Legal Departments Struggle with GDPR Role

Legal Departments Struggle with GDPR Role

The General Data Protection Regulation (GDPR) is set to take effect on May 25, and research suggests that while businesses are busy scrambling to fill data protection officer (DPO) vacancies, other areas of the organization, especially the legal department, could be taken by surprise.

According to logistics firm BDO, about half (48%) of legal team respondents in a recent survey claim GDPR is not applicable to their organization. Given that any US or foreign company that deals with EU citizens’ personal data – the definitions of which are not entirely clear – will be subject to the GDPR’s stringent requirements, that perception is likely not in line with reality.

“It behooves every organization – whether they touch EU personal data or not – to regularly review how information is used and managed to maximize its value and minimize risk,” said Karen Schuler, BDO National Information Governance practice leader. “GDPR is just the catalyst for a higher standard of data privacy and protection to which every company should aspire.”

This confusion comes as digital assets increasingly become corporate counsels’ purview: Among respondents whose organizations have a defined information governance program, 42% of those programs are led by legal, surpassed only by the CIO (47%).

At the same time, legal officers’ cyber-responsibilities continue to expand: 73% of respondents believe their boards are more involved in cybersecurity than they were 12 months ago. About a third (34%) of the counsel surveyed say their organizations will increase cyber-investment by 10% or more in the next 12 months.

The survey also uncovered that, to keep pace with mounting digital risks, almost half (46%) of senior counsel plan to increase their investment in information governance in the next 12 months.  

“Ultimately, today’s corporate counsel must take a holistic view of their organization’s digital risk profile – assessing risk based on data flows, cross-functional interdependencies and global operations – and play a proactive, rather than reactive, role in risk-based strategic planning,” said Stephanie Giammarco, partner and BDO Technology & Business Transformation Services practice leader.

Source: Information Security Magazine