How to Meet The 2022 GDPR Deadline Without Increasing Your Costs or Lowering Your Standards
February 2022
By Susan Jacobson
Three steps to seamlessly select and engage your SCC legal team now
“You don’t have to know everything. You just have to know where to find it.” -- Albert Einstein
Here’s what we know: The privacy regulatory landscape continues to evolve, but the deadlines to meet those changes are fixed and quickly approaching.
Over the summer, the European Commission published its much anticipated Implementing Decision adopting new standard contractual clauses (SCCs) for the transfer of personal data to third countries. The new SCCs are designed to comply with the General Data Protection Regulation (GDPR) and take into account the Schrems II judgment of the Court of Justice of the European Union. As part of the regulatory mandate, previously executed SCCs must be replaced with new SCCs by December 27, 2022. That means all relevant, existing agreements must be updated, and depending on the enterprise, those agreements can number into the hundreds or thousands.
But, if you’re reading this article, you probably already know that.
You also know that failing to comply with these new deadlines is costly. Since GDPR took effect in May 2018, we’ve seen over 900 fines issued across the European Economic Area (EEA) and the U.K. These fines have ramped up significantly in recent months. The sum total of GDPR fines in Q3 2021 reached over a billion dollars — 20 times greater than the totals for Q1 and Q2 2021 combined. The companies that have incurred the biggest fines are some of the biggest names in business: Amazon (€746 million/$877 million), WhatsApp (€225 million/$255 million), Google Ireland (€90 million/$102 million), Facebook (€60 million/$68 million).
Of course, you don’t have to be a widely recognized name to be fined (see: Bulgaria’s National Review Agency, Italian grocery delivery service Foodinho, Spanish financial services company Caixabank, and Swedish healthcare provider Capio St. Goran). The list goes on and on (and on and on). While the financial implications of the fines are significant, so too is the reputational damage done to companies who are perceived as playing too loose with consumer data and being ineffective guardians of customer privacy.
You also likely know that the volume of agreements and an impending December deadline mean that impacted companies must immediately begin to identify and engage the appropriate resources and expertise in order to comply on time and avoid hefty fines.
The bottom line is: you know you need SCC compliance help. But as Albert Einstein noted, the real question is where to find that help. For companies needing privacy regulatory guidance, it’s not a lack of options that’s the problem, it’s the abundance of them.
The Price and Process Problems when Partnering with a Law Firm:
You can’t blink without missing a headline about some law firm’s new privacy partner, or another law firm’s growing privacy practice. But just because you can find privacy expertise in a law firm doesn’t mean a law firm is the right solution for complying with upcoming GDPR SCC deadlines. Why?
First, Big Law means big rates. Firms have always been an expensive option for accessing legal talent. The price is only increasing: Law.com recently reported that many law firms are planning to raise rates by 5-10% in 2022, with some anticipating even greater increases, on top of similar rate increases from the prior year. Big Law’s escalating rates may be warranted for bet-the-company work or litigation, but for compliance-related matters where there are other, more cost-efficient and equally competent in-house or alternative options, the price just isn’t justified.
Second, law firms are inherently external providers. They’re not designed to offer pragmatic solutions or work in tandem with in-house experts, and don’t possess the commercial acumen of an internal team.
And finally, there’s a new dynamic at play. The Great Resignation has hit law firms hard. Even if in-house leaders are willing to tolerate a lack of pragmatism and stomach price increases, there are still no assurances they can find law firms with an available bench of experts to handle SCC-related work. According to the same Law.com report, “law firms just don’t have enough folks to go around and pick up all of the commercial and compliance work that’s floating around… because everyone is looking to hire the same people.”
The Permanency and Talent Market Issues Associated with In-House Teams and Hires:
Whether thanks to the evolving regulatory landscape or continued emerging pandemic-related risks, privacy lawyers have never been in greater demand. The hot talent market has significant hiring implications.
Because demand for in-house privacy attorneys has outstripped supply, it’s taking much longer to find these specialized lawyers. Once found, it’s also taking longer to fill open seats. According to studies, it typically takes over six weeks to fill an open legal position, and 11 weeks to fill one at the managerial level. Given the war for talent, qualified privacy candidates fielding multiple offers are extending the negotiating process by weeks or months beyond what’s typical. Even once an offer is accepted, legal leaders need to consider the time it will take to accommodate a notice period at the candidate’s current employer.
Then there’s the actual cost of the hire. Over the past few years, industry dynamics have shifted toward bringing more work in-house in an attempt to save money and mitigate expensive Big Law fees. But the legal industry is seeing a record number of open positions (Leopard Solutions tracked nearly 12,000 open legal positions during 2021 — a record high since the firm began monitoring in 2006). Given the number of open positions, in-house recruiters vying for those specialties most in demand (like privacy) must now compete with law firms for talent, particularly at the associate level where firms have been aggressively increasing compensation. In-house legal leaders must, therefore, contend with the bonuses, perks, counteroffers, and accelerated promotion schedules law firms are offering talented privacy associates in an attempt to retain them.
But even if the legal department can find and retain privacy lawyers, GDPR compliance is likely not the best use of their time or talent. In-house privacy attorneys’ work should be aligned with the strategic goals of the company and the emergent privacy risks which require critical institutional expertise and novel judgment. (Ensuring internal privacy lawyers are given the most complex matters will also pay retention dividends during the war for talent.)
Finally, few in-house departments have the number of in-seat privacy lawyers and legal professionals it will take to address SCC compliance, and investing in permanent headcount for what is a temporary project is inefficient, at best.
Legal Judgement/Expertise Concerns with Legal Process Outsourcers or Managed Service Providers:
While automation may aid some portion of the repapering work, much of the SCC-specific heavy lifting will involve the kind of negotiation that requires legal judgment and nuanced expertise. SCC matters may not count as bet-the-company litigation, but they should not be dismissed as low-complexity process or repapering work, either. And choosing the cheapest option, like an LPO or managed service provider for work that requires judgment, may, in fact, prove more costly in the long run - as fines for non-compliance or renegotiating mistakes can run into the millions.
The right option is a provider who can apply privacy expertise, scale, and flexibility to SCC and GDPR compliance, enabling legal departments to meet the upcoming deadline while reducing unnecessary costs.
Enter Axiom:
Axiom’s structured team approach to SCC GDPR updates enables companies to engage a coordinated team of flexible privacy lawyers and legal professionals, led by an experienced manager. The team will review and update contracts as efficiently and cost-effectively as possible, streamlining communication and work allocation through a client privacy contact and Axiom privacy professionals while providing clients with the option of technology-driven metrics and reporting to track progress against goals.
Elements of a typical SCC structured team engagement include creating a project plan and progress tracker, determining a strategy for SCC modules, execution against project plan including counterparty negotiation, and escalation support.
Why Axiom?
Experienced privacy and regulatory compliance lawyers: Axiom's network of 5,800 lawyers includes attorneys with extensive privacy experience at leading law firms, enhanced by in-house experience, that can be assembled into a winning team
- Over 850 lawyers with AmLaw 200 or Magic Circle experience
- Over 1,400 lawyers with F500 experience
- Over 850 graduates from US News & World Report Top 50 Schools
- 200+ privacy engagements in 2019 and 2020; Axiom teams currently support multiple SCC update projects
Talent management: Solve pressing SCC compliance updates without having to turn to your law firm, divert in-house resources, or manage the process
- Unique insights mined from 20+ years of experience building teams of 3 to 50 lawyers
- Experienced team leaders, capable of managing SCC compliance projects end-to-end
- Performance management and feedback, with configurable onboarding, regular check-ins, and end-of-engagement management, reducing your administrative burden
Leverage best practices and technology: Allows you to better monitor resource allocation and optimize your results
- Comprehensive playbooks include detailed templates for navigating the lifecycle of SCC compliance scenarios
- Leading technology partners who ensure an efficient remote work environment and resource optimization
- Detailed reporting and insight into work being performed, allowing for data-driven decision-making
Three Steps to Immediately and Seamlessly Engage Your SCC Legal Team:
- Step 1: Click here to review available privacy lawyers: Review pre-vetted lawyers and legal professionals for detailed lawyer biographies including rates, specific privacy expertise, industry experience, and/or geographic needs.
- Step 2: Customize your team: Easily search our network of active privacy lawyers and legal professionals.
- Step 3: Reach out to Axiom: Contact us to start a discussion about your specific needs and to build your customized team.
Susan Jacobson serves as Senior Client Advisor for Axiom. She was formerly General Counsel at Paylocity and Deputy General Counsel of Cardinal Health.