Data Protection is one of Nestor Nestor Diculescu Kingston Petersen’s hottest practices. Partner and Head of Data Protection Iurie Cojocaru explores the roots, the shifts, and the drivers behind this work, and looks to the practice’s future trajectory.
CEELM: Please give our readers a bit of context regarding your Data Protection practice.
Cojocaru: The realm of data protection gained significant prominence with the introduction of the GDPR. Before this milestone, fines were relatively modest and did not raise a lot of concerns for companies with substantial turnovers. The paradigm shifted dramatically with the introduction of the GDPR when potential fines surged to a staggering EUR 20 million or 4% of the global annual turnover. This marked a turning point, prompting a surge in compliance efforts across numerous sectors. While we did see some initially high fines, they have tapered off over time. However, it's noteworthy that the Romanian Data Protection Authority continues to levy fines at a consistent rate – sometimes two or three per week – and data is publicly accessible. Beyond the monetary impact, the reputational consequences can be profound, particularly for entities like banks and insurance companies.
CEELM: And what kind of work are you currently looking at? How have mandates evolved?
Cojocaru: NNDKP's Data Protection practice, established in 2008, has undergone a noticeable evolution. Initially centered around compliance with data protection regulations, mandates have evolved into more intricate and specific projects. Nowadays, clients approach us with tools, apps, and projects, seeking our expertise on their data protection implications. This transformation is largely attributable to the emergence of high-tech software and tools, which weren't fully considered when the GDPR was introduced.
CEELM: And what would you say are the main drivers for Data Protection work?
Cojocaru: Our data protection mandates can be classified based on urgency and frequency. As for the main areas, first and foremost, there are critical situations where clients are grappling with substantial problems – such as data breaches – necessitating a swift resolution to comply with the 72-hour authority notification window.
Second, individuals’ complaints or requests for actions like data deletion or objections to processing are quite common, and they are time-sensitive as well.
Third, clients frequently approach us with innovative tools or apps, seeking guidance on their data protection compliance.
Then, there are companies focused on ongoing compliance and annual audits to stay current with the evolving regulations. Additionally, we offer data protection officer (DPO) services for companies required to appoint one under the GDPR. Apart from this – and this is increasingly rare – we occasionally assist companies that have yet to fully address their compliance issues.
CEELM: How do you see the work evolving over the next 12 months?
Cojocaru: The Romanian Data Protection Authority has been more active, issuing more sanctions in recent months. This uptick may lead to more litigation, particularly for high fines, where companies might contest and seek reductions. Furthermore, a stronger awareness among individuals and consumers about their data protection rights is expected. This may result in more inquiries, requests, and potential complaints. As such, we'll also need to play an educational role for our clients, helping them prepare friendly, timely, and compliant responses to all requests. Finally, some upcoming legislation such as the AI Regulation and e-Privacy Regulation are poised to shape the data protection landscape for years to come.
CEELM: What about your own team? How are you preparing for these developments?
Cojocaru: Our team is expanding to meet the growing demands of the data protection landscape. However, the challenge lies in the lack of dedicated data protection programs in law schools. Therefore, we often have to train graduates from scratch. Practical knowledge in more technical areas like AI, biometric data, and cookies is highly important, as it enables us to provide actionable advice to clients. This expertise is where we add significant value, as it bridges the gap between theoretical knowledge and its application in specific cases.