Cyber security & Data Protection

New requirements under data privacy and protection laws, such as the European Union (EU) General Data Protection Regulations (GDPR) are extra-territorial in scope - non-EU organizations often fall within their purview. These obligations are expected to massively increase administration and compliance for business.

As the obligations increase, governments are gaining strong regulatory powers to enforce them. Companies that run afoul of these obligations or otherwise experience a breach may face:

• Serious financial penalties of up to 4% of annual global turnover, potentially reaching tens of thousands of Euros or dollars; GDPR in particular, can expose entities to a virtually unlimited financial liability
• Data-related compensation claims such as class action suits, claims based on distress, and even third-party litigation
• Temporary or indefinite bans on processing as well as data flows with third parties
• Reputational damage and negative publicity that can impact the company’s brand, its sales, and bottom line for years to come.

In addition, a growing trend is for new cyber security laws to regulate network and information security – in effect, these laws extend regulatory requirements beyond simply focusing on personal data. One example is the Network and Information Security Directive that establishes minimum standards and reporting requirements for serious breaches.

Many organizations are largely unprepared for these new obligations, notwithstanding that there is currently a myriad of them in place, with new laws being enacted across the world. These laws often have a broad jurisdictional scope, applying to various multinational organizations. Those companies embarking on a ‘compliance journey’ to meet these significant challenges are facing difficult choices about priorities and investing considerable resources and time for legal analysis and planning.