As data privacy laws continue to evolve almost yearly, it’s imperative for legal practitioners to keep up with the mountains of legal documents that must be repapered to remain compliant. Recently, the EU updated its data privacy regulations on the heels of the Schrems II decision, requiring that companies, yet again, update the standard contractual clauses (SCCs) in their executed agreements with the new pre-approved language before December 27, 2022. If this is not your first rodeo, you know this is just another in a long line of data privacy projects with more on the horizon.
Considering that Fortune 1000 companies are governed by tens of thousands of active contracts, haven’t you asked yourself if there was a better way to respond to the shape-shifting nature of these ever-changing laws?
Contracts in any form, from sales agreements to data privacy, are living, breathing documents subject to change by superseding agreements, active status, or other terms buried inside the contract text. Yet, despite the advances in today’s technology, legal teams must still (shockingly) revert to imperfect and unsustainable processes that can’t respond quickly or accurately to the dynamic nature of business. We think the problem has been solved with CLMs or AI, but if the technology is built on legacy thinking, we are just operationalizing and amplifying the effects of a flawed process.
There is no better example than data privacy remediation projects. With every new law that emerges, we are compelled to throw ourselves back into the flurry of rinse, repeat, and recycle when all we have to do to stem this eternal cycle of madness is to stop the madness. The best way to tame “data privacy chaos” is by employing a new set of best practices that will simplify compliance and enable full-scale contract management across your entire portfolio — not just when the next data privacy project emerges.
Thinking Long Term
Enterprises naturally focus their time on new agreements and create new policies and playbooks that ensure standards are replicated systematically each time a new contract is created. Meanwhile, executed agreements — the backbone of the contract management lifecycle — remain untapped as a rich resource of data and analytics. When the EU’s directive first came out in June 2021, it required companies to update their templates with the new SCC language within three months. Why? Because updating templates is the easier part. The real struggle is:
- Identifying which contracts contain the old SCC language – a challenge when 80% of companies can’t locate even the most current versions of their contracts.
- Re-negotiating with counterparties, which we found happens 25-35% of the time and causes significant delays of up to 12 weeks.
- Proving ongoing compliance — a process that requires repeating the same steps if an audit isn’t performed soon after you’ve completed the remediation project.
For this directive, the EU gave companies 18 months to comply. Why? Because scoping, negotiating, and maintaining a system of record are the most difficult, time-intensive, and costly parts of the remediation process. However, it doesn’t have to be that way anymore.
This Way or That Way…
If legal teams shift their approach, they could experience a 30-40% reduction in data privacy costs on each project with proper scoping and cut costs by one-third for future data privacy projects, all while adding long-term value across the business at the same time.
There are two ways to tackle data privacy compliance — the controllership approach or the agile approach. One way uses a familiar methodology that leverages front-end controls and processes typically found in CLMs, making step one of the SCC data remediation relatively simple. The other approach solves your 18-month challenge by creating a virtuous circle of contract management that benefits both new and executed agreements for your entire contract portfolio.