The in-house lawyer looking after the organisation’s IT is likely to have responsibility for the growing area where regulation and Tech intersect. Clearly, this may include many areas of business regulation. This article calls out data protection, data security and sector specific regulation.
The in-house Tech lawyer may have responsibility as the organisation’s data protection officer. Areas of concern include:
- establishing the lawful processing basis of all personal data it processes;
- the organisation’s internal and external privacy and data protection policies;
- demonstrating compliance through records of processing, impact assessments, and privacy by design/default;
- operation of procedures and mechanisms for data subject rights;
- processes and procedures for management of data breaches and, in particular, whether or not to notify an event to the ICO;
- appropriate treatment of data protection and data sharing in the organisation’s national and international contracts;
- overseas transfers; and
Organisations are increasingly focusing on a structured approach to the security of their data, and this tends to consist of a mix of management, legal, technical, operational and government controls. The in-house IT lawyer is likely to find himself or herself on the project team looking at data security and then dealing with implementation and management.
Cyber attacks are growing in scale, sophistication and consequences, and the impact of each publicised incident is increased by media scrutiny. The NCSC (the National Cyber Security Centre, part of the UK’s GCHQ) reports on cyber threats to business and currently notes among the major incident trends ransomware, DDoS attacks (distributed denial of service – bombarding and overloading systems so they fail), massive data breaches and supply chain infiltration, with other significant incidents including CEO/senior executive and business email compromise (BEC) (email scams requesting urgent funds transfers) and cyber crime ‘as a service’.
Security is one of a number of rapidly developing areas of Tech law and regulation. These areas overlap to an extent and may best be thought of as providing different perspectives and frameworks from which to analyse and assess IT law issues.
Regulation in your sector
In addition to generic regulation, if the organisation operates in an area like financial, healthcare, travel or legal services or utilities, it will be subject to its own sector’s regulatory regime. As Tech increasingly becomes the beating heart of business, sector specific regulation tends to apply more closely to the organisation’s Tech operations. Special regimes may apply for outsourcing, the cloud, other critical IT, regulatory audit and reports, and treatment of data or IS breaches, etc., and these are likely to be within the remit of the in-house Tech lawyer.