Click cover to download

(Subscriber-only password access)

Not a subscriber?

Click here to join the FREE mailing list and receive password access

Given the increasing quantity and sensitivity of data companies produce, store and utilise, data protection is not just a legal necessity, it is crucial to protecting and maintaining profitability in the digital age. As the ambition and technological capability of malicious actors continues to grow, valuable data is being targeted frequently, and companies must be in a position to protect it from attack. Be it employee personally identifiable information, customer details or intellectual property, among others, cyber criminals are using sophisticated tools to breach cyber defences and steal data for nefarious purposes.

UNITED STATES

Paul Collier

Kirkland & Ellis

“Most US companies are aware that they have obligations with respect to confidentiality and data protection, but they face a challenge to understand all those obligations under the myriad federal, state and international regulations that potentially apply. Fortunately, federal legislation on data privacy and security has remained largely unchanged in recent years, and federal agencies responsible for enforcing those laws, such as the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau, have published helpful guidelines for compliance with those laws. But confidentiality and data security obligations in the US do not end with federal regulations.”

MEXICO

Rodrigo Méndez Solís

Hogan Lovells BSTL, S.C.

“Although the Mexican Data Protection Law was enforced seven years ago, many Mexican companies are still not fully aware of their privacy and data protection responsibilities. Regardless, the Mexican regulatory authorities have implemented many measures to increase awareness among data controllers, processors and individuals regarding their data protection obligations and rights. However, some companies still believe that the only step they need to take to achieve compliance is to have a privacy notice in place – this is completely wrong.”

BELGIUM

Laurent De Muyter

Jones Day

“There has been a clear increase in company awareness and understanding of duties under privacy laws. The adoption of the General Data Protection Regulation (GDPR) was heavily reported in the Belgian press, and the new accountability obligations introduced by the GDPR have attracted companies’ attention. Of course, some companies are more advanced than others in completing their gap analysis, but the GDPR’s complexity means that even the more advanced companies still need to fine-tune their compliance programmes, for example to take into consideration the recommendations regularly published by the Article 29 Working Party and the Belgian Privacy Commission.”

NETHERLANDS

Elisabeth Thole

Van Doorne NV

“In my practice we are seeing that awareness of data protection in general is growing significantly. This is especially in view of the General Data Protection Regulation (GDPR) that will apply as of per 25 May 2018. However, in-depth knowledge about the content, applicability and reach of specific data protection obligations is often still lacking. Here, we can distinguish between two sorts of companies. On the one hand, we encounter companies that are aware of their lack of knowledge regarding the specific content and application of the data protection rules. These are companies that mostly only ask for advice before they, for example, implement a new scheme with a related privacy impact.”

GERMANY

Dr Jochen Lehmann

GÖRG

“Companies’ awareness and understanding of data protection and confidentiality has developed greatly in recent years. Until about 10 years ago, data protection was not taken seriously, fines were rare and low and regulators were greatly under-staffed. However, this has changed of late. Companies that persistently fail to comply face the risk of fines that run into the millions of euros. Data protection issues and, data breaches in particular, have garnered much public attention and the loss of data is now a serious threat to a company’s reputation. Companies have responded to these changing circumstances by putting a lot of effort into achieving compliance and by regarding it as an important issue.”

ITALY

Francesco De Biasi

Cleary Gottlieb Steen & Hamilton LLP

“We have noticed that Italian companies have started to pay more attention to confidentiality and, more generally, data protection issues, in part due to the risk of considerable fines for non-compliance under the European General Data Protection Regulation (GDPR), which will come into force on 25 May 2018. Indeed, these fines are much higher than those provided for in the Italian Data Protection Code. Moreover, as a consequence of the GDPR, companies in Italy are becoming more aware of the fact that obligations under data protection law are not simply limited to paperwork and often require a structural reorganisation of roles and responsibilities within an organisation and changes to personal data processing procedures.”

TURKEY

Onur Küçük

KPMG Turkey

“The Law on the Protection of Personal Data (PPDL) was published on 7 April 2016 and was fully enforced on 7 October 2016. Although the PPDL foresaw the formation of the personal Data Protection Authority (DPA) on 7 October 2016 and the enforcement of the secondary regulations by the DPA until 7 April 2017, the delay in the incorporation of the DPA resulted in a delay in enforcing the secondary regulations. This delay caused a de facto extension of the deadline for companies to achieve compliance with the requirements of the PPDL and companies took this opportunity to increase awareness both within their organisations and among their customers.”

RUSSIAN FEDERATION

Sergey V. Medvedev

Gorodissky & Partners

“Data protection and cyber security have become the trendiest and most discussed topics in the information technology (IT) sector worldwide in the last few years. Russian jurisdiction is not an exception in this regard. Indeed, in the age of the development of the digital economy and evolving privacy laws, companies, including those that are present in the Russian market as well as foreign investors, tend to generally assess their data protection strategies in order to mitigate the associated risks. In my personal opinion, not all of them are fully aware of their rights and obligations in this particular area, especially their confidentiality duties when processing personally identifiable information (PII).”

INDIA

Suhail Nathani

Economic Laws Practice

“Many organisations collect the personal data of their employees. However, not many are aware of the extent and nature of the duty upon them to protect the privacy and confidentiality of this data. Currently, India does not have comprehensive data protection legislation. The main enactment that deals with protection of data is the Information Technology Act and the rules framed thereunder. As per the Act, if an employer stores the personal information of its employees on a computer, it is required to have in place a comprehensive, documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected.”

CHINA & HONG KONG

Jennifer Ho

PwC Hong Kong

“Under the ‘one country, two systems’ approach, Hong Kong is a separate jurisdiction from mainland China, and Hong Kong is one of Asia’s earliest adopters of comprehensive data privacy regulation. The Personal Data (Privacy) Ordinance (PDPO) came into force in 1996. Mainland China does not have a uniform data protection law; instead it regulates data privacy issues through a number of industry-specific laws. Also, mainland China does not have a centralised data protection authority. Data protection is an increasingly key priority for companies in Hong Kong; however, in mainland China, the landscape is divergent.”

JAPAN

Takashi Nakazaki

Anderson Mori & Tomotsune

“Most Japanese companies fully understand their duties regarding confidentiality and data protection, but the number of data breaches involving confidential information and personal data continues to increase each year. Advances in technology are responsible for many of the breaches. For example, large capacity USB drives enable a malicious employee to easily steal trade secrets. Furthermore, a lack of employee loyalty and insufficient control of subcontractors and third parties, such as data processing service providers, also bear some responsibility for the increase in breaches.”

AUSTRALIA

Sylvia Ng

PricewaterhouseCoopers Australia

“Companies are being forced to have a better understanding of their duties with the introduction of the Notifiable Data Breach (NDB) regime in Australia and the EU’s General Data Protection Regulation (GDPR), both of which come into effect in 2018. The threat of penalties and fines for non-compliance with these new laws, cyber threats and increasing public awareness of privacy has heightened the need and put data protection on the agenda of many Australian businesses. In particular, cyber security has become a hot topic for boards. However, current understandings and maturity levels vary.”

ISRAEL

Haim Ravia

Pearl Cohen

“It would be presumptuous to say that companies, across the board, fully understand their data protection duties. Companies that face international clientele and that are exposed to foreign data protection and privacy laws usually exhibit an appreciable effort to comply with the evolving data protection and privacy laws, particularly the forthcoming European General Data Protection Rule (GDPR) and comparable sector-specific laws, such as the US Children’s Online Privacy Protection Act (COPPA). They do so mainly because they understand that they must take steps toward compliance.”

CONTRIBUTORS

Anderson Mori & Tomotsune

Cleary Gottlieb Steen & Hamilton LLP

Economic Laws Practice

GÖRG

Gorodissky & Partners

Hogan Lovells BSTL, S.C.

Jones Day

Kirkland & Ellis

KPMG Turkey

Pearl Cohen

PricewaterhouseCoopers Australia

PwC Hong Kong

Van Doorne NV