Schrems II wasn’t the first privacy ruling to place new, confusing burdens on organizations – it’s not likely to be the last. As organizations address Schrems II-related remediation projects, it’s important to think about what’s on the horizon and how current remediation efforts can be leveraged for the future.
With the EU Commission’s deadline for implementing updated Standard Contractual Clauses looming, it can be hard to focus on anything beyond the present. Factor is here to help with Code Reg: our podcast dedicated to regulatory remediation programs. This season is all about Schrems II/GDPR-related remediation; in episode three, our experienced internal practitioners move their discussion into the future and provide insights on how contract hygiene can help you prepare for future regulatory change.
In this recap of Code Reg episode three, we:
Throughout this season of Code Reg, our hosts have frequently referenced the importance of contract hygiene. But what exactly does that mean?
“It’s really a couple of things … one thing that comes to mind is how you’re doing your contracts. What are your processes, what types of workflows? But what we really want to focus on here is around the actual data, and how you're setting that data up once the contracts are executed, along with where.”
- Karl Dorwart
The question of where contracts are going plays a more important role in contract hygiene than you might imagine.
“Is [the contract] going into a repository? … A repository, while good at storing things, is not necessarily great at … retrieving information. So, what happens is, you have lots of stuff dumped into it, you find out that you need to mine data (for instance, in response to a regulatory change that requires some type of repapering, or insight into your contracts to set up your remediation strategy). And you go into your repository, and it doesn't have great file structure or folder structure. What results is that you end up creating a project within a project.”
- Karl Dorwart
Organizations who focus on contract hygiene ensure that they’re positioned for success beyond the current project.
“They're looking at the cleanliness of the data, the ability to recall that data out of their system, the ability to potentially transfer that data from their system.”
- Karl Dorwart
Essentially, contract hygiene is an interconnected concept that should be considered before there’s a need to mine data.
“When you talk about a system or repository for contracts, and the whole concept of contract hygiene, you’re not just talking about storing the piece of paper that's in digitized form, but you're talking about kind of forward thinking about the types of data elements that exist within a contract, and perhaps maintaining that information in a readily available format, in some form of database that can be retrieved in response to regulatory change.”
- David Shaw
So, although data cleanliness is an important part of contract hygiene, it’s not the only component to consider.
A vital complement to data cleanliness is a consideration of processes.
“When we talk about contract hygiene, and we talk about CLM (contract lifecycle management), it's not just the data ... it's all the processes that are involved.”
- Karl Dorwart
Though a CLM tool can support contract hygiene by facilitating data cleanliness, internal processes are what make these tools effective.
“Technology is an enabler. It doesn't solve an issue. You've got to look at the process for post execution obligation management, if you are looking at … a new CLM, how are you setting up the metadata fields to (hopefully) automatically capture those data points or those data elements that we're talking about upfront post execution? And there are a lot of technologies out there that are utilizing AI for that purpose.”
- Karl Dorwart
Establishing processes for the use of these tools ensures they’re as useful as possible. And with CLM implementation failure rates so staggeringly high, it’s important to remember that it’s usually the processes or lack thereof (not the technology) that ultimately lead to failure.
For organizations with poor contract hygiene, it can be difficult to get internal buy-in on CLM tech or other potentially helpful tools. Remediation necessitated by regulatory changes like the GDPR and Schrems II can prove the perfect catalyst.
“If you're going to go into the contract, think big. Go into it once and look at those other data points and ensure that you're building a robust environment on the back end. But if you're opening the contracts, if you're pulling metadata fields, metadata clauses, it's both efficient and cost effective to do that while you're under this gun and getting access to budget to respond to a regulatory event that is mandatory.”
- Karl Dorwart
Given the urgency of GDPR/Schrems II remediation, organizations who have struggled to establish good contract hygiene thus far can use this as an opportunity. And taking a closer look at data can prove beneficial far beyond remediation.
“Data is something that every client that we have is looking at. How are they harnessing it? How are they tracking it? How are they maintaining it? Where is it located? But also, how can they drive insights out of it to fuel their own revenue growth, as well as internal things like maintaining employee satisfaction, and all the way to driving new IP based on existing data that resides right in front of them, but just hasn't been mined, collated, analyzed and regurgitated.”
- Karl Dorwart
Whether for corporate activities or as a future-proofing measure, the effort it takes to establish contract hygiene now will pay off.
“This is really an opportunity for organizations to bring in some consulting and arms and legs on the ground, just to help get organized, pull some of the threads together and start to really do this investigative process. It is an internal organizational investigation to find this type of information, to find it readily, to make sure that it's accurate, to validate it with business owners. That is a heavy lift. But it is the type of lift that typically pays dividends over time, because it will help set up that structured data, which organizations can then use moving forward.”
- Coque Dion
While data can empower organizations in a range of areas, specific types of data are likely to prove vital for complying with future regulatory change.
As with Schrems II and the GDPR, location is likely to remain a focal point for future regulatory change.
“It's critically important to understand the location of the data and have those data points: location, jurisdiction, identification of the parties (where are the parties organized? Where are they doing business?) all of those facts can result in triggering various jurisdictions’ data protection laws.”
- David Shaw
While gathering the data is important, maintaining it is equally vital.
“It's critically important to map [data points] out and maintain good records around it. Many, many privacy professionals will tell you that privacy is becoming very, very much technology driven because of just the sheer volume of data that has to be collected and maintained on an ongoing basis … you need to be forward thinking about the technology that you're acquiring in order to maintain data ... so that when it comes time to having to pull pretty sophisticated reporting, you have the ability to do so.”
- David Shaw
With a clearer understanding of what exactly contract hygiene means and which data points should remain at the forefront, it’s easier to feel prepared for regulatory changes already on the horizon.
While Schrems II and the GDPR are relevant to organizations doing business in Europe, parts of the US may soon implement changes at a state level.
“The states have basically had free rein in the absence of federal legislation. California has probably had on the books the longest a pretty robust privacy law that's becoming even more robust … In 2023 they’ll be enacting amendments to the existing California Privacy Act. Connecticut's another state that's moving in the same direction, as well as Colorado, Utah, and Virginia.”
- David Shaw
These states are some of the most likely to enact change soon, but upward of 15 to 20 states have some sort of legislation currently in process. In general, these data privacy laws are moving closer to something similar to the GDPR.
The fact that states are left to create their own privacy laws creates a layer of complexity.
“Not all the state laws are the same. So you have to look out for the differences, and you have to potentially amend your contracts in order to account for those differences. And then probably even more challenging for customers is to revise processes, systems (in terms of the type of data they collect), privacy notices, and then also be mindful of what potential liability lies ahead for them if they get it wrong.”
- David Shaw
Those liabilities may come at multiple levels. Several states are enacting laws that essentially give individuals private rights of action against companies. So, if organizations fail to comply, they might face an inquiry or an action by the state attorney general's office, but they may also face litigation in the form of an individual lawsuit or a class action lawsuit.
Establishing processes, using tech as an enabler and applying a forward-thinking approach to all remediation-related efforts can help organizations position themselves for future change. And as these regulations become more frequent, this sort of preparation isn’t just a good idea – it's a necessity.
“Keeping up with the pace of regulatory changes is incredibly burdensome. This can't be one of those situations where, every time you need to respond to a regulatory change, or a change in the business that requires you to open up your contracts and pull some data, you can't be starting from scratch.”
- Coque Dion