Short overview of the importance of the applicable legislation and the need for an adequate business response in the EU
Enough time has passed since the General Data Protection Regulation (GDPR) and the EU Network and Information Security Directive (NIS) became applicable, and there are still many companies that do not understand the difference between personal data protection and information security, do not see the point in achieving a good level of legal compliance because they rely on technical security alone, or believe that cybersecurity has nothing to do with law.
Especially after the remote-working issues that the pandemic brought to light, it is no longer credible to believe that technical and organizational measures, a particular certification or a wide range of DLP tools can replace the need to enforce the rules governing the protection of sensitive information and/or personal data. It is equally irresponsible to assume that observing the applicable legal rules simply means filling in a few template documents to prove compliance. Employees are rarely educated and trained to respond to a data breach or incident, and without that training the existence of written model rules and policies is rendered completely meaningless.
Cyber law covers aspects of personal data protection, intellectual property, freedom of movement and trade and much more. It builds on individual expert laws and regulations, including the GDPR. Through NIS and the accumulated practice of the regulators of the individual Member States, the individual companies are guided on how to ensure security in the digital circulation of software, online communication and e-commerce. Cyber law also provides legal recognition of electronic documents. Or, to put it simply, this is the legal infrastructure for dealing with cybercrime and abuse of information.
The law of information protection consists of rules that dictate how the Internet and software products are used. The importance of cyber law can be explained through the following key points:
- Defines the actions and reactions in cyberspace and when performing online transactions;
- Teaches people (employees) how to avoid security breaches;
- Enables companies to organize their activities in such a way that the threat of security breaches is much smaller and the reaction of employees along the chain is faster and more adequate;
- Defines the functions of the regulatory bodies and the sanctions that may be imposed.
In order to achieve a good level of information protection, it is necessary for companies to make internal or external due diligence of their structures and to establish the most convenient framework in which to organize the flow of information in a secure environment. It is particularly important to know that the GDPR, the guidelines of the European Data Protection Board (EDPB) and the European Union Agency for Cybersecurity (ENISA) as well as all applicable national laws should be considered as a whole and at once. Compliance should go hand in hand with these regulations as they complement and build on each other.
After the analysis of the company's current baseline, a plan is drawn up for which policies are to be prepared and which registers are to be maintained, so that the applicable legislation is not only observed but the framework can also be easily updated.
Finally, all this should be brought to the attention of the C-suite, the management bodies responsible for the individual departments and, ultimately, every employee who has access to relevant company information and personal data. There are already enough opportunities and solutions for training and awareness to be maintained in understandable language, with the help of a legal adviser.
We currently expect a strengthening of the role of NIS as a regulatory framework (amendments are almost ready). Further, the transposition of Directive 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services is still pending in some of the Member States. Without timely preparation on the part of business, catching up with regulatory requirements will become increasingly difficult and violations more and more frequent.
Member States are likely to need to put a little more effort into awareness-raising campaigns to explain exactly why these new rules are inextricably linked to the rapid development of the digital world and what the benefits of complying with them are. In addition, the IT sector urgently needs to rethink its approach to lawyers who are experts in this field (and vice versa), as these two types of professionals should finally join hands to work together and help provide comprehensive and reliable protection of information and data. Companies that harmonize their technical practices with the legal framework in a timely manner are much more confident in developing their work in a digital environment, as they are restructuring their business in a way that is competitive, up to date and prepared for the new challenges of the future.
By Irena Georgieva, Managing Partner, PPG Lawyers