As the adage goes, hindsight is 20/20. But when it comes to regulatory remediation, hindsight isn’t always good enough – a clear view of the road ahead helps you stay on track and on schedule.
With the EU Commission’s deadline for implementing updated Standard Contractual Clauses (SCCs) nearly upon us, there’s no time to spare for unforeseen roadblocks. This season, Factor’s podcast – Code Reg – is dedicated to Schrems II/GDPR related remediation. In episode four, our experienced internal practitioners reflect on their involvement with a few organizations handling Schrems II/GDPR remediation.
In this recap of Code Reg episode four, we:
While episode three of Code Reg focused heavily on preparing for future regulatory change, episode four begins with a look in the opposite direction – the past.
To illustrate the strengths and weaknesses of different approaches, we retroactively explore the efforts of a few (anonymous) clients to see where they were successful and where missteps occurred.
One client came to Factor with a clear picture of their vendor relationships and contract data. This enabled them to take a pointed approach to the regulatory remediation project.
“They were able to be very pointed in having a list of suppliers that they basically said, ‘look, we can't handle the outreach internally, we don't have enough bandwidth. We don't have a technology solution. So, can you help us?’ And in that case, the answer is always yes.”
- Karl Dorwart
Armed with clear direction, Factor quickly built a team to start questionnaire outreach, which enabled all downstream remediation activities. But despite their preparation, it became clear that this client had misjudged the volume of vendors that would require remediation. What’s more, interactions with the business made it clear that additional parties would need to be added.
“There's always going to be some shift and flux ... But where this client came to us, they had their playbook already in place to enable the negotiations, they had their form of questionnaire, they had the SCCs already in a translated form ... it was more of us following marching orders, which is certainly easy for us to do.”
- Karl Dorwart
While this client’s preparation allowed them to take a pointed approach, it still required some pivoting once the project began. And of course, this approach requires a handle on the scope of the outreach, which is only possible through good contract hygiene.
Another client – who lacked the visibility to simply give “marching orders” – opted to set themselves up for success with a robust planning phase ahead of the remediation project itself.
“We engaged in a lengthy and aligned consulting engagement that allowed us to get good visibility into how the client was structured from a contract perspective … And that really set us up as a result to be very pointed in the next phase.”
- Karl Dorwart
These planning efforts not only provided clarity around the scope and number of counterparties necessary for outreach, but also helped define priorities.
“What I took from that project is the importance of the pre-planning ... we created a process to help them guide themselves in identifying those priorities, in terms of which contracts to look to first based upon the likelihood of risk to the organization.”
- David Shaw
While this “project before the project” made remediation efforts smoother, its impact transcends regulatory compliance.
“That upfront planning for this client and aligning with the efforts that were already being taken internally will enable, not only regulatory compliance efforts, but also just good business practices.”
- Karl Dorwart
Several clients began their Schrems II/GDPR remediation projects early in the year; they had time on their side, so they started out with a great deal of optimism – but not with clear project ownership.
“Without proper project management in place, it[’s] just ‘let's throw some bodies at the problem and let them work it out.’ [These clients] ran into consistent challenges with internally understanding who had ownership of some of these vendor relationships, who understood where the contracts were, where the details were around processors and controllers.”
- Coque Dion
This lack of project management and oversight chipped away at the optimism instilled by that early start and caused morale to falter.
“Several months were lost just in those early stages with a group of smart people, ready to do the work, but frankly really frustrated and sort of handcuffed, unable to go and effectively progress the project's objectives ... this led to turnover and some frustration on the teams.”
- Coque Dion
Taking our review of a few clients’ efforts into account, themes begin to emerge. It’s clear that a healthy dose of curiosity about how comprehensive the accessible data is, a pre-planning phase, and project management and oversight throughout the process are key to success.
On the other hand, diving in without a plan and simply “throwing bodies at the problem” is a recipe for slow progress, confusion and general discontentment.
Fortunately, these hallmarks of successful remediation projects can all be managed by investing energy in just one: the planning phase. Proper planning helps uncover relevant internal stakeholders, defines priorities and objectives, clarifies scope and creates a documented roadmap, among other things.
“[Pre-planning] aligns the stakeholders internally, it ensures that you have all the right information in front of you. And it allows everybody to align on the steps that come thereafter from an internal capacity perspective, but also from a budget perspective.”
- Karl Dorwart
And of course, with the December 27th deadline to implement the updated SCCs right around the corner, organizations need to be cognizant of how they can defend their strategy should they fail to reach full compliance on time.
“You need to have a properly documented plan ... so that if a firm is faced with some sort of regulatory inquiry from a data privacy supervisory authority, you've got a good story to tell ... it's a common theme when you're facing any kind of regulatory remediation project: planning, planning, planning and good documentation.”
- David Shaw
So, a robust planning phase can ultimately make all the difference when it comes to Schrems II/GDPR related remediation – and when it comes to other outreach projects, too.
“That upfront investment is going to better prepare you for all types of outreach projects – not just Schrems or regulatory related remediation projects, but any type of project … the pre-planning is as critical, if not more critical, than the actual execution of the project.”
- Karl Dorwart
For more Schrems II/GDPR related insights, subscribe to Code Reg wherever you get your podcasts.