Exclusive Q&A on Cyber Security with Maria Vidal

Who Are The Main Regulators And What Are The Key Legislations That Apply To The Cybersecurity In Your Jurisdiction?

For several years national and European regulators have focused more and more on cybersecurity and cyber risks. This is reflected, for example, in the importance placed on cybersecurity in studies and international forums such as the World Economic Forum where cybersecurity has been a significant concern for years. In Spain, the Critical Infrastructures Law was a turning point with respect to cybersecurity obligations. Also, all European regulations have for some time now taken cybersecurity into consideration in some way. For example, we have PSD2, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) or Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (“NIS Directive”), which already take into consideration the reporting of cyber incidents. In this connection, one of the main problems is the heterogeneity of regulators and supervisory authorities on the basis of the type of data concerned, the sector, etc. Some of the examples of the regulators/supervisory authorities are, inter alia, the Spanish Data Protection Agency, the National Centre for the Protection of Critical Infrastructures, the Computer Emergency Response Team for Security and Industry (CERTSI), the Ministry of the Interior and the Ministry of Energy. 

Have There Been Any Recent Regulatory Changes Or Interesting Developments?

On 25 May 2016 the GDPR entered into force. It will be directly applicable in May 2018. Spain is still working on the amendments to local legislation that this regulation requires in relation to data protection.
 
Also, on 6 July 2016, the European Commission approved the NIS Directive. The Directive was conceived to complement and harmonise the cybersecurity actions and legislation in the member states. Implementation of the Directive in Spanish legislation will require the creation of ad hoc legislation.
 
The main objectives of the Cybersecurity Directive are to guarantee a high common level of security in the member states, improve and expedite cooperation between member states in relation to providing early warnings on risks and incidents and to foster the implementation by operators of essential services of specific risk management and incident reporting policies. With respect to this last point, operators of essential services, which are also referred to as "critical infrastructure operators", include the energy sector, the transport sector, the banking sector, the health sector, public administrations and the key service providers, such as online search engines and cloud computing services. 

Are There Any Compliance Issues Or Potential Pitfalls That Firms Need To Be Cautious About?

The new obligations under the aforementioned laws, the GDPR and the NIS Directive, require that companies implement incident prevention and remediation procedures, which in the majority of cases represent procedural, system and organisational changes.
 
The obligation to compensate any damage a person may suffer as a result of an infringement of any provision of the GDPR, as well as the significant increase in administrative fines for infringement of the GDPR – these fines can total up to 4% of companies' total revenue – are matters which will necessarily make all companies include in their procedures a new data-protection risk control box.

How Can Companies’ Best Prepare For Compliance Towards The Recently Signed General Data Protection Regulation (GDPR)? As The New Rules Do Not Enter Into Effect Until 2018, Is It Too Early To Start Taking Action Now?

When the European regulator granted a two-year period for the law to be directly applicable, this two-year period is not granted gratuitously. This two-year period is the amount of time that the legislature deems necessary for companies to be able to implement all the necessary measures under the GDPR.
 
Certain of the new obligations, inter alia, that in my opinion cannot be implemented overnight are the following:
 

• Consent obtained validly in accordance with the requirements of the GDPR: In Spain's case, the understanding of consent as freely given by clear affirmative action means that lots of consents will have to be obtained again. To date, consent has been obtained through silence or pre-ticked boxes (these forms no longer constitute valid consent under the GDPR).
• To implement a consent remediation plan at a company requires extensive analysis of the data processing operations together with possible authorisations to which such processing operations might be subject, as well as a decision-making process for which, in many cases, it could be said that the two-year deadline is quite tight.
• The introduction of concepts such as privacy by design and privacy by default will require many procedural changes that take time to be agreed upon and implemented.
•  Identification and creation of records of processing activities that will help to identify which processing operations necessarily entail privacy impact assessments. From May 2018 these risk methodologies must be available to the supervisory authority.

The obligation, where required under the GDPR, to designate a data protection officer. This figure can be internal or external, but it must be designated on the aforementioned date. The design of data protection governance at companies where this figure is not developed requires time since its approval will likely require the voice of many of the affected areas as well as a long chain of approvals.
 
All these new requirements under the GDPR affect multiple areas at organisations (legal, organisation, technology, cybersecurity, etc.). In this regard, entities know the importance of the new regulation and of the effort the adaptation process represents; therefore, the entities are aware of the need to conduct in-depth analysis and to establish an appropriate project plan with sufficient time to enable its implementation for May 2018.

Why Is It Important For Information Security To Be At The Heart Of The Organisation?

Information is one of an entity's most important assets; by information we are not just referring to clients' data, but to corporate information in general. Therefore, over recent years, we have seen information security gain greater importance at companies; companies launch more and more initiatives and projects focused on information security.
 
Poor management of information security might give rise to incidents that have a big reputational risk and, in addition, sound use of information and the quality thereof enable the use of new technologies such as analytics or big data, through which processes and clients' user experience are improved.

What Are The Key Factors When Building An Information Security Strategic Plan? 

When preparing a cybersecurity master plan, it is important not to lose the overall view of the business in the analysis.
 
In this connection, we like to take four lines into consideration in all cybersecurity plans:

• Governance – alignment with the business, establishment of the policy, performance of risk analysis, etc.,
• Secure – preventive measures to protect against a cyber-threat,
• Vigilant – being vigilant to what is happening externally and internally, and
• Resilient – when suffering a cyberattack, having the mechanisms to be able to recover and provide a service to the business and clients.

 
At Deloitte we have proprietary models that consider these aspects.

What Are The Most Common Mistakes Companies Make Regarding Their Information Security Strategy?
There are areas in which a company must strengthen protection and it is a common mistake companies make. Employees, and third-party service providers that can access the company’s personal data area not enough covered.
 
From my point of view, these areas must be highly controlled to minimise risks. In the case of service providers, it will be necessary, in the provider engagement process, to perform a light assessment to identify whether or not the service provider in question will have access to personal data, what type of data, what processing, and so on, and, on the basis of the result, whether it would be advisable to request the provider to fulfil certain privacy requirements. These controls can either be the implementation of security safeguards, regular controls by means of audits, the obligation to report certain incidents, duty of secrecy and confidentiality obligations, or, in the case of providers that render their services at the company, by providing resources that are not connected to any of the company’s systems that do not have external ports, in order to prevent information leaks.
 
The case of employees, a good level of awareness will be necessary, ranging from the highest-ranking position to the company’s most recent recruit. The level of awareness will be as necessary in management positions as in employees who process customers’ personal data. Everyone at the company should be trained regularly with regard to their obligations and the steps they should take in the event that certain situations arise.
 
The main mistake that we tend to make is forgetting the importance of people, our employees and clients. However robust the cybersecurity strategy of an organisation is, however many protection and vigilance measures that are implemented, security begins and ends with people.

What Key Trends Do You Expect To See Over The Coming Year And In An Ideal World What Would You Like To See Implemented Or Changed?

Companies have started to come to terms with the fact that in order to comply with all the regulatory requirements, it is necessary to modify a lot of the established procedures and above all, how things are done compared to how they were done before.
 
The new regulatory trend grants more power to the users and gives them the tools to decide where they want to be and what they want to do with their data.
 
Any procedure, new campaign, new launch/product will require privacy risk analysis; therefore, in the coming years, we will become accustomed to seeing companies with increasingly specialist privacy and information security teams.

María Vidal is a senior associate in the IP&IT law department at Deloitte Legal Madrid and a specialist in information technologies and intellectual property matters. Throughout her 13 years of experience, she has developed most of her career with Deloitte Legal, obtaining a Certified Information Privacy Professional from the International Association of Privacy Professionals. She is also co-author of data protection books and teaches data protection matters at Instituto de Estudios Bursátiles (IEB) and at Instituto Superior de Derecho y Economía (ISDE). She has been recognised as an “associate to watch” in TMT by Chambers and Partners 2016.

Maria can be contacted on marvidal@deloitte.es