A Step into the Future of Law

June 30, 2000

Eduardo Ustaran is a solicitor specialising in data protection and e-commerce law in the Computer, Media & IP Group at Paisner & Co, London. He is responsible for complytoday, Paisner’s online data protection compliance package for e-businesses, and can be contacted at eustaran@paisner.co.uk.

The legal profession is going through a period of radical transformation. It is blatantly obvious that much of this change has to do with the emergence of new technologies. The widespread use of e-mail and the proliferation of legal Web sites, in particular, are playing a key role in this process.
However, this transformation is not just about using e-mail as a means of communication, doing research online or developing a Web site. The real change is about being able to take advantage of the new technologies to serve the clients’ expectations of the 21st-century law firm. Interactive and standardised services delivered over the Internet, such as complytoday – our recently launched data protection compliance package – are a small but important step into the future of the provision of legal advice.

The reasons behind complytoday
The so-called e-commerce revolution has brought with it a new type of client. Whether you call them e-businesses or Internet start-ups, this new breed of client is as attractive as it is intricate to deal with. These clients’ demands are strongly influenced by their own pace and business approach and, therefore, their expectations are not easily met from a traditional lawyer’s standpoint. For the e-business client, our ability to deliver professional and reliable legal advice is assumed. The client’s main interest is invariably three-fold:

• ability to respond in ‘Internet time’
• availability of flexible fee structures and
• awareness of the commercial impact of the advice given.

In the new e-commerce economy, missing a strategic deal today means failing to achieve global expansion tomorrow. Given that the speed of our response is such an essential feature, anticipating the way in which e-businesses need to comply with the law is the only way to offer effective solutions. This means that legal advice is not only provided in response to clients’ instructions, but suggested in anticipation of the challenges and concerns they face.
In a world where money has become so volatile, static fees are a thing of the past and flexible payment mechanisms become critical. What was a four-figure job a year ago is today almost given away with the brochure. Sensible pricing has become a moving target. Charging is no longer a process of ‘what you can get away with’, but a difficult task which involves dynamic thinking and a sound understanding of your client’s perspective.
Perhaps the most difficult task of all is to make sure that lawyers are perceived as business facilitators. Telling an e-commerce client what the regulator thinks or what the law prohibits will not clear the path. E-commerce clients think and act imaginatively – for our advice to be listened to, it must address the issues in the same imaginative ways. The onus is on us to present the law as an opportunity to give businesses an edge, and not as a necessary evil.
complytoday is aimed at addressing these three aspects. As the immediateness of the name suggests, our goal is to enable e-businesses to take instant steps to achieve data protection compliance. The cost of the service is meant to fit within the budget of any serious start-up. complytoday focuses on giving practical advice on how to comply with the key data protection obligations rather than on summarising the provisions of the Data Protection Act.

How does complytoday work?
complytoday is a modular advisory service which enables businesses operating on the Internet to comply with the new data protection laws in the UK. It uses the Web as a platform for receiving instructions and e-mail as a means of delivery of the service.
The service is organised in five modules (see box) that can be ordered independently at £100 apiece. Clients go to our site (www.complytoday.com) where they identify and select the modules they need. Payment is made by credit card. Once we receive the instructions, the relevant modules are sent to the client by e-mail. Two of the modules are more interactive and clients are provided with access to a password-protected questionnaire, which enables us to customise those modules on the basis of the answers.

What does this mean for us?
We are managing to convey the message that we at Paisner know our stuff when it comes to giving e-commerce related advice. It’s early days to know what the real impact of package-shaped, Web-based services like complytoday will be. However, in a job like ours – allegedly lacking in creativity – it is not only interesting to experiment, but it may be the only way to survive. If future advisory services are to be provided in a seamless and cost-effective way, the use of new technologies should be a response, not to a growing trend within the legal profession, but to a call for an imaginative way to deal with business needs.

Module 1 – Quick reference information pack

Module 1 is a detailed information pack delivered by e-mail, which provides practical guidance on how to comply with the new UK data protection regime. Module 1 includes:

• Background information on the thinking behind data protection law

• The scope of application of the law

• How to benefit from the transitional provisions

• How to comply with key obligations

• Useful sources of reference.

Module 2 – Dealing with new notification regime to cover online processing

Anyone that processes personal data in the UK must provide an accurate picture of the uses of the data and other relevant details (such as the subjects of the data, the type of data and any persons to whom the data is to be disclosed) to the Data Protection Commissioner. This new notification regime replaces the old registration obligation. Module 2 allows e-businesses to deal with their notification to reflect the use of the Internet to collect, process and disseminate personal data. Module 2 consists of the following process:

Step 1: Following submission of a Request Form, the e-business is provided with access to an ‘M2’ questionnaire, which is in a password-protected section of our Web site

Step 2: Once the ‘M2’ questionnaire is submitted, Paisner prepares and sends by e-mail a draft application form for approval by the e-business (including guidance on how to complete the notification process)

Step 3: E-business finalises the notification process.

Module 3 – Customised Privacy Policy

Users of personal data must make available to the individuals to whom the data relates details regarding the purposes for which the data is intended to be processed and any other relevant information. The most practical and user-friendly way to do this online is by displaying a Privacy Policy on the Web site explaining the data processing practices of the business. Module 3 consists of the following process:

Step 1: Following submission of a Request Form, the e-business is provided with access to an ‘M3’ questionnaire, which is in a password-protected section of our Web site

Step 2: Once the ‘M3’ questionnaire is submitted, Paisner prepares and sends by e-mail a draft Privacy Policy for approval by the e-business (including guidance on how to display a Privacy Policy)

Step 3: E-business places finalised Privacy Policy on its Web site.

Module 4 – Comprehensive checklist to deal with access requests

Users of personal data are obliged by law to allow individuals to have access to all data held about them. However, such access must only be allowed if certain conditions are met. Module 4 provides e-businesses with a comprehensive step-by-step checklist (delivered by email) to follow each time that individuals request to be provided with information held about them.

Module 5 – Standard clauses for international data-transfer contracts

UK data protection law prohibits the transfer of personal data to countries or territories outside the European Economic Area which do not ensure an adequate level of privacy protection. To overcome this prohibition, the Data Protection Commissioner has recommended that businesses proposing to carry out international data transfers adopt the so-called "Good Practice Approach". This includes the use of specific contractual provisions in agreements with data processors and other recipients of personal data to ensure an adequate level of protection for individuals. Module 5 provides e-businesses with detailed standard clauses for use in contracts with third parties based outside the EEA, which provide processing services on behalf of the e-business.