The method that is generally used by GDPR lawyers to bring a structure into GDPR compliance is called the Lexing method.
Today, a GDPR lawyer is considered a traditional compliance player. That said, the compliance method wasn't born with the General Data Protection Regulation. It dates back to the Data Protection Act of 1978. This was the first law to provide a framework and set rules for what can be done with personal data.
Personal data refers to any information that directly or indirectly identifies a natural person (surname, first name, e-mail address, payment card, telephone number, ID number, social security number, IP address, photo of a face, video showing a person, etc.).
The General Data Protection Regulation was definitively adopted by the European Parliament on April 27, 2016. It came into force in all EU member states on May 25, 2018.
In application of the GDPR, structures whose main activities include the regular and systematic control of sensitive or personal data, as well as those in the public sector, must therefore appoint a data protection officer (DPO).
The DPO will be responsible for processing personal data. His or her role is to guarantee the structure's compliance. For example, in the event of personal data breaches, he or she must set out the procedures to be followed and the rules to be complied with. See Dipeeo's offer: outsourced DPO.
In general, a GDPR lawyer is specialised in intellectual property law, data protection law and new technologies.
- Intellectual property: the purpose of industrial property is to protect and promote inventions, innovations and creations.
- Data protection law: training in personal data regulations and individual rights.
- New technologies: knowledge of new technologies. This is a key point for a GDPR lawyer to understand his clients' issues.
The studies last an average of 7 years and offer good knowledge for achieving GDPR compliance and dealing with personal data issues on a daily basis.
GDPR lawyers are the traditional players in compliance. The training of a GDPR lawyer is reputable and of a high standard. They carry out a method based on an initial audit. However, fees are high.
The method generally used to bring a structure into compliance is known as the Lexing method, or the Bensoussan method. It was developed by Alain Bensoussan, lawyer, pioneer in advanced technology law, IT law and recognized expert in personal data protection law.
This method consists of 4 steps:
- Establish a regulatory map in 4 phases: scoping meeting, data processing inventory and legal map, compliance analysis, plan for communicating results to the business.
- Establish a roadmap, including action plan, provisional timetable and tools.
- Carry out compliance actions: RACI method (Realization - Accountable - Consultation - Information).
- Implement actions and ensure follow-up (implementation plan, document location, control audit grid, etc.).
The objectives of this method are as follows:
Here are the advantages and disadvantages of hiring a specialised lawyer:
- High level of competence and quality
- Full legal compliance (e.g. privacy policy, cookie policy, registry, etc.)
- Control of technical service providers not always included
- Client confidence
- High cost (especially for startups and low-income structures)
- Successive quotations as needs change
- Time-consuming compliance, given the manual audit method and the need to draw up all the documents.
- Not very innovative or adapted to today's market
The General Data Protection Regulation has opened up the compliance market to competition. Previously, this was a market reserved for lawyers. The same applies to many legal issues.
This has had a major impact, with new players entering the market. This has created opportunities for innovation, as well as new, more accessible offerings. New risks have arisen, in particular a drop in quality, as compliance work can be carried out by people less well trained than lawyers.
There are also articles, videos, and guides that help bring a website into GDPR compliance. They enable you to draw up a privacy policy, a cookies policy, carry out an impact analysis or even a processing register.
Faced with cybercrime, data breaches and the importance of protecting personal data, several legaltechs have developed and specialized in personal data management solutions to ensure corporate compliance.
The legaltech field has increased its potential. We can see this in the 4.2 million euros raised by Leeway in 2021 (contract management for legal departments), Data Legal Drive (2 million euros for its compliance software) and Adequacy (1.2 million euros).
In this section, we will compare the advantages and disadvantages of law firms' competitors:
Consulting firms provide compliance and outsourced data protection officer services. They have mainly emerged with the General Data Protection Regulation since 2018.
They use the traditional lawyer method.
- Full legal compliance
- Quite cheap
- Very long compliance
- Not very innovative, as documents are not updated automatically, for example.
- Average skill level
These consulting firms are flourishing and competing head-on with law firms in the VSE/SME sector.
We include DPO (Data Protection Officer) freelancers in this category.
IT security and digital transformation firms have decided to offer their clients a complementary service and, if necessary, a data protection officer, as part of a website creation or security project.
- Security and compliance of visible aspects of the website
- Compliance included in the initial service
- Partial compliance (privacy policy only, for example)
- Not very innovative, as there are no tools to help the client achieve compliance.
- Very low skill level
- Very high risk for the client in the event of an inspection
These firms focus primarily on small and medium-sized businesses. They are ideally positioned to work with clients upstream of the website creation process.
A significant number of legaltechs have sprung up since the implementation of the General Data Protection Regulation in 2018. Some position themselves as a "compliance assistance tool". These are SaaS software programs that help to pilot or organize one's compliance. What's more, some tools enable you to carry out an impact analysis or a "digital" processing register.
However, these tools are designed for specialist data protection officers to help them in their activities. Legal skills are still required for the drafting of legal documents (which represents a significant part of compliance).
- Useful in the context of accountability [1].
- No compliance: the tools do not allow you to draft / write the GDPR documents required to be compliant
- Innovative
- High cost (e.g. around €200 excl. tax/month for a very small business, to which must be added the personnel costs for the internal or external DPO)
- For DPOs only
[1] Accountability means being able to demonstrate compliance in the event of an audit. Legaltech GDPR tools are useful in this respect, as they enable all GDPR documents to be filed and centralized in the software. However, these tools do not produce the documents for the user.
Dipeeo brings together both software and certified DPOs in the same company. The software automates the low value-added parts of the compliance process, making it easy to achieve compliance and to be supported on a day-to-day basis by a certified Data Protection Officer (DPO), who becomes the data controller for the structure being supported.
The data protection officers are trained and rely on a proven method and software, so the quality delivered is very high. The automation function saves clients a great deal of time, notably by drastically reducing auditing time. And thanks to partial automation, prices are very affordable. The overall compliance experience is transformed.
Dipeeo will also appoint itself as Data Protection Officer (DPO) for the CNIL (National Commission for Information Technology and Civil Liberties). The assisted structure will be able to display a compliance label on its website.
- Compliance carried out on behalf of the client, and appointment as DPO with the CNIL (National Commission for Information Technology and Civil Liberties) on behalf of the client.
- The client has access to the full range of GDPR support in a single package.
- Support and assistance, via our lawyers / DPO, for clients in the event of difficulties (e.g. client complaints, HR, CNIL (National Commission for Information Technology and Civil Liberties) inspections, etc.).
A law firm has significant structural costs, which are linked to its status as a law firm and to the high salaries of lawyers, given their education and level of expertise.
Rates vary from one firm to another, and depend above all on the activity of the company requiring compliance. There are also considerable variations depending on the scope of intervention. A firm's involvement can be limited to a few documents, or it can cover the entire DPO role, with nomination to the CNIL (National Commission for Information Technology and Civil Liberties).
It is estimated that, on average, for a 30-person digital startup in a field that does not deal with sensitive data (religion, health data...), it will cost 10,000 Euros per year to handle its compliance with a lawyer.
To find a GDPR lawyer, there are firms specializing in GDPR, IP and new technologies or generalist firms in which there are competent lawyers.
The search for a lawyer is often done via one's own network, one's incubator for a startup, or one's network of clients and partners. In this way, you can gather opinions on the lawyer's services even before consulting him or her.
Law firm directories are a great way to find what you're looking for, thanks in particular to the "Ordre des avocats". Here are a few examples of law firm directories: