In-house lawyers expect to play a greater role in cybersecurity over the next 12 months as organisations brace themselves for the arrival of a tough data protection regime.

The European General Data Protection Regulation comes into force on 25 May, placing new duties on organisations that process personal information.

According to the Association of Corporate Counsel’s latest cybersecurity survey, 67% of in-house counsel expect their department’s role in cybersecurity to increase, compared with 55% who envisaged greater responsibilities in 2015.

Four in 10 say they are in a leadership role at organisational level regarding cybersecurity. A third of lawyers have a departmental leadership role; 25% are part of a team designated with cybersecurity responsibilities.

At present, 37% of in-house counsel brief the board of directors on cybersecurity on an ad-hoc basis; 22% brief their bosses quarterly. The association says this is double the percentage who reported quarterly briefings in 2015, when 11% briefed directors more regularly or frequently.

Four in 10 respondents work for companies that must be GDPR-compliant. The regime will require firms to make a notification of a breach within 72 hours of discovering it. In-house lawyers are likely to be involved in the process of identifying what happened, how, what was affected, who was responsible and what data was leaked. However, when asked if the respondent’s company had determined how it will meet the 72-hour requirement, 37% said they had not done so.