Where to start your cybersecurity compliance journey?

Companies today are faced with an increasingly complex system of rules and regulations that they need to adapt to and incorporate into their businesses in varying degrees. In this blog post we aim to provide you with a few starting points for your compliance work if you, like many others, feel like the sheer number of existing rules and regulations can be overwhelming and that you do not know where or how to start raising your organisation’s compliance level.

Simply put, cybersecurity compliance means living up to a minimum standard as prescribed by law or other regulations, including, when necessary, an obligation to confer with relevant supervisory authorities and other stakeholders or to notify the authorities of certain events, breaches or suspicions of a breach.

Having worked with a multitude of companies of all different shapes and sizes, we have noticed that a common barrier for companies that wish to increase their level of compliance, thereby decreasing the regulatory risks associated with non-compliance, is that the prospect of ensuring compliance can often feel daunting and overwhelming. In response to this need, we offer pre-packaged solutions to kick-start your organisation’s compliance journey, in addition to our tailor-made solutions.

So, where to start?

Many industry sectors have sector-specific rules and regulations that must be followed. But if nothing else, all businesses (with the rare exception) are subject to the GDPR and its requirements for processing of personal data. As the GDPR requires a processor or controller (i.e., a company that processes personal data) to have and maintain a certain degree of security as well as an understanding and inventory of the data flows and the data processed, compliance with the GDPR is, in our opinion, a natural starting point for almost all organisations, regardless of industry sector.

To facilitate this, we at Norelid Advokatbyrå offer our clients a service we call “Compliance Support”. Through our compliance support we provide the initial building blocks that every organisation needs according to the GDPR. At a minimum we ensure that:
– There is a structure compliant with the GDPR for informing data subjects of the processing that takes place (internally as well as externally),
– Data subjects are informed of their rights according to the GDPR,
– You are provided with an analysis of when and where you may need to enter into so-called data processing agreements,
– We assist you in mapping your processes and the different legal bases for the processing in a register of processes,
– We assist you with developing guidelines for how to act and who to contact if and when a personal data breach occurs.

For a more comprehensive compliance support, we offer a more advanced package where we, in addition to the above, also assist your organisation with:
– Analysis of the need for performing a Data Protection Impact Assessment as well as assistance with the performance of such an assessment,
– Analysis of the need for performing a Transfer Impact Assessment as well as assistance with the performance of such an assessment,
– Data Processing Agreement (“DPA”) review where we review and analyse your cooperation and supplier agreements to determine where and if DPAs are needed,
– Employee seminars where we educate your employees in order to strengthen your organisation’s resilience by ensuring that every employee knows what to look out for and when to check in with a supervisor when processing personal data.

Do not hesitate to contact our cyber specialists if your organisation is ready to start its compliance journey.

/Norelid Cyber Desk

Published: 2022-06-08

The Log4J vulnerability

Tips for improving your legal preparedness following the recently discovered Log4J vulnerability known as Log4Shell.

The vulnerability in the logging library Log4J has been called the worst to occur in a decade. Given that it could take years to address the issues that the vulnerability poses to its users and given the possibility of the vulnerability impacting hundreds of millions of devices, it has also been described as a ticking time bomb for companies. Recently, the U.S. Cybersecurity & Infrastructure Security Agency – CISA – posted a list of third-party software applications that are affected by the vulnerability. The list, which is continuously updated, can be found here:

While many IT-security experts have posted a multitude of technical solutions and tips to mitigate the impact of the Log4J vulnerability, this by itself is not enough should disaster strike. Good IT-security is a tripod consisting of technical, organisational and legal preparations and safety measures. As such, it is important that your organisation has prepared for a data breach from all three of these angles.

Legal preparedness involves identifying how well your organisation complies with the requirements set forth in the GDPR and other legislation and, based on the results, designing a tailor-made action plan to tackle any identified gaps in your compliance. This could involve reviewing your existing policies, data processing agreements and/or your company’s routines. Good legal preparedness also involves developing and implementing a data breach policy that is well understood within your organisation. In short, a good data breach policy works as a preset plan that allows your organisation to efficiently identify, limit and where necessary notify appropriate entities such as your insurance company, data subjects and the applicable supervisory authority about the data breach. By staying legally prepared it is possible to mitigate or avoid unnecessary administrative fines, third party claims as well as reputational damages.

At Norelid Advokatbyrå, we are experts at helping our clients prepare and take appropriate measures for the legal implications before, during and after a data breach. As a way of helping other companies improve their IT-security from a legal perspective, we have made a number of checklists available at our Cyber Intelligence Corner. If you would like to know more about us and what we can assist your organisation with, you are of course more than welcome to contact our cyber specialist at info@norelidlaw.com.

You can find the above-mentioned checklists here:

/Norelid Cyber Desk

Published: 2021-12-17

We kick-off the autumn

Following the cessation of the restrictions, we launched the autumn’s first mini-event last week: GDPR – An introduction. The seminar, which we held on 29 September, was the first in our three-part series regarding the practical application of the GDPR. Naturally, it was a great experience to be able to host the first physical event in a long time and the seminar offered a lot of exciting questions and discussions. We have received good feedback following the seminar and it feels great that so many people appreciated the concept of the mini-events, where we offer both a lighter lunch and a one-hour seminar. In particular, it feels great to be able to organise such events once more since our purpose with these events is to share our experiences and our know-how and thereby hopefully help our participants’ organisations both in their proactive GDPR work and in preparing for the day when a data breach occurs.

The first seminar focused on questions concerning how the regulations are to be applied based on the particular organisation’s risk profile, how the different roles in the GDPR interact with each other and how it is possible to simplify one’s interpretation of the regulations by viewing them in light of the foundational principles of the GDPR. In order to make the seminar more interactive, participants were encouraged to connect to a mentimeter-test which also included a competition in seven parts.

If you are interested in attending one or both of the remaining mini-events: GDPR Proactive – The art of preparing (27 Oct, 12:00 to 1:15 pm) and GDPR Incident – When disaster strikes (24 Nov, 12:00 to 1:15 pm), do not hesitate to sign up here:

/Norelid Cyber Desk

Published: 2021-10-06

Welcome to Norelid Advokatbyrå’s Cyber Blog

We would like to welcome you to Norelid Advokatbyrå’s Cyber Blog where we are going to provide a lot of exciting updates regarding the dynamic cyber market and the activities of our Cyber Response Team. We will keep you up to date with relevant news and the latest trends, and we will of course share our Cyber Experts’ comments and thoughts regarding the latest happenings within cyber and data security.

Norelid Advokatbyrå has worked with our clients to provide legal assistance and recommendations regarding the GDPR and data privacy since long before the EU’s new General Data Protection Regulation entered into force in May of 2018. We have extensive experience and knowledge in the data protection/privacy practice area. We have built a full-service network with cyber security and IT experts, crisis management consultants and more, with local and international availability, which enables us to provide service of the highest level regarding incidents local to Sweden or with cross-border implications.

During the past few years, the demand for expert knowledge within GDPR, data protection and Cyber Risk has been high. Therefore, we decided a couple of years ago to put a lot of effort into this area, which turned out to be a great success. We have divided the practice area “GDPR and Data Protection” into two sections, GDPR Proactive and GDPR Incident.

Through our service GDPR Proactive we provide organisations with support and advice to minimise the risk of processing personal data in an incorrect way. We help our clients to be compliant with the applicable regulations by ensuring that the client always has access to the right documents, policies, contracts, and other relevant routines to meet the demands of the applicable regulations, manage the contacts with the client’s insurance company and in general manage the incident holistically under the circumstances in each individual case.

Through our service GDPR Incident we manage ongoing personal data breaches where we act as Incident Managers. As Incident Managers, we manage, coordinate, and facilitate the communication between all parties in the incident, draft such reports as are required by the Swedish Authority for Privacy Protection or other supervising authorities, manage any contacts with the affected client’s insurance company and take a holistic approach to the incident in general, considering the circumstances in each case.

To work in this practice area is not only exciting but also very gratifying as we are able to provide useful, concrete advice to our clients in an ever-changing environment. We would like to share our experiences with you as we believe that the best way for us to help client companies and others with their data protection and compliance is to share our knowledge and experience with as many people as possible. If you are interested in our work or in data protection in general, do not hesitate to follow us for more updates and tips and tricks that we hope will be useful for you and your organisation. Stay tuned!

/Norelid Cyber Desk

Published: 2021-09-13
