Companies may be better served if they give responsibility for data protection to more practically minded employees, such as IT professionals
General counsel may not necessarily be the most appropriate people in companies to be responsible for data protection compliance, attendees at a recent Iberian Lawyer compliance roundtable in Lisbon heard.
Participants were told that, while there was often a lot of pressure on in-house lawyers to be the face of compliance, they were “probably not the best people” to take on such a role. With regard to this issue, one concern expressed was that lawyers sometimes look at such matters in too abstract a way, and that it may be better to make more practically minded employees responsible, such as members of the company's IT department.
Emergency response team
Another recommendation was that companies could have a data protection compliance “emergency response team”. This team should ideally be made up of technical and communications staff – attendees heard it was vital technical staff are trained continuously to keep them up to date with new developments.
According to Ana Rocha, of CCA Ontier Advogados, the biggest data protection concerns for compliance professionals in the coming years will include cross-border data transfer, the prevention of cyber attacks and data breaches. However, the options open to companies seeking to eliminate such risks are numerous. Participants in the roundtable, who included heads of legal and compliance at Portugal's leading companies, heard that the decision on the preferred course of action would greatly depend on the type of business the company in question is involved in as well as the way in which that company accesses the market. One specific challenge would be the implications of possibly “bringing cloud computing in-house”, one attendee remarked.
Ask the right questions
A big challenge for lawyers is how to convince clients they may have to pay attention to very detailed aspects of data protection procedures of which they may not even be aware. Clients were reminded that when they get data from a third party, they are responsible for ensuring that the data is compliant.
“The first responsibility lies with the business,” one of the attendees remarked. “I wouldn't expect anyone in the business to know every type of relevant data, but I expect them to ask the right questions and I would expect them to have a suitable process for mapping this out.” It is also crucial that general awareness of data protection compliance is raised among staff so that a “culture of compliance” is fostered. “Usually, data protection is breached by people so even though we have all the safety measures implemented, let's also have awareness and information,” one attendee remarked.