Cybersecurity, Privacy & GDPR
CYBERSECURITY AND PRIVACY
Information security has become an especially relevant area of law because of the growing importance of the requirements to keep data and information systems secure.
Protection Against Imminent Risks
These requirements stem, first, from public law (statutes and regulations), which protects users' data collected by companies, and, second, from private arrangements made via contracts, which protect the companies themselves.
Large-scale Protective Measures, Domestically and Internationally
Gowper works collaboratively across disciplines and jurisdictions to advise domestic and multinational clients on legal obligations and liabilities, as well as on anticipated changes in laws and enforcement practices, strategies for managing compliance and risk, and ways of minimising the cost and effort of compliance.
We provide counsel to companies on EU privacy developments and compliance strategies, including the cross-border transfer of personal data, perform an intensive review of privacy safeguards, and prepare a strategic plan for a defense contractor's privacy and data protection program.
List of Services:
- Assessment and management of data privacy and cybersecurity risks and liabilities in corporate and financial transactions.
- Assessment and drafting of codes of conduct, whistleblowing policies and portals, mandatory corporate standards and data transfer agreements at both national and international levels.
- Assistance with everything from understanding the complexities of third-party compliance questionnaires to drafting governance and compliance structures and reviewing specific contracts for HR or third parties, such as new IT systems.
- Data processing and data transfer agreements.
- Data security breach preparedness and response.
- Representation and defence in disciplinary and regulatory proceedings.
LEGAL ADVICE ON GDPR
We provide discreet legal advice on GDPR, including responding to data breaches.
PRIVACY IMPACT ASSESSMENTS (PIAS)
You may be building a new IT system, developing a new application or buying a new product. Under the GDPR, you must demonstrate that you are applying a data protection approach from the beginning of the development of the new project or initiative. A PIA allows you to identify the risks to data subjects of how personal data will be used while developing the system, in order to take steps to reduce or eliminate the risks and identify those within the organisation who should be held accountable.
RESPONDING TO DATA BREACHES
From the theft of a laptop to a hack or sending an attachment to the wrong recipient, personal data breaches are inevitable. The key is how you respond to them.
We advise companies, including technology, professional services and membership organisations, on how to respond to data protection breaches; to proactively design and test breach response plans; to improve data protection policies, procedures and overall governance; and to deal with the immediate consequences of a breach in accordance with various legal and regulatory responsibilities.
STORAGE OF PERSONAL DATA
Under the GDPR, data must be used for its intended purpose and then deleted after a reasonable period of time, taking into account any other legal responsibilities.
Having an effective data retention policy that reflects the storage and deletion of different types of data sets is now essential.
SPECIFIC INFORMED CONSENT
This is essential to confirm the basis for processing personal data. Under the GDPR, personal data can only be processed under one of 6 headings:
- Specific informed consent
- Legitimate interest
- Vital interest
- Public purpose
- Legal obligation
Consent is required for each specific activity for which the data will be used, and personal data must only be used for the purpose for which they were collected.
PERSONAL DATA CANNOT LEAVE THE EEA
If you use cloud servers to host personal data, personal data of EU citizens cannot leave the European Economic Area (EEA). There are mechanisms to allow personal data to leave the EEA, such as model contractual clauses and binding corporate rules, as well as the EU/US Privacy Shield when dealing with the US, but as a general rule, personal data must remain in the EEA, hence companies such as Facebook, Apple, Microsoft and Google have extensive data storage facilities in Europe.
RIGHT TO BE FORGOTTEN
An organisation must demonstrate that it has deleted all unnecessary data relating to an individual and that the individual will not be contacted again. Where personal data is stored in multiple systems or in an infrastructure that does not allow for "final" deletion of data, effective solutions are necessary to comply with the right to be forgotten.
RIGHT TO DATA PORTABILITY
This is to ensure that the data subject can receive a complete set of his or her data in the format of his or her choice (i.e. in a usable format and on the medium of his or her choice).
SUBJECT ACCESS REQUEST (SAR)
Data subjects have the right to receive a complete copy of their personal data within 30 days of their request. Organisations must be able to handle a possible increase in the volume of SARs within that time limit.
APPOINTMENT OF A DATA PROTECTION OFFICER (DPO)
Under the GDPR, all organisations with more than 250 employees must appoint and compulsorily register a DPO with the regulator, while smaller organisations may also need to appoint a DPO given the volume or sensitivity of the data they handle. We provide training and support for DPOs.
WEBSITE PRIVACY POLICIES
Website privacy policies should reflect how personal data is collected, stored, retained, transmitted and disposed of. They should also explain how a user can exercise the various rights granted by the GDPR.
Many website cookies collect user data, such as IP addresses, and provide data to third parties. Cookies must be clearly listed on your company's website and consent must be obtained for their use, even if they are only analytical or session cookies.