Kristof Van Quathem, special counsel in Covington’s Brussels office, advises clients on data protection, data security, and cybercrime matters. He has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies, ranging from compliance advice on the adopted laws, regulations, and guidelines, to the representation of clients in non-contentious and contentious matters before data protection authorities.
Kristof assists many international companies in their preparation for the EU General Data Protection Regulation (“GDPR”). This includes strategic advice on governance and data management, as well as hands-on assistance with writing policies, procedures, and agreements.
What are some of the major cybersecurity components of the GDPR and the NIS Directive? What tips can you provide to U.S. companies when preparing for these changes?
Answer:
Although the GDPR does not set out detailed security requirements, a major change for most EU countries will be the introduction of a security breach notification obligation. Under the new rules, companies may be required to report breaches to relevant authorities within 72 hours. Additionally, high-risk breaches will need to be reported to the affected individuals. It’s important to note, however, that the threshold for reporting breaches is still quite vague, which will create a level of uncertainty in the years to come until a standard practice has developed. In addition to the GDPR, the NIS Directive imposes a requirement on providers of essential services to put in place adequate security measures and to report incidents that have significant impacts on the continuity of the essential services, regardless of whether or not personal information is involved.
As U.S. companies start to prepare for the new regulation and the NIS Directive, they need to have a clear picture of existing data flows and repositories. Companies may want to reassess their governance structures and consider appointing a Data Protection Officer and/or Chief Information Security Officer. Additionally, efforts related to consent and transparency deserve prioritization. Because of their high visibility, supervisory authorities are likely to focus on these aspects first. Finally, for essential services, a robust cybersecurity program is no longer a good-to-have option, but an actual legal obligation.