Data Privacy and Cyber Risk

Data privacy and cyber security create significant legal, regulatory and commercial issues for nearly every business. Our expert, responsive and multi-disciplinary team helps clients to mitigate their risk, meet their legal obligations and prepare their responses to security breaches.

Our expertise:

Data privacy and cyber security is particularly important to Ireland’s thriving technology sector and to any data-centric companies in the pharma, healthcare, medical devices, professional services, retail and public sectors. It is also a key concern for financial services, telecommunications, energy, transport and utility companies. Focussing on data privacy compliance can also be a key benefit to companies who can ensure that data becomes a valuable asset for their business.

We assist our private sector and public sector clients across this broad range of industries to identify, analyse, manage, mitigate and resolve their legal risk in a way that meets their commercial goals.

We have a proven track record of advising on privacy and cyber security incidents and are regularly engaged by existing and new clients to help them to deal with such breaches.

We are advising a large number of private sector and public sector clients on the forthcoming EU General Data Protection Regulation, carrying out data protection audits and assessments, helping clients to complete data inventories and ensuring that clients’ data protection notices and policies and their processing activities will be compliant with the more onerous requirements of the GDPR.

Key areas:

We have significant experience of advising on all aspects of data protection law, including on:

  • Data protection compliance
    • Data protection notices/privacy policies; Data protection assessments and audits; data inventories, record retention/security policies; subject access requests; marketing notices and consents, data controller and processor registrations and data processing agreements, including to facilitate international data transfers, advising on binding corporate rules, conducting Privacy Impact Assessments
  • the EU General Data Protection Regulation
    • carrying out data protection audits and assessments and completing data inventories, drafting and updating relevant data protection notices and policies, advising on new GDPR rules, including Data Protection Officer requirements, the Right to be Forgotten and Data Portability
  • Data security including security breach notification
    • Advising clients on all aspects of data and cyber security incidents, including compliance with the Data Protection Commissioner’s Personal Data Security Breach Code of Practice, assisting clients in dealing with the Office of the Data Protection Commissioner and identifying risk mitigation measures for clients
  • Outsourcing
    • Advising clients on the data protection implications of outsourcing arrangements, including appropriate protections in outsourcing agreements, international data transfers and return of data by third party service providers
  • Data processor agreements, including provisions required by existing and prospective data protection laws
  • Cloud computing
    • Advising clients on additional data protection considerations arising in connection with the hosting of data in the cloud
  • International data transfers
    • Advising clients on relevant solutions including model clauses, Binding Corporate Rules, the EU/US Privacy Shield and data subject consent
  • Cookies compliance
    • Drafting and advising on appropriate cookies policies to comply with applicable law including the Electronic Privacy Regulations 2011
  • Marketing
    • Advising on appropriate marketing opt-ins and opt-outs; profiling; behavioural advertising
  • Enforcement and prosecutions
    • Assisting clients in defending enforcement proceedings and prosecutions, with a focus on advice and guidance to reduce the likelihood of such proceedings and prosecutions and securing amicable resolutions of such matters
  • Monitoring including CCTV and Surveillance and interception of communications
    • Advising on data protection obligations including notice, relevance and proportionality requirements and drafting relevant policies
  • Advising on data protection considerations in corporate transactions, including due diligence on the likely compliance by a target company with data protection obligations and the likely uses and disclosures which are permitted of such data, including use for marketing and data analytics

We advise on all aspects of data security and cyber security including:

  • Advising on legal and regulatory cyber security obligations
  • Developing internal policies and procedures, including incident response plans, to ensure compliance and mitigate risks
  • Assisting in security incident management, including:
    • advising on notification obligations and best practice, including the Data Protection Commissioner’s Personal Data Security Breach Code of Practice
    • management of litigation and regulatory enforcement risks and, if necessary, defence of any such actions
    • bringing proceedings against third parties
    • internal investigations
    • reputation management
  • Advising on data theft and its interaction with cyber crime in the context of fraud and asset tracing
  • Advising on the strategic use of technologies in detecting fraud arising from cyber attack and advising on measures to mitigate risk
  • Advising on contractual strategies for dealing with third party cyber security risks
  • Advising on insurance considerations
  • Assessing and addressing legal cyber security risks in corporate transactions

 

Key highlights include advising:

  • Hostelworld.com on its data protection obligations including fair collection and processing, appropriate data protection notices and privacy statements, data transfers (including international transfers), data security compliance, data access requests, cookies and jurisdictional queries (which data protection law applies), electronic privacy, record retention and user generated content, and on GDPR compliance initiatives
  • The Central Bank of Ireland on the first case in Ireland on the meaning of personal data
  • The Data Protection Commissioner on data protection issues in connection with (i) processing that causes significant distress (the first case of its kind in Ireland), (ii) mobile marketing issues and (iii) enforcement issues
  • Microsoft on the Irish elements of its case in the United States under which a US Judge has ordered the disclosure of personal data hosted in Ireland
  • Road Safety Authority (“RSA”) in connection with fair collection and processing obligations, data security obligations, data protection notices and policies
  • Transport Infrastructure Ireland on data protection compliance matters, including a data protection audit, Privacy Impact Assessments and GDPR compliance
  • US Department of Justice in its participation as an amicus curiae in landmark data protection proceedings brought in the Irish Commercial Court by the Irish Data Protection Commissioner
