Dr. Michael Rath, Managing Partner of the lawfirm Luther Rechtsanwaltskanzlei, about the competitive advantages by an effective management of IT and data privacy.
1. Herr Dr. Rath. Sie haben sich als Jurist auf IT-Recht spezialisiert und sind seit langer Zeit ein geschätzter Fachmann auf diesem Gebiet. Was war für Sie der Auslöser diesen Weg zu beschreiten?
I am specialized since 1999 in IT and Data privacy law. Already during my studies I have been working as research assistant in the department of legal IT at Prof. Dr. Herberger in Saarbrücken. I have written my PhD on the legislation of search engines. The combination between technology and law has fascinated me from the beginning. I must confess that I run a small server at home, and I also like to get involved in the technical aspects of the big IT projects where we consult.
2. Maintaining information security is becoming increasingly complex for companies, as the use of new technologies has to be reconciled at the same time with associated threats and increasing regulatory requirements. That’s why we‘ve decided to offer our clients from one source consultancy for their legal department, as well as management consultants and security experienced consultants. Which are in your opinion the consultancy domains that might benefit the clients, due to the synergy of these two competencies?
The legal requirements in IT change as often as the underlying technology. Just think of the new IT security Law and the EU data protection regulation. There is also an extensive law case on issues such as the private use of IT at the workplace. Given these laws and regulations, it is increasingly difficult for companies to keep an overview of the IT regulatory requirements. IT professionals and lawyers often speak an entirely different language. Here is important to follow an integrated consultancy approach and, for example, in the efforts to improve IT security, the demands of lawyers, technicians and data protection officers have to be harmonized.
3. For many companies, especially for SMEs, IT security and IT Law are heavily underestimated fields in regards to assumed risks. Which is in your opinion the best approach to ensure an adequate level of security and legal binding?
As far as this is concerned, there is a set of frameworks that companies can consider. Of course, an IT Security Management System after ISO 27001 is the best way a company can embark. But there is also good guidance for the middle companies. It is essential for the overall management of information security to be guided by the ISO and COBIT standards. For the SMEs also a „ISMS-light approach“ is recommended (like „TtS 3473“ – TtS-certified cyber security), which is usually a precursor to a possible ISO/IEC 27001 and BSI IT basic protection certification.
4. Which other laws and regulations are beginning to emerge, to which companies will have to adjust?
A whole series of laws in Germany will change only by the new EU privacy regulation alone. As the regulation will, however, bring some fundamental changes with it, such as the „Right to be forgotten“ or the right to data portability, the current national regulation need to be adapted until the application of the EU-regulation. The laws around fighting against terrorism are also constantly changing in the field related to data retention or legal interception. In addition, the European Parliament has just adopted a new policy for increased cyber security (called NIS directive).
This EU directive extends the liability of its critical infrastructure operators. Even major online service providers such as transport nodes operators, domain registries or online marketplaces such as eBay or Amazon have now to be covered by the security and reporting requirements. Even search engines like Google and cloud providers are now affected by the Directive. However, the EU Directive has to be implemented in the national law in the next two years.
5. The data protection requirements are tightening themselves further. What fundamental changes come in this regard to the client?
If the specific type of data usage (for example for cloud services) comprise a potentially high risk for the rights and freedom of the affected persons, it is mandatory in the future to have a so called data protection impact assessment, in regards to the probability of risk occurrence. In this regards, measures to mitigate the risk have also to be considered. Additionally, the scope of this mandatory inspection clearly exceeds the previous legal regulations of BDSG. Especially considering the documentation obligations and drastically increased fines, the responsible bodies should take this obligation seriously. Because not only has the level of fines increased to 10/20 million euros, respectively 2/4% of the Group’s global annual turnover, also replaceable damage positions have been expanded. As per this regulation, immaterial damages, so damages that cannot be directly measured in money, can be replaced. Until now, this was in Germany only very restrictively granted.