By Axel Viaene

As general counsel of a publicly traded company based in Europe, you work hard
to strengthen your company’s internal controls and compliance framework. Not a week goes
by without receiving alarmist newsflashes about the European Union’s impending General
Data Protection Regulation (GDPR). These messages arrive immediately after you read the
latest sensational news story about a peer company falling victim to a cyberattack. The board
asks you to help design a compliance roadmap for privacy, outlining data protection and
cybersecurity initiatives. You start investigating and encounter terms like opt-in, privacy by
design, data breach protocol, the right to be forgotten, the cloud, big data, and the Internet of
Things — on top of an impressive alphabet soup of acronyms like DPO, BCR, EuroPriSe, CSO,
and PIA. You receive the newsletter of an activist shareholder highlighting cybersecurity as
one of the key topics that will be discussed during the upcoming general shareholder meeting.
The audit committee asks whether the company should obtain cyber insurance. Your
company’s data journey has started in earnest, and general counsel should play a valuable role
in it. This article provides a practical perspective on the key challenges and suggests
tactics for addressing them.