In our last GDPR-related post, our in-house legal expert and General Counsel Julian Palmer took ecommerce marketers through everything they should know ahead of the EU’s upcoming regulation.
Fast-forward two months and Julian is back—this time talking about ten things retailers should bear in mind when choosing, and working with, a GDPR lawyer.
From the sort of legal firms to seek out to the services you can expect, here’s what he suggests.
P.S. We’ve written a no-nonsense guide to GDPR for retail marketers—you can download it by clicking here.
GDPR is one of the most complicated and far-reaching pieces of legislation to have emerged from EU Parliament, and Brexit will no doubt add further complexity—both in terms of a new Data Protection Act and cross-border data transfer provisions along the lines of the US Privacy Shield.
Because of this, you should be looking for firms that have been dealing with data protection for years (and not necessarily go to your usual solicitors).
The scope of work you ask your lawyer to undertake can be difficult to determine (especially if you’re not even sure what it is that you have to do), but bear in mind that the main role of a solicitor is to give you advice and draft documentation—not necessarily to advise you on the processes that you should follow.
Only you and your colleagues fully understand your business and how personal data flows between your customers, you and your processors. Whilst a lawyer can describe what a ‘data impact assessment’ is, only you will have the knowledge needed to undertake that assessment. It is also worth looking for help from IT specialists in privacy (have a look for a member of the IAPP).
With that in mind, you need to suss out what it is that you want your lawyer to help you with. I suggest you (or a colleague!) read one or two of the following GDPR guides, each written by some of the leading data protection practitioners today (there are others):
Most retailers are struggling with the question of whether or not they need to obtain ‘new’ consent from their existing customer database.
It all depends on how the customer was onboarded.
To enable your lawyer to help you in this area, segment your customers by:
Present your lawyer with the documents in the right-hand column in order to:
Let’s focus on the second point above: reviewing your privacy statement.
Since customers must actively give informed consent—no more soft opt-in, people!—you will need to describe the processing of data in your privacy statements. That means you need to understand:
… And then conveying all that to your lawyer.
Take note: Your privacy statement (whether it’s written, recorded or animated) must be understandable to your target audience. Lawyers have a style of language of their own (which is perfectly understandable to other lawyers, but tends to confuse others).
Just about every business uses a sub-processor to deliver part of a service or support their business; for example: a courier that processes your deliveries, outsourced payroll, and accountants that have access to staff details.
GDPR requires specific terms to be agreed with your sub-processors, and many of them (e.g. Ometria, Amazon Web Services and Microsoft) are issuing new terms to all of their customers to cover the requirements of the regulation.
We recommend putting together a list of sub-processors, and checking each off as you receive their new GDPR processing terms. This will leave you with a handful of parties that you might have to ask your lawyer to help with drafting terms.
If you find that a sub-processor has unusual processes or transfers its data outside of the EEA to a country that has weak data protection laws, you should consider either changing supplier, insisting the supplier implements more rigorous protections, or bringing such weaknesses to the attention of your customers in your privacy statement.
GDPR is as applicable to staff as it is to customers.
After all, personal information is being held by you on each member of staff: be that name, address, national insurance numbers, health records, grievance and disciplinary records etc.
Without going into the complexities of GDPR in detail here, you need to implement policies for:
We know data minimisation and limitation is important to the customer-facing side of the business, but—for this point—I’m going to focus on why you might need to discuss these issues with your lawyer or employment law consultants too.
Let’s say you need a new Head of Ecommerce. You choose to seek potential candidates via a recruitment agency, as well as direct marketing. In this scenario, you would need to consider:
Let’s be clear: lawyers are expensive.
The overheads of running a solicitors’ practice are high in terms of costs, regulation and compliance, and access to knowledge (continuing professional development is expensive, practitioner books and journals cost hundreds of pounds, and practice software costs a few thousand per user).
Solicitors will usually charge an hourly rate or a fixed fee. Good practice management requires solicitors to record their time, so that the partners understand how much work is being done by each solicitor and how much each fee earner is bringing in. Most fee earners are expected to bill 5.5 hours a day. The pressure to bill, in my view, causes fee earners to over-record their time (and so over-charge).
If you agree an hourly rate, restrict the work to the estimate. For example, if the engagement letter estimates it will take five to eight hours to write your privacy policies, then ask for a limit of four hours and see what has been done at that stage by asking for the time recording.
Now, it might take as much as a whole day to write a policy statement. This will provide time …
An alternative to an ongoing hourly fee is a fixed fee. Fixed fees do not necessarily mean that you pay less than hourly fees, but I suggest you look at achieving a fixed fee for all narrowly scoped work.
Solicitors are obliged to give you a fair indication of fees at the outset; this may be an estimate. Don’t ask for a fixed fee straight away as you will have no real feel for how long the work actually takes.
Once you have an estimate, you might talk about capping the fee or having a fixed fee, recognising that there will be a bit of give and take, and that if the work can be done in less time, the solicitor makes more profit. Your skill is to make it worthwhile for the solicitor to take on your work while limiting your cost exposure.
Have a read of the dialogue below to see how you can curb fees. (N.B. You should play this out slowly, and only once you have an idea of the fees the firm is thinking of charging.)
You: ‘You are a specialist solicitor practising in GDPR?’
You: ‘So, you must draft privacy statements all the time?’
Solicitor: ‘All clients have differing needs.’
You: ‘True, but all policies substantially follow the same framework.’
Solicitor: ‘To a certain extent, yes.’
You: ‘So, in fact, the drafting does not take a great deal of time as it is pretty formulaic based on a precedent.’
You: ‘So why can you not do that for a fixed fee of (say) £300 and have a separate fixed fee for looking at my company and providing company-specific advice on GDPR?’
The legal profession is highly competitive. As such, you should think about two things:
But the use of disrupters will not be appropriate for all retailers. If you run a multi-national company, you may find that like-for-like solicitors are hard to find outside of the capital; but if your business is not so complex, shop around the country.
Equally, from a risk perspective, you may consider that there is considerable value in paying a solicitor to handle the work: your time is far more valuable doing the things that you are especially good at in retail, and if the solicitor gets it wrong, your company may have a claim against which the solicitor carries professional indemnity insurance.
The best lawyers are already very busy with GDPR, and they will only get busier closer to May. Now is the time to engage your legal team.
You do not have to accept the first firm that you contact. In fact, it is better to meet a few, get a feel for them and, if needed, ask for references in the area of privacy and data protection, then agree the scope of the work and a fee structure along with turnaround times. You must also give UX/UI enough time to change the design of your site.
In summary, then, we recommend arming yourself with one of the many excellent guides written by the top legal practices in the EU, then shopping around to find the most experienced advisor for your size of business, and looking to work with him or her on providing you with appropriate advice and documentation for the best value you can negotiate.