THE LEGAL 500 > EVENTS > Colombia Roundtable
On the morning of Pope Francisco’s arrival in Colombia - and as Bogotá went into security lockdown - The Legal 500 and sponsor firm Posse Herrera Ruiz held a breakfast round-table on cyber security and data protection. With attendees from a range of industries for which data is their business, such as Microsoft and Hewlett Packard Enterprise; via information-sensitive businesses such as insurance, with representatives from AIG, Liberty Mutual, Allianz Colombia and health insurer Banmedica, to financials (GM Financial), pharmaceuticals (Roche), engineering (Siemens; El Condor), retail (Productos Ramo) and services ranging from Promigas to DirecTV, we were fortunate to count upon a spectrum of participants with differing concerns and perspectives on the subjects in question. Not to mention representatives of the so-called disruptor industries –such as Uber- the very business models of which are reliant upon tech-driven data utilities.
The point of departure was, necessarily, that of Colombia’s current data protection legislation: the principal relevant statutes being 2012's Law 1581 and 2013's Decree 1377 which cover 'data processing' (ie use, storage, transmission and transferral) by both private and public entities. Arguably most difficulties have arisen form the issue of consent (stemming from the latter decree) and by the requirement (since November 2015) that data bases be registered with the Superintendence of Industry & Commerce. While the period available to reach compliance regarding data base registry has recently been extended, strong anecdotal evidence pointed to the fact that companies are already coming under significant regulatory and administrative pressure (with the concomitant risk of considerable financial penalties). Indeed, the issue of administrative relations, governmental mishandling of data and/or of public regulators overstepping the mark in terms of data seizure, proved to be a recurrent theme.
If the scenario regarding ‘hard data’ is relatively straight forward in law (if undoubtedly complex and potentially expensive to put into practice and maintain), the issues around ‘soft’ –and commercially sensitive– data are even more tricky: the limits, for example, of precisely when knowledge generated by commercial client / external legal-service-provider relations is covered by legal privilege is far from clear. As of yet, consideration of such matters would appear to remain largely beyond the remit of Colombian commercial entities’ data protection priorities. Just two days after our discussion, however, news of the massive hack at credit agency Equifax served to remind everyone of the immediacy of the (ever increasing) threat of data loss (and the associated reputational damage), and the inescapability of the issue as a key aspect of a general counsel’s role; as one attendee reiterated: today, all businesses are information businesses.
The Legal 500 and Posse Herrera Ruiz would like to thank all the attendees for their fascinating and forthright comments and interventions; and in addition I would like to note our thanks to Posse Herrera Ruiz, without whom this event would not have been possible.