There are two types of in-house lawyers. Firstly, there are in-house lawyers with a large budget, whose main role is to manage outside counsel and advise the board. Secondly, there are in-house lawyers with a small budget, whose role tends to involve frantically running around trying to close deals and answering any vaguely legal or compliance-related query that comes their way.
Both types of lawyers have a dual function. Not only do they have the duty to support the business to ensure it makes money, but at the same time they need to keep the company out of trouble. The reality is that in-house lawyers are generally asked to prioritise revenue. This means that there is proportionately less time for compliance. Also, if the General Counsel requests more headcount, a request for a deal lawyer is much more likely to be successful than a request for a compliance lawyer.
Getting compliance done can, therefore, be a little tricky. What an in-house lawyer needs is a time-saving, cost-effective way of getting the compliance job done properly whilst at the same time servicing the other needs of the business.
This article is designed to give in-house lawyers who may be searching for a solution a few useful pointers.
GDPR compliance isn’t done by lawyers
Mention the word ‘compliance’ and everyone looks to the lawyer. However, in data protection compliance, the lawyer rarely has the answer. The Data Protection Act and the GDPR both give organisations great scope to come up with their own answers, so there is little for a lawyer to point to when asked a question. A lawyer doesn’t know what “appropriate” security (the GDPR’s own word for the technical and organisational measures it requires) looks like for a particular organisation’s systems and data. A lawyer is unlikely to know the minutiae of online targeting of consumers using cookies and other unique identifiers. And a lawyer will not know how long the HR department needs to keep the records of unsuccessful job candidates.
To answer all these questions requires a cross-functional team, suitably empowered by the board, to establish a data protection compliance programme and carry out that programme, recording their progress as they go along.
People who don’t care make mistakes
Individuals increasingly care about their personal data in their personal lives. They certainly don’t want their medical details or dating profiles distributed freely. However, those same individuals probably don’t appreciate the important role they play at work in protecting the personal information of the people whose data they handle.
If you train your staff properly, you should make them care. If they care, they are more likely to ask questions before sharing personal information with someone they shouldn’t. If they don’t mistakenly share information, you may have saved your organisation from an embarrassing and costly trip to the regulator. The Privacy Compliance Hub includes a training element designed to make your people care.
Risk management with a business advantage
Make everyone on the board happy. Complying with the GDPR is not all about risk management – it is also about business opportunity. Trusted companies are successful companies. Be transparent by informing your customers what you do with their data. Build products which enable customers to manage their data. Treat customers’ personal information with respect and those customers will reward your organisation with their business.
Outside counsel aren’t the answer (although they may be able to help)
Sometimes getting expensive outside counsel to do a job is the right call – big litigation, large-scale M&A and competition/antitrust spring to mind. Data protection is not a job for outside counsel. They are too expensive and can’t always get the job done properly in any event. Often, all they can do is ask you a number of questions, point to where you are going wrong and then charge you an awful lot of money to try to fix the problems. They will then leave.
What you need is a long term solution that empowers you and your business to take responsibility for embedding data protection compliance within your organisation. If there is a particularly tricky area of law where you need help then, by all means, ask outside counsel, but you may find that you will get the answer you need from the regulator itself.
What you should not do is allow that one tricky question to stop your organisation taking all the useful compliance steps it can take by itself. All you need is help on where to start. Having guidance for your compliance journey that includes all the required tools and templates is what you need. That is where our Hub can help. The Hub also provides you with the means to demonstrate your organisation’s GDPR compliance to anyone you wish, including your customers and regulators.
The Privacy Compliance Hub
The Privacy Compliance Hub was developed by two former senior Google in-house lawyers, Nigel Jones and Karima Noren. Drawing on that experience, they built the product they know they would have wanted when they were still in-house lawyers. It is aimed at making the business responsible for building and maintaining compliance, not just the lawyers. The lawyers can’t do compliance on their own. They need a cross-departmental team to support them in embedding GDPR compliance within an organisation so that risk is managed in the most effective, time-efficient and cost-effective way.
If you would like to chat (lawyer to lawyer!) about how The Privacy Compliance Hub could help your organisation, feel free to get in touch with Karima or Nigel via the website, or to arrange a free demo.