DATA PROTECTION & PRIVACY LAWS
ANNUAL REVIEW 2015
Published by
Financier Worldwide
23rd Floor, Alpha Tower
Suffolk Street, Queensway
Birmingham B1 1TT
United Kingdom
Telephone: +44 (0)845 345 0456
Fax: +44 (0)121 600 5911
Email: [email protected]
www.financierworldwide.com
Copyright © 2015 Financier Worldwide
All rights reserved.
Annual Review • November 2015
Data Protection & Privacy Laws
No part of this publication may be copied, reproduced, transmitted or held in a
retrievable system without the written permission of the publishers.
Whilst every effort is made to ensure the accuracy of all material published in
Financier Worldwide, the publishers accept no responsibility for any errors or
omissions, nor for any claims made as a result of such errors or omissions.
Views expressed by contributors are not necessarily those of the publisher.
Any statements expressed by professionals in this publication are understood to
be general opinions and should not be relied upon as legal or financial advice.
Opinions expressed herein do not necessarily represent the views of the author’s
firm or clients or of any organisations of which the author is a member.
Financier Worldwide canvasses the opinions of leading professionals around the world on the latest trends in data protection & privacy laws.
Contents
UNITED STATES ..................................................... 08 Daniel Farris, POLSINELLI
CANADA ............................................................... 12 Raymond Doray, LAVERY, DE BILLY, LLP
MEXICO ................................................................ 16 Fernando Roman Sandoval, PWC MEXICO
UNITED KINGDOM ................................................ 20 Bridget Treacy, HUNTON & WILLIAMS
FRANCE ................................................................ 24 Claire François, HUNTON & WILLIAMS LLP
BELGIUM ............................................................... 28 Wim Nauwelaerts, HUNTON & WILLIAMS LLP
LUXEMBOURG ....................................................... 32 Alain Grosjean, BONN & SCHMITT
DENMARK ............................................................. 36 Elsebeth Aaes-Jørgensen, NORRBOM VINDING
ITALY .................................................................... 40 Alfredo Gallistru, PWC ITALY
JAPAN ................................................................... 44 Takashi Nakazaki, ANDERSON MORI & TOMOTSUNE
CHINA .................................................................. 48 Manuel Maisog, HUNTON & WILLIAMS LLP
TAIWAN ................................................................ 52 Chin-Jui Chang, PWC TAIWAN
AUSTRALIA ........................................................... 56 Grace Guinto, PWC AUSTRALIA
NEW ZEALAND ..................................................... 60 Steve McCabe, PWC NEW ZEALAND
SOUTH AFRICA ..................................................... 64 Busisiwe Mathe, PWC SOUTH AFRICA
ANNUAL REVIEW • DATA PROTECTION & PRIVACY LAWS 2015
INTRODUCTION
If all continues to plan, the end of 2015 will welcome the most significant piece of privacy legislation in 20 years. The EU’s General Data Protection Regulation is poised to supplant the Directive of 1995 and put in place an EU-wide scheme that would see vastly increased powers for data protection authorities, new requirements for data breach notification and, perhaps, new working definitions of things like ‘purpose limitation’ and ‘data minimisation’.
Of course, that ‘perhaps’ looms large. We won’t know until after the trilogue negotiations are finished just which definition or regulation we’ll need to comply with going forward. That has much of industry on pins and needles, and rightly so.
Further, many companies on both sides of the Atlantic have just been stunned by the Schrems ruling and the invalidation of Safe Harbor by the European Court of Justice. When the Austrian law student decided to demand that Facebook be investigated by the Irish Data Protection Commissioner, on something of a lark, very few observers saw a complete undoing of a 15-year-old data-transfer mechanism in the offing.
Now some 4500 companies are left scrambling to put new measures in place to either find a new path for the transfer of data to the US or find ways to make sure the data doesn’t go there in the first place. Will the US and EU be able to hammer out a Safe Harbor 2.0 in the near future? Would such an agreement simply be invalidated by another lawsuit brought by another privacy activist? Is it possible that model contractual clauses and binding corporate rules could be invalidated in similar fashion?
These are, quite simply, uncertain times; and not only for the US and the EU. Companies around the world are struggling with the very real privacy issues springing up every day with the Internet of Things, Big Data, targeted advertising, location tracking and personalisation. On the one hand, some customers love it when your app knows where they are and recommends a good coffee shop just down the road. Others find it creepy if you use their desktop browser history to deliver an app on their mobile device.
HOW’D THEY KNOW THAT?
You know more about your customers than ever before. That means opportunity. But, increasingly, it also means risk. Understanding the privacy and data protection landscape is vital for the future of business. This past year has been a rollercoaster, but there may be more twists and loops just around the corner.
Sam Pfeifle Publications Director
IAPP – International Association of Privacy Professionals
+1 (603) 427 9209
8 • FINANCIER WORLDWIDE • NOVEMBER 2015 www.financierworldwide.com
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN THE US?
FARRIS: In the US, companies are confused. Led again by California,
13 US states have passed new privacy-related laws, and 52 other
bills were introduced in state legislatures during 2015 alone. Two
different bills – the Protecting Cyber Networks Act and the National
Cybersecurity Protection Advancement Act – passed the federal House
of Representatives, and the Senate recently passed the Cybersecurity
Information Sharing Act, which now must be reconciled. Most
importantly, however, the effects of the EU Court of Justice’s Schrems
decision have US companies reeling. The current environment is
characterised by anxiety and confusion. Most companies are investing
in data security and privacy compliance, and most want to be good
corporate citizens, but regulators are making that an increasingly
difficult task.
FARRIS: Since 2013, the majority of high-profile breaches have occurred
in the United States, or involved US companies. Not surprisingly, the
US has the highest cost of breach in the world, double the next closest
jurisdiction at more than $15m per incident for companies with at least
1000 users. Companies that experience a breach in the US can expect
to be subject to litigation involving consumer class actions, shareholder
derivative suits and claims by financial institutions and partners to
recover for fraud-related losses, regulatory enforcement campaigns and
significant bad press. Reputational damage and lost profits can exceed
$100m for larger incidents.
UNITED STATES • DANIEL FARRIS • POLSINELLI
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN THE US?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
FARRIS: Penalties may vary depending on the scope and size of a
breach, the type of information involved and the regulatory regime in
the relevant industry. Breaches involving protected health information,
as defined by HIPAA, carry the most risk for companies. Last year, the
federal Department of Health and Human Services’ Office of Civil
Rights settled charges against two New York healthcare organisations
for $4.8m. Conversely, the Securities and Exchange Commission has
issued fines against financial advisers and financial institutions ranging
from approximately $15,000 to $75,000 in recent months. In addition
to fines, however, companies may be required to undertake corrective
action plans, which may include completing a risk analysis, developing
a risk management plan, revising policies and procedures, training staff
and providing progress reports.
FARRIS: There may be no more important takeaway from recent
cases than this: companies should prepare, test and refine data breach
response plans, including the development of multidisciplinary response
teams. Most US CISOs and privacy professionals recognise the need
for flexible and adaptive policies and technological security measures
developed through collaboration between technology, business and
legal leads. In fact, the National Institute of Standards and Technology
(NIST) Framework for Improving Critical Infrastructure Cybersecurity
expressly recognises the need for a range of privacy and security
measures along the passive to adaptive spectrum. The important thing
is to start somewhere, and to engage in exercises, drills and testing of
your policies and systems. Companies that do not have, or do not follow,
a breach plan are usually caught on their heels, and their response to
a breach is usually driven by fear and panic. With the prevailing view
that breach is inevitable, it’s not only guarding against a breach that’s
important, but rather what you do and how you respond when a breach
occurs that is of paramount importance.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
FARRIS: Practice and update the breach plan regularly. In the US, there
are anywhere from 1.4 million to 1.6 million fires per year, and, as a
result, virtually all companies have fire prevention and suppression
systems, and most practice fire drills periodically. In 2014, there were
42.8 million cyber incidents, and the number is expected to have been
higher in 2015. Yet most companies do not engage in data breach
exercises. All critical personnel, including all or most of the executive
suite, should know what his or her role is in the event of a breach. The
breach plan needs to be rigid enough to stand up to the majority of
your ‘run of the mill’ breach situations, but flexible enough to allow key
stakeholders to make decisions when the breach situation changes in
unexpected ways.
FARRIS: Employees remain the single largest threat to corporate privacy
and data security initiatives. Limiting employee access to sensitive
information using the principles of least privilege and role-based access
is the critical first step to managing internal threats. Companies that
implement controls to limit employee access to information are able to
manage and mitigate internal risk better than companies that do not.
Increasingly, companies are also using not only active, but predictive
monitoring to analyse their own data flows, not just potential threats.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN THE US? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
Daniel Farris
Shareholder
Polsinelli
+1 (312) 463 6323
Daniel Farris is a former software engineer and network administrator in the telecommunications industry. He offers his clients real-world experience in fibre optic networking, cloud computing, mobile app development and data privacy and security. His practice is founded upon understanding how technology can strengthen and expand upon the core missions of his clients’ businesses. Mr Farris is a shareholder and co-chair of Polsinelli’s data privacy and security team.
FARRIS: It is difficult to say that there is a strong culture of data
protection in the US. Companies increasingly view privacy and data
security as core to their business, or as something that can create
competitive advantage, but the rapidly evolving and sometimes
conflicting regulatory environment makes it difficult for most. There are
rising calls at many large corporations to ‘get ahead’ of the regulators
on issues related to privacy and data security, but for many small and
mid-sized companies, data protection remains a lagging index and an
area where a significant amount of catch up work is required.
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN CANADA?
DORAY: The main challenge for companies operating in Canada results from
the Canadian legislative structure under which privacy matters are regulated by
federal and provincial statutory regulations, both broad and focused. For example,
the federal Personal Information Protection and Electronic Documents Act (PIPEDA)
applies to personal information collected, used and communicated in the course of
commercial activities within those provinces and territories that have not enacted
substantially similar legislation and, across Canada, to extraterritorial transfers of data.
It does not apply to employee personal information, unless it is held by a federal
undertaking. The Québec, British Columbia, Alberta and Manitoba (not yet in
force) acts respecting the protection of personal information in the private sector,
on the other hand, provide equivalent, if not much more stringent, requirements
for employee and customer data alike. Similarly, Alberta, Manitoba, Ontario,
Saskatchewan, New Brunswick, Nova Scotia, and Newfoundland and Labrador
have legislation specifically governing the collection, use and communication
of personal health information. In addition, Canada has recently enacted one of
the world’s most rigorous and potentially broad pieces of anti-spam legislation.
Because of this dramatically eclectic privacy landscape, it is not surprising that
companies do not fully understand their duties of confidentiality and data
protection.
DORAY: The courts, in addition to various government organisations and agencies,
are responsible for overseeing compliance with the laws in Canada that govern
privacy rights. Risks range from damage to reputation, substantial economic loss,
misuse of confidential information and even public safety issues. A growing trend,
caused by robust privacy legislation and the possibility of punitive damages, is
privacy class actions that are costly and time-consuming. In addition, as the
amount of personal information collected, used and communicated by companies
continues to increase exponentially, and security breaches receive more and more
media attention, regulators are also calling for more in-depth privacy audits,
mandatory breach notifications and stronger enforcement powers.
CANADA • RAYMOND DORAY • LAVERY, DE BILLY, LLP
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN CANADA?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
DORAY: There are various types of penalties that may apply depending on the
context. These range from non-enforceable recommendations to orders requiring
companies to correct their practices. Several acts provide for specific fines and, in
some cases, director and officer liability. In Québec, for example, a company is
liable to a fine of up to C$50,000 for a first offence and, for subsequent offences,
up to C$100,000. In addition, administrators, directors or representatives of a
company may be held personally liable for the payment of the fine. That said,
the courts can also award damages following a breach of privacy. The amount
for damages that can be awarded in this context has no ceiling, and can include
punitive damages, since the right of privacy is a fundamental right in many
jurisdictions.
DORAY: Most cases decided this past year relate to new technologies. Mobile
applications, targeted advertising, cloud-based computing, social networking,
biometrics and spam were at the top of most Canadian regulators’ to-do lists,
and resulted in tighter controls and more elaborate guidelines for the industry.
The Safe Harbour Framework invalidation, although arguably the most important
privacy case this year, is unlikely to have serious impacts for companies operating in
Canada since the European Commission, which is granted the authority to decide
whether a particular non-EU country ensures an adequate level of protection “by
reason of its domestic law or of the international commitments it has entered
into”, previously recognised Canada as providing adequate protection. That said, it
is worth noting that PIPEDA was amended this year to introduce new requirements
for a company’s collection, use and disclosure of personal information in the
course of its commercial activities. Perhaps the most important of the proposed
amendments relates to breach notifications which, when it comes into force, will
require companies operating in Canada to report the loss of, unauthorised access
to, or unauthorised disclosure of personal information resulting from a breach of
its security safeguards, or its failure to establish such safeguards.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
DORAY: Building strong privacy practices is key to preparing for a potential
data security risk, and most importantly, to prevent one. Appointing a privacy
officer, creating and implementing a general privacy policy, and meeting the
other direct requirements of the Canadian privacy legislation may no longer
be sufficient. With regard to privacy breach procedures, a company should
adopt a specific policy which includes the obligation to immediately report
actual and potential breaches to the appropriate internal office or person,
and details the steps to be taken in response to a breach, namely how to
promptly contain the breach, assess the risk of harm, determine whether
notification is required and develop remedial strategies. It is important to
have a policy that is both enforceable and current to ensure that it responds
adequately to the company’s needs.
DORAY: There are several measures that companies can utilise to prevent
privacy breaches caused by rogue employees. For example, companies should
consider having a records management structure which identifies and governs
its business records that contain personal information, and limits access to
sensible documents and information through security classifications. In
managing human resources, companies should further recognise the need
to address the privacy challenge through measures necessary to ensure the
protection of the personal information collected, used, communicated, kept
or destroyed, and that are reasonable given the sensitivity of the information,
the purposes for which it is to be used, the quantity and distribution of the
information and the medium on which it is stored. Appropriate actions may
include pre-employment screening, confidentiality agreements, orientation
and training, monitoring, random intrusion detection and security audits.
Finally, companies should manage the risk of loss or theft of personal
information by following a departing employee protocol which provides for
access termination, an exit interview and a return-of-property checklist. The
use of remote destruction of personal information on devices, in cases where
employees have lost their computers or refuse to return them, should also be
contemplated.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN CANADA? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
Raymond Doray
Partner
Lavery, De Billy, LLP
+1 (514) 877 2913
Raymond Doray, Ad.E. and Fellow of The American College of Trial Lawyers, has been a member of the Québec Bar since 1982. He founded the information and privacy law sector of the firm almost 30 years ago. Since 2002, he has published and updated a book of more than 2000 pages on this topic that has been frequently cited with approval by the courts. Over the years, Mr Doray has represented many public and private organisations before the trial and appellate courts as well as the Supreme Court of Canada in cases involving privacy, and the confidential nature of documents and information.
DORAY: Canada has always been at the forefront of privacy protection in the
private sector. Canadian companies have therefore developed practical skills
enabling them to embed privacy into the products, services and processes
they offer and employ. Although comprehensive, the legislative structure
previously described leaves ample room for companies to let business
and risk-related considerations govern what, when and how to implement
appropriate controls and risk management processes. However, given
Canada’s distinctive approach to privacy, companies that wish to enter the
Canadian market for the first time are likely to face a significant challenge.
A proactive approach is therefore almost compulsory and should include a
voluntary privacy audit by a recognised privacy expert in order to reduce
liability, mitigate risks and ensure compliance.
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN MEXICO?
ROMAN: The Mexican privacy law was issued in July 2010, but after
five years many companies still do not understand the impact and
importance of the law and privacy. We have seen over the last year
that companies are being more conscious about the financial and
reputational impact of this law because the authorities are establishing
high monetary penalties for non-compliance in all types of business and
sectors. Previously, companies in Mexico believed that privacy simply
involved notifying data owners of the purpose for which their data was
being used. However, they are now becoming more aware that privacy
involves many different aspects including technical, physical and
administrative security measures, and also involves making changes to
their processes and how data is handled to mitigate risks such as data
loss, leakage or malicious usage.
ROMAN: Mexicans are facing more and more privacy issues
encompassing topics such as identity theft and fraud. The more
frequently people hear about a database leakage or that their data has
been stolen, the more quickly they start to lose trust in companies
and how those firms will use and protect their customer data. We can
see in the media that data breaches are increasingly becoming a big
issue in Mexico, and companies are facing more cyber security risks.
Accordingly, companies are facing significant reputational risks. More
firms are being talked about not for the services they provide or for
their competitive advantages, but for their security issues, or because
of the latest breach they have suffered.
MEXICO • FERNANDO ROMAN SANDOVAL • PWC MEXICO
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN MEXICO?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
ROMAN: The Mexican privacy law has two types of penalties. The first
is a fine of up to MXN 21m and the second is imprisonment from
six months up to five years. Both can be doubled if the case involves
sensitive data. In 2014, the authorities handed down penalties of around
MXN 66m for non-compliance to 26 different companies. The main
sectors that have been sanctioned are the financial and health sectors.
The penalties have been related to non-compliance issues such as not
executing the data owners’ rights, not establishing adequate privacy
notices, incorrect data transfers without the data owners’ consent and
database vulnerabilities.
ROMAN: Currently one of the biggest privacy issues in Mexico relates
to firms not having adequate security measures in place to protect
data. This often results in data leakage or misuse. In our experience, one
of the biggest problems is that companies don’t understand and do
not have a complete vision of how data flows inside the company. Due
to the increase in news about data privacy penalties and the security
issues companies are facing, in the coming years companies’ main
focus will likely be related to data governance and good information
security practices to ensure that data is protected during its lifecycle
by establishing adequate controls related to technical controls and
administrative policies, procedures and processes.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
ROMAN: In our experience, the first step is to establish the whole
data flow cycle – how the company obtains data, where they store
it and how they transfer or destroy it. This can help to identify all the
risks that companies face and what controls are necessary to protect
the data. Then they should be able to establish controls to monitor
how the data is handled, and have a good incident response plan to
detect any data issues they are facing, stop the vulnerability and start
adequate remediation plans. One of the key issues is how to analyse
the incident, develop the root-cause analysis and have a good response
team made up of the key stakeholders who can make the decisions
and take actions to resolve the issue. A good practice is to integrate
the incident response plan into the business continuity plan. Also, one
of the key aspects in an incident response plan is to have remediation
services to soften the blow of a data breach, by facilitating good
communications with the parties involved, such as a call centre.
ROMAN: Most companies are starting to create their own privacy
and security cultures by issuing an internal privacy policy where they
establish the company’s missions and objectives related to privacy
and how personal data must be handled. Also, they are establishing
privacy clauses and obligations in employee contracts. The main aspect
is creating awareness and consciousness among employees on the
importance and impact of protecting personal data by providing annual
training and having good communication strategies to constantly
remind employees of the importance of executing and following
security and privacy practices established by the company.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN MEXICO? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
Fernando Roman Sandoval
Cyber Security and Data Privacy Partner in Risk Assurance
PwC Mexico
+52 55 526 5898
Fernando Roman Sandoval is an Information Security and Technology Partner in PwC Mexico within the IT Risk Assurance area. During the last 10 years, he has developed PwC Mexico’s information security and technology services portfolio, through which he has provided support to clients concerning the strengthening of their risk management and compliance with different regulations which they are subject to. Mr Roman has participated in and managed numerous projects in different industry sectors: financial sector, public sector, and consumer, among others. Mr Roman is the coordinator responsible for the IT Risk Assurance Innovation Group for PwC Mexico.
ROMAN: In Mexico, we are just beginning to understand the idea of
what privacy is and what it involves. The issuing of the law was the
first step the country took in developing a data protection culture. The
National Institute of Information Access (INAI) has initiated strong
campaigns to create a privacy culture. This year, Mexicans are starting
to understand more about the law and are becoming more conscious
of their constitutional privacy laws. In the coming years, privacy will
become more important and people will take better precautions when
protecting their personal data. According to our June 2015 study on
Cyber Security in Mexico, going forward companies in Mexico will be
challenged by the constant movement of sensitive and confidential
information and transactions in the digital space, and will likely be much
more vulnerable to attack. Organisations today face unprecedented
cyber and insider threats to data and the information technologies
that store, process and transmit it. Because of these threats, we are
seeing a paradigm shift in the way companies are approaching cyber
security. Companies across all sectors need to create good information
security strategies according to their industry, to build an environment
to protect and enforce the security measures around their data and
generate more trust from their customers.
UNITED KINGDOM • BRIDGET TREACY • HUNTON & WILLIAMS
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN THE UK?
TREACY: The degree to which different companies understand their
privacy and data protection compliance obligations varies considerably. In
general, companies that operate in highly regulated industries, or routinely
process large volumes of personal data – such as banks, pharmaceutical
companies, search engines, or insurance companies – are the most likely
to have well-structured risk management procedures deeply embedded
within their respective corporate cultures. Many other companies,
however, do not fully understand their data protection obligations, or focus
their attention too narrowly on data security while neglecting broader
compliance requirements. For example, the Information Commissioner’s
Office (ICO) recently issued a £200,000 fine – the largest ever issued for
direct marketing offences in the UK – to a company that had failed to
understand its compliance obligations. In a world of big data analytics, the
cloud, and the internet of things, the businesses that flourish are those
that understand how to fulfil their compliance obligations, and use their
data assets strategically to build trust and confidence among consumers.
TREACY: The risks associated with failures to comply with data protection law are increasing markedly. The proposed General Data Protection Regulation will bring with it greater enforcement powers for regulators and significantly higher fines of up to €100m or between 2 and 5 percent of global turnover. In addition, the reputational risks of non-compliance are significant. The results of investigations by the ICO are generally made public and are permanently maintained on the ICO’s website, potentially causing substantial and long-lasting public relations damage to the investigated company. Serious failures to process personal data responsibly can also damage consumer trust, and may have a long-lasting negative impact upon customer relationships. There is also a danger of being excessively risk-averse, as such an approach may restrict a company’s ability to exploit business opportunities arising out of its data processing operations. Striking the right balance between these risks is key to succeeding in this area.
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN THE UK?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
TREACY: Any applicable penalty depends on the nature and scale of the
relevant violation, and the ICO has a range of enforcement powers, and
wide ranging discretion, available to it. In the first instance, the ICO is
likely to contact the company to request information about the suspected
violation. Following a failure to provide the requested information, the
ICO may serve an ‘Information Notice’, which is a legally binding demand
for information. If the ICO determines that a violation has occurred, it can
issue an ‘enforcement notice’, which may require the company to make
changes to its data processing operations or cease certain processing
activities altogether. The ICO can also impose fines of up to £500,000.
In a few limited cases, for example, where personal data are unlawfully
obtained, or where the company fails to fulfil its obligation to register
as a data controller where applicable, the ICO may pursue a criminal
prosecution against the company.
TREACY: The overall trend in recent case law has been that the privacy rights of individuals are paramount, and take precedence over the business interests of companies. In particular, the CJEU has demonstrated a willingness to adopt flexible interpretations of the law in order to give effect to the data protection rights of individuals and in Schrems has invalidated the European Commission’s US Safe Harbor decision in order to protect the privacy of individuals. In a similar vein, the English courts have shown a willingness in cases such as Vidal Hall to create new categories of civil wrongs in order to protect individuals and, in some cases such as Mulcahy, they have directly overruled guidance from the ICO. The message for companies is that the courts take data protection rights seriously, and they consider the commercial interests of companies to be of secondary importance where the two conflict.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
TREACY: First and foremost, companies should take steps to implement
appropriate security measures, in order to minimise the risk of a security
breach. However, even the best security measures can be breached,
and companies should therefore put careful thought into creating and
implementing a clear data breach policy, and ensuring that employees are
trained in the application of the policy. At a minimum, a data breach policy
should explain to employees what they should do in the event that they
discover a data breach. It is important to designate an individual or team, in
advance, to act as the primary contact point in the event of a data breach.
The data breach policy should also address the steps that the company
should take in response to a breach. These include investigating the
breach to establish its extent and possible consequences, and establishing
whether it is appropriate to report the breach to any regulators or affected
individuals.
TREACY: Companies should ensure that they provide regular and
comprehensive data protection training to those employees that process
personal data, ensuring that such employees understand that the
company’s ability to comply with the law depends on those employees.
If the company fosters a strong culture of data protection compliance,
and employees have a good level of awareness of their responsibilities,
then rogue behaviour is more likely to be noticed. In addition, companies
should implement strong internal data security measures, including
limiting logical and physical access to systems containing personal data,
implementing network logging to record which employees access those
systems and, where appropriate, using data loss prevention techniques to
prevent data being taken outside the company’s systems without proper
authorisation. If the company suspects that an employee has breached
its data protection or data security policies, it should carefully investigate
that suspected breach and take disciplinary action where necessary.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN THE UK? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
TREACY: There is a growing culture of data protection compliance in the UK because companies are finding that trust is a key factor in persuading consumers to use their services. As companies continue to invest in technologies to enable them to better monetise data, through data sharing and ‘big data’ analytics, they are increasingly keen to be seen to be doing the right thing when it comes to protecting individual privacy. Many companies are beginning to use a consumer-friendly approach to privacy as a business differentiator, illustrating the ways in which their products and services are more privacy-focused than those of their competitors. Companies are also reviewing, assessing and updating their compliance structures in preparation for the proposed General Data Protection Regulation, which will materially increase the data protection compliance burden on most companies.
Bridget Treacy
Partner
Hunton & Williams
+44 (0)20 7220 5731
Bridget Treacy leads Hunton & Williams’ UK Privacy and Cyber security team. For more than 14 years her practice has focused on all aspects of privacy and information governance for multinational companies, including big data analytics and the internet of things, behavioural targeting, cloud computing, cross-border data transfers and BCRs, and data breach. Ms Treacy is top ranked in Chambers, which describes her as “one of the leading thinkers on data protection, providing practical solutions to thorny legal issues”.
FRANCE • CLAIRE FRANÇOIS • HUNTON & WILLIAMS LLP
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN FRANCE?
FRANÇOIS: Companies are getting a better understanding of their data
protection obligations under the current regulatory framework. This may
be explained by a number of factors, including the fact that the French
data protection authority (CNIL) regularly publishes guidance. For
example, on 19 February 2015, the CNIL published practical information
to remind companies of best practices related to Bring Your Own Device
programmes. On 2 September 2015, the CNIL released new guidance to
help child-directed website publishers comply with French data protection
law. However, the CNIL has not taken an official position in every instance
and companies are constantly developing new technologies involving the
processing of personal data, which may raise questions on how to reach
compliance in these new circumstances. Finally, the proposed EU General
Data Protection Regulation will impose new accountability obligations and
companies are figuring out the impact of these new obligations for their
organisation.
FRANÇOIS: Companies face high reputational risks due to the increased publicity around data protection. The CNIL may make its sanctions public and order their publication in newspapers or other media at the expense of the company that breaches French data protection law. The CNIL may also publish the formal notice it serves on a company to cease its non-compliance. Formal notices do not constitute a sanction but they may lead to a fine if the company does not comply with the notice served. The CNIL regularly uses this power by publishing its decisions, including its formal notices, which results in adverse publicity for companies. Turning to financial risks, such risks are currently medium. The CNIL generally imposes administrative fines that do not exceed €40,000 and only in a second stage, but there is also a risk of criminal proceedings and higher fines in this context. Financial risks will be increased under the new EU regulatory framework, with fines of up to 2 or 5 percent of a company’s annual worldwide turnover.
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN FRANCE?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
FRANÇOIS: The CNIL may impose an administrative sanction on a company
that acts as a data controller for breaching French data protection law. These
sanctions may include a warning, a fine of up to €150,000 or €300,000 in
the event of a repeat breach within five years, if the CNIL has served formal
notice on the company to cease its non-compliance within a given deadline
and the company does not comply with the notice served, an injunction
to cease data processing, and withdrawal of any authorisation granted. In
addition, CNIL may refer the case to the French public prosecutor or a data
subject may raise a criminal complaint and a French judge may impose a
criminal sanction which may lead to up to five years’ imprisonment and
a fine of up to €300,000 for individuals or €1.5m if the company is held
liable. Data subjects who suffered damage as a result of a breach of data
protection law could also claim compensation in civil law proceedings.
FRANÇOIS: On 3 January 2014, the CNIL imposed a record fine of €150,000 on Google Inc. for various breaches of French data protection law, including cookie law requirements. The CNIL started inspections in October 2014 to verify whether companies were complying with these requirements. On 30 June 2015, the CNIL published the results of these inspections, which revealed that, in general, websites do not sufficiently inform web users of the use of cookies and do not obtain their consent before placing cookies on their devices. The CNIL also observed that websites often invite users to adjust their browser settings to refuse cookies. According to the CNIL, however, browser settings constitute a compliant opt-out mechanism only in very limited circumstances. The CNIL, therefore, served a formal notice on approximately 20 web publishers to comply with French cookie law requirements within a prescribed period of time. The first responses provided by web publishers show their willingness to comply.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
FRANÇOIS: Irrespective of their notification requirements, companies
should develop a data breach response plan. That plan should at least specify
the types of information to be conveyed to the data protection officer
(DPO), if any, or the president or CEO in less than 24 hours of detecting the
breach, and elements to help determine the nature of the breach. It should
cover all the steps to handle a data security breach, from the detection of
the breach to the implementation of corrective measures and a revision
of the previous risk analysis, if appropriate. Upstream, companies should
conduct a risk analysis or privacy impact assessment (PIA) when creating
new products, services or other data processing activities. On 2 July 2015,
the CNIL published its methodology to conduct PIAs. On that occasion, the
CNIL stressed the importance of monitoring changes over time – changes
in the context of which data processing takes place, controls to comply
with legal requirements and address privacy risks, and updating the PIA
whenever a significant change occurs.
FRANÇOIS: Companies can first manage these risks and threats by having
an internal privacy policy that defines the role and responsibility of each
actor involved in the implementation of data processing operations. This
policy should explain how the organisation protects personal data and
contain the organisation’s primary data protection principles. Companies
should raise employee awareness about the policy and the risks associated
with data protection through appropriate training activities. They should
also ensure that they have the proper data processing agreements in
place. Further, they should conduct periodic audits, internal or external,
of the processing operations that pose the highest risk, to ensure that
employees and subcontractors process personal data in compliance with
data protection requirements.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN FRANCE? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
FRANÇOIS: A rather strong culture of data protection is indeed developing in France. Since 2011, the CNIL has granted more than 50 seals to companies that comply with the requirements laid down in one of its four standards. In January 2015, the CNIL published its 4th standard on Data Protection Governance to assist organisations that have appointed a DPO in France to implement appropriate controls and improve accountability in light of the proposed EU General Data Protection Regulation. Companies complying with the 25 requirements set out in this standard may obtain a seal for their data privacy governance procedures. The CNIL had previously adopted standards on procedures such as data processing audits and data protection training programmes as well as a standard on digital safety boxes.
Claire François
Associate
Hunton & Williams LLP
+32 (0)2 643 58 00
Claire François is a French qualified lawyer and advises a broad spectrum of clients on EU and French data protection and cyber security matters, including implementation of global data management strategies, international data transfers, and local data compliance. She also regularly represents clients before the French Data Protection Authority.
BELGIUM • WIM NAUWELAERTS • HUNTON & WILLIAMS
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN BELGIUM?
NAUWELAERTS: The ongoing discussions about the proposed
EU General Data Protection Regulation (GDPR), the more active
enforcement approach taken by certain Data Protection Authorities,
as well as some major data incidents, have made privacy and data
protection compliance a recurrent topic in the press. This has moved
compliance up the agenda of many companies, which are increasingly
investing significant efforts to fully understand and comply with their
obligations under data protection laws. This is especially the case for
businesses that handle massive volumes of data, such as cloud service
providers, or routinely deal with ‘sensitive’ personal data, such as
health-related information. In addition, a lot of companies are closely
monitoring the discussions on the proposed GDPR and have started
preparing for the changes that the GDPR is expected to bring. In the
aftermath of the EU Court of Justice ruling of 6 October 2015 in the
Schrems case, the focus of many companies previously relying on
the EU-US Safe Harbor framework has shifted to finding alternative
solutions for legitimately transferring personal data to the US.
NAUWELAERTS: Although the Belgian Commission for the Protection of Privacy (CPP) does not have the power to impose sanctions, it can investigate complaints, perform audits and initiate proceedings before national Courts in case of alleged violations of the Belgian Data Protection Act. In practice, the CPP will typically offer companies the possibility to take remediation measures before initiating court proceedings. The financial risk companies are currently facing in Belgium is therefore rather low. However, investigations by the CPP can result in media coverage, in which case the company’s reputation can be severely damaged. Restoring trust among consumers and other ‘data subjects’ following reports about a CPP investigation can be difficult and time consuming. The financial risks companies are facing will most likely increase significantly in the near future as the proposed GDPR provides for fines up to 2 percent or even 5 percent of a company’s global annual turnover. Furthermore, the Belgian Secretary of State for Privacy Matters announced earlier this year that a new law enabling the CPP to impose administrative fines on data controllers will be introduced.
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN BELGIUM?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
NAUWELAERTS: Belgian Courts may impose criminal fines of up to
€600,000 for violations of the Belgian Data Protection Act. Furthermore,
Courts can order the confiscation of media containing personal data,
the erasure of the personal data processed, a prohibition to process any
personal data for a period of up to two years and the publication of their
judgment in one or more newspapers. In addition, any repeated violation
of the Act or violation of the prohibition to process personal data for a
certain period of time may be sanctioned with imprisonment of up to
two years. Individuals who have suffered damages due to a violation of
the Belgian Data Protection Act may also claim compensation for these
damages in civil proceedings, including via class actions.
NAUWELAERTS: There is limited case law on privacy and data protection matters in Belgium. However, at EU level, the EU Court of Justice (CJEU) recently issued a number of rulings that have significantly changed the data protection landscape in the EU and beyond. For instance, in the Schrems case, the CJEU invalidated the EU-US Safe Harbor framework, which has served as a key mechanism for data transfers from the EU to the US for thousands of companies over the last 15 years. Further, the CJEU’s ruling in the Costeja case, which recognises the right to be delisted from search engines, and the Weltimmo case, applying a broad interpretation to the territorial scope of EU data protection law, will have an important impact on companies doing business online. These rulings demonstrate a strong willingness to strengthen the protection of individuals’ privacy rights, including by reinforcing the national data protection authorities’ powers.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
NAUWELAERTS: Companies should, in the first place, take measures to
prevent data security breaches to the extent possible. These measures
include performing Privacy Impact Assessments to detect and evaluate
possible privacy risks and identify appropriate measures to mitigate
those risks. Further, companies should have a documented incident
response procedure that is duly communicated to their employees.
The procedure should clearly identify who employees should contact,
on a technical and management level, in the event of a data security
breach, and should also clearly identify the relevant stakeholders’ roles
and responsibilities. Further, companies should also consider preparing
template communications that can be used to expeditiously inform
the CPP and, in some cases, the affected individuals in the event of a
breach.
NAUWELAERTS: Companies should inform their employees of their
responsibilities in terms of privacy and data protection, and the
associated risks, especially for the company as a ‘data controller’, in the
case of non-compliance. This can be done by implementing clear policies
and providing training on how to handle personal data. Companies
should also implement security measures that limit access to personal
data on a need-to-know basis and prevent unlawful technical and
physical access to data processing systems. Further, companies may
also consider implementing monitoring solutions to prevent, detect
and investigate behaviour of employees that may be harmful for the
company. When implementing such monitoring solutions companies
should, however, carefully assess the legal restrictions on the use of such
solutions, both from a data protection and labour law perspective.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN BELGIUM? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
NAUWELAERTS: There is a trend toward stronger enforcement of data protection rules in Belgium. The Secretary of State for Privacy Matters, Mr Bart Tommelein, has played an active role in raising awareness concerning the importance of data protection compliance and has expressed the need for stronger enforcement on several occasions. In addition, the CPP has recently initiated court proceedings against Facebook for failure to comply with the CPP’s recommendations. This trend towards stronger enforcement has certainly increased the focus and awareness of companies on the importance of data protection compliance and the respect of their employees’, customers’ and other individuals’ privacy rights.
Wim Nauwelaerts
Partner
Hunton & Williams
T: +32 02 643 5800
Wim Nauwelaerts leads Hunton & Williams’ Privacy and Cyber Security team in Brussels. His practice focuses on European data protection matters, with a particular emphasis on privacy issues in the areas of new media and communication technologies, financial services, healthcare and life sciences. Mr Nauwelaerts is recognised as a leading privacy practitioner by Chambers Global, The Legal 500 (Belgium), and The International Who’s Who of Technology Lawyers. He has written and spoken widely on privacy-related topics, such as cloud computing.
LUXEMBOURG • ALAIN GROSJEAN • BONN & SCHMITT
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN LUXEMBOURG?
GROSJEAN: Companies usually see data protection and all its binding
rules as an impediment to their development. On the contrary, a real
programme for data protection should be perceived as a commercial
argument, a real asset. The European Regulation that will come
into force next year will impose on companies a certain number of
protective measures. The European Regulation proposal contains
important sanctions for non-compliance with its provisions. Companies
will, in any case, have to comply with principles like accountability that
will completely change the way they process data. It is up to them to
turn these obligations into a positive policy consisting of protection,
security, trust and transparency. I do believe that companies can clearly
benefit from this age of evolving laws.
GROSJEAN: Luxembourg companies face several risks in relation to
personal data breaches. Losing data, regardless of its causes, can have
disastrous consequences for any company. These consequences can be
even more serious for companies dealing with particularly sensitive
data such as banks, insurance companies and audit firms, in matters of
reputation and liability toward their clients. Luxembourg has witnessed
some breaches arising from human faults. Even though most of these
cases did not reach a courtroom, the loss of a good reputation is not
something that can easily be regained. With the European Regulation
proposal, there will be an obligation to notify regulatory authorities
and concerned persons. That is why companies need to question their
policies and the nature of their data processes.
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN LUXEMBOURG?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
GROSJEAN: The Luxembourg law of 2 August 2002 related to the
protection of individuals with regard to the processing of personal data,
which was subsequently modified, sets, for a company which illegally
processes personal data or breaches any legal obligation, sanctions
ranging up to one year of imprisonment and a €125,000 fine. The last
version of the European Regulation proposal provides that a controller
which illegally processes personal data or breaches any legal obligation
will be subject to sanctions ranging up to a €1m fine, or for a company
up to 2 percent of its turnover.
GROSJEAN: One of the major lessons we can learn from recent notable cases is that we should improve employee training in relation to the protection of personal data. The human element may be the most important aspect of a data protection policy because it is the one that is hardest to control. In most cases, the employee at fault is not aware of the potential risks of their actions. The European Regulation proposal and its principle of accountability establish improved awareness and training in relation to the mechanisms of data protection, complaints procedures, internal audit schemes as well as corrective measures in the event of incidents, attacks and failures.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN LUXEMBOURG? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
GROSJEAN: A company must establish an explicit list, which creates a
hierarchy of each threat, and then map the risks with respect to their
seriousness and the likelihood of their occurrence in order to create
priorities. Once the priorities have been evaluated and identified, they
can be processed to establish adequate means of reducing them.
The company should then implement security failure and incident
management protocols. A set of preparatory actions, which define the
strategy that the company has to adopt in order to effectively control
the threats and incidents surrounding personal data, must be put in
place.
GROSJEAN: Regular awareness campaigns, training, complaints
management and internal audits are the key measures to undertake.
Companies will have to implement internal transparency rules, which
should be concise and clear, and easily accessible in relation to personal
data protection processes and the ability of people affected by it to
exercise their rights. Codes of conduct, good practice, charters and
labels are tools that can be used to enhance awareness and improve
staff training.
GROSJEAN: Luxembourg, with its deep experience in finance and
banking, has a strong culture of data protection. The banks, regulated
by the Luxembourg Commission for the Supervision of the Financial
Sector, need to adopt strong measures for the protection of their
clients’ data. Outsourcing providers, data centres, electronic signature
and data portability control are all elements that make Luxembourg a
prominent country in relation to personal data protection. With the law
of 25 July 2015, Luxembourg is one of the leading European countries
on electronic storage, creating three statuses of certified service
providers for specialised archiving companies: the Conservation Service
Provider (PSDC-C), the Dematerialisation Service Provider (PSDC-D)
and the Conservation and Dematerialisation Service Provider (PSDC-DC). If you decide to use the services of a certified service provider for the conservation of your electronic documents, you will benefit from a presumption of conformity to the original hard copies. Otherwise, you will have to prove their conformity. The shift of the new European Regulation will be an interesting and informative turning point for Luxembourg companies.
Alain Grosjean
Partner
Bonn & Schmitt
+352 27 855
Alain Grosjean is a partner at Bonn & Schmitt and a member of the Luxembourg Bar Council. He was admitted to the Mediation Centre of the Luxembourg bar as a mediator and was nominated in October 2015 as Deputy Secretary-General of the International Association of Lawyers (UIA). He is specialised in new technologies, information and communication, data protection, e-commerce, electronic signature, electronic storage and intellectual property.
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN DENMARK?
AAES-JØRGENSEN: Companies tend to focus on their primary business
with customer needs as their first priority. Their second priority is
complying with accounting principles and tax regulation. Generally
speaking, efforts are dedicated to other administrative procedures only
to the extent that companies have the time and manpower to do so.
For many years, data protection was regarded as one of the things that
would be given attention when time permitted. But in the last few years,
the understanding of, and focus on, data protection and privacy have
grown tremendously, and efforts related to complying with the data
protection legislation are increasing. And there is no doubt that – with
the new General Data Protection Regulation (GDPR) on the horizon
– data protection will be given even higher priority in the future.
AAES-JØRGENSEN: So far companies have mainly focused on keeping
their essential business data secure rather than on the privacy-related
risks of customers, employees or patients. However, today the media
frequently focuses on companies’ lack of privacy awareness, so
reputational risks seem to be on the rise. Obviously, the bigger the brand,
the bigger the financial damage a breach of data protection legislation
may cause. In Denmark, the level of compensation for a breach of data
protection legislation is quite low – and the same goes for the level of
fines. Thus, if a company is the target of the attention of the Danish
Data Protection Agency (DPA), the real risk is the reputational risk
related to the DPA making its decision public.
DENMARK • ELSEBETH AAES-JØRGENSEN • NORRBOM VINDING
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN DENMARK?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
AAES-JØRGENSEN: If a company breaches the data protection
legislation, the affected employee may be entitled to compensation
of up to DKK 25,000, approximately £2450. Likewise, if charges are
filed for breach of the data protection legislation, and the company
in question is found guilty on the charges, the level of the fine will be
quite low. However, the proposed GDPR is expected to change that
situation substantially, as one of the draft proposals is to increase the
level of fines to up to €100m, or up to 5 percent of the group’s annual
global turnover.
AAES-JØRGENSEN: Danish case law on data protection is still very
limited. So far only a few cases have reached the Supreme Court.
Nevertheless, it is becoming increasingly common that personal
data issues pop up in ‘classic’ employment law cases. Thus, in recent
years focus has, for example, been given to employers’ monitoring of
employees, including access to emails, and we have also seen an increase
in the number of companies implementing whistleblower schemes. In
early 2015, the DPA issued more specific guidelines for companies’
HR administration and this has encouraged many companies to re-examine their HR procedures.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
AAES-JØRGENSEN: Obviously, companies that have internal
procedures in place, that train their employees to comply with the
procedures and make sure that their employees do in fact comply
with such procedures, are in a much better position when it comes to
avoiding data security breaches than companies paying less attention
to data security. That said, companies should also have procedures
in place for handling data security breaches. Such procedures should
regulate how to stop or minimise the breach, how to identify the
extent of the breach and how to handle the necessary communication
on the breach. Thus, companies should have procedures for providing
information to the affected individuals, notifying the relevant authorities
and communicating via the media.
AAES-JØRGENSEN: Everything starts with awareness – especially
if awareness is followed by policies and procedures. The challenge is
that technological developments happen so fast that it is practically
impossible for companies to keep up-to-date when it comes to having
the right procedures in place. But companies that have implemented
policies and communicate these to their employees, who must then
comply with such policies, certainly have a better starting point than
companies that do not have the same focus on data security. However,
even if companies do minimise the risks by implementing policies,
it is impossible to completely eliminate the risk of rogue – or even
indiscreet or malicious – employees acting in a way that may pose
a threat to privacy and data security. In such situations, the usual
remedies under Danish employment law become relevant, with the
most severe sanction possible being termination with immediate effect.
If the company’s brand is damaged, such a remedy may, however, prove
insufficient.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN DENMARK? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
AAES-JØRGENSEN: More and more companies want to be at the ‘cutting edge’ of data protection. Data protection has moved from being an issue for the minority to being considered a genuine business risk if not properly handled. This is not likely to change moving forward. Until recently, consumers largely looked for convenient solutions and were less concerned about data security. With increasing media focus on privacy breaches, we might see a movement toward data security as a competition parameter, especially for companies labelling themselves as CSR-dedicated.
Elsebeth Aaes-Jørgensen
Partner
Norrbom Vinding
+45 3525 3940
Elsebeth Aaes-Jørgensen advises on all aspects of labour and employment law but has a special interest in public law in general, including municipal and administrative law, data protection, business immigration, pensions, the private practice sector as well as litigation in the civil courts, the Danish Labour Court and industrial tribunals. Ms Aaes-Jørgensen is frequently involved in teaching activities and is a regular speaker in various contexts on all aspects of labour and employment law, including data protection. In addition, she heads Norrbom Vinding’s data protection team and is a member of the International Association of Privacy Professionals (IAPP) and the Copenhagen Data Protection Forum.
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN ITALY?
GALLISTRU: In order to have a better understanding of the local context,
it is worth highlighting the limited number of large-size operators
and high number of medium and small-size enterprises operating in
Italy. However, large operators represent a significant portion of the
country’s competitive potential, so the degree of awareness of privacy
issues varies. Large companies operating in Italy have a satisfactory
understanding of privacy issues, as the officers in charge work constantly
to ensure their company follows the most recent decisions and guidance
of the authorities. Possible areas for improvement include appointing
a responsible officer, such as a privacy officer, capable of overseeing a
holistic approach, better communication among corporate functions
such as legal and IT, and better enforcement of system requirements. By
contrast, SMEs find it difficult to remain up-to-date and fully compliant
with applicable requirements. The growing exposure to privacy risks is
unavoidable, resulting in these organisations shifting from a traditional
approach to a more proactive approach when addressing data security,
protection and management issues. In general, the economic community
is concerned about these issues and anxiously awaits the adoption
of new European regulations. With more new technologies having a
significant impact, and the threats increasing, the new regulations
promise to revolutionise data protection in Italy.
GALLISTRU: Local regulations on personal data protection are
characterised by a general primary rule accompanied by specific
requirements for each segment. Given the exponential increase in
information and data processed by organisations, this reference
background is characterised by user expectations for greater safeguards
and protection as well as increased transparency due to social media
diffusion. When negative circumstances arise, besides the conceivable
damage to reputation, the financial impact should also be taken into
account. To date, these are mainly connected with penalties and sanctions. In practice, class actions are relatively uncommon at a local level. In the event of an attack on third party data, local regulations affecting corporate liability can result in monetary sanctions, as well as interdiction measures including suspension of a company’s business operations.
ITALY • ALFREDO GALLISTRU • PWC ITALY
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN ITALY?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
GALLISTRU: Current legislation provides for fixed administrative
sanctions in addition to possible penal sanctions. Under these
circumstances, at least with reference to larger enterprises, the negative
consequences are mainly operational and reputational. The possible
future introduction of administrative sanctions, proportional to
turnover, could result in businesses reviewing their risk assessments.
GALLISTRU: The most recent legislative provisions, case law judgements
and privacy authority measures address issues such as cookies, the
obligation to report potential data attacks to the authorities, the new
labour laws regarding remote control for employees, enforcement of
the deontology code on the treatment of personal data for commercial
purposes, and the new safe harbour issues. These innovations require
organisations to review their business processes to adequately respond
to the new requirements impacting data processing and protection,
including implementation and control measures to verify compliance.
More mature organisations consider such innovations as an opportunity
to implement ‘privacy by design’ processes. Attacks suffered by
companies, even those operating in the security business, emphasise
the need to strengthen and increase security measures, starting with a
review of the effectiveness of prevention measures through appropriate
vulnerability assessments. The increasing use of outsourcers in business
processes, particularly in environments where privacy issues are significant, such as telemarketing and information technology, makes it necessary to protect such data through independent assessments and strong internal controls. In general, potential vulnerabilities in a company’s processes could damage a company’s reputation with huge consequences for the organisation’s value. This means it is necessary to deal with these issues, not just to achieve compliance, but primarily to manage this important element of business strategy.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
GALLISTRU: Critical issues for companies to consider include timeliness,
how to identify a data security breach, and how to ascertain that the
breach concerns privacy data. It is also necessary to define escalation
procedures to report the matter to data protection authorities and
to identify countermeasures to stop the attack. The response plan
should be periodically tested to verify its effectiveness, timeliness and
stakeholder awareness. Records of incidents, root cause analysis and
security issues should be maintained to identify potential vulnerabilities
and data breaches that are not detected by existing alert tools.
GALLISTRU: Risk responses should reflect a balanced combination of
prevention and detection. Effective prevention starts with the selection,
recruitment and dismissal of personnel, including background checks,
specific contractual clauses, exit procedures, training and awareness
programmes outlining expected conduct, measures to be carried out,
and the use of whistleblowing mechanisms. Data protection and
security systems should be subjected to a structured and formalised
process of risk detection, control assessment and identification of
corrective actions. When designing prevention measures, aside from
the rules governing data classification and protection measures,
particular attention should be paid to identifying specific sources of
risk. Data access rules and segregation of duties must be considered.
Besides specific privacy audits, significant added value could result
from a system log analysis and the ability to analyse relevant available
information. However, the system’s overall effectiveness must include a crisis management programme to deal with possible incidents.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN ITALY? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
GALLISTRU: Our 2015 Global State of Information Security Survey noted that 29.6 percent of European boards of directors actively participated in a review of current security and privacy risk, while 44.2 percent participated in defining the overall security strategy. In prior years, board and top management concern about these issues was less focused, so this trend reflects the development of a stronger risk culture and a more mature approach to creating lines of defence.
Alfredo Gallistru
Partner
PwC
+39 02 7785 483
Alfredo Gallistru is a partner at PwC Italy. Within the risk assurance services practice he leads the IT risk assurance solution set. Mr Gallistru is a certified information systems auditor (CISA), certified internal auditor (CIA), certified information security manager (CISM), certified in the governance of enterprise IT (CGEIT) and certified in risk and information systems control (CRISC). He is vice president of the local ISACA Chapter in Milan. Mr Gallistru has more than 20 years of experience in information system auditing, privacy and information security consulting, compliance review and in the assessment and implementation of IT governance and IT controls.
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN JAPAN?
NAKAZAKI: Large Japanese companies are aware of their duties of
confidentiality and data protection under the Act on the Protection of
Personal Information (APPI). However, many small and medium-sized
companies are unaware of their duties, since private businesses which
have fewer than 5000 individuals listed in their electronic or manual
database at any time in the past six months are exempt under the APPI’s
small business exception. This exception will be abolished under the
amendments to the APPI which will come into force in 2017, and as a
result, small and medium-sized companies must be prepared to achieve
compliance with their new confidential obligations and ensure protection
of personal data and privacy. Large companies must also reconsider their
privacy policies, internal data protection rules and information security
systems following the 2017 amendments.
NAKAZAKI: In the 10 years that have passed since the enactment of
the APPI, remarkable progress has occurred in the field of information
and communications technology, such that it is now possible to store
and analyse what has come to be called Big Data. Despite the need for,
and the high value of, the use of Big Data, many Japanese companies
are hesitant to make use of the same, particularly personal data, due
to the apparent ambiguities of the rules under the APPI framework and
the reputational risks that flow from the growing privacy concerns of
consumers. In addition, companies face the risk that data that is stored
and handled in bulk may be leaked or hacked. As a result, companies now
expend significant financial resources to protect such data. Moreover,
the amendments to the APPI herald stricter regulations on the transfer
of personal data to third parties and in respect of international transfers
out of Japan.
JAPAN • TAKASHI NAKAZAKI • ANDERSON MORI & TOMOTSUNE
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN JAPAN?
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
NAKAZAKI: Under the APPI, criminal penalties may be imposed if a person
fails to comply with any order issued by the relevant ministry, subject to
penal servitude of six months or less or a criminal fine of ¥300,000 or
less. Failure to submit reports, or submitting untrue reports, as required
by the governmental ministry, carries a criminal fine of ¥300,000 or less. A
company may also be liable to pay a criminal fine in the event that these
offences are committed by an officer or employee of the company. Under
the new APPI, criminal penalties will be introduced to target employees or
former employees who steal personal data. As to civil liability, companies
which become the subjects of personal data leaks may become liable
to pay compensation under the Civil Code, provided that individuals
successfully file a claim in the courts. There have not been many such
cases in the courts thus far, and the ceiling for civil liability is ¥35,000 per
affected individual.
NAKAZAKI: Several large incidents in relation to leaks of personal data
have been publicly announced recently in Japan. In the Benesse case
involving one of the largest companies in the education industry, the
personal data of some 23 million people was leaked from a subsidiary
by a systems engineer. He stored the data in a smartphone and sold it to
a number of data brokers. The case illustrates the potentially significant
impact of allowing companies to store large quantities of personal data.
Many industry-specific and sector-specific administrative guidelines
of the APPI have been compiled by governmental ministries to amend
and strengthen personal data protection rules. The new measures
introduced include stricter guidelines on the supervision of employees
and subcontractors and the implementation of stronger technical and
systematic protection measures.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
NAKAZAKI: Companies should consider a number of steps to avoid a
potential data security breach. Systematic security control measures
should be implemented including clearly establishing rules surrounding
the responsibility and authority of workers regarding security control,
preparing and enforcing regulations and procedure manuals, and confirming
the status of implementation. Human security control measures should
be employed including concluding nondisclosure agreements in relation
to personal data, specifying such data as constituting an operational
secret kept by workers and educating and training such workers on the
protection of the privacy of such data. Companies should also consider
improved physical security control measures, including measures that
control entrance into, and departure from, a given location – and prevent
the theft of personal data. Further, companies should factor in technical
security control measures, including measures that provide for the security
control of personal data by limiting access to certain data.
NAKAZAKI: Companies should consider several measures to manage
internal risks and threats arising from the actions of rogue employees.
They should consider employee education, as it is important to ensure
that employees recognise and understand the potential risks and threats,
both to themselves and the company, that result from the improper
use of personal data. This may, for instance, involve making employees
aware of the significant damage that can arise from such improper use
of personal data and the potential termination of employment that may
result. It may also include more proactive measures such as employee
training, including e-learning and the requirement to periodically obtain
a letter of commitment to avoid a security breach. Companies must also
take systematic measures into account, which are useful for keeping
potential rogue actors away from customer data. Technical measures are
also important, such as minimising the number of persons to whom the
authority is granted to access personal data and implementing access
control measures based on identification authentication, such as ID and
password or biometric authentication.
A N N U A L R E V I E W • D ATA P R O T E C T I O N & P R I VA C Y L AW S
NOVEMBER 2015 • F INANCIER WORLDWIDE • 47www.f inancierworldwide.com
JAPAN • TAKASHI NAKAZAKI • ANDERSON MORI & TOMOTSUNE
Q WOULD YOU SAY THERE
IS A STRONG CULTURE
OF DATA PROTECTION
DEVELOPING IN JAPAN? ARE
COMPANIES PROACTIVELY
IMPLEMENTING APPROPRIATE
CONTROLS AND RISK
MANAGEMENT PROCESSES?
Takashi Nakazaki
Special Counsel
Anderson Mori & Tomotsune
+81 3 6888 1101
Takashi Nakazaki has been engaged in an extensive range of TMT matters at Anderson Mori & Tomotsune, including telecom regulations, computers, software development, e-commerce, platform service, domain name disputes, drones and digital forensics. His experience also includes legal advice in several fields of intellectual property and licensing, including traditional copyright, digital copyright, trademark, open source, cross-border licensing and biochemical. Mr Nakazaki has also assisted many start-up clients with general corporate advice. He is a member of the editorial board of AIPPI Japan and KnowledgeNet co-chair of IAPP Japan.
NAKAZAKI: Many Japanese people have become highly sensitive to privacy concerns and there is public concern about the collection and utilisation of personal data by the private sector for business purposes. This public sensitivity was brought to light in the Super Urban Intelligent Card (Suica) case in 2013. A Suica card is a rechargeable smart card that can be used as a fare card on trains in Japan. The East Japan Railway Company (JR East) decided to sell the processed travel record information and purchase history recorded on customers’ Suica cards to a third party. JR East planned to delete each person’s name and telephone number before transferring the information so that the third-party recipient could not identify the person. However, a number of objections and opposing views were raised by consumers, who contended that personal identification may be possible, and that their privacy would be infringed even if there were no direct violation of the APPI. JR East consequently abandoned the plan. Following the Suica case, many Japanese companies have either suspended or improved their business plans to utilise anonymised personal data for business purposes to avoid such disputes with consumers.
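The consumers' objection in the Suica case is that records stripped of names and telephone numbers can still single out a person through the attributes that remain. The following added example, which is not from the interview or from JR East, measures that risk with a k-anonymity check over a handful of constructed travel records (the attribute names and values are assumptions) and shows how coarsening the quasi-identifiers raises k.

```python
from collections import Counter

# Constructed toy travel records with direct identifiers (name, phone) already
# removed, as in the Suica plan. Attribute names and values are assumptions.
RECORDS = [
    {"home_station": "Shinjuku",  "work_station": "Otemachi",  "age_band": "30-39", "gender": "F"},
    {"home_station": "Shinjuku",  "work_station": "Otemachi",  "age_band": "30-39", "gender": "M"},
    {"home_station": "Shinjuku",  "work_station": "Shibuya",   "age_band": "30-39", "gender": "F"},
    {"home_station": "Ikebukuro", "work_station": "Otemachi",  "age_band": "30-39", "gender": "F"},
    {"home_station": "Ikebukuro", "work_station": "Otemachi",  "age_band": "30-39", "gender": "F"},
    {"home_station": "Ikebukuro", "work_station": "Shinagawa", "age_band": "20-29", "gender": "M"},
]

# Quasi-identifiers: not identifying alone, but linkable to outside knowledge
# (a neighbour or colleague knows where you live and work and roughly your age).
FULL_QI = ["home_station", "work_station", "age_band", "gender"]
COARSE_QI = ["home_station", "age_band"]


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest class size; k = 1 means at least one person is uniquely singled out."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_identifiers):
    """Quasi-identifier combinations that match exactly one record."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [combo for combo, n in classes.items() if n == 1]


def generalise(record):
    """One coarsening step: drop the finest attributes and widen the age band."""
    lower_bound = int(record["age_band"].split("-")[0])
    coarse_age = "under 40" if lower_bound < 40 else "40 and over"
    return {"home_station": record["home_station"], "age_band": coarse_age}


def k_after_generalisation(records):
    """k over the coarsened records, using only the coarse quasi-identifiers."""
    return k_anonymity([generalise(r) for r in records], COARSE_QI)


if __name__ == "__main__":
    print("k over full quasi-identifiers:", k_anonymity(RECORDS, FULL_QI))
    print("combinations matching exactly one person:", singled_out(RECORDS, FULL_QI))
    print("k after generalisation:", k_after_generalisation(RECORDS))
```

On the constructed records k is 1 with the full set of quasi-identifiers, so four of the six rows describe a unique individual even though no name appears; after generalisation every row shares its values with at least two others. In practice the check is run over the real release before it leaves the organisation, and the quasi-identifier list is chosen from what a recipient could plausibly know.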
CHINA • MANUEL MAISOG • HUNTON & WILLIAMS LLP

Q: Do you believe companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws?

MAISOG: The frequency and extent of abusive uses of personal information, such as unwanted text advertising messages, in China suggests that companies are not as aware of the risks and duties associated with personal information as they should be. Repeated enforcement campaigns, in which suspects are rounded up for investigations – seemingly in wholesale waves – as well as repeatedly reactive rulemaking in which regulations are promulgated only after and in response to an event or crisis, seem to suggest weaknesses in the overall attitude with which privacy related risks are regarded in China.

Q: As companies increase their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face in China?

MAISOG: Since there is no comprehensive or uniform personal data protection law in China, there are no requirements generally applicable to all processing of personal data. Some requirements apply on a sector-by-sector basis. There are requirements scattered throughout various Chinese laws and regulations under which different entities that may have access to personal information must keep such personal information and the private matters of individuals confidential. Some of these provisions provide for punishment for a violation of this obligation of confidentiality.

Q: What penalties might arise for a company that breaches or violates data or privacy laws in China?

MAISOG: In China, government authorities are paying more and more attention to privacy and data protection. In newly promulgated data protection rules, data breach activities can be subject to substantial monetary compensation, administrative penalties and even criminal liability. For example, the 9th Amendment to the PRC Criminal Law, which became effective on 1 November 2015, prohibits the sale or provision to others in violation of law, or the theft of or illegally obtaining personal information by any individual or entity. If an entity commits any of these crimes, it will be subject to a fine and the persons directly in charge and other persons directly liable will be subject to fixed-term imprisonment or criminal detention and concurrently or separately may also be subject to a fine. Entities which sell or provide personal information obtained during their performance of duties and provisions of services, in violation of law, would be subject to even heavier punishment.

Q: What insights can we draw from recent cases of note? What impact have these events had on the data protection landscape?

MAISOG: The general insight appears, so far, to be that government authorities in China have started to give a higher level of priority to cyber security and personal data protection on the internet. Government authorities appear to be responding to the rapid development of internet technology and the resulting surge in the number of users of internet services.

Q: In your experience, what steps should a company take to prepare for a potential data security breach, such as developing response plans and understanding notification requirements?

MAISOG: Probably the best step is to take measures to achieve a level of technical security at which a security breach becomes unlikely. A security breach incident is better avoided in the first place. It constitutes a cost centre and a distraction from a company’s generation of its core products and services. It is rarely a profitable experience, other than from the lessons learned, and mostly delivers only risk to the company’s reputation and to its relationship with clients. Beyond the priority of prevention, it is important to have a clear understanding of breach notification requirements. In China, only four industry sectors are subject to mandatory breach reporting requirements. Companies in one of these sectors should prepare and rehearse security incident response plans because once a breach occurs they will be under immense time pressure to satisfy all requirements and to do so accurately and correctly. Companies not in one of these sectors should also prepare and rehearse security incident response plans, but their plans may not have to reflect or anticipate the same level of extreme time pressure. Aside from preparation and rehearsal of security incident response plans, preparations that could mitigate liability for a breach incident, when and if one occurs, can be undertaken simply by adopting and consistently applying best practices during the ordinary course of day-to-day data processing.

Q: What can companies do to manage internal risks and threats arising from the actions of rogue employees?

MAISOG: The best approach is not a legal approach, but an organisational and even moral one. That is, a company can best manage internal risks and threats arising from the actions of rogue employees by promoting and protecting an internal corporate culture that is rooted securely in honesty and integrity. The company should hire only persons of integrity and trustworthiness, and should quickly terminate employees who show a willingness to undertake illegal or unethical actions at the workplace, or to tolerate these actions among others. A team that is made up of honest people will not have any difficulty in managing internal risks and threats arising from the actions of rogue employees, because it will not have any rogue employees in the first place. Subject to the foregoing, in China it is also possible to undertake employee monitoring campaigns. In the context of Mainland China, there are very few general rules on privacy and personal information protection in an employment context. As such, there is no prohibition on employee monitoring and no particular rules on how employee monitoring should be conducted.

Q: Would you say there is a strong culture of data protection developing in China? Are companies proactively implementing appropriate controls and risk management processes?

Manuel Maisog
Partner
Hunton & Williams LLP
+86 10 5863 7507
Bing Maisog is the chief representative of the firm’s office in Beijing. He is a member of the firm’s Corporate practice team, and has also worked as a member of the Energy and Infrastructure team. Prior to the establishment of the Beijing office, he was resident in both Bangkok and Hong Kong, and worked on significant project finance and project acquisition transactions in many countries across Asia. In the past, he has also worked as a corporate finance lawyer, with experience in initial public offerings, private placements, and financial institution merger and acquisition transactions.

MAISOG: China’s data privacy framework is emerging on a patchwork, sector-by-sector basis. As such, companies in some sectors are becoming aware of the risks and duties associated with collecting and handling personal information, while companies in other sectors have little awareness of the same risks and little incentive to develop any awareness of them. On the whole, however, it is probably true that companies in Mainland China are not as aware of the risks and duties associated with personal information as they should be.
TAIWAN • CHIN-JUI CHANG • PWC TAIWAN

Q: Do you believe companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws?

CHANG: Taiwan passed the Personal Data Protection Act (PDPA) in April 2010 and it came into force in October 2012. The PDPA applies to all companies, individuals and public organisations and is a milestone piece of legislation. After three years of PDPA enforcement, the awareness of data protection in Taiwan varies by sector. The Taiwanese authorities enforce the data protection order on those companies who hold a large amount of personal data, such as firms in the telecoms, e-commerce and especially the financial services industry. Accordingly, those companies have committed considerable resources to boosting cyber security under the PDPA, particularly compared to companies in other industries. Most firms have implemented Personal Information Management Systems (PIMS) in order to comply with the regulation. Recently the Ministry of Education has conducted privacy and data protection supervision for a number of higher education institutions and is pushing the higher education sector to adopt PIMS. Though many other industries in Taiwan don’t pay enough attention to the risks associated with data protection, the emergence of a new digital economy will eventually force them to do so.

Q: As companies increase their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face in Taiwan?

CHANG: The increase in cyber crime in Taiwan is something we have to take into serious consideration; no company can escape from cyber attack. The increased utilisation of data processing, and the country’s newly developed reliance on third party vendors, has increased the complexity of data protection in Taiwan. In turn, this has exposed companies to cyber risk. Companies face a maximum fine of NT$200m for a data breach according to the PDPA, and the speed at which news spreads on the internet and across traditional and social media increases reputational risk.

Q: What penalties might arise for a company that breaches or violates data or privacy laws in Taiwan?

CHANG: Failure to comply with the PDPA can result in the imposition of civil liabilities in the range of approximately US$16 to $680 for each record, and up to a maximum of approximately US$6.8m in total, depending on the circumstances of infringement. Private entities in breach may face administrative fines of up to approximately US$16,000 for each violation. Breach of certain provisions, such as those relating to the processing of sensitive personal data, constitutes a criminal offence and, if the private entity violates the restrictions relating to the processing of sensitive personal data with intent to make profits, such a violation carries a maximum sentence of five years in prison in addition to or instead of fines of up to approximately US$33,000. Representatives of a company may be subject to the same amount of administrative penalties when the company violates the PDPA.

Q: What insights can we draw from recent cases of note? What impact have these events had on the data protection landscape?

CHANG: The impact of the data breach is not only an IT operation event but also a corporate reputation risk. In Taiwan, the greatest privacy risk for organisations is reputational risk, and the reward for compliance with the PDPA is building trust with stakeholders. Compared to companies that do not pay attention to the PDPA, trust building companies have more advantage in terms of customer confidence and loyalty.

Q: In your experience, what steps should a company take to prepare for a potential data security breach, such as developing response plans and understanding notification requirements?

CHANG: The best practice for dealing with privacy risk is to adopt a compliance program, a PIMS and appoint a chief privacy officer (CPO), a C-suite officer responsible for communicating privacy and data protection issues to board members and employees. In order to reduce the privacy risk, the company should implement all the necessary processes for data protection. Data breach response plans should include notification procedures that comply with the PDPA and related regulations.

Q: What can companies do to manage internal risks and threats arising from the actions of rogue employees?

CHANG: In order to manage internal privacy risk, education and training to raise the awareness of privacy and data protection is a must. Companies should apply their privacy and data protection rules to all employees’ daily tasks. Violation of these rules should result in termination. In order to have a clear picture of the compliance levels of both the company and employees with privacy and data protection rules, proper internal audit and maturity measures should be implemented. Technical data protection solutions, such as DLP, are another option companies have to reduce the risk faced from malicious employees.

Q: Would you say there is a strong culture of data protection developing in Taiwan? Are companies proactively implementing appropriate controls and risk management processes?

Chin-Jui Chang
Partner
PricewaterhouseCoopers Taiwan
+886 2 27296916
Chin-Jui is a partner in the risk assurance practice of PricewaterhouseCoopers Taiwan and leads the firm’s Privacy and Cyber Security services. He focuses on all aspects of privacy and security in a range of industries. He also specialises in the establishment of compliance systems, particularly in regard to Information Security Management System (ISMS) and Personal Information Management System (PIMS). Mr Chang is active in public affairs and is also a supervisor of the Institution of Internal Auditors, ROC (Taiwan).

CHANG: Government authorities have increased their supervision and enforcement with respect to privacy and data protection in some sectors. This makes companies aware of data protection and enables them to embed data protection into their corporate governance and management processes. Companies within these sectors will benefit from implementing PIMS, as internal and external audit provides a chance for a proactive review of appropriate controls and risk management.
AUSTRALIA • GRACE GUINTO • PWC AUSTRALIA

Q: Do you believe companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws?

GUINTO: Australian organisations are playing catch-up with the rest of the world. However, the amendments that were made to federal privacy legislation 18 months ago, together with recent high profile enforcement actions taken by the Office of the Australian Information Commissioner (OAIC) against organisations that were deemed to have violated the privacy of their consumers, have raised the profile of this topic to the board and C-suite executives. There are still varying degrees of privacy maturity across Australian organisations. Some believe a simple update to their market-facing privacy statement is enough to satisfy their duties of confidentiality and data protection, while others have used their privacy compliance efforts to drive forward their responsibilities and build a competitive advantage by engendering consumer trust.

Q: As companies increase their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face in Australia?

GUINTO: As organisations continue to engage with their consumers in a digital ecosystem, there is an increasing amount of personal data that is collected, handled, stored and transferred within and outside of Australia to the organisation’s related entities and third party service providers. With this comes the increasing expectation from consumers that these organisations will be responsible and accountable for its safekeeping. This is reflected in the significant increase in privacy complaints received by the OAIC in recent years. Those Australian organisations that have breached the privacy of consumer data can find themselves being investigated by the privacy commissioner, be burdened with significant financial costs involved with fines and remediation activities and face the erosion of the organisation’s reputation, resulting in consumer churn and loss of new business.

Q: What penalties might arise for a company that breaches or violates data or privacy laws in Australia?

GUINTO: Within Australia, both public sector and private sector organisations, with some exceptions, are bound by the Privacy Act. The OAIC is responsible for bringing enforcement action against those organisations that violate a privacy law. Serious or repeated privacy breaches can attract fines from the OAIC of up to AUD$1.7m for organisations and AUD$340,000 for individuals. To offset the costs of a privacy breach, Australian organisations have been investing increasingly in insurance products to help protect against financial losses that result from security incidents, for example cyber insurance. In our recently released 2016 Global State of Information Security Survey (GSISS), 56 percent of respondents indicated that they have taken out cyber insurance to offset the costs associated with penalties that might arise following a breach or violation of data or privacy laws in their region. However, the cyber insurance offering is still maturing, can be expensive and does not always cover all possible costs that can be imposed on an organisation that has experienced a data or privacy breach.

Q: What insights can we draw from recent cases of note? What impact have these events had on the data protection landscape?

GUINTO: Recent cases have demonstrated that the OAIC has the ability to bring enforcement actions against organisations that have violated the Privacy Act, irrespective of whether they are operating in Australia or are headquartered elsewhere. The OAIC has taken recent actions against two global technology organisations following a security breach of their consumer accounts, which included Australian-based individuals. These recent cases have also demonstrated the consultative role that the privacy commissioner has played in the Australian data protection landscape. The OAIC has sought to balance their enforceable actions with helping entities to ensure they have the right privacy governance frameworks in place to meet their privacy obligations to Australian consumers.

Q: In your experience, what steps should a company take to prepare for a potential data security breach, such as developing response plans and understanding notification requirements?

GUINTO: In Australia, despite the absence of the mandatory data breach notification, the OAIC has issued guidance to help entities governed by the Privacy Act to understand the key steps in preparing and responding accordingly to a data security breach. However, one of the key steps that we find Australian organisations often forget to undertake as part of this process is to first understand what data they actually hold and where it’s located. According to the GSISS, security events ascribed to current and former third-party partners jumped 22 percent over the previous year. As such, organisations must invest time in understanding the personal information they maintain for their customers, suppliers, shareholders, employees and other stakeholder groups, including the data stored on their behalf by third-party service providers. This is a critical first step in building a breach management plan, as it then allows organisations to clearly consider the responsibilities of their third-party service providers. As we have seen with the recent spate of privacy breaches, while an organisation can outsource their data handling processes, they cannot outsource their responsibilities when that data is breached.

Q: What can companies do to manage internal risks and threats arising from the actions of rogue employees?

GUINTO: The GSISS reports that employees, both current and former, remain the most cited source of compromise, but incidents attributed to business partners are up substantially. To mitigate this risk, organisations need to adopt a multi-faceted approach – including establishing robust privacy and security governance framework policies and procedures, rolling out training and awareness campaigns and implementing controls around employees’ user access and security to data. This is important in building a corporate culture and approach that acknowledges and respects the role of employees in protecting and safeguarding the personal information they hold. As risks and threats rise, the GSISS also reports that organisations have significantly boosted investments in information security by 24 percent in 2015, which includes funds allocated for hardware, software, services, education and information security staff. It will be interesting to see whether this boost in information security spending will translate to a drop in detected security incidents in future years, or actually result in an increase, as organisations seek to adopt more sophisticated tools and services to manage their internal risk and threats. This includes the use of cloud-based security services and the employment of Big Data analytics to model for and identify information security incidents.

Q: Would you say there is a strong culture of data protection developing in Australia? Are companies proactively implementing appropriate controls and risk management processes?

Grace Guinto
Director
PwC Australia
+61 (3) 8603 1344
Grace Guinto is the national privacy leader for PwC Australia’s Digital Trust practice. Ms Guinto advises clients on how to assess and build sustainable and repeatable privacy programs, respond to regulatory orders and build confidence among consumers and other stakeholders through their privacy and data security efforts. She has considerable experience in both Australia and the US working with clients to increase their transparency with investors, regulators, business partners and customers, enhancing trust and creating competitive advantages through their data protection and privacy compliance efforts.

GUINTO: Due to the global impact of many recent data security breaches experienced in the US and EU, coupled with the recent security breaches experienced by Australian organisations, we are seeing more organisations take steps to ensure that appropriate controls and risk management processes are in place. However, more can be done in this space. Australian organisations should not allow the uncertainty of the future privacy regulatory role of the OAIC to hold them back from complying with the Privacy Act and fulfilling the privacy commitments they have made to their consumers. They should recognise that privacy is a fundamental element in building trust with their consumers, especially in the digital world where they will collect, hold and store more personal information about their consumers than ever before.
Q DO YOU BELIEVE
COMPANIES FULLY
UNDERSTAND THEIR DUTIES
OF CONFIDENTIALITY AND
DATA PROTECTION IN AN
AGE OF EVOLVING PRIVACY
LAWS?
Q AS COMPANIES INCREASE
THEIR DATA PROCESSING
ACTIVITIES, INCLUDING
HANDLING, STORAGE
AND TRANSFER, WHAT
REGULATORY, FINANCIAL
AND REPUTATIONAL RISKS
DO THEY FACE IN NEW
ZEALAND?
MCCABE: The gap in New Zealand understanding is due to the speed of
digital change rather than evolving privacy laws. New Zealand privacy
legislation is more than 20 years old, and while there have been some
amendments over time, it is not comprehensively equipped to govern
and regulate privacy in a rapidly changing digital landscape. Recognising
this, privacy law reform was signalled by the Minister of Justice in
2014, with proposals to address some of the shortcomings following
an earlier Law Commission review, although there is yet to be a bill
before parliament. We are seeing improvements in the understanding of
privacy laws, especially in the public sector, yet there is still a great deal
of variation in the maturity of privacy practices across organisations,
and their understanding of their obligations, especially in areas such
as offshore cloud services, outsourcing and cross-border information
transfers and disclosures.
MCCABE: As in most regions, there is a great deal of concern over
the consequences of inappropriate disclosure of personal information,
in both the public and private sectors. The loss of public and customer
confidence in a brand, service or government can be extremely damaging
and this type of reputational risk is often quoted as a prime concern.
Public trust and confidence in the ability of the government to safely
manage personal information is critical to the delivery of better digitally-
enabled public services. In the private sector, where personal information
is often a valuable and core asset to the business model, a loss of public
trust often translates into a loss of shareholder or company value, and
the financial implications of this can be crippling to a business. The
absence of mandatory disclosure of personal information breaches in
New Zealand and the very limited powers of the privacy commissioner
mean that regulatory risks are generally considered to be minor, although
we expect the pending legislation reform will change this position.
NEW ZEALANDSTEVE MCCABEPWC NEW ZEALAND
A N N U A L R E V I E W • D ATA P R O T E C T I O N & P R I VA C Y L AW S A N N U A L R E V I E W • D ATA P R O T E C T I O N & P R I VA C Y L AW SA N N U A L R E V I E W • D ATA P R O T E C T I O N & P R I VA C Y L AW S
NOVEMBER 2015 • F INANCIER WORLDWIDE • 61 8www.f inancierworldwide.com
Q WHAT PENALTIES MIGHT
ARISE FOR A COMPANY THAT
BREACHES OR VIOLATES
DATA OR PRIVACY LAWS IN
NEW ZEALAND?
Q WHAT INSIGHTS CAN WE
DRAW FROM RECENT CASES
OF NOTE? WHAT IMPACT
HAVE THESE EVENTS HAD
ON THE DATA PROTECTION
LANDSCAPE?
MCCABE: The privacy commissioner has very limited powers under
legislation in New Zealand and cannot impose penalties for privacy
breaches. Yet, following an investigation, the privacy commissioner
can refer cases to the director of human rights proceedings who may
then take it to tribunal, which does have the power to award damages
and compel a company to take action. This year, a complainant was
awarded NZ$168,000 in damages for a significant breach of personal
privacy, the highest amount ever awarded for a breach of the Privacy
Act in New Zealand. Another notable penalty available to the regulator
is the ‘name and shame’ approach where the threat of public exposure
is considered to be a useful tool – when used sparingly – to encourage
organisations to adopt good privacy practices. The privacy commissioner
has recently published policy which clarifies the circumstances under
which organisations may be named that have breached the Privacy
Act.
MCCABE: The cases that have had the biggest impact on the data
protection landscape in New Zealand occurred in 2012 which the
privacy commissioner described as the ‘year of the breach’ in her annual
report. The Accident Compensation Corporation and the Ministry of
Social Development – both government agencies – suffered personal
information breaches in close proximity resulting in the government
taking unprecedented action to raise the maturity and effectiveness
of privacy and security practices across the public sector. Both a
government chief information officer and a government chief privacy
officer were appointed to govern and drive a quantum shift in privacy
and security practices and maturity, and the office of the privacy
commissioner was awarded an additional NZ$7m in funding from
2014 to 2018. There has been recognition that good privacy practices
are less about legal interpretation of the Act and more about the risk
of harm to individuals and the consequences to them should personal
information be mismanaged.
NEW ZEALAND • STEVE MCCABE • PWC NEW ZEALAND
ANNUAL REVIEW • DATA PROTECTION & PRIVACY LAWS
62 • FINANCIER WORLDWIDE • NOVEMBER 2015 www.financierworldwide.com
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
MCCABE: Educating your people about what is sensitive and how to
handle it appropriately is your best defence. However, you also need to be
ready for an incident and the first step is to determine how you are going
to detect and identify one. Ensure that you have clearly communicated
channels for reporting incidents and near misses. Develop education
and training programmes that build a culture of transparency where
reporting is encouraged and rewarded. Demonstrate through your
actions that this leads to better responses, not witch hunts. Develop
your communications strategy and be prepared to communicate
clearly and often with your customers, the public and the media. Build
a multi-disciplinary response team that encompasses all key business
functions, and align this with your disaster recovery and business continuity
plans and response teams. Most importantly, practise your response
thoroughly and often.
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
MCCABE: There is a substantial market for personal information and
companies must recognise that this threat is significant. Companies must
ensure that the employment process includes robust vetting procedures
proportionate to the value of the information that employees will
handle. Manage your digital identities carefully by controlling access
and entitlements, limiting system privileges and ensuring employee
accounts are disabled on termination or exit. Educate and train your
employees, as insiders are less likely to act maliciously if there is a
strong security culture. Focus your detective efforts on characterising
and identifying abnormal behaviours such as large movements of data
or login activity at unusual times of the day. As for any risk management
exercise, prioritise your efforts on your most important assets.
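The two detective controls named in the answer above (abnormal behaviour such as large data movements or logins at unusual hours, and accounts that should have been disabled on termination) can be turned into a small triage pass over audit events. The script below is an added example for this review, not code from the interview or from PwC: the HR roster, the audit events, the 07:00 to 19:00 working window and the "more than 10x the user's own median day" egress threshold are all constructed assumptions for the demonstration. The terminated-account rule also covers the point made later in the South Africa interview that access rights must be revoked promptly when contracts end.

```python
"""Insider-threat triage over constructed audit events.

Added example, not from the interview: flags activity by accounts that HR
records as terminated, logins outside an assumed working window, and a day
of data egress far above the user's own baseline.
"""
from collections import defaultdict
from datetime import date, datetime, time
from statistics import median

# Constructed HR roster: value is the contract end date, None if still employed.
HR_ROSTER = {
    "alice": None,
    "bob": date(2015, 11, 3),   # left on 3 Nov; account should have been disabled
    "carol": None,
}

# Constructed audit events: (timestamp, user, kind, bytes_out).
# kind is "login" or "egress"; bytes_out is 0 for logins.
EVENTS = [
    (datetime(2015, 11, 2, 9, 5), "alice", "login", 0),
    (datetime(2015, 11, 2, 9, 7), "alice", "egress", 20_000_000),
    (datetime(2015, 11, 3, 9, 12), "alice", "egress", 25_000_000),
    (datetime(2015, 11, 4, 9, 1), "alice", "egress", 22_000_000),
    (datetime(2015, 11, 5, 2, 40), "alice", "login", 0),             # 02:40 login
    (datetime(2015, 11, 5, 2, 45), "alice", "egress", 900_000_000),  # ~40x usual
    (datetime(2015, 11, 4, 23, 10), "bob", "login", 0),              # after exit
    (datetime(2015, 11, 4, 23, 12), "bob", "egress", 50_000_000),
    (datetime(2015, 11, 2, 8, 30), "carol", "login", 0),
    (datetime(2015, 11, 2, 8, 40), "carol", "egress", 5_000_000),
    (datetime(2015, 11, 3, 8, 35), "carol", "egress", 6_000_000),
]

WORK_WINDOW = (time(7, 0), time(19, 0))  # assumed normal hours for every user
EGRESS_MULTIPLIER = 10                   # assumed: flag a day > 10x user's median
MIN_BASELINE_DAYS = 2                    # prior days needed before comparing


def account_state(user, when, roster):
    """Return an alert name if the account should not be active at `when`."""
    if user not in roster:
        return "account-not-in-roster"
    ended = roster[user]
    if ended is not None and when.date() > ended:
        return "terminated-account-activity"
    return None


def is_off_hours(when, window=WORK_WINDOW):
    """True when the timestamp falls outside the assumed working window."""
    start, end = window
    return not (start <= when.time() < end)


def daily_egress(events):
    """Sum bytes out per user per calendar day: user -> {day: bytes}."""
    totals = defaultdict(lambda: defaultdict(int))
    for when, user, kind, nbytes in events:
        if kind == "egress":
            totals[user][when.date()] += nbytes
    return totals


def triage(events, roster=HR_ROSTER):
    """Return sorted, de-duplicated (user, day, rule) alerts."""
    alerts = set()
    for when, user, kind, _ in events:
        rule = account_state(user, when, roster)
        if rule:
            alerts.add((user, when.date(), rule))
        if kind == "login" and is_off_hours(when):
            alerts.add((user, when.date(), "off-hours-login"))
    # Compare each day's egress with the median of that user's earlier days,
    # so a user with a legitimately heavy job is judged against their own norm.
    for user, days in daily_egress(events).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            prior = [days[d] for d in ordered[:i]]
            if len(prior) < MIN_BASELINE_DAYS:
                continue
            if days[day] > EGRESS_MULTIPLIER * median(prior):
                alerts.add((user, day, "large-data-movement"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, day, rule in triage(EVENTS):
        print(f"{day} {user:6} {rule}")
```

On the constructed data this raises four alerts: alice's 02:40 login and her 900 MB day, and bob's login and egress on 4 November, a day after his recorded exit. carol, whose volumes and hours match her baseline, produces nothing. The per-user median baseline is the part worth keeping from this sketch: a global threshold would either miss alice or drown the analyst in alerts from users whose normal day is large.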
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN NEW ZEALAND? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
MCCABE: This is a work in progress. In our 2016 Global State of
Information Security Survey, we saw a significant dip in the confidence
that New Zealand respondents have in the effectiveness of their
security controls from previous years. We think this is a maturity
step and reflects the realisation that there is limited comprehensive
controls assurance in most organisations to substantiate higher
confidence levels. Having said this, the public sector is improving in its
risk management processes and privacy maturity, and new tools and
documentation from the privacy commissioner are helping companies
understand how to assess impacts to privacy when handling, processing
and storing personal information. There is still some way to go but we
are certainly making progress.
Steve McCabe
Partner
PwC New Zealand
+64 4 462 7050
Steve McCabe is a partner in the cyber security practice at PwC New Zealand. For more than 15 years he has practised in consulting, management and leadership roles across all aspects of privacy and security, both in New Zealand and the UK. He advises public and private sector clients on security and privacy strategies, governance, risk management, transformation and assurance and is passionate about enabling organisational success through the effective management of digital risk to information assets. He has worked with many of New Zealand’s largest public and private sector organisations on the enhancement of privacy in large digital initiatives.
Q DO YOU BELIEVE COMPANIES FULLY UNDERSTAND THEIR DUTIES OF CONFIDENTIALITY AND DATA PROTECTION IN AN AGE OF EVOLVING PRIVACY LAWS?
MATHE: Most South African companies are familiar with confidentiality
requirements, but privacy and the requirements for lawful processing of
personal information are relatively new concepts to many. Exceptions to this
include financial institutions, among others, which have been preparing for the
commencement of South African privacy law since 2009 and before, resulting
in a greater understanding of privacy and data protection requirements. In
addition, awareness among South African companies in general has been
steadily increasing since the Protection of Personal Information Act was
signed into law in 2013, and certain sections of the Act commenced in April
2014. Another factor in rising levels of awareness has been the increased
pressure being experienced by South African companies to provide evidence
of compliance with data protection requirements in their dealings with both
local and international counterparts, trading partners, clients and vendors.
All of this has resulted in the initiation of privacy compliance efforts and
programmes to implement compliance.
Q AS COMPANIES INCREASE THEIR DATA PROCESSING ACTIVITIES, INCLUDING HANDLING, STORAGE AND TRANSFER, WHAT REGULATORY, FINANCIAL AND REPUTATIONAL RISKS DO THEY FACE IN SOUTH AFRICA?
MATHE: In South Africa, the Protection of Personal Information Act is not
fully effective yet. Only those sections dealing with the definitions, the
establishment of the Information Regulator, its powers, duties and functions,
and the powers of the Minister of Justice to make Regulations in terms
of the Act are currently effective. The Information Regulator is yet to be
appointed and the commencement date of the remainder of the Act is still
to be announced. Therefore, regulatory and financial risk in terms of the Act
does not yet apply, however companies may face reputational risk if they
experience a breach of personal information or if they fail to demonstrate
that they are serious about protecting the personal information of their
employees, customers and vendors. There is also the potential civil liability
that may be incurred through violation of existing common law. In addition,
companies with both a local and international footprint, whose international
group entities are subject to privacy laws of other jurisdictions, may expose
the group to regulatory, financial and reputational risk if they don’t adhere
to group privacy policies.
SOUTH AFRICA • BUSISIWE MATHE • PWC SOUTH AFRICA
Q WHAT PENALTIES MIGHT ARISE FOR A COMPANY THAT BREACHES OR VIOLATES DATA OR PRIVACY LAWS IN SOUTH AFRICA?
MATHE: Once the South African privacy law is fully in place, any person who
feels that their rights as a data subject have been infringed may submit a
complaint to the Information Regulator, in writing. Companies may attract
liability if they violate the privacy of data subjects. This may be civil liability
for patrimonial and non-patrimonial damages, for interference with personal
information regardless of whether or not there is intent or negligence. Or it
may be criminal liability of up to 10 years in prison or the payment of a fine.
Or it may be administrative liability for an administrative penalty payable to
the Information Regulator up to a maximum of R10m.
Q WHAT INSIGHTS CAN WE DRAW FROM RECENT CASES OF NOTE? WHAT IMPACT HAVE THESE EVENTS HAD ON THE DATA PROTECTION LANDSCAPE?
MATHE: There have been breaches of personal information locally, however,
these have not been subject to litigation, and most instances are not reported.
However, from the reaction of regulators in other jurisdictions it is clear that
data breaches are taken seriously by the regulators and those regulators will
not hesitate to demonstrate their powers in cases where companies have
not implemented or did not comply with procedures that could or should
have prevented such a breach. It is also clear that consumers are becoming
more aware of their privacy rights and are losing trust in those companies
that don’t take the protection of their personal information seriously. Recent
global breaches have highlighted the need to consider reactive measures,
such as cyber liability insurance, to protect companies against the financial
losses that could result from a personal information or data security breach.
The effect of a cyber attack or other security breach could be devastating,
from both a financial and reputational perspective. One method of mitigating
the financial risk is to ensure that you have extensive insurance against cyber
liability.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD A COMPANY TAKE TO PREPARE FOR A POTENTIAL DATA SECURITY BREACH, SUCH AS DEVELOPING RESPONSE PLANS AND UNDERSTANDING NOTIFICATION REQUIREMENTS?
MATHE: Companies need to have adequate security and privacy breach
procedures in place and must implement effective processes to identify
affected data subjects and promptly report the breach – or suspected breach
– to each data subject, as well as the regulator. Companies should at the
very least ensure that they clearly define what events or actions constitute a
data or personal information breach, implement controls and procedures to
detect such breaches, and ensure that such breaches are reported internally.
They should define forensic procedures to analyse the breach and identify
affected data subjects, develop a response plan to ensure that the breach
is promptly contained, and develop communication and media protocols
to govern the dissemination of information. They should also identify
notification requirements imposed by law and implement procedures for
notifying the relevant regulator and, where necessary, the data subjects
that have been affected, and ensure that the contracts with third parties
that process personal information on their behalf require the third party to
promptly notify the company of any breach or suspected breach of the data
that they have under their control, and define penalties in the event of a
failure to notify within a predetermined time period.
Q WHAT CAN COMPANIES DO TO MANAGE INTERNAL RISKS AND THREATS ARISING FROM THE ACTIONS OF ROGUE EMPLOYEES?
MATHE: Companies should address privacy and confidentiality requirements
in employment contracts for both permanent and temporary employees.
Actions that the company will take in the event of violation must be clearly
specified. This should be accompanied by targeted awareness training so that
employees understand what constitutes personal or confidential information,
and the data protection requirements that need to be applied when they
handle personal information in the course of their duties, via email, or by
any means. South African privacy legislation has a very broad definition of
personal information and it applies to the personal information of both
natural and juristic persons. Until such time as they undertake awareness
training or are involved in a privacy project, most employees are not aware
of this. In addition, companies must ensure that their controls around the
administration of user access and system rights are tight, are tested and
updated regularly to ensure that risks are continuously identified and
addressed. This is especially relevant when employees leave the organisation,
and when third party contractors are allowed to have access to a company’s
systems. Access rights should be promptly revoked when employment
contracts end. Where companies allow employees to use personal devices to
access the company network, they should have a clearly defined Bring Your
Own Device policy, and apply strict controls such as remote wipe technology
should devices be lost or stolen, or if any foul play is suspected.
Q WOULD YOU SAY THERE IS A STRONG CULTURE OF DATA PROTECTION DEVELOPING IN SOUTH AFRICA? ARE COMPANIES PROACTIVELY IMPLEMENTING APPROPRIATE CONTROLS AND RISK MANAGEMENT PROCESSES?
MATHE: Although awareness about data protection and privacy is increasing,
many companies have not yet embarked on programmes to embed controls
and risk management processes that will ensure the protection of personal
information. A lot of work still needs to be done across most sectors of
business in South Africa.
Busisiwe Mathe
Director & Partner
PricewaterhouseCoopers
+27 11 797 4875
Busisiwe Mathe is a partner & director at PwC in South Africa – Gauteng Region. She is responsible for cyber security, privacy and business continuity management competencies within PwC’s Risk Assurance Services division. Ms Mathe is a member of the South African Institute of Chartered Accountants, Independent Regulatory Board for Auditors and is the South African Chapter Agent of the Information Security Forum (ISF). She has over 10 years’ experience in leading teams undertaking reviews and providing services including cyber security assessments, privacy reviews, internal audits and external audits across different sectors and industries. She has managed large scale transformational ICT projects.