Special focus data privacy: Spend wisely
Data privacy is an area shrouded in uncertainty, so it is vital that clients don’t go for the cheap option when looking for legal advisers.
Data privacy is a hot topic as clients grapple with new European data regulations. However, the fact that the Spanish authorities have not adapted the local legal framework to the new rules means there is a climate of uncertainty. Consequently, plagued by doubts, businesses are adopting an over-cautious approach to marketing and this could be damaging their business. Given that data privacy is such a complex issue, lawyers say clients should pay for the best advisers available rather than going for the cheap option. Meanwhile, law firms also recognise that demand for legal services in this area means it is imperative they invest in the appropriate technological and human resources.
Opportunity for law firms
The entry into force of the European Union’s General Data Protection Regulation (GDPR) in May 2018 is driving rapidly increasing demand for services related to data privacy, and this is an issue that is impacting on all sectors. One of the key requirements of the regulation concerns the duty to appoint a data protection officer – this duty applies to public authorities and public bodies, as well as companies that carry out certain types of data processing activities. Bartolomé Martín, counsel at CMS Albiñana & Suárez de Lezo, says this is one of the biggest opportunities for law firms at present. “The GDPR allows for the outsourcing of the data protection officer role,” he explains. “For law firms, this is an opportunity to take on a significant role within the company, which in turn opens up the possibility to cross-sell other services.”
Awareness of the importance of data privacy, as well as the potential risks of any breach, has grown among all clients, not only those that are required to appoint a data protection officer, according to Alejandro Padín, counsel at Garrigues. “There is enormous concern due to the potential fines outlined in the GDPR for privacy infringements, and we have seen a significant increase in demand from companies of all sizes and industries,” he says.
Meanwhile, data protection principles such as ‘privacy by design’ are increasingly applied across all aspects of businesses in all industry sectors, from healthcare to energy and financial services. Leticia López-Lapuente, counsel at Uría Menéndez, says privacy by design involves the integration of data protection principles throughout the “life cycle of data management technology” from design to implementation. She adds: “In practice, this means that data privacy has to be considered in all the processes of a business, from human resources to compliance and marketing – legal advice for each agreement or transaction is likely to require data privacy analysis.”
Given that data privacy is an issue that affects all areas of business, demand for related legal services is increasing significantly, says Martín. “Data privacy experts will have to become involved in the earliest stages of almost any project, product or service which a company intends to develop,” he explains.
In addition to concerns surrounding compliance with the new regulations and the ubiquitous nature of data privacy issues, there are other factors driving the growth in law firms’ data privacy practices. According to Lupe Sampedro, partner at Bird and Bird, one of these is the realisation that the data clients handle has enormous commercial potential.
“Companies are increasingly aware of the value of the data that they manage,” she explains. “For example, the personalisation of services – which is especially significant in relation to the life sciences and healthcare industries – entails the processing of huge amounts of personal data. This is one of the areas where law firms will find the greatest opportunities when it comes to data protection advice.”
Strategic advice needed
Clients are still in the process of tapping into the potential of personal data, both as a tool to increase business and as an asset that can be sold to third parties, says Martín. “Companies are still discovering the added value that personal data can bring, not just in terms of improving their own forecasting techniques, but also as a source of income either by the sale of raw data or the results of its treatment.”
López-Lapuente says there has been an increase in awareness of the strategic importance of data: “During the last few months, we have noticed how particular decisions regarding data privacy have become strategic for companies – companies realise that decisions concerning client relationship management, marketing actions or the retention periods for clients’ personal data are crucial for the business and, as a result, advice regarding data privacy has more added value.” This has significant implications for law firms, adds López-Lapuente. “The more strategic that data privacy advice becomes for clients, the more business-oriented our advice must be,” she remarks.
Another challenge for law firms advising on data privacy matters is the lack of precedents, which creates uncertainty for clients, says Martín. “Data privacy regulations are still relatively new, and the lack of jurisprudence and previous sanctions allows for different interpretations of the same precept,” he explains. “This generates a certain lack of security for companies, which is not easy for lawyers to resolve.”
According to Martín, clients expect legal advisers to give them legal advice that provides benefit to their business. “What clients demand from lawyers is more akin to the role of strategic consultants, which is a challenge for the profession,” he says.
López-Lapuente agrees that the uncertainty that surrounds the issue of data privacy is causing concern for both clients and lawyers. “A significant challenge is the lack of security due to the fact that the local legal framework is not yet adapted to the new European regulations, although this is expected to happen in the near future,” she says. “The fact that the Spanish Data Protection Agency has not yet issued resolutions or reports on certain rules that are new in the GDPR makes it harder for firms to anticipate its criteria for sanctions and graduating fines under the GDPR.”
As a result of this uncertainty, clients sometimes act in an over-cautious manner, conducting unnecessary checks or requesting permission for marketing campaigns when it is not necessary, which can have a negative impact on their business. “One of the most frequent mistakes clients make is failing to identify the appropriate legal basis that applies to the treatment of data,” says Martín. “Due to the lack of knowledge or the fear of potential sanctions, clients request permission when it is not necessary.” Martín adds that this results in unnecessary limits being put on marketing activity, and also carries further associated risks: “An over-cautious approach can have the opposite effect of what’s intended, as providing irrelevant information to the interested party can delegitimise the treatment of data.”
Don’t choose on price
According to Padín, it is now more important than ever that clients devote sufficient resources to data privacy, and also appoint advisers who have in-depth expertise, even if this may not seem the most cost-effective option. “The biggest mistake clients make is to choose an adviser based only on pricing considerations,” he says. “Data privacy is a highly complex area of the law, and there is much more to privacy compliance than paperwork – extremely cheap offers won’t fulfil the comprehensive needs clients face.” Sampedro says it is also important that law firms invest appropriately in resources for this area of practice. “Data privacy is inevitably linked to technology,” she says. “Having technical resources, as well as human resources with the appropriate technical knowledge, has become essential for law firms that advise on data privacy.”