Most in-house lawyers have a broad remit of responsibilities. That results in the demanding challenge of having to deal with a plethora of seemingly ever-increasing legislative and regulatory changes while performing broad legal functions. In practice this means they don’t have time to dig deep into specialist areas of law and all their implications – they can’t (and usually don’t want to) ‘do it all’.
Data protection is a growing challenge
In 2018, the coming into effect of the General Data Protection Regulation was one of the most significant legislative and regulatory changes to have been introduced in the UK for many years. Having the time (and perhaps inclination) to fully get to grips with the GDPR in order to fully understand and appreciate its impact was a serious challenge for every in-house lawyer.
That challenge has become greater – as a result of Brexit there are now two GDPRs:
- The GDPR that exists at the moment will continue to apply to the EU Member States. This will be known – in the UK – as the “EU GDPR”.
- In the UK, a new “UK GDPR” will come into force, which will effectively mirror the EU GDPR in almost all respects, except for some minor tweaks to make it UK specific.
This means that:
- UK-based businesses will need to comply with the UK GDPR
- UK-based businesses that offer goods or services to, or monitor the behaviour of, individuals in the EEA will, in addition, need to comply with the EU GDPR
- EEA-based businesses will need to comply with the EU GDPR
- EEA-based businesses that offer goods or services to individuals in the UK or that monitor those individuals’ behaviour will, in addition, need to comply with the UK GDPR
- All businesses that are not UK or EEA based, that offer goods or services to, or monitor the behaviour of, individuals in the UK and EEA will need to comply with both the UK GDPR and the EU GDPR
In addition to the GDPRs, there are of course other data protection laws, in particular the ePrivacy Directive (in the UK the Privacy and Electronic Communications Regulations (PECR)). These laws will continue post-Brexit, but at some point, the EU will introduce a new law – the ePrivacy Regulation. When that eventually arrives (it has been much delayed), it will not apply to the UK. This means that, as and when that happens, there are likely to be significant differences between the respective ‘cookie laws’ and the rules re email marketing between the UK and the EU.
Can you meet that challenge?
Every organisation needs to ask if its in-house lawyers:
- Are able to keep fully up to date with changes to UK data protection law?
- Have the time to work out whether the UK or EU GDPR applies in any given situation?
- Can monitor developments in the EU re the ePrivacy Regulation?
How norm. supports in-house legal teams
Our specialist data protection team, led by a UK qualified solicitor, fulfils the vital role of supporting in-house lawyers in navigating the ever-changing and increasingly complex data protection landscape.
We begin by carrying out an analysis of your current data-processing activities with a view to introducing, if required, a privacy accountability framework, to help ensure that your business fully complies with data protection legislation – and demonstrate your compliance.
That’s because the ICO, your business partners and your customers need to see that you are managing personal data risks, so that you can secure their trust and confidence. This can enhance your reputation and give you a competitive edge, helping your business to thrive and grow.
We also carry out a ‘horizon scanning’ exercise, relating to possible further data protection-related legal and regulatory developments, to help your in-house lawyers identify emerging issues and support business decision-making.
Leadership and oversight
One of the principles of data protection is accountability and a fundamental building block of accountability is strong leadership and oversight. This is something we can help with, usually by being appointed as your DPO.
Data protection as a solution, not a problem
Often, within a business, seeking support or approval from the legal team is viewed as a hurdle to be overcome. We understand that there is a balance to be struck and that legal input has to be positive, creative and enabling. In practice this means helping you to understand how you should use the GDPR to your advantage.
For example, if your business is considering developing a new product or service, the early involvement of data protection specialists is vital. This will enable you to design a product or service from the outset with data protection and privacy considerations in mind, and to meet the requirements of the GDPR.
A solution that’s tried and tested
What’s clear is that the advice of data protection specialists, who are pragmatic, business-minded and able to cope with legal uncertainty, IS worth it.
But don’t take our word for it – we already provide this service to an international confectionery maker and a London-based wealth management firm, both of which have in-house lawyers. Our service enables them to focus on what they are best at – building trusted relationships with their customers and growing the business in a sustainable way.
Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber, Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.