at the forefront of privacy protection in the private sector. Canadian companies have therefore developed practical skills enabling them to embed privacy into the products, services and processes they offer and employ. Although comprehensive, the legislative structure previously described leaves ample room for companies to let business and risk-related considerations govern what, when and how to implement appropriate controls and risk management processes. However, given Canada’s distinctive approach to privacy, companies that wish to enter the Canadian market for the first time are likely to face a significant challenge. A proactive approach is therefore almost compulsory and should include a voluntary privacy audit by a recognised privacy expert in order to reduce liability, mitigate risks and ensure compliance.

Raymond Doray, Partner, Lavery, De Billy, LLP, +1 (514) 877 2913

Raymond Doray, Ad.E. and Fellow of The American College of Trial Lawyers, has been a member of the Québec Bar since 1982. He founded the information and privacy law sector of the firm almost 30 years ago. Since 2002, he publishes and updates a more than 2000-page book on this topic that has been frequently cited with approval by the courts. Over the years, Mr Doray has represented many public and private organisations before the trial and appellate courts as well as the Supreme Court of Canada in cases involving privacy, and the confidential nature of documents and information.

MEXICO • FERNANDO ROMAN SANDOVAL • PWC MEXICO

Q: Do you believe companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws?

ROMAN: The Mexican privacy law was issued in July 2010, but after five years many companies still do not understand the impact and importance of the law and privacy. We have seen over the last year that companies are being more conscious about the financial and reputational impact of this law because the authorities are establishing high monetary penalties for non-compliance in all types of business and sectors. Previously, companies in Mexico believed that privacy simply involved notifying data owners of the purpose for which their data was being used. However, they are now becoming more aware that privacy involves many different aspects including technical, physical and administrative security measures, and also involves making changes to their processes and how data is handled to mitigate risks such as data loss, leakage or malicious usage.

Q: As companies increase their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face in Mexico?

ROMAN: Mexicans are facing more and more privacy issues encompassing topics such as identity theft and fraud. The more frequently people hear about a database leakage or that their data has been stolen, the more they quickly start to lose trust in companies and how those firms will use and protect their customer data. We can see in the media that data breaches are increasingly becoming a big issue in Mexico, and companies are facing more cyber security risks. Accordingly, companies are facing significant reputational risks. More firms are being talked about not for the services they provide or for their competitive advantages, but for their security issues, or because of the latest breach they have suffered.


Q: What penalties might arise for a company that breaches or violates data or privacy laws in Mexico?

ROMAN: The Mexican privacy law has two types of penalties. The first is a fine of up to MXN 21m and the second is imprisonment from six months up to five years. Both can be doubled if the case involves sensitive data. In 2014, the authorities handed down penalties of around MXN 66m for non-compliance to 26 different companies. The main sectors that have been sanctioned are the financial and health sectors. The penalties have been related to non-compliance issues such as not executing the data owners’ rights, not establishing adequate privacy notices, incorrect data transfers without the data owners’ consent and database vulnerabilities.

Q: What insights can we draw from recent cases of note? What impact have these events had on the data protection landscape?

ROMAN: Currently one of the biggest privacy issues in Mexico relates to firms not having adequate security measures in place to protect data. This often results in data leakage or misuse. In our experience, one of the biggest problems is that companies don’t understand and do not have a complete vision of how data flows inside the company. Due to the increase in news about data privacy penalties and the security issues companies are facing, in the coming years companies’ main focus will likely be related to data governance and good information security practices to ensure that data is protected during its lifecycle by establishing adequate controls related to technical controls and administrative policies, procedures and processes.


Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

ROMAN: In our experience, the first step is to establish the whole data flow cycle – how the company obtains data, where they store it and how they transfer or destroy it. This can help to identify all the risks that companies face and what controls are necessary to protect the data. Then they should be able to establish controls to monitor how the data is handled, and have a good incident response plan to detect any data issues they are facing, stop the vulnerability and start adequate remediation plans. One of the key issues is how to analyse the incident, develop the root-cause analysis and have a good response team made up of the key stakeholders that can make the decisions and take actions to resolve the issue. A good practice is to integrate the incident response plan into the business continuity plan. Also, one of the key aspects in an incident response plan is to have remediation services to soften the blow of a data breach, by facilitating good communications with the parties involved, such as a call centre.

ROMAN: Most companies are starting to create their own privacy and security cultures by issuing an internal privacy policy where they establish the company’s missions and objectives related to privacy and how personal data must be handled. Also, they are establishing privacy clauses and obligations in employee contracts. The main aspect is creating awareness and consciousness among employees on the importance and impact of protecting personal data by providing annual training and having good communication strategies to constantly remind employees of the importance of executing and following security and privacy practices established by the company.

Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN MEXICO? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

ROMAN: In Mexico, we are just beginning to understand the idea of what privacy is and what it involves. The issuing of the law was the first step the country took in developing a data protection culture. The National Institute of Information Access (INAI) has initiated strong campaigns to create a privacy culture. This year, Mexicans are starting to understand more about the law and are becoming more conscious of their constitutional privacy laws. In the coming years, privacy will become more important and people will take better precautions when protecting their personal data. According to our June 2015 study on Cyber Security in Mexico, going forward companies in Mexico will be challenged by the constant movement of sensitive and confidential information and transactions in the digital space, and will likely be much more vulnerable to attack. Organisations today face unprecedented cyber and insider threats to data and the information technologies that store, process and transmit it. Because of these threats, we are seeing a paradigm shift in the way companies are approaching cyber security. Companies across all sectors need to create good information security strategies according to their industry, to build an environment to protect and enforce the security measures around their data and generate more trust from their customers.

Fernando Roman Sandoval

Cyber Security and Data Privacy Partner in Risk Assurance

PwC Mexico

+52 55 526 5898

[email protected]

Fernando Roman Sandoval is an Information Security and Technology Partner in PwC Mexico within the IT Risk Assurance area. During the last 10 years, he has developed PwC Mexico’s information security and technology services portfolio, through which he has provided support to clients concerning the strengthening of their risk management and compliance with the different regulations to which they are subject. Mr Roman has participated in and managed numerous projects in different industry sectors: financial sector, public sector, and consumer, among others. Mr Roman is the coordinator responsible for the IT Risk Assurance Innovation Group for PwC Mexico.


UNITED KINGDOM • BRIDGET TREACY • HUNTON & WILLIAMS

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN THE UK?

TREACY: The degree to which different companies understand their privacy and data protection compliance obligations varies considerably. In general, companies that operate in highly regulated industries, or routinely process large volumes of personal data – such as banks, pharmaceutical companies, search engines, or insurance companies – are the most likely to have well-structured risk management procedures deeply embedded within their respective corporate cultures. Many other companies, however, do not fully understand their data protection obligations, or focus their attention too narrowly on data security while neglecting broader compliance requirements. For example, the Information Commissioner’s Office (ICO) recently issued a £200,000 fine – the largest ever issued for direct marketing offences in the UK – to a company that had failed to understand its compliance obligations. In a world of big data analytics, the cloud, and the internet of things, the businesses that flourish are those that understand how to fulfil their compliance obligations, and use their data assets strategically to build trust and confidence among consumers.

TREACY: The risks associated with failures to comply with data protection law are increasing markedly. The proposed General Data Protection Regulation will bring with it greater enforcement powers for regulators and significantly higher fines of up to €100m or between 2 and 5 percent of global turnover. In addition, the reputational risks of non-compliance are significant. The results of investigations by the ICO are generally made public and are permanently maintained on the ICO’s website, potentially causing substantial and long-lasting public relations damage to the investigated company. Serious failures to process personal data responsibly can also damage consumer trust, and may have a long-lasting negative impact upon customer relationships. There is also a danger of being excessively risk-averse, as such an approach may restrict a company’s ability to exploit business opportunities arising out of its data processing operations. Striking the right balance between these risks is key to succeeding in this area.

Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN THE UK?

Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

TREACY: Any applicable penalty depends on the nature and scale of the relevant violation, and the ICO has a range of enforcement powers, and wide ranging discretion, available to it. In the first instance, the ICO is likely to contact the company to request information about the suspected violation. Following a failure to provide the requested information, the ICO may serve an ‘Information Notice’, which is a legally binding demand for information. If the ICO determines that a violation has occurred, it can issue an ‘enforcement notice’, which may require the company to make changes to its data processing operations or cease certain processing activities altogether. The ICO can also impose fines of up to £500,000. In a few limited cases, for example, where personal data are unlawfully obtained, or where the company fails to fulfil its obligation to register as a data controller where applicable, the ICO may pursue a criminal prosecution against the company.

TREACY: The overall trend in recent case law has been that the privacy rights of individuals are paramount, and take precedence over the business interests of companies. In particular, the CJEU has demonstrated a willingness to adopt flexible interpretations of the law in order to give effect to the data protection rights of individuals and in Schrems has invalidated the European Commission’s US Safe Harbor decision in order to protect the privacy of individuals. In a similar vein, the English courts have shown a willingness in cases such as Vidal Hall to create new categories of civil wrongs in order to protect individuals and, in some cases such as Mulcahy, they have directly overruled guidance from the ICO. The message for companies is that the courts take data protection rights seriously, and they consider the commercial interests of companies to be of secondary importance where the two conflict.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

TREACY: First and foremost, companies should take steps to implement appropriate security measures, in order to minimise the risk of a security breach. However, even the best security measures can be breached, and companies should therefore put careful thought into creating and implementing a clear data breach policy, and ensuring that employees are trained in the application of the policy. At a minimum, a data breach policy should explain to employees what they should do in the event that they discover a data breach. It is important to designate an individual or team, in advance, to act as the primary contact point in the event of a data breach. The data breach policy should also address the steps that the company should take in response to a breach. These include investigating the breach to establish its extent and possible consequences, and establishing whether it is appropriate to report the breach to any regulators or affected individuals.

TREACY: Companies should ensure that they provide regular and comprehensive data protection training to those employees that process personal data, ensuring that such employees understand that the company’s ability to comply with the law depends on those employees. If the company fosters a strong culture of data protection compliance, and employees have a good level of awareness of their responsibilities, then rogue behaviour is more likely to be noticed. In addition, companies should implement strong internal data security measures, including limiting logical and physical access to systems containing personal data, implementing network logging to record which employees access those systems and, where appropriate, using data loss prevention techniques to prevent data being taken outside the company’s systems without proper authorisation. If the company suspects that an employee has breached its data protection or data security policies, it should carefully investigate that suspected breach and take disciplinary action where necessary.
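The access logging and data loss prevention controls described in the answer above only pay off if someone actually reviews the logs for the patterns a rogue employee leaves behind. The following is an added example, not code from the interview, from Hunton & Williams or from any product. It assumes an access log with one `<timestamp> <user> <action> <record_id>` line per access to a system holding personal data, an assumed baseline of 25 distinct records per user per day and assumed working hours of 08:00 to 19:00, and it flags users whose pattern suggests bulk extraction, off-hours access or export of data; the log lines are constructed for the example.

```python
"""Flag suspicious employee access to a system that holds personal data.

Added example, not code from the interview or from Hunton & Williams. It assumes
an access log with one space-separated event per line:
    <ISO-8601 timestamp> <user> <action> <record_id>
where action is READ or EXPORT, and uses illustrative thresholds.
"""
from collections import defaultdict
from datetime import datetime

WORK_HOURS = (8, 19)               # assumed local working hours: start inclusive, end exclusive
MAX_DISTINCT_RECORDS_PER_DAY = 25  # assumed per-user baseline for a customer-service role

# Constructed sample log (not captured from any real system): alice does routine
# daytime work; mallory reads many records late at night and then exports them.
_alice = [f"2015-10-05T10:{m:02d}:00 alice READ cust-10{m:02d}" for m in range(5)]
_mallory = [f"2015-10-05T23:{m:02d}:00 mallory READ cust-20{m:02d}" for m in range(30)]
_mallory.append("2015-10-05T23:40:00 mallory EXPORT cust-bulk")
SAMPLE_LOG = "\n".join(_alice + _mallory)


def parse_line(line):
    """Parse one log line into (timestamp, user, action, record_id)."""
    ts, user, action, record = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, action, record


def flag_anomalous_users(log_text, max_records=MAX_DISTINCT_RECORDS_PER_DAY,
                         work_hours=WORK_HOURS):
    """Return {user: sorted list of reasons} for users whose access pattern
    suggests bulk extraction, off-hours access, or data leaving the system.

    Users with no findings are omitted, so an empty dict means nothing to review.
    """
    distinct = defaultdict(set)   # (user, date) -> distinct record ids touched
    reasons = defaultdict(set)    # user -> findings
    start, end = work_hours
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = parse_line(line)
        distinct[(user, ts.date())].add(record)
        if not start <= ts.hour < end:
            reasons[user].add("off-hours access")
        if action == "EXPORT":
            reasons[user].add("export of personal data")
    # Volume check is per user and per day, against the assumed baseline.
    for (user, day), records in distinct.items():
        if len(records) > max_records:
            reasons[user].add(f"{len(records)} distinct records on {day}")
    return {user: sorted(found) for user, found in reasons.items()}


if __name__ == "__main__":
    for user, found in flag_anomalous_users(SAMPLE_LOG).items():
        print(user, "->", "; ".join(found))
```

Run directly, it prints the findings for the constructed log: alice is not reported, mallory is reported for 31 distinct records in a day, off-hours access and an export. The thresholds are deliberately simple and would be set per role and per system in practice; a flagged user is input to the careful investigation step described in the answer, not a verdict on its own.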


Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN THE UK? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

TREACY: There is a growing culture of data protection compliance in the UK because companies are finding that trust is a key factor in persuading consumers to use their services. As companies continue to invest in technologies to enable them to better monetise data, through data sharing and ‘big data’ analytics, they are increasingly keen to be seen to be doing the right thing when it comes to protecting individual privacy. Many companies are beginning to use a consumer-friendly approach to privacy as a business differentiator, illustrating the ways in which their products and services are more privacy-focused than those of their competitors. Companies are also reviewing, assessing and updating their compliance structures in preparation for the proposed General Data Protection Regulation, which will materially increase the data protection compliance burden on most companies.

Bridget Treacy

Partner

Hunton & Williams

+44 (0)20 7220 5731

[email protected]

Bridget Treacy leads Hunton & Williams’ UK Privacy and Cyber security team. For more than 14 years her practice has focused on all aspects of privacy and information governance for multinational companies, including big data analytics and the internet of things, behavioural targeting, cloud computing, cross-border data transfers and BCRs, and data breach. Ms Treacy is top ranked in Chambers, which describes her as “one of the leading thinkers on data protection, providing practical solutions to thorny legal issues”.


FRANCE • CLAIRE FRANÇOIS • HUNTON & WILLIAMS LLP

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN FRANCE?

FRANÇOIS: Companies are getting a better understanding of their data protection obligations under the current regulatory framework. This may be explained by a number of factors, including the fact that the French data protection authority (CNIL) regularly publishes guidance. For example, on 19 February 2015, the CNIL published practical information to remind companies of best practices related to Bring Your Own Device programmes. On 2 September 2015, the CNIL released new guidance to help child-directed website publishers comply with French data protection law. However, the CNIL has not taken an official position in every instance and companies are constantly developing new technologies involving the processing of personal data, which may raise questions on how to reach compliance in these new circumstances. Finally, the proposed EU General Data Protection Regulation will impose new accountability obligations and companies are figuring out the impact of these new obligations for their organisation.

FRANÇOIS: Companies face high reputational risks due to the increased publicity around data protection. The CNIL may make its sanctions public and order their publication in newspapers or other media at the expense of the company that breaches French data protection law. The CNIL may also publish the formal notice it serves on a company to cease its non-compliance. Formal notices do not constitute a sanction but they may lead to a fine if the company does not comply with the notice served. The CNIL regularly uses this power by publishing its decisions, including its formal notices, which results in adverse publicity for companies. Turning to financial risks, such risks are currently medium. The CNIL generally imposes administrative fines that do not exceed €40,000 and only in a second stage, but there is also a risk of criminal proceedings and higher fines in this context. Financial risks will be increased under the new EU regulatory framework, with fines of up to 2 or 5 percent of a company’s annual worldwide turnover.

Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN FRANCE?

Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

FRANÇOIS: The CNIL may impose an administrative sanction on a company that acts as a data controller for breaching French data protection law. These sanctions may include a warning, a fine of up to €150,000 or €300,000 in the event of a repeat breach within five years, if the CNIL has served formal notice on the company to cease its non-compliance within a given deadline and the company does not comply with the notice served, an injunction to cease data processing, and withdrawal of any authorisation granted. In addition, CNIL may refer the case to the French public prosecutor or a data subject may raise a criminal complaint and a French judge may impose a criminal sanction which may lead to up to five years’ imprisonment and a fine of up to €300,000 for individuals or €1.5m if the company is held liable. Data subjects who suffered damage as a result of a breach of data protection law could also claim compensation in civil law proceedings.

FRANÇOIS: On 3 January 2014, the CNIL imposed a record fine of €150,000 on Google Inc. for various breaches of French data protection law, including cookie law requirements. The CNIL started inspections in October 2014 to verify whether companies were complying with these requirements. On 30 June 2015, the CNIL published the results of these inspections, which revealed that, in general, websites do not sufficiently inform web users of the use of cookies and do not obtain their consent before placing cookies on their devices. The CNIL also observed that websites often invite users to adjust their browser settings to refuse cookies. According to the CNIL, however, browser settings constitute a compliant opt-out mechanism only in very limited circumstances. The CNIL, therefore, served a formal notice on approximately 20 web publishers to comply with French cookie law requirements within a prescribed period of time. The first responses provided by web publishers show their willingness to comply.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

FRANÇOIS: Irrespective of their notification requirements, companies should develop a data breach response plan. That plan should at least specify the types of information to be conveyed to the data protection officer (DPO), if any, or the president or CEO within 24 hours of detecting the breach, and elements to help determine the nature of the breach. It should cover all the steps to handle a data security breach, from the detection of the breach to the implementation of corrective measures and a revision of the previous risk analysis, if appropriate. Upstream, companies should conduct a risk analysis or privacy impact assessment (PIA) when creating new products, services or other data processing activities. On 2 July 2015, the CNIL published its methodology to conduct PIAs. On that occasion, the CNIL stressed the importance of monitoring changes over time – changes in the context in which data processing takes place, controls to comply with legal requirements and address privacy risks, and updating the PIA whenever a significant change occurs.

FRANÇOIS: Companies can first manage these risks and threats by having an internal privacy policy that defines the role and responsibility of each actor involved in the implementation of data processing operations. This policy should explain how the organisation protects personal data and contain the organisation’s primary data protection principles. Companies should raise employee awareness about the policy and the risks associated with data protection through appropriate training activities. They should also ensure that they have the proper data processing agreements in place. Further, they should conduct periodic audits, internal or external, of the processing operations that pose the highest risk, to ensure that employees and subcontractors process personal data in compliance with data protection requirements.


Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN FRANCE? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

FRANÇOIS: A rather strong culture of data protection is indeed developing in France. Since 2011, the CNIL has granted more than 50 seals to companies that comply with the requirements laid down in one of its four standards. In January 2015, the CNIL published its 4th standard on Data Protection Governance to assist organisations that have appointed a DPO in France to implement appropriate controls and improve accountability in light of the proposed EU General Data Protection Regulation. Companies complying with the 25 requirements set out in this standard may obtain a seal for their data privacy governance procedures. The CNIL had previously adopted standards on procedures such as data processing audits and data protection training programmes as well as a standard on digital safety boxes.

Claire François

Associate

Hunton & Williams LLP

+32 (0)2 643 58 00

[email protected]

Claire François is a French qualified lawyer and advises a broad spectrum of clients on EU and French data protection and cyber security matters, including implementation of global data management strategies, international data transfers, and local data compliance. She also regularly represents clients before the French Data Protection Authority.


BELGIUM • WIM NAUWELAERTS • HUNTON & WILLIAMS

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN BELGIUM?

NAUWELAERTS: The ongoing discussions about the proposed EU General Data Protection Regulation (GDPR), the more active enforcement approach taken by certain Data Protection Authorities, as well as some major data incidents, have made privacy and data protection compliance a recurrent topic in the press. This has moved compliance up the agenda of many companies, which are increasingly investing significant efforts to fully understand and comply with their obligations under data protection laws. This is especially the case for businesses that handle massive volumes of data, such as cloud service providers, or routinely deal with ‘sensitive’ personal data, such as health-related information. In addition, a lot of companies are closely monitoring the discussions on the proposed GDPR and have started preparing for the changes that the GDPR is expected to bring. In the aftermath of the EU Court of Justice ruling of 6 October 2015 in the Schrems case, the focus of many companies previously relying on the EU-US Safe Harbor framework has shifted to finding alternative solutions for legitimately transferring personal data to the US.

NAUWELAERTS: Although the Belgian Commission for the Protection of Privacy (CPP) does not have the power to impose sanctions, it can investigate complaints, perform audits and initiate proceedings before national Courts in case of alleged violations of the Belgian Data Protection Act. In practice, the CPP will typically offer companies the possibility to take remediation measures before initiating court proceedings. The financial risk companies are currently facing in Belgium is therefore rather low. However, investigations by the CPP can result in media coverage, in which case the company’s reputation can be severely damaged. Restoring trust among consumers and other ‘data subjects’ following reports about a CPP investigation can be difficult and time consuming. The financial risks companies are facing will most likely increase significantly in the near future as the proposed GDPR provides for fines up to 2 percent or even 5 percent of a company’s global annual turnover. Furthermore, the Belgian Secretary of State for Privacy Matters announced earlier this year that a new law enabling the CPP to impose administrative fines on data controllers will be introduced.

Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN BELGIUM?

Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

NAUWELAERTS: Belgian Courts may impose criminal fines of up to €600,000 for violations of the Belgian Data Protection Act. Furthermore, Courts can order the confiscation of media containing personal data, the erasure of the personal data processed, a prohibition to process any personal data for a period of up to two years and the publication of their judgment in one or more newspapers. In addition, any repeated violation of the Act or violation of the prohibition to process personal data for a certain period of time may be sanctioned with imprisonment of up to two years. Individuals who have suffered damages due to a violation of the Belgian Data Protection Act may also claim compensation for these damages in civil proceedings, including via class actions.

NAUWELAERTS: There is limited case law on privacy and data protection matters in Belgium. However, at EU level, the EU Court of Justice (CJEU) recently issued a number of rulings that have significantly changed the data protection landscape in the EU and beyond. For instance, in the Schrems case, the CJEU invalidated the EU-US Safe Harbor framework, which has served as a key mechanism for data transfers from the EU to the US for thousands of companies over the last 15 years. Further, the CJEU’s ruling in the Costeja case, which recognises the right to be delisted from search engines, and the Weltimmo case, applying a broad interpretation to the territorial scope of EU data protection law, will have an important impact on companies doing business online. These rulings demonstrate a strong willingness to strengthen the protection of individuals’ privacy rights, including by reinforcing the national data protection authorities’ powers.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

NAUWELAERTS: Companies should, in the first place, take measures to

prevent data security breaches to the extent possible. These measures

include performing Privacy Impact Assessments to detect and evaluate

possible privacy risks and identify appropriate measures to mitigate

those risks. Further, companies should have a documented incident

response procedure that is duly communicated to their employees.

The procedure should clearly identify who employees should contact,

on a technical and management level, in the event of a data security

breach, and should also clearly identify the relevant stakeholders’ roles

and responsibilities. Further, companies should also consider preparing

template communications that can be used to expeditiously inform

the CPP and, in some cases, the affected individuals in the event of a

breach.

NAUWELAERTS: Companies should inform their employees of their

responsibilities in terms of privacy and data protection, and the

associated risks, especially for the company as a ‘data controller’, in the

case of non-compliance. This can be done by implementing clear policies

and providing training on how to handle personal data. Companies

should also implement security measures that limit access to personal

data on a need-to-know basis and prevent unlawful technical and

physical access to data processing systems. Further, companies may

also consider implementing monitoring solutions to prevent, detect

and investigate behaviour of employees that may be harmful for the

company. When implementing such monitoring solutions companies

should, however, carefully assess the legal restrictions on the use of such

solutions, both from a data protection and labour law perspective.


Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN BELGIUM? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

NAUWELAERTS: There is a trend toward stronger enforcement of data protection rules in Belgium. The Secretary of State for Privacy Matters, Mr Bart Tommelein, has played an active role in raising awareness concerning the importance of data protection compliance and has expressed the need for stronger enforcement on several occasions. In addition, the CPP has recently initiated court proceedings against Facebook for failure to comply with the CPP’s recommendations. This trend towards stronger enforcement has certainly increased the focus and awareness of companies on the importance of data protection compliance and the respect of their employees’, customers’ and other individuals’ privacy rights.

Wim Nauwelaerts
Partner
Hunton & Williams
T: +32 02 643 5800
E: [email protected]

Wim Nauwelaerts leads Hunton & Williams’ Privacy and Cyber Security team in Brussels. His practice focuses on European data protection matters, with a particular emphasis on privacy issues in the areas of new media and communication technologies, financial services, healthcare and life sciences. Mr Nauwelaerts is recognised as a leading privacy practitioner by Chambers Global, The Legal 500 (Belgium), and The International Who’s Who of Technology Lawyers. He has written and spoken widely on privacy-related topics, such as cloud computing.


LUXEMBOURG • ALAIN GROSJEAN • BONN & SCHMITT

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

GROSJEAN: Companies usually see data protection and all its binding rules as an impediment to their development. On the contrary, a real programme for data protection should be perceived as a commercial argument, a real asset. The European Regulation that will come into force next year will impose on companies a certain number of protective measures. The European Regulation proposal contains important sanctions for non-compliance with its provisions. Companies will, in any case, have to comply with principles like accountability that will completely change the way they process data. It is up to them to turn these obligations into a positive policy consisting of protection, security, trust and transparency. I do believe that companies can clearly benefit from this age of evolving laws.

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN LUXEMBOURG?

GROSJEAN: Luxembourg companies face several risks in relation to personal data breaches. Losing data, regardless of its causes, can have disastrous consequences for any company. These consequences can be even more serious for companies dealing with particularly sensitive data such as banks, insurance companies and audit firms, in matters of reputation and liability toward their clients. Luxembourg has witnessed some breaches arising from human faults. Even though most of these cases did not reach a courtroom, the loss of a good reputation is not something that can easily be regained. With the European Regulation proposal, there will be an obligation to notify regulatory authorities and concerned persons. That is why companies need to question their policies and the nature of their data processes.


Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN LUXEMBOURG?

GROSJEAN: The Luxembourg law of 2 August 2002 related to the protection of individuals with regard to the processing of personal data, which was subsequently modified, sets, for a company which illegally processes personal data or breaches any legal obligation, sanctions ranging up to one year of imprisonment and a €125,000 fine. The last version of the European Regulation proposal provides that a controller which illegally processes personal data or breaches any legal obligation will be subject to sanctions ranging up to a €1m fine, or for a company up to 2 percent of its turnover.

Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

GROSJEAN: One of the major lessons we can learn from recent notable cases is that we should improve employee training in relation to the protection of personal data. The human element may be the most important aspect of a data protection policy because it is the one with the least ability to control. In most cases, the employee at fault is not aware of the potential risks of their actions. The European Regulation proposal and its principle of accountability establish improved awareness and training in relation to the mechanisms of data protection, complaints procedures, internal audit schemes as well as corrective measures in the event of incidents, attacks and failures.


Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

GROSJEAN: A company must establish an explicit list, which creates a hierarchy of each threat, and then map the risks with respect to their seriousness and the likelihood of their occurrence in order to create priorities. Once the priorities have been evaluated and identified, they can be processed to establish adequate means of reducing them. The company should then implement security failure and incident management protocols. A set of preparatory actions, which define the strategy that the company has to adopt in order to effectively control the threats and incidents surrounding personal data, must be put in place.

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

GROSJEAN: Regular awareness campaigns, training, complaints management and internal audits are the key measures to undertake. Companies will have to implement internal transparency rules, which should be concise and clear, and easily accessible in relation to personal data protection processes and the ability of people affected by it to exercise their rights. Codes of conduct, good practice, charters and labels are tools that can be used to enhance awareness and improve staff training.

Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN LUXEMBOURG? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

GROSJEAN: Luxembourg, with its deep experience in finance and banking, has a strong culture of data protection. The banks, regulated by the Luxembourg Commission for the Supervision of the Financial Sector, need to adopt strong measures for the protection of their clients’ data. Outsourcing providers, data centres, electronic signature and data portability control are all elements that make Luxembourg a prominent country in relation to personal data protection. With the law of 25 July 2015, Luxembourg is one of the leading European countries on electronic storage, creating three statuses of certified service providers for specialised archiving companies: the Conservation Service Provider (PSDC-C), the Dematerialisation Service Provider (PSDC-D) and the Conservation and Dematerialisation Service Provider (PSDC-DC). If you decide to use the services of a certified service provider for the conservation of your electronic documents, you will benefit from a presumption of conformity to the original hard copies. Otherwise, you will have to prove their conformity. The shift of the new European Regulation will be an interesting and informative turning point for Luxembourg companies.

Alain Grosjean
Partner
Bonn & Schmitt
+352 27 855
[email protected]

Alain Grosjean is a partner at Bonn & Schmitt and a member of the Luxembourg Bar Council. He was admitted to the Mediation Centre of the Luxembourg bar as a mediator and was nominated in October 2015 as Deputy Secretary-General of the International Association of Lawyers (UIA). He is specialised in new technologies, information and communication, data protection, e-commerce, electronic signature, electronic storage and intellectual property.


DENMARK • ELSEBETH AAES-JØRGENSEN • NORRBOM VINDING

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

AAES-JØRGENSEN: Companies tend to focus on their primary business with customer needs as their first priority. Their second priority is complying with accounting principles and tax regulation. Generally speaking, efforts are dedicated to other administrative procedures only to the extent that companies have the time and manpower to do so. For many years, data protection was regarded as one of the things that would be given attention when time permitted. But in the last few years, the understanding of, and focus on, data protection and privacy have grown tremendously, and efforts related to complying with the data protection legislation are increasing. And there is no doubt that – with the new General Data Protection Regulation (GDPR) on the horizon – data protection will be given even higher priority in the future.

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN DENMARK?

AAES-JØRGENSEN: So far companies have mainly focused on keeping their essential business data secure rather than on the privacy-related risks of customers, employees or patients. However, today the media frequently focuses on companies’ lack of privacy awareness, so reputational risks seem to be on the rise. Obviously, the bigger the brand, the bigger the financial damage a breach of data protection legislation may cause. In Denmark, the level of compensation for a breach of data protection legislation is quite low – and the same goes for the level of fines. Thus, if a company is the target of the attention of the Danish Data Protection Agency (DPA), the real risk is the reputational risk related to the DPA making its decision public.


Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN DENMARK?

AAES-JØRGENSEN: If a company breaches the data protection legislation, the affected employee may be entitled to compensation of up to DKK 25,000, approximately £2450. Likewise, if charges are filed for breach of the data protection legislation, and the company in question is found guilty on the charges, the level of the fine will be quite low. However, the proposed GDPR is expected to change that situation substantially, as one of the draft proposals is to increase the level of fines to up to €100m, or up to 5 percent of the group’s annual global turnover.

Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

AAES-JØRGENSEN: Danish case law on data protection is still very limited. So far only a few cases have reached the Supreme Court. Nevertheless, it is becoming increasingly common that personal data issues pop up in ‘classic’ employment law cases. Thus, in recent years focus has, for example, been given to employers’ monitoring of employees, including access to emails, and we have also seen an increase in the number of companies implementing whistleblower schemes. In early 2015, the DPA issued more specific guidelines for companies’ HR administration and this has encouraged many companies to re-examine their HR procedures.


Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

AAES-JØRGENSEN: Obviously, companies that have internal procedures in place, that train their employees to comply with the procedures and make sure that their employees do in fact comply with such procedures, are in a much better position when it comes to avoiding data security breaches than companies paying less attention to data security. That said, companies should also have procedures in place for handling data security breaches. Such procedures should regulate how to stop or minimise the breach, how to identify the extent of the breach and how to handle the necessary communication on the breach. Thus, companies should have procedures for providing information to the affected individuals, notifying the relevant authorities and communicating via the media.

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

AAES-JØRGENSEN: Everything starts with awareness – especially if awareness is followed by policies and procedures. The challenge is that technological developments happen so fast that it is practically impossible for companies to keep up-to-date when it comes to having the right procedures in place. But companies that have implemented policies and communicate these to their employees, who must then comply with such policies, certainly have a better starting point than companies that do not have the same focus on data security. However, even if companies do minimise the risks by implementing policies, it is impossible to completely eliminate the risk of rogue – or even indiscreet or malicious – employees acting in a way that may pose a threat to privacy and data security. In such situations, the usual remedies under Danish employment law become relevant, with the most severe sanction possible being termination with immediate effect. If the company’s brand is damaged, such a remedy may, however, prove insufficient.


Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN DENMARK? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

AAES-JØRGENSEN: More and more companies want to be at the ‘cutting edge’ of data protection. Data protection has moved from being an issue for the minority to being considered a genuine business risk if not properly handled. This is not likely to change moving forward. Until recently, consumers largely looked for convenient solutions and were less concerned about data security. With increasing media focus on privacy breaches, we might see a movement toward data security as a competition parameter, especially for companies labelling themselves as CSR-dedicated.

Elsebeth Aaes-Jørgensen
Partner
Norrbom Vinding
+45 3525 3940
[email protected]

Elsebeth Aaes-Jørgensen advises on all aspects of labour and employment law but has a special interest in public law in general, including municipal and administrative law, data protection, business immigration, pensions, the private practice sector as well as litigation in the civil courts, the Danish Labour Court and industrial tribunals. Ms Aaes-Jørgensen is frequently involved in teaching activities and is a regular speaker in various contexts on all aspects of labour and employment law, including data protection. In addition, she heads Norrbom Vinding’s data protection team and is a member of the International Association of Privacy Professionals (IAPP) and the Copenhagen Data Protection Forum.


ITALY • ALFREDO GALLISTRU • PWC ITALY

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

GALLISTRU: In order to have a better understanding of the local context, it is worth highlighting the limited number of large-size operators and high number of medium and small-size enterprises operating in Italy. However, large operators represent a significant portion of the country’s competitive potential, so the degree of awareness of privacy issues varies. Large companies operating in Italy have a satisfactory understanding of privacy issues, as the officers in charge work constantly to ensure their company follows the most recent decisions and guidance of the authorities. Possible areas for improvement include appointing a responsible officer, such as a privacy officer, capable of overseeing a holistic approach, better communication among corporate functions such as legal and IT, and better enforcement of system requirements. By contrast, SMEs find it difficult to remain up-to-date and fully compliant with applicable requirements. The growing exposure to privacy risks is unavoidable, resulting in these organisations shifting from a traditional approach to a more proactive approach when addressing data security, protection and management issues. In general, the economic community is concerned about these issues and anxiously awaits the adoption of new European regulations. With more new technologies having a significant impact, and the threats increasing, the new regulations promise to revolutionise data protection in Italy.

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN ITALY?

GALLISTRU: Local regulations on personal data protection are characterised by a general primary rule accompanied by specific requirements for each segment. Given the exponential increase in information and data processed by organisations, this reference background is characterised by user expectations for greater safeguards and protection as well as increased transparency due to social media diffusion. When negative circumstances arise, besides the conceivable damage to reputation, the financial impact should also be taken into account. To date, these are mainly connected with penalties and sanctions. In practice, class actions are relatively uncommon at a local level. In the event of an attack on third party data, local regulations affecting corporate liability can result in monetary sanctions, as well as interdiction measures including suspension of a company’s business operations.

Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN ITALY?

GALLISTRU: Current legislation provides for fixed administrative sanctions in addition to possible penal sanctions. Under these circumstances, at least with reference to larger enterprises, the negative consequences are mainly operational and reputational. The possible future introduction of administrative sanctions, proportional to turnover, could result in businesses reviewing their risk assessments.

Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

GALLISTRU: The most recent legislative provisions, case law judgements and privacy authority measures address issues such as cookies, the obligation to report potential data attacks to the authorities, the new labour laws regarding remote control for employees, enforcement of the deontology code on the treatment of personal data for commercial purposes, and the new safe harbour issues. These innovations require organisations to review their business processes to adequately respond to the new requirements impacting data processing and protection, including implementation and control measures to verify compliance. More mature organisations consider such innovations as an opportunity to implement ‘privacy by design’ processes. Attacks suffered by companies, even those operating in the security business, emphasise the need to strengthen and increase security measures, starting with a review of the effectiveness of prevention measures through appropriate vulnerability assessments. The increasing use of outsourcers in business processes, particularly in environments where privacy issues are significant, such as telemarketing and information technology, makes it necessary to protect such data through independent assessments and strong internal controls. In general, potential vulnerabilities in a company’s processes could damage a company’s reputation with huge consequences for the organisation’s value. This means it is necessary to deal with these issues, not just to achieve compliance, but primarily to manage this important element of business strategy.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

GALLISTRU: Critical issues for companies to consider include timeliness, how to identify a data security breach, and how to ascertain that the breach concerns privacy data. It is also necessary to define escalation procedures to report the matter to data protection authorities and to identify countermeasures to stop the attack. The response plan should be periodically tested to verify its effectiveness, timeliness and stakeholder awareness. Records of incidents, root cause analysis and security issues should be maintained to identify potential vulnerabilities and data breaches that are not detected by existing alert tools.

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

GALLISTRU: Risk responses should reflect a balanced combination of prevention and detection. Effective prevention starts with the selection, recruitment and dismissal of personnel, including background checks, specific contractual clauses, exit procedures, training and awareness programmes outlining expected conduct, measures to be carried out, and the use of whistleblowing mechanisms. Data protection and security systems should be subjected to a structured and formalised process of risk detection, control assessment and identification of corrective actions. When designing prevention measures, aside from the rules governing data classification and protection measures, particular attention should be paid to identifying specific sources of risk. Data access rules and segregation of duties must be considered. Besides specific privacy audits, significant added value could result from a system log analysis and the ability to analyse relevant available information. However, the system’s overall effectiveness must include a crisis management programme to deal with possible incidents.

Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN ITALY? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

GALLISTRU: Our 2015 Global State of Information Security Survey noted that 29.6 percent of European boards of directors actively participated in a review of current security and privacy risk, while 44.2 percent participated in defining the overall security strategy. In prior years, board and top management concerns for these issues were less focused, so this trend reflects the development of a stronger risk culture and a more mature approach to creating lines of defence.

Alfredo Gallistru
Partner
PwC
+39 02 7785 483
[email protected]

Alfredo Gallistru is a partner at PwC Italy. Within the risk assurance services practice he leads the IT risk assurance solution set. Mr Gallistru is a certified information systems auditor (CISA), certified internal auditor (CIA), certified information security manager (CISM), certified in the governance of enterprise IT (CGEIT) and certified in risk and information systems control (CRISC). He is vice president of the local ISACA Chapter in Milan. Mr Gallistru has more than 20 years of experience in information system auditing, privacy and information security consulting, compliance review and in the assessment and implementation of IT governance and IT controls.


JAPAN • TAKASHI NAKAZAKI • ANDERSON MORI & TOMOTSUNE

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

NAKAZAKI: Large Japanese companies are aware of their duties of confidentiality and data protection under the Act on the Protection of Personal Information (APPI). However, many small and medium-sized companies are unaware of their duties, since private businesses which have fewer than 5000 individuals listed in their electronic or manual database at any time in the past six months are exempt under the APPI’s small business exception. This exception will be abolished under the amendments to the APPI which will come into force in 2017, and as a result, small and medium-sized companies must be prepared to achieve compliance with their new confidentiality obligations and ensure protection of personal data and privacy. Large companies must also reconsider their privacy policies, internal data protection rules and information security systems following the 2017 amendments.

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN JAPAN?

NAKAZAKI: In the 10 years that have passed since the enactment of the APPI, remarkable progress has occurred in the field of information and communications technology, such that it is now possible to store and analyse what has come to be called Big Data. Despite the need for, and the high value of, the use of Big Data, many Japanese companies are hesitant to make use of the same, particularly personal data, due to the apparent ambiguities of the rules under the APPI framework and the reputational risks that flow from the growing privacy concerns of consumers. In addition, companies face the risk that data that is stored and handled in bulk may be leaked or hacked. As a result, companies now expend significant financial resources to protect such data. Moreover, the amendments to the APPI herald stricter regulations on the transfer of personal data to third parties and in respect of international transfers out of Japan.


Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN JAPAN?

NAKAZAKI: Under the APPI, criminal penalties may be imposed if a person fails to comply with any order issued by the relevant ministry, subject to penal servitude of six months or less or a criminal fine of ¥300,000 or less. Failure to submit reports, or submitting untrue reports, as required by the governmental ministry, carries a criminal fine of ¥300,000 or less. A company may also be liable to pay a criminal fine in the event that these offences are committed by an officer or employee of the company. Under the new APPI, criminal penalties will be introduced to target employees or former employees who steal personal data. As to civil liability, companies which become the subjects of personal data leaks may become liable to pay compensation under the Civil Code, provided that individuals successfully file a claim in the courts. There have not been many such cases in the courts thus far, and the ceiling for civil liability is ¥35,000 per affected individual.

Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

NAKAZAKI: Several large incidents in relation to leaks of personal data have been publicly announced recently in Japan. In the Benesse case involving one of the largest companies in the education industry, the personal data of some 23 million people was leaked from a subsidiary by a systems engineer. He stored the data in a smartphone and sold it to a number of data brokers. The case illustrates the potentially significant impact of allowing companies to store large quantities of personal data. Many industry-specific and sector-specific administrative guidelines of the APPI have been compiled by governmental ministries to amend and strengthen personal data protection rules. The new measures introduced include stricter guidelines on the supervision of employees and subcontractors and the implementation of stronger technical and systematic protection measures.


“Many Japanese companies have either suspended or improved their business plans to utilise anonymised personal data for business purposes.”

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

NAKAZAKI: Companies should consider a number of steps to avoid a potential data security breach. Systematic security control measures should be implemented including clearly establishing rules surrounding the responsibility and authority of workers regarding security control, preparing and enforcing regulations and procedure manuals, and confirming the status of implementation. Human security control measures should be employed including concluding nondisclosure agreements in relation to personal data, specifying such data as constituting an operational secret kept by workers and educating and training such workers on the protection of the privacy of such data. Companies should also consider improved physical security control measures, including measures that control entrance into, and departure from, a given location – and prevent the theft of personal data. Further, companies should factor in technical security control measures, including measures that provide for the security control of personal data by limiting access to certain data.

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

NAKAZAKI: Companies should consider several measures to manage internal risks and threats arising from the actions of rogue employees. They should consider employee education, as it is important to ensure that employees recognise and understand the potential risks and threats, both to themselves and the company, that result from the improper use of personal data. This may, for instance, involve making employees aware of the significant damage that can arise from such improper use of personal data and the potential termination of employment that may result. It may also include more proactive measures such as employee training, including e-learning and the requirement to periodically obtain a letter of commitment to avoid a security breach. Companies must also take systematic measures into account, which are useful for keeping potential rogue actors away from customer data. Technical measures are also important, such as minimising the number of persons to whom the authority is granted to access personal data and implementing access control measures based on identification authentication, such as ID and password or biometric authentication.


Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN JAPAN? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

NAKAZAKI: Many Japanese people have become highly sensitive to privacy concerns and there is public concern about the collection and utilisation of personal data by the private sector for business purposes. This public sensitivity was brought to light in the Super Urban Intelligent Card (Suica) case in 2013. A Suica card is a rechargeable smart card that can be used as a fare card on trains in Japan. The East Japan Railway Company (JR East) decided to sell the processed travel record information and purchase history recorded on customers’ Suica cards to a third party. JR East planned to delete each person’s name and telephone number before transferring the information so that the third-party recipient could not identify the person. However, a number of objections and opposing views were raised by consumers, who contended that personal identification may be possible, and that their privacy would be infringed even if there were no direct violation of the APPI. JR East consequently abandoned the plan. Following the Suica case, many Japanese companies have either suspended or improved their business plans to utilise anonymised personal data for business purposes to avoid such disputes with consumers.

Takashi Nakazaki
Special Counsel
Anderson Mori & Tomotsune
+81 3 6888 1101
[email protected]

Takashi Nakazaki has been engaged in an extensive range of TMT matters at Anderson Mori & Tomotsune, including telecom regulations, computers, software development, e-commerce, platform service, domain name disputes, drones and digital forensics. His experience also includes legal advice in several fields of intellectual property and licensing, including traditional copyright, digital copyright, trademark, open source, cross-border licensing and biochemical. Mr Nakazaki has also assisted many start-up clients with general corporate advice. He is a member of the editorial board of AIPPI Japan and KnowledgeNet co-chair of IAPP Japan.


CHINA • MANUEL MAISOG • HUNTON & WILLIAMS LLP

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

MAISOG: The frequency and extent of abusive uses of personal information, such as unwanted text advertising messages, in China suggests that companies are not as aware of the risks and duties associated with personal information as they should be. Repeated enforcement campaigns, in which suspects are rounded up for investigations – seemingly in wholesale waves – as well as repeatedly reactive rulemaking in which regulations are promulgated only after and in response to an event or crisis, seem to suggest weaknesses in the overall attitude with which privacy related risks are regarded in China.

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN CHINA?

MAISOG: Since there is no comprehensive or uniform personal data protection law in China, there are no requirements generally applicable to all processing of personal data. Some requirements apply on a sector-by-sector basis. There are requirements scattered throughout various Chinese laws and regulations under which different entities that may have access to personal information must keep such personal information and the private matters of individuals confidential. Some of these provisions provide for punishment for a violation of this obligation of confidentiality.

Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN CHINA?

MAISOG: In China, government authorities are paying more and more attention to privacy and data protection. In newly promulgated data protection rules, data breach activities can be subject to substantial monetary compensation, administrative penalties and even criminal liability. For example, the 9th Amendment to the PRC Criminal Law, which became effective on 1 November 2015, prohibits the sale or provision to others in violation of law, or the theft or illegal obtaining of personal information by any individual or entity. If an entity commits any of these crimes, it will be subject to a fine and the persons directly in charge and other persons directly liable will be subject to fixed-term imprisonment or criminal detention and concurrently or separately may also be subject to a fine. Entities which sell or provide personal information obtained during their performance of duties and provisions of services, in violation of law, would be subject to even heavier punishment.

Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

MAISOG: The general insight appears, so far, to be that government authorities in China have started to give a higher level of priority to cyber security and personal data protection on the internet. Government authorities appear to be responding to the rapid development of internet technology and the resulting surge in the number of users of internet services.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

MAISOG: Probably the best step is to take measures to achieve a level of technical security at which a security breach becomes unlikely. A security breach incident is better avoided in the first place. It constitutes a cost centre and a distraction from a company’s generation of its core products and services. It is rarely a profitable experience, other than from the lessons learned, and mostly delivers only risk to the company’s reputation and to its relationship with clients. Beyond the priority of prevention, it is important to have a clear understanding of breach notification requirements. In China, only four industry sectors are subject to mandatory breach reporting requirements. Companies in one of these sectors should prepare and rehearse security incident response plans because once a breach occurs they will be under immense time pressure to satisfy all requirements and to do so accurately and correctly. Companies not in one of these sectors should also prepare and rehearse security incident response plans, but their plans may not have to reflect or anticipate the same level of extreme time pressure. Aside from preparation and rehearsal of security incident response plans, preparations that could mitigate liability for a breach incident, when and if one occurs, can be undertaken simply by adopting and consistently applying best practices during the ordinary course of day-to-day data processing.

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

MAISOG: The best approach is not a legal approach, but an organisational and even moral one. That is, a company can best manage internal risks and threats arising from the actions of rogue employees by promoting and protecting an internal corporate culture that is rooted securely in honesty and integrity. The company should hire only persons of integrity and trustworthiness, and should quickly terminate employees who show a willingness to undertake illegal or unethical actions at the workplace, or to tolerate these actions among others. A team that is made up of honest people will not have any difficulty in managing internal risks and threats arising from the actions of rogue employees, because it will not have any rogue employees in the first place. Subject to the foregoing, in China it is also possible to undertake employee monitoring campaigns. In the context of Mainland China, there are very few general rules on privacy and personal information protection in an employment context. As such, there is no prohibition on employee monitoring and no particular rules on how employee monitoring should be conducted.


“It is probably true that companies in Mainland China are not as aware of the risks and duties associated with personal information as they should be.”

Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN CHINA? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

MAISOG: China’s data privacy framework is emerging on a patchwork, sector-by-sector basis. As such, companies in some sectors are becoming aware of the risks and duties associated with collecting and handling personal information, while companies in other sectors have little awareness of the same risks and little incentive to develop any awareness of them. On the whole, however, it is probably true that companies in Mainland China are not as aware of the risks and duties associated with personal information as they should be.

Manuel Maisog
Partner
Hunton & Williams LLP
+86 10 5863 7507
[email protected]

Bing Maisog is the chief representative of the firm’s office in Beijing. He is a member of the firm’s Corporate practice team, and has also worked as a member of the Energy and Infrastructure team. Prior to the establishment of the Beijing office, he was resident in both Bangkok and Hong Kong, and worked on significant project finance and project acquisition transactions in many countries across Asia. In the past, he has also worked as a corporate finance lawyer, with experience in initial public offerings, private placements, and financial institution merger and acquisition transactions.


TAIWAN • CHIN-JUI CHANG • PWC TAIWAN

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

CHANG: Taiwan passed the Personal Data Protection Act (PDPA) in April 2010 and it came into force in October 2012. The PDPA applies to all companies, individuals and public organisations and is a milestone piece of legislation. After three years of PDPA enforcement, the awareness of data protection in Taiwan varies by sector. The Taiwanese authorities enforce the data protection order on those companies who hold a large amount of personal data, such as firms in the telecoms, e-commerce and especially the financial services industry. Accordingly, those companies have committed considerable resources to boosting cyber security under the PDPA, particularly compared to companies in other industries. Most firms have implemented Personal Information Management Systems (PIMS) in order to comply with the regulation. Recently the Ministry of Education has conducted privacy and data protection supervision for a number of higher education institutions and is pushing the higher education sector to adopt PIMS. Though many other industries in Taiwan don’t pay enough attention to the risks associated with data protection, the emergence of a new digital economy will eventually force them to do so.

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN TAIWAN?

CHANG: The increase in cyber crime in Taiwan is something we have to take into serious consideration; no company can escape from cyber attack. The increased utilisation of data processing, and the country’s newly developed reliance on third party vendors, has increased the complexity of data protection in Taiwan. In turn, this has exposed companies to cyber risk. Companies face a maximum fine of NT$200m for a data breach according to the PDPA, and the speed at which news spreads on the internet and across traditional and social media increases reputational risk.


Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN TAIWAN?

CHANG: Failure to comply with the PDPA can result in the imposition of civil liabilities in the range of approximately US$16 to $680 for each record, and up to a maximum of approximately US$6.8m in total, depending on the circumstances of infringement. Private entities in breach may face administrative fines of up to approximately US$16,000 for each violation. Breach of certain provisions, such as those relating to the processing of sensitive personal data, constitutes a criminal offence and, if the private entity violates the restrictions relating to the processing of sensitive personal data with intent to make profits, such a violation carries a maximum sentence of five years in prison in addition to or instead of fines of up to approximately US$33,000. Representatives of a company may be subject to the same amount of administrative penalties when the company violates the PDPA.

Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

CHANG: The impact of a data breach is not only an IT operations event but also a corporate reputation risk. In Taiwan, the greatest privacy risk for organisations is reputational risk, and the reward for compliance with the PDPA is building trust with stakeholders. Compared to companies that do not pay attention to the PDPA, trust-building companies have a greater advantage in terms of customer confidence and loyalty.


Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

CHANG: The best practice for dealing with privacy risk is to adopt a compliance program, a PIMS and appoint a chief privacy officer (CPO), a C-suite officer responsible for communicating privacy and data protection issues to board members and employees. In order to reduce the privacy risk, companies should implement all the necessary processes for data protection. Data breach response plans should include notification procedures that comply with the PDPA and related regulations.

Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

CHANG: In order to manage internal privacy risk, education and training to raise the awareness of privacy and data protection is a must. Companies should apply their privacy and data protection rules to all employees’ daily tasks. Violation of these rules should result in termination. In order to have a clear picture of the compliance levels of both the company and employees with privacy and data protection rules, proper internal audits and maturity measures should be implemented. Technical data protection solutions, such as DLP, are another option companies have to reduce the risk faced from malicious employees.


“Data breach response plans should include notification procedures that comply with PDPA and related regulations.”

Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN TAIWAN? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

CHANG: Government authorities have increased their supervision and enforcement with respect to privacy and data protection in some sectors. This makes companies aware of data protection and enables them to embed data protection into their corporate governance and management processes. Companies within these sectors will benefit from implementing PIMS, as internal and external audit provides a chance for a proactive review of appropriate controls and risk management.

Chin-Jui Chang
Partner
PricewaterhouseCoopers Taiwan
+886 2 27296916
[email protected]

Chin-Jui is a partner in the risk assurance practice of PricewaterhouseCoopers Taiwan and leads the firm’s Privacy and Cyber Security services. He focuses on all aspects of privacy and security in a range of industries. He also specialises in the establishment of compliance systems, particularly in regard to Information Security Management System (ISMS) and Personal Information Management System (PIMS). Mr Chang is active in public affairs and is also a supervisor of the Institution of Internal Auditors, ROC (Taiwan).


AUSTRALIA • GRACE GUINTO • PWC AUSTRALIA

Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

GUINTO: Australian organisations are playing catch-up with the rest of the world. However, the amendments that were made to federal privacy legislation 18 months ago, together with recent high profile enforcement actions taken by the Office of the Australian Information Commissioner (OAIC) against organisations that were deemed to have violated the privacy of their consumers, have raised the profile of this topic to the board and C-suite executives. There are still varying degrees of privacy maturity across Australian organisations. Some believe a simple update to their market-facing privacy statement is enough to satisfy their duties of confidentiality and data protection, while others have used their privacy compliance efforts to drive forward their responsibilities and build a competitive advantage by engendering consumer trust.

Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN AUSTRALIA?

GUINTO: As organisations continue to engage with their consumers in a digital ecosystem, there is an increasing amount of personal data that is collected, handled, stored and transferred within and outside of Australia to the organisation’s related entities and third party service providers. With this comes the increasing expectation from consumers that these organisations will be responsible and accountable for its safekeeping. This is reflected in the significant increase in privacy complaints received by the OAIC in recent years. Those Australian organisations that have breached the privacy of consumer data can find themselves being investigated by the privacy commissioner, be burdened with significant financial costs involved with fines and remediation activities and face the erosion of the organisation’s reputation, resulting in consumer churn and loss of new business.


Q: WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN AUSTRALIA?

GUINTO: Within Australia, both public sector and private sector organisations, with some exceptions, are bound by the Privacy Act. The OAIC is responsible for bringing enforcement action against those organisations that violate a privacy law. Serious or repeated privacy breaches can attract fines from the OAIC of up to AUD$1.7m for organisations and AUD$340,000 for individuals. To offset the costs of a privacy breach, Australian organisations have been investing increasingly in insurance products to help protect against financial losses that result from security incidents, for example cyber insurance. In our recently released 2016 Global State of Information Security Survey (GSISS), 56 percent of respondents indicated that they have taken out cyber insurance to offset the costs associated with penalties that might arise following a breach or violation of data or privacy laws in their region. However, the cyber insurance offering is still maturing, can be expensive and does not always cover all possible costs that can be imposed on an organisation that has experienced a data or privacy breach.

Q: WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

GUINTO: Recent cases have demonstrated that the OAIC has the ability to bring enforcement actions against organisations that have violated the Privacy Act, irrespective of whether they are operating in Australia or are headquartered elsewhere. The OAIC has taken recent actions against two global technology organisations following a security breach of their consumer accounts, which included Australian-based individuals. These recent cases have also demonstrated the consultative role that the privacy commissioner has played in the Australian data protection landscape. The OAIC has sought to balance their enforceable actions with helping entities to ensure they have the right privacy governance frameworks in place to meet their privacy obligations to Australian consumers.


Q: IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

GUINTO: In Australia, despite the absence of the mandatory data breach notification, the OAIC has issued guidance to help entities governed by the Privacy Act to understand the key steps in preparing and responding accordingly to a data security breach. However, one of the key steps that we find Australian organisations often forget to undertake as part of this process is to first understand what data they actually hold and where it’s located. According to the GSISS, security events ascribed to current and former third-party partners jumped 22 percent over the previous year. As such, organisations must invest time in understanding the personal information they maintain for their customers, suppliers, shareholders, employees and other stakeholder groups, including the data stored on their behalf by third-party service providers. This is a critical first step in building a breach management plan, as it then allows organisations to clearly consider the responsibilities of their third-party service providers. As we have seen with the recent spate of privacy breaches, while an organisation can outsource their data handling processes, they cannot outsource their responsibilities when that data is breached.

Q: WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

GUINTO: The GSISS reports that employees, both current and former, remain the most cited source of compromise, but incidents attributed to business partners are up substantially. To mitigate this risk, organisations need to adopt a multi-faceted approach – including establishing robust privacy and security governance framework policies and procedures, rolling out training and awareness campaigns and implementing controls around employees’ user access and security to data. This is important in building a corporate culture and approach that acknowledges and respects the role of employees in protecting and safeguarding the personal information they hold. As risks and threats rise, the GSISS also reports that organisations have significantly boosted investments in information security by 24 percent in 2015, which includes funds allocated for hardware, software, services, education and information security staff. It will be interesting to see whether this boost in information security spending will translate to a drop in detected security incidents in future years, or actually result in an increase, as organisations seek to adopt more sophisticated tools and services to manage their internal risk and threats. This includes the use of cloud-based security services and the employment of Big Data analytics to model for and identify information security incidents.

Q: WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN AUSTRALIA? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

GUINTO: Due to the global impact of many recent data security breaches experienced in the US and EU, coupled with the recent security breaches experienced by Australian organisations, we are seeing more organisations take steps to ensure that appropriate controls and risk management processes are in place. However, more can be done in this space. Australian organisations should not allow the uncertainty of the future privacy regulatory role of the OAIC to hold them back from complying with the Privacy Act and fulfilling the privacy commitments they have made to their consumers. They should recognise that privacy is a fundamental element in building trust with their consumers, especially in the digital world where they will collect, hold and store more personal information about their consumers than ever before.

Grace Guinto
Director
PwC Australia
+61 (3) 8603 1344
[email protected]

Grace Guinto is the national privacy leader for PwC Australia’s Digital Trust practice. Ms Guinto advises clients on how to assess and build sustainable and repeatable privacy programs, respond to regulatory orders and build confidence among consumers and other stakeholders through their privacy and data security efforts. She has considerable experience in both Australia and the US working with clients to increase their transparency with investors, regulators, business partners and customers, enhancing trust and creating competitive advantages through their data protection and privacy compliance efforts.


NEW ZEALAND • STEVE MCCABE • PWC NEW ZEALAND

Q: DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

MCCABE: The gap in New Zealand understanding is due to the speed of digital change rather than evolving privacy laws. New Zealand privacy legislation is more than 20 years old, and while there have been some amendments over time, it is not comprehensively equipped to govern and regulate privacy in a rapidly changing digital landscape. Recognising this, privacy law reform was signalled by the Minister of Justice in 2014, with proposals to address some of the shortcomings following an earlier Law Commission review, although there is yet to be a bill before parliament. We are seeing improvements in the understanding of privacy laws, especially in the public sector, yet there is still a great deal of variation in the maturity of privacy practices across organisations, and their understanding of their obligations, especially in areas such as offshore cloud services, outsourcing and cross-border information transfers and disclosures.

Q: AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN NEW ZEALAND?

MCCABE: As in most regions, there is a great deal of concern over the consequences of inappropriate disclosure of personal information, in both the public and private sectors. The loss of public and customer confidence in a brand, service or government can be extremely damaging and this type of reputational risk is often quoted as a prime concern. Public trust and confidence in the ability of the government to safely manage personal information is critical to the delivery of better digitally-enabled public services. In the private sector, where personal information is often a valuable and core asset to the business model, a loss of public trust often translates into a loss of shareholder or company value, and the financial implications of this can be crippling to a business. The absence of mandatory disclosure of personal information breaches in New Zealand and the very limited powers of the privacy commissioner mean that regulatory risks are generally considered to be minor, although we expect the pending legislation reform will change this position.


Q: WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN NEW ZEALAND?

MCCABE: The privacy commissioner has very limited powers under legislation in New Zealand and cannot impose penalties for privacy breaches. Yet, following an investigation, the privacy commissioner can refer cases to the director of human rights proceedings who may then take it to tribunal, which does have the power to award damages and compel a company to take action. This year, a complainant was awarded NZ$168,000 in damages for a significant breach of personal privacy, the highest amount ever awarded for a breach of the Privacy Act in New Zealand. Another notable penalty available to the regulator is the ‘name and shame’ approach where the threat of public exposure is considered to be a useful tool – when used sparingly – to encourage organisations to adopt good privacy practices. The privacy commissioner has recently published policy which clarifies the circumstances under which organisations may be named that have breached the Privacy Act.

Q: WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

MCCABE: The cases that have had the biggest impact on the data protection landscape in New Zealand occurred in 2012 which the privacy commissioner described as the ‘year of the breach’ in her annual report. The Accident Compensation Corporation and the Ministry of Social Development – both government agencies – suffered personal information breaches in close proximity resulting in the government taking unprecedented action to raise the maturity and effectiveness of privacy and security practices across the public sector. Both a government chief information officer and a government chief privacy officer were appointed to govern and drive a quantum shift in privacy and security practices and maturity, and the office of the privacy commissioner was awarded an additional NZ$7m in funding from 2014 to 2018. There has been recognition that good privacy practices are less about legal interpretation of the Act and more about the risk of harm to individuals and the consequences to them should personal information be mismanaged.

Q: IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

MCCABE: Educating your people about what is sensitive and how to handle it appropriately is your best defence. However, you also need to be ready for an incident and the first step is to determine how you are going to detect and identify one. Ensure that you have clearly communicated channels for reporting incidents and near misses. Develop education and training programmes that build a culture of transparency where reporting is encouraged and rewarded. Demonstrate through your actions that this leads to better responses, not witch hunts. Develop your communications strategy and be prepared to communicate clearly and often with your customers, the public and the media. Build a multi-disciplinary response team that encompasses all key business functions, align this with your disaster recovery and business continuity plans and response teams. Most importantly, practice your response thoroughly and often.

Q: WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

MCCABE: There is a substantial market for personal information and companies must recognise that this threat is significant. Companies must ensure that the employment process includes robust vetting procedures proportionate to the value of the information that employees will handle. Manage your digital identities carefully by controlling access and entitlements, limiting system privileges and ensuring employee accounts are disabled on termination or exit. Educate and train your employees, as insiders are less likely to act maliciously if there is a strong security culture. Focus your detective efforts on characterising and identifying abnormal behaviours such as large movements of data or login activity at unusual times of the day. As for any risk management exercise, prioritise your efforts on your most important assets.
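McCabe's answer above names three behaviours a detection team can actually alert on: logins at unusual hours, large movements of data, and accounts that should have been disabled on exit. The Python script below is an added example, not code from this review or from PwC. It runs those three checks over a handful of constructed log lines in an assumed `timestamp user action bytes` format, against a constructed HR list of leaving dates; the business-hours window and the per-day egress threshold are assumptions a real deployment would tune to its own baseline.

```python
"""Added example: three insider-risk checks from the answer above, run over
constructed log lines. The log format, the HR feed, the business-hours
window and the egress threshold are all assumptions for illustration."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample log (not real data): "<ISO timestamp> <user> <action> <bytes>"
SAMPLE_LOG = """\
2015-11-02T09:12:04 alice login 0
2015-11-02T09:40:11 alice download 1200000
2015-11-02T13:05:30 bob login 0
2015-11-02T13:20:00 bob download 800000
2015-11-03T02:17:45 bob login 0
2015-11-03T02:25:10 bob download 950000000
2015-11-03T10:00:00 carol login 0
2015-11-03T10:05:00 carol download 50000
this line is malformed and must be skipped
"""

# Constructed HR feed: last day of employment; any activity after it is a finding
TERMINATED = {"carol": date(2015, 10, 30)}

BUSINESS_HOURS = range(7, 20)           # assumed: 07:00-19:59 local time
EGRESS_THRESHOLD_BYTES = 500_000_000    # assumed: 500 MB per user per day

LINE_RE = re.compile(r"^(\S+) (\S+) (login|download) (\d+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    nbytes: int


def parse_log(text: str) -> list[Event]:
    """Parse log lines; malformed lines are skipped rather than aborting the run."""
    events: list[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, nbytes = m.groups()
        events.append(Event(datetime.fromisoformat(ts), user, action, int(nbytes)))
    return events


def find_anomalies(events, terminated=TERMINATED, hours=BUSINESS_HOURS,
                   threshold=EGRESS_THRESHOLD_BYTES):
    """Return (rule, user, detail) tuples for the three behaviours."""
    findings = []
    egress = defaultdict(int)   # (user, day) -> bytes downloaded that day
    for e in events:
        # 1. login outside the assumed business-hours window
        if e.action == "login" and e.ts.hour not in hours:
            findings.append(("off_hours_login", e.user, e.ts.isoformat()))
        # 2. any activity on an account that should have been disabled at exit
        leave_date = terminated.get(e.user)
        if leave_date is not None and e.ts.date() > leave_date:
            findings.append(("terminated_account_active", e.user, e.ts.isoformat()))
        if e.action == "download":
            egress[(e.user, e.ts.date())] += e.nbytes
    # 3. large movement of data, aggregated per user per day so that many
    #    medium downloads are caught as well as one very large one
    for (user, day), total in sorted(egress.items()):
        if total > threshold:
            findings.append(("large_egress", user, f"{day.isoformat()} {total} bytes"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:26} {user:8} {detail}")
```

On the constructed input the script reports bob's 02:17 login, bob's 950 MB day and both events on carol's account after her leaving date; alice, whose activity is in hours and small, produces nothing. The daily aggregation and the HR join are the parts worth keeping when this is rebuilt on real audit data: a single-event threshold misses drip exfiltration, and without the leaver list a still-enabled account looks like any other user.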


Q: WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN NEW ZEALAND? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

MCCABE: This is a work in progress. In our 2016 Global State of Information Security Survey, we saw a significant dip in the confidence that New Zealand respondents have in the effectiveness of their security controls from previous years. We think this is a maturity step and reflects the realisation that there is limited comprehensive controls assurance in most organisations to substantiate higher confidence levels. Having said this, the public sector is improving in its risk management processes and privacy maturity, and new tools and documentation from the privacy commissioner are helping companies understand how to assess impacts to privacy when handling, processing and storing personal information. There is still some way to go but we are certainly making progress.

Steve McCabe
Partner
PwC New Zealand
+64 4 462 7050
[email protected]

Steve McCabe is a partner in the cyber security practice at PwC New Zealand. For more than 15 years he has practiced in consulting, management and leadership roles across all aspects of privacy and security, both in New Zealand and the UK. He advises public and private sector clients on security and privacy strategies, governance, risk management, transformation and assurance and is passionate about enabling organisational success through the effective management of digital risk to information assets. He has worked with many of New Zealand’s largest public and private sector organisations on the enhancement of privacy in large digital initiatives.


SOUTH AFRICA • BUSISIWE MATHE • PWC SOUTH AFRICA

Q: DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?

MATHE: Most South African companies are familiar with confidentiality requirements, but privacy and the requirements for lawful processing of personal information are relatively new concepts to many. Exceptions to this include financial institutions, among others, which have been preparing for the commencement of South African privacy law since 2009 and before, resulting in a greater understanding of privacy and data protection requirements. In addition, awareness among South African companies in general has been steadily increasing since the Protection of Personal Information Act was signed into law in 2013, and certain sections of the Act commenced in April 2014. Another factor in rising levels of awareness has been the increased pressure being experienced by South African companies to provide evidence of compliance with data protection requirements in their dealings with both local and international counterparts, trading partners, clients and vendors. All of this has resulted in the initiation of privacy compliance efforts and programmes to implement compliance.

Q: AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN SOUTH AFRICA?

MATHE: In South Africa, the Protection of Personal Information Act is not fully effective yet. Only those sections dealing with the definitions, the establishment of the Information Regulator, its powers, duties and functions, and the powers of the Minister of Justice to make Regulations in terms of the Act are currently effective. The Information Regulator is yet to be appointed and the commencement date of the remainder of the Act is still to be announced. Therefore, regulatory and financial risk in terms of the Act does not yet apply; however, companies may face reputational risk if they experience a breach of personal information or if they fail to demonstrate that they are serious about protecting the personal information of their employees, customers and vendors. There is also the potential civil liability that may be incurred through violation of existing common law. In addition, companies with both a local and international footprint, whose international group entities are subject to privacy laws of other jurisdictions, may expose the group to regulatory, financial and reputational risk if they don’t adhere to group privacy policies.

Q: WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN SOUTH AFRICA?

MATHE: Once the South African privacy law is fully in place, any person who feels that their rights as a data subject have been infringed may submit a complaint to the Information Regulator, in writing. Companies may attract liability if they violate the privacy of data subjects. This may be civil liability for patrimonial and non-patrimonial damages, for interference with personal information regardless of whether or not there is intent or negligence. Or it may be criminal liability of up to 10 years in prison or the payment of a fine. Or it may be administrative liability for an administrative penalty payable to the Information Regulator up to a maximum of R10m.

Q: WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?

MATHE: There have been breaches of personal information locally; however, these have not been subject to litigation, and most instances are not reported. However, from the reaction of regulators in other jurisdictions it is clear that data breaches are taken seriously by the regulators and those regulators will not hesitate to demonstrate their powers in cases where companies have not implemented or did not comply with procedures that could or should have prevented such a breach. It is also clear that consumers are becoming more aware of their privacy rights and are losing trust in those companies that don’t take the protection of their personal information seriously. Recent global breaches have highlighted the need to consider reactive measures, such as cyber liability insurance, to protect companies against the financial losses that could result from a personal information or data security breach. The effect of a cyber attack or other security breach could be devastating, from both a financial and reputational perspective. One method of mitigating the financial risk is to ensure that you have extensive insurance against cyber liability.


Q: IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?

MATHE: Companies need to have adequate security and privacy breach procedures in place and must implement effective processes to identify affected data subjects and promptly report the breach – or suspected breach – to each data subject, as well as the regulator. Companies should at the very least ensure that they clearly define what events or actions constitute a data or personal information breach, implement controls and procedures to detect such breaches, and ensure that such breaches are reported internally. They should define forensic procedures to analyse the breach and identify affected data subjects, develop a response plan to ensure that the breach is promptly contained, and develop communication and media protocols to govern the dissemination of information. They should also identify notification requirements imposed by law and implement procedures for notifying the relevant regulator and, where necessary, the data subjects that have been affected, and ensure that the contracts with third parties that process personal information on their behalf require the third party to promptly notify the company of any breach or suspected breach of the data that they have under their control, and define penalties in the event of a failure to notify within a predetermined time period.

Q: WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?

MATHE: Companies should address privacy and confidentiality requirements in employment contracts for both permanent and temporary employees. Actions that the company will take in the event of violation must be clearly specified. This should be accompanied by targeted awareness training so that employees understand what constitutes personal or confidential information, and the data protection requirements that need to be applied when they handle personal information in the course of their duties, via email, or by any means. South African privacy legislation has a very broad definition of personal information and it applies to the personal information of both natural and juristic persons. Until such time as they undertake awareness training or are involved in a privacy project, most employees are not aware of this. In addition, companies must ensure that their controls around the administration of user access and system rights are tight, are tested and updated regularly to ensure that risks are continuously identified and addressed. This is especially relevant when employees leave the organisation, and when third party contractors are allowed to have access to a company’s systems. Access rights should be promptly revoked when employment contracts end. Where companies allow employees to use personal devices to access the company network, they should have a clearly defined Bring Your Own Device policy, and apply strict controls such as remote wipe technology should devices be lost or stolen, or if any foul play is suspected.

Q: WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN SOUTH AFRICA? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?

MATHE: Although awareness about data protection and privacy is increasing, many companies have not yet embarked on programmes to embed controls and risk management processes that will ensure the protection of personal information. A lot of work still needs to be done across most sectors of business in South Africa.

Busisiwe Mathe
Director & Partner
PricewaterhouseCoopers
+27 11 797 4875
[email protected]

Busisiwe Mathe is a partner & director at PwC in South Africa – Gauteng Region. She is responsible for cyber security, privacy and business continuity management competencies within PwC’s Risk Assurance Services division. Ms Mathe is a member of the South African Institute of Chartered Accountants, Independent Regulatory Board for Auditors and is the South African Chapter Agent of the Information Security Forum (ISF). She has over 10 years’ experience in leading teams undertaking reviews and providing services including cyber security assessments, privacy reviews, internal audits and external audits across different sectors and industries. She has managed large scale transformational ICT projects.
