In our last GDPR-related post, our in-house legal expert and General Counsel Julian Palmer took ecommerce marketers through everything they should know ahead of the EU’s upcoming regulation.
Fast-forward two months and Julian is back, this time talking about ten things retailers should bear in mind when choosing, and working with, a GDPR lawyer.
From the sort of legal firms to seek out to the services you can expect, here’s what he suggests.
1) Do you have the right specialist?
GDPR is one of the most complicated and far-reaching pieces of legislation to have emerged from EU Parliament, and Brexit will no doubt add further complexity—both in terms of a new Data Protection Act and cross-border data transfer provisions along the lines of the US Privacy Shield.
Because of this, you should be looking for firms that have been dealing with data protection for years (and not necessarily go to your usual solicitors).
2) Agreeing the scope of work
The scope of work you ask your lawyer to undertake can be difficult to determine (especially if you’re not even sure what it is that you have to do), but bear in mind that the main role of a solicitor is to give you advice and draft documentation, not necessarily to advise you on the processes that you should follow.
Only you and your colleagues fully understand your business and how personal data flows between your customers, you and your processors. Whilst a lawyer can describe what a ‘data impact assessment’ is, only you will have the knowledge needed to undertake that assessment. It is also worth looking for help from IT specialists in privacy (have a look for a member of the IAPP).
With that in mind, you need to suss out what it is that you want your lawyer to help you with. I suggest you (or a colleague!) read one or two of the following GDPR guides, each written by some of the leading data protection practitioners today (there are others):
3) Likely scope for marketing & order processing
Most retailers are struggling with the question of whether or not they need to obtain ‘new’ consent from their existing customer database.
It all depends on how the customer was onboarded.
To enable your lawyer to help you in this area, segment your customers by:
- the method used to onboard them (as shown in the left hand column below)
- the information surrounding that method (right hand column)
Present your lawyer with the documents in the right-hand column in order to:
- check your terms and conditions for compliance
- have your privacy statement reviewed
- amend your sign-up wording
Let’s focus on the second point above: reviewing your privacy statement.
Since customers must actively give informed consent—no more soft opt-in, people!—you will need to describe the processing of data in your privacy statements. That means understanding:
- how data is processed, from first contact to deletion
- what data is necessary for the processing
- what data is passed on to third party platforms (couriers, Ometria, etc)
- who has access to your data (including your accountants, IT support, etc)
- whether you have dedicated servers or are cloud based
- whether data is transferred to non-EEA countries, and, if so, which ones
Take note: Your privacy statement (whether it’s written, recorded or animated) must be understandable to your target audience. Lawyers have a style of language of their own (which is perfectly understandable to other lawyers, but tends to confuse others).
4) Likely scope when using sub-processors
Just about every business uses a sub-processor to deliver part of a service or support their business; for example: a courier that processes your deliveries, outsourced payroll, and accountants that have access to staff details.
GDPR requires specific terms to be agreed with your sub-processors, and many of them (e.g. Ometria, Amazon Web Service and Microsoft) are issuing new terms to all of their customers to cover the terms of the regulation.
We recommend putting together a list of sub-processors, and checking each off as you receive their new GDPR processing terms. This will leave you with a handful of parties that you might have to ask your lawyer to help with drafting terms.
If you find that a sub-processor has unusual processes or transfers its data outside of the EEA to a country that has weak data protection laws, you should consider either changing supplier, insisting the supplier implements more rigorous protections, or bringing such weaknesses to the attention of your customers in your privacy statement.
5) Likely scope as an employer
GDPR is as applicable to staff as it is to customers.
After all, personal information is being held by you on each member of staff: be that name, address, national insurance numbers, health records, grievance and disciplinary records etc.
Without going into the complexities of GDPR in detail here, you need to implement policies for:
- what data you will hold
- for what purpose the data is needed
- how long you will need it for
We know data minimisation and limitation is important to the customer-facing side of the business, but—for this point—I’m going to focus on why you might need to discuss these issues with your lawyer or employment law consultants too.
Let’s say you need a new Head of Ecommerce. You choose to seek potential candidates via a recruitment agency, as well as direct marketing. In this scenario, you would need to consider:
- whether, as a sub-processor, the recruitment agency’s terms and conditions satisfy the GDPR obligations on controllers and sub-processors to agree certain core terms
6) Agreeing hourly rates
Let’s be clear: lawyers are expensive.
The overheads of running a solicitors’ practice are high in terms of costs, regulation and compliance, and access to knowledge (continuing professional development is expensive, practitioner books and journals cost hundreds of pounds and practice software costs a few thousand per user).
Solicitors will usually charge an hourly rate or a fixed fee. Good practice management requires solicitors to record their time, so that the partners understand how much work is being done by each solicitor and how much each fee earner is bringing in. Most fee earners are expected to bill 5.5 hours a day. The pressure to bill, in my view, causes fee earners to over-record their time (and so over-charge).
If you agree an hourly rate, restrict the work to the estimates. For example, if the engagement letter estimates it will take five to eight hours to write your privacy policies, then ask for a limit of four hours and see what has been done at that stage by asking for the time recording.
7) Is fixed fee a better option?
Now, it might take as much as a whole day to write a policy statement. This will provide time …
- to see you initially
- to open a file and issue T&Cs
- to identify your company, directors and majority shareholders for anti-money laundering and regulatory obligations
- to undertake the drafting itself
- for advising you on that drafting and perhaps making further changes and advising you on those further changes
- for invoicing your company
- to close and archive the file
- for emails, letters, phone calls and file notes from start to finish
An alternative to an ongoing hourly fee is a fixed fee. Fixed fees do not necessarily mean that you pay less than hourly fees, but I suggest you look at achieving a fixed fee for all narrowly scoped work.
Solicitors are obliged to give you a fair indication of fees at the outset; this may be an estimate. Don’t ask for a fixed fee straight away as you will have no real feel for how long the work actually takes.
Once you have an estimate, you might talk about capping the fee or having a fixed fee, recognising that there will be a bit of give and take: if the work can be done in less time, the solicitor makes more profit. Your skill is to make it worthwhile for the solicitor to take on your work while limiting your costs exposure.
8) Use this line of argument to drive down fees
Have a read of the below dialogue to see how you can curb fees. (N.b. You should play this out slowly, only once you have an idea of the fees the firm are thinking of charging.)
You: ‘You are a specialist solicitor practising in GDPR?’
You: ‘So, you must draft privacy statements all the time?’
Solicitor: ‘All clients have differing needs.’
You: ‘True, but all policies substantially follow the same framework.’
Solicitor: ‘To a certain extent, yes.’
You: ‘So, in fact, the drafting does not take a great deal of time as it is pretty formulaic based on a precedent.’
You: ‘So why can you not do that for a fixed fee of (say) £300 and have a separate fixed fee for looking at my company and providing company-specific advice on GDPR?’
9) Consider using disruptors
The legal profession is highly competitive. As such you should think about two things:
- Remotely working with solicitors: If Bob is a specialist solicitor/partner working in London and Kate is equally a GDPR specialist working in Liverpool then it generally follows that Kate’s fees will be cheaper because the practice costs are cheaper and the market in Liverpool will not sustain the higher charges of London. For instance, Bob’s charge out rate may be £400 - £600 per hour, whereas Kate’s is likely to be closer to £250 - £450.
- Use unbundled legal service providers: These companies provide template documents for many of the most common issues—including website terms, GDPR policies, employment handbooks. A great deal of time goes into producing these precedents, but the rewards can be huge for the firm if they are selling such forms in volume. The guidance that goes with the forms is written with the layperson in mind. The principal issue is that you are not receiving legal advice, so you have to decide what is best for you. Some firms bolt on legal advice and will review your drafting. This can be a good compromise because you are doing a lot of the leg work, leaving the lawyer to do the checking.
But the use of disruptors will not be appropriate for all retailers. If you run a multi-national company, you may find that like-for-like solicitors are hard to find outside of the capital, but if your business is not so complex, shop around the country.
Equally, from a risk perspective, you may consider that there is considerable value in paying a solicitor to handle the work, because your time is far more valuable doing the things that you are especially good at in retail, and because if the solicitor gets it wrong your company may have a claim against which the solicitor carries professional indemnity insurance.
10) Don’t wait until May to engage your lawyers
The best lawyers are already very busy with GDPR, and they will only get busier closer to May. Now is the time to engage your legal team.
You do not have to accept the first firm that you contact. In fact, it is better to meet a few, get a feel for them and, if needed, ask for references in the area of privacy and data protection, then agree the scope of the work and a fee structure along with turnaround times. You must also give UX/UI enough time to change the design of your site.
In summary, then, we recommend arming yourself with one of the many excellent guides written by the top legal practices in the EU, then shopping around to find the most experienced advisor for your size of business, looking to work with him or her on providing you with appropriate advice and documentation for the best value you can negotiate.