Data Protection and Cybersecurity
Cybercrime is a major threat to critical infrastructure, businesses and individuals. Governments in the EU and Norway are responding with increasingly strict regulations. Companies specialising in cybersecurity are countering the threat by developing complex technological solutions to provide stronger protection for their clients. As a result, cybersecurity and data protection have become areas where complex legal issues intersect with equally complex technology, and where mistakes can have serious consequences for both operations and reputation.
At Arntzen Grette, we help businesses understand, implement and document compliance in a regulatory landscape that is continually expanding and becoming more demanding. We have particular experience with regulations such as the General Data Protection Regulation (GDPR), NIS2 and DORA, and we combine legal expertise with technological and commercial insight. We also advise on cybersecurity and information security as part of corporate governance, risk management and regulatory expectations.
We work closely with data protection officers, management teams and technology functions on matters involving international data transfers, compliance frameworks, information security and regulatory processes. In particular, we support businesses at the intersection of technology, data protection and business-critical processes, whether relating to digital platforms, acquisitions, group structures or regulatory interventions.
Selected references include:
- Bufdir and Bufetat: Advising on a complex data protection project over a two-year period, relating to the processing of sensitive personal data concerning vulnerable groups.
- Critical infrastructure and energy supply: Assisting organisations operating critical infrastructure in connection with investigations following major personal data breaches. The work has included interviews, document reviews, governance assessments, contributions to external investigation reports, and the establishment of enhanced data protection and security procedures.
- Finance and international financial services: Advising leading financial institutions on the local implementation of global data protection frameworks, including Binding Corporate Rules (BCRs), HR and screening processes, national requirements relating to consent and transparency mechanisms, and the implementation of data protection measures within multinational IT and HR platforms.
- KYC and AI-driven financial technology: Assisting providers of AI-based KYC and compliance solutions with GDPR implementation, documentation including DPIAs, TIAs, LIAs and DPAs, management of transfers to third countries, and ongoing data protection advice.
- FinTech, digital payments and financial infrastructure: Advising providers of payment, invoicing and financial infrastructure services on DORA-related matters, including the negotiation of Financial Services Annexes, regulatory adaptations, and technical and legal assessments of ICT and cybersecurity requirements.