The Legal Update

What are the big concerns facing legal departments that are keeping GCs up at night? Morrison & Foerster’s Up At Night report offers some very interesting insights, examining the key themes and issues pressing on GCs’ minds. We take a look at some of the standout results from the study…

#1 GDPR and Other Global Regulatory Challenges

It’s the acronym that’s making every lawyer, regulator and business owner quake, but GDPR is part of a larger picture of global regulatory worries that GCs are facing. A fragmented regulatory environment on an international scale was identified in the study as one of the major causes for concern for legal departments, with 72% of respondents citing regulations and enforcement as a ‘very important’ challenge. The sheer pace of evolution of data security and privacy regulations can leave departments short of the time and resources needed to address the problem. Our advisory article on GDPR offers some tips on keeping departments on track to comply with the new regulations.

#2 Intellectual Property

Along with regulations and enforcement, intellectual property is the subject that has seen the biggest increase in the imbalance between the time spent on the issue and the level of importance it is deemed to have. Global regulations covering data privacy and intellectual property are themselves playing catch-up with the ever-evolving means by which we produce and share intellectual property, so it’s little wonder that GCs are fretting about how to apply current laws to new circumstances, and realising that they must keep up with new enforcement on the same level of budgets and resources. Drilling down further into the responses, 52% of GCs described enforcing IP rights and trademark/copyright infringement as their primary concerns in the realm of intellectual property.

#3 Budgets – Doing more with less

As a more general theme, budget and resource restrictions repeatedly come up as a major concern across all the issues highlighted in the study. From risk and crisis management to litigation, the worry for most GCs seems to be the availability of financial and team resources to dedicate to the issues. The needs of the business and the state of the regulatory environment are the primary drivers influencing changes in demand, as we can see below.

Graphic courtesy of Morrison Foerster/ALM

#4 Resource Crunch

To compound the problem of complex issues and stretched budgets, legal departments are also facing a resource crunch. Many GCs report that their departments simply do not have the finance, staffing and technology required to meet the challenges they face. One way to remedy staffing shortages is to increase legal outsourcing and work with legal services companies, such as Obelisk Support, who can provide temporary support for legal teams. Adopting legal technologies can also be an efficient way to speed up and automate repetitive low-skill processes, freeing up valuable lawyer time to deal with more complex issues. For regular updates on Legal Tech, Artificial Lawyer is a good place to start. One particular concern cited by respondents is the lack of resources to train staff for compliance purposes (see #1 GDPR). Companies will be under pressure to assess their budget priorities to tackle this issue.

#5 Organisational Misalignment

Possibly as a result of resource constraints, there is a suggestion that the time GCs spend addressing these concerns falls well short of the importance attached to them. It seems that departments have also yet to implement measures to ensure organisations avoid silos of information and procedural overlaps and clashes. With no improvement in the disparity between the Spring and Fall 2017 studies, the conclusion drawn is that legal departments are in danger of becoming overwhelmed, and have yet to find a solution. Reviewing internal processes to streamline them and avoid crossovers between departments is a time-consuming but necessary exercise from which GCs would greatly benefit.

Graphic courtesy of Morrison Foerster/ALM

#6 Privacy and Data Protection

As privacy and data protection become ever more pertinent in our daily lives, GCs face a whole range of new and evolving issues that can carry very real consequences in litigation, reputation and loss of trust. But it’s interesting to see exactly which privacy and data issues GCs are troubled by – and, more interestingly perhaps, the ones they appear to be prioritising less. The following shows the percentage of respondents who deemed concerns ‘not important’. That the lack of necessary technology is not a concern for many is somewhat surprising, considering the aforementioned concerns over technological resources, and that legal departments more generally are highlighted as being slow to adapt to new technological advances.

Graphic courtesy of Morrison Foerster/ALM

#7 Cyber Security Threats

Cyber security was the biggest and most specific concern under the theme of Risk and Crisis Management for GCs, accounting for nearly 60% of all the risk and crisis management concerns expressed by survey respondents. It is the issue that has seen the most rapid rise to the top of the priority list, so it is little wonder that participants cite resource restrictions as one of the main challenges they face in tackling cyber security threats.

#8 Outsourcing Work

Coming back to #4 Resource Crunch, strategic sourcing is a theme connected to resource constraints and the increasing complexity of the issues to be tackled. GCs are challenged by the need to source an ever-increasing variety of legal expertise in the most cost-effective manner. It appears that budget concerns are behind many of the decisions to outsource work to a supplier, as well as the need to bring in expertise that is lacking in the department. We predict that alternative service providers are going to become a bigger part of this picture in 2018 and beyond. North American trends also show that working with legal suppliers who value diversity, inclusion and other responsible business practices will soon be as important as negotiating their budget or scoping the work.

Graphic courtesy of Morrison Foerster/ALM

While some of these themes are familiar concerns for GCs, many sit on new and unfamiliar legal territory. Without the in-house resources available, GCs are going to need to become more agile in sourcing and making the most of available expertise.

The Legal Update

Obelisk Support consultant Alisha McKerron Heese provides some advice on how data processors can comply with upcoming GDPR legislation.

We are fast reaching the countdown phase for the General Data Protection Regulation (GDPR), which comes into effect in just over six months, on 25th May 2018.

Preparing for GDPR is a complex process which requires far more than merely updating your processing agreements and fulfilling your contractual obligations. While the regulation stipulates that certain provisions be inserted in processing agreements (art. 28(3)), it does not stop at that. For the first time, statutory data protection requirements (which previously applied only to data controllers) will place direct obligations on you as a processor as well. This enables data subjects to enforce their rights directly against you. Non-compliance is also more severely punished, through significantly heavier fines. To be precise, under the current law, the maximum fine the Information Commissioner can impose is £50,000. Under GDPR, however, that fine can be anything up to 4% of an organisation’s annual worldwide turnover, or €20,000,000, whichever is higher.

So, what are these new requirements and what steps should you take to ensure that you will be compliant from 25 May 2018?

#1 Review Existing Processing Agreements

Your processing agreements must be GDPR compliant. This means that you have agreed to:

  1. Process personal data only on documented instructions from your client
  2. Ensure that all of your employees who are authorised to process personal data have committed themselves to confidentiality
  3. Take appropriate security measures (see step 3 below)
  4. Engage sub-processors correctly (see step 6 below)
  5. Help your client(s) to respond to requests by data subjects who are exercising their rights
  6. Help your clients to meet their compliance obligations (relating to securing personal data, data breaches, data impact assessments, and consultations with the supervisory authority)
  7. At the choice of your client, delete or return personal data
  8. Allow for and contribute to audits conducted by your client.


#2 GDPR Compliance Accountability Procedures

You must determine whether you are required to maintain written records of categories of processing activities (art. 30). This requirement originates from the accountability principle (art. 5), a recurring theme throughout GDPR which puts the onus on you to be responsible for, and to demonstrate, compliance. Information which must be captured includes details of any other processors, your client’s details and those of Data Protection Officers (DPOs), categories of processing, details of transfers to third countries and a description of general technical and organisational security measures (art. 30(2)). These records must be provided to the supervisory authority on request.

If you employ 250 employees or fewer, you will be excluded from this requirement provided that the processing does not pose a risk to the rights and freedoms of individuals, is not more than occasional, and does not include special category data.

Note: Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data; data concerning health; and data concerning a natural person’s sex life or sexual orientation (art. 9(1)).

#3 Data Security

You must have appropriate security measures in place – referred to as appropriate technical and organisational measures (art. 32). If you are wondering what “appropriate technical and organisational measures” means, you are not the first. No definition is provided by the regulation, thereby putting the onus on you to decide. You must consider a variety of factors: the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature of the processing.

This requires you to have a comprehensive understanding of your systems and the type of data processed. While they can vary, appropriate measures include pseudonymisation and encryption of personal data. Regular testing of any security measures is also required where appropriate. This will enable you to detect any weaknesses and pick up any problems quickly, which is particularly important in the event of a breach.


#4 Data Breach Notification

You must be able to detect data breaches and notify the controller without undue delay upon becoming aware of a breach (art. 34). It may be in your interests to clarify in your processing agreement (if you have not already done so) when a delay would be undue, as this is not made clear in the regulation.


#5 Data Protection Officers

You must have a DPO if required, although you may appoint one even if not required. A DPO is required if you are a public authority, if your processing requires regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of large-scale processing of special categories of personal data. A DPO’s primary role is to independently advise you on compliance with the GDPR, and they are the contact point for data subjects and for the supervisory authority.


#6 Reviewing Use of Subcontractors

You must have prior specific or general written authorisation from your client if you enlist another processor or replace a sub-processor (art. 28(2)). You must reflect the same contractual obligations you have with your client in a contract with any sub-processor, and you remain liable to your client for the action or inaction of any sub-processor.

#7 International Transfers

You must ensure that you have appropriate safeguards for any transfers of personal data to a third country (in the absence of an adequacy decision) and that the data subjects have enforceable rights in that country with respect to the data. This is your decision to make, and it is independent of any instructions from your client with regard to data processing.


Making your processing agreement GDPR compliant is just the start. The steps outlined above are by no means an exhaustive list, but should hopefully assist you in your journey to becoming GDPR compliant. Not long to go before the clock stops ticking!

The Legal Update

The Attic recently caught up with Catie Sheret, Senior Vice President, Associate General Counsel and Chief Privacy Officer at Pearson to discuss the new GDPR regulation.

1. What is GDPR?

GDPR stands for the General Data Protection Regulation. It’s a new European regulation adopted two years ago that will take effect on May 25, 2018. It replaces the current directive and is designed to harmonise data protection rules with minimal deviations in the way they’re applied in each country. Compared to the current legislation it has increased extra-territorial effects, meaning entities that are selling/supplying services to European Union (EU) data subjects are subject to these rules, even if they are not paid-for products or services, and even if the controller is neither in the EU nor processes the data in the EU.

Overall, GDPR doesn’t introduce a massive amount of change from the current legislation, but it is a huge talking point due to the following:

  • Sanctions: Failure to comply can result in potentially huge fines – up to €20M or 4% of a company’s worldwide turnover.
  • Accountability: Responsibility is transferred from the data subjects trying to enforce their rights to the company having to demonstrate that it complies with the legislation.
  • Breach notification requirement: This doesn’t currently exist in many EU countries. You need to be ready to deal with data security breaches very quickly. With recent high-profile breaches and the reputational backlash, there’s a lot of sensitivity around that, and boards are really taking notice.

2. What is GDPR compliance and what are its implications?

A description frequently used is that this regulation is “an evolution, not a revolution.” Robust data protection laws exist now but the risk of fines and requirement for accountability are factors that are really changing the way people think about them. This means a stronger focus on bringing organisations into compliance with the legislation, and for some this involves working to bring compliance first with current laws, then the additional requirements of GDPR.

As far as accountability is concerned, there are a number of aspects to consider. A key one for us is compiling our ‘records of processing’. There are varied views on what this requires, ranging from very detailed data inventories to something more high level. In brief, you need to record what personal data you have, where it came from, how long you’ve had it and where you’re keeping it, what you plan to do with it, where the risks and protections around it are, and what level of international transfers are going on. For a large global organisation like Pearson that’s a complex picture. It’s even further complicated by the fact we are often acting as a data processor for our customers rather than a data controller. But once this is done, it really helps support lots of other activities required by GDPR, such as managing user rights, conducting risk assessments and implementing privacy by design.

3. What does GDPR mean for a legal team like yours?

We are 150 globally in the legal team, including about 70 lawyers as well as other legal professionals, administrative staff and paralegals. For us, GDPR is an area we need to stay on top of, since data privacy is identified as one of our key risks. More broadly, data privacy is an area we take very seriously. We take our responsibility to protect our customers’ and learners’ data extremely seriously and have systems, processes and staff devoted to implementing such security controls, and verifying data protection, across our business.

In recognition of the importance of data privacy for us, in 2014 we hired an expert data privacy lawyer who set up our Data Privacy Office as part of the legal team. Pretty quickly, the team grew to six people who are all privacy professionals or lawyers, based in the U.S. and the U.K. We also get interim people to help as needed, such as a dedicated resource at the moment around programme development.

Fortunately, there’s a lot of overlap between what’s needed for the global privacy programme and what we need to do to comply with GDPR, so the whole team works closely together, though they do have some specific areas of focus. Increasingly, global regulations are coming into line with EU regulations. Our UK team is very focused on GDPR and though there might be nuances in some countries, we aim to achieve the same high standards outside of Europe. In practice, some country-specific regulations add complexity and make it challenging for us to take a global approach.

As sometimes happens in law, it can be tricky to know how to deal with different concepts in different countries. Take reliance on consent and legitimate interest under GDPR. That concept (‘legitimate interest’) is not widely understood nor part of the law outside Europe. Colleagues or clients in the U.S. have no idea what that means. And if we’re trying to come up with a global privacy notice that works universally, it can take some work to get the wording right. Lawyers are good at playing with language!

4. How do you keep up with market practice?

We are in a strong position as we have this dedicated team but compliance and awareness needs to extend beyond our team to the whole organisation – I’ll talk more later on about Awareness Week and other ways we address this. Our lawyers are bombarded by webinar invitations by various law firms and other suppliers, and a lot of our legal team staff attend webinars and in-person data protection training sessions because it’s useful to hear the information in a different format sometimes. It’s helpful for all of us to hear about market practices, both internal and external, and from there we can build targeted training that’s relevant to our lawyers. For example, one area we’re focused on is training in how to manage subject access requests which may get more numerous. Commercial lawyers handling contracts also need to be aware of the new requirements in both customer and supplier contracts, and it is helpful to understand how other organisations are approaching this – so we’re watching what approach large suppliers like Google, Salesforce and others are taking.

To get to know about market practices, LinkedIn is incredibly useful. You can find some very knowledgeable professionals regularly blogging, suggesting others’ material and being very quick to post updated regulatory guidance such as that coming from the EU regulators’ advisory body known as the Article 29 Working Party (WP29) (soon to be known as the European Data Protection Board (EDPB)). I try to follow and connect with lawyers and privacy professionals who understand more than the theory, who also know what to do in practice. And what is just as useful is seeing knowledgeable professionals challenge the views of others; it can really help highlight common misunderstandings with what is a complex regulation. GDPR is an area where you have to be very careful about misinformation. The Information Commissioner’s Office (ICO) has a blog series dedicated to busting GDPR myths and their GDPR page for organisations is very helpful. Professionals need to learn to navigate between what’s right and the distortions.

5. What is your timeline in rolling out GDPR processes?

Our data privacy office started working on our GDPR programme around two and a half years ago, so when I started working on GDPR a year ago, there was already a plan in place. Obviously it is constantly evolving. Recently, an external consultancy came to conduct an in-depth analysis of our GDPR readiness and they gave us a plan on points that need to be improved, such as refining our privacy impact assessment process and updating our incident response plan. As well as acting swiftly on these suggestions, we are in the process of getting our supplier contracts ready and looking to see how we should update our customer contracts to comply with GDPR.

Breach readiness will be a big area of focus for the next six months and for this we are working closely with the information security team. This includes lining up credit check organisations and eDiscovery vendors, so we are prepared should the worst case arise. In case of an emergency, you don’t want to spend 2 weeks lining up external support to deal with your situation. The turnaround time on breach notification will be 72 hours which is incredibly short when you take into account how difficult it can be to determine exactly what has happened.

6. What are the main challenges facing legal teams?

One of the main challenges relates to grey areas, aspects of the regulation that are still without consensus. For example, the notion of consent: the ICO (UK regulator) published some draft guidance on the new requirements relating to consent in March 2017, but it is still not finalised, and organisations still don’t know when to expect it as the ICO is waiting for the WP29 to publish theirs first. Other areas on which final guidance is still awaited are contracts between controllers and data processors, children’s data, and accountability, including documentation. We have had to go ahead with our preparations without the benefit of this given the size of the task for a large organisation like ours, and may need to make changes if our chosen approach needs refining once the guidance comes out. And that’s another key challenge – addressing a compliance challenge which requires the whole organisation to engage and be aware, not just the Legal and Information Security teams.

I do recognise we are fortunate to have dedicated resources for this project – this might represent a daunting task for a smaller organisation with a small legal team without specific privacy expertise. In that case, a risk-based approach is the only practical way to approach this. Again, there are plenty of useful resources out there.

7. How do you ensure that GDPR processes are followed at every level in the company?

A combination of bottom-up and top-down involvement seems to me to be the best way to approach this. It’s important to have a good governance structure to formalise this support, which also helps meet the accountability requirement in showing how compliance is driven. In our case, this takes the form of an executive committee, a steering committee of senior leaders from every business unit across the organisation, and a champions network of 80+ from all countries, office and business teams to help us with day-to-day engagement throughout Pearson.

We also organise an Awareness Week every year during which the mandatory annual training is issued. We hold webinars, local in-person training, run quizzes and post blogs, stories and guidance on our intranet. Our CEO and other executives filmed a short introductory video to underline the message that this is of vital importance to the company. We really try to present the concepts in very human and personal ways. For instance, we recently ran a story about a colleague who had been the victim of identity theft, and the impacts it has had on her life. That got a really good response. Hopefully that helps people understand why it’s so important to do everything we can to protect the personal data that is entrusted to us.

8. What resources would you recommend to a legal team about to roll out GDPR?

In terms of resources I’d recommend:

  • ICO website – GDPR for organisations is here. It has useful guidance on compliance activities like the 12 steps to take to prepare, and a readiness checklist, plus more in-depth materials on things like data privacy impact assessments and marketing guidance.
  • Isle of Man data protection commissioner has some really good practical easy-to-follow tools and information.
  • Many law firms provide great materials, but I particularly like Fieldfisher’s Privacy Law Blog and Hunton & Williams Privacy Law Blog (one of the most global sources of information).
  • Good industry bodies to get involved with are the IAPP, Future of Privacy Forum and the Data Protection Network, though there are many others.

We are very grateful to Catie Sheret for sharing her GDPR implementation expertise in such detail and for providing additional resources to help fellow lawyers get on the right GDPR track.