Following its adoption in April 2016, the General Data Protection Regulation, known as “GDPR”, became an instant phenomenon for a significant part of European corporations, and especially a nightmare for the business public.
The actual content of this legal regulation has garnered a significant level of attention, generating a myriad of articles. Let us have a look at the GDPR from a fresh perspective.More than a year has gone by since the GDPR was adopted and many large companies and financial institutions have already started preparing for its effective date to implement their compliance. It is becoming increasingly more evident that in addition to new rights and obligations for businesses, the GDPR also brings a specific opportunity for legal advisors to break free from traditional memoranda and theoretical analyses to prove that even legal services can be innovative. There have been numerous comments that the panic caused by the adoption of the GDPR is unnecessarily excessive and that many obligations imposed by the GDPR already apply. On the other hand, it is no secret that many companies have previously failed to pay sufficient attention to these matters. In this respect, the GDPR brings one of the most important changes; high fines. Corporations now have a longer road to compliance in an effort to avoid breaching the set conditions, resulting in a heavy monetary burden.
Prepare for Hundreds of Adjustments of Processes and System
Multiply this fact by the GDPR’s scope, and the panic no longer looks so unsubstantiated. What makes the GDPR specific is the fact that the personal data processing it regulates affects the vast majority of corporate processes, from product development, to supply chain management, to human resources. All of these processes are often subject to other regulations as well (especially sector ones – AML, consumer protection, finance sector regulations), which complicate the implementation of change requirements. Personal data is simply found everywhere, as well as being stored in most systems and other IT equipment that corporations utilize. The GDPR places new demands on these systems, which can often lead to the creation of new applications or other solutions. It is not said in vain that the GDPR is the lawyers’ revenge on the IT sphere. In addition, one of the essential topics from the GDPR perspective is the security of personal data, the breaches of which constitute the data protection breaches subject to the highest and most frequent fines by the Personal Data Protection Authority in recent years, as indicated by Deloitte Legal’s statistics.
Hundreds of required adjustments of processes and systems can appear within one client when the corporation is used as a personal data controller. The preparation The GDPR as a Test of Innovativeness for Legal Services Legal news – July 2017 3 New Rules on Offence Proceedings Come into Effect in a Few Days The GDPR as a Test of Innovativeness for Legal Services and implementation of these requirements is significantly time consuming and financially demanding. It is evident that it is not in the power of any legal advisor to successfully prepare their client’s GDPR compliant regime on their own without the help of experts in each client’s processes, analytics and IT specializations. The client needs a quick and efficient solution in order to process the requirements before the regulation is imposed, on its own and through its other suppliers.
Lawyers Alone are Not Enough
We know from our own practical experience with comprehensive GDPR projects that the traditional theoretical memoranda, or at least the general analyses of possible impacts prepared by law offices, are not sufficiently concrete for the employees of the client’s and suppliers’ individual departments to be able to prepare the specific requirements for implementation. These purely legal reports do not adequately represent the technical (including security) and procedural side of the implementation required – legal advisors are not trained to map every circumstance of personal data processing for their clients. Such mapping can take trained specialists hundreds of hours, which most law offices lack. In addition, the mapping of such services is not legal in nature.
The procedural mapping is then conducted internally by the clients trained personnel, or by a contracted specialist from another external advisory company. When contracting, the client must invest further funds in educating the advisor on the client’s activities and the capacities of its own employees to ensure cooperation with these external advisors as they get to know the system. In an instance where the legal advisor can offer an educated advisor with sufficient knowledge of the client’s processes and systems, this legal output is likely to fail due to the recommended solution being unfeasible, too costly or undoable in the required time frame. Legal advisory is unable to address and comprehend many of these non-legal aspects. It is therefore necessary to come up with a way of adapting legal advisory to the client’s specific needs during complex legal changes that have such an extensive impact on the client as the GDPR does and additionally require significant knowledge of technologies and security norms. When dealing with the GDPR reform, the key to survival is precisely the innovativeness and flexibility of legal advisors.
Synergy of Legal and Specialised Advisory is the Core of Success
Deloitte Legal offers its clients several alternative solutions. All of these alternatives Legal news – July 2017 4 New Rules on Offence Proceedings Come into Effect in a Few Days The GDPR as a Test of Innovativeness for Legal Services are based on the key cooperation between legal advisors specialising in personal data protection and experts from Deloitte Advisory. These experts specialise in business analysis, security, IT advisory and project management. Thanks to their joint efforts, the client receives comprehensive advisory as a result of the work of a multidisciplinary team of experts. Our team takes advantage both of a deep knowledge of the law and knowledge of the client’s business, the standards in the field, technological possibilities and the security context. This may result in detailed and specified requirements and recommendations that are completely tailored to fit the client’s business activities. Additionally, Deloitte offers the client’s management group and employees with a comprehensible and approachable advisory team. The recommendations and change requirements given by the Deloitte advisory team take into account non-legal aspects, such as financial cost-intensiveness of the implementation compared to the risks the client faces in the event of non-implementation, while at the same time guaranteeing the compliance of the proposed solutions with the new legislation.
The client receives a unique benefit between the synergy of legal and expert advisory, allowing them to easily integrate new obligations set by the GDPR, e.g. the inclusion of personal data impact assessment in change management processes. Or preparing for modifying the wording of documents and the process of concluding contracts with employees and customers (or other data subjects) in a way that meets the GDPR requirements for the granting of consent with personal data processing. Furthermore, we can help define security demands on the client’s marketing or other service providers which are given access to personal data, or define instructions for IT providers to adjust specific systems so that the client is able to satisfy a data subject’s right to access their personal data, and many other aspects.
DPO: Save Your Capacities Deloitte Legal cooperates with security professionals within its own network on the “DPO as a Service” project, which is unique in the area of legal services and enables the outsourcing of the services provided by these professionals as Data Protection Officers. The quality of this service is substantially supported by regular consultations with the legal advisors of our law office. Clients will thus save expenses for their own capacities and may once again profit from the combination of legal certainty and a business-friendly approach.
Bringing these benefits to clients is where Deloitte Legal sees the long-term future of successful provisions of legal services, thanks to the added value for the client and Legal news – July 2017 5 New Rules on Offence Proceedings Come into Effect in a Few Days The GDPR as a Test of Innovativeness for Legal Services the increasing demand for modern-type services, as Jan Spáčil, the Managing Partner of Ambruz & Dark Deloitte Legal, already mentioned in the 2016 issue of the Inovativní právník magazine.
Jaroslava Kračúnová firstname.lastname@example.org
Martina Heřmanová email@example.com
GDPR in facts