By Jo Anne Schwendinger, Regional General Counsel Asia-Pacific and Sub-Saharan Africa, John Deere In collaboration with Lynn Arthur, Compliance Division Manager, John Deere
Laws and regulations change. In-house counsel must understand these changes promptly, and advise clients on the business practices to be adopted or changed in order to comply with the new legal requirement. This TopTen suggests a ten-step process for in-house lawyers to follow in making the transition from awareness that a new law has been adopted or an existing one changed, to adopting sustainably compliant business practices.
1. Read and Understand the Law.
Once you, as the in-house lawyer, become aware of a new legal requirement, the initial steps are obvious, but bear mentioning. First, you must read and understand the law. Perusing articles and attending seminars help. It is also useful to outline the law, breaking it into small components, to allow focus on nuances and details. The outlines that you prepare now, to assist in understanding the law, will be valuable again when you start to develop training modules and draft client communications.
2. Develop Checklists.
It is worthwhile to start building checklists at this point. You and your client will use these later, to determine whether your proposed new business practices are compliant.
3. Draft Model Contract Provisions.
Model contract provisions can be stared early on as well, for use at a later stage in the process.
4. Review Existing Policies.
Given the close association between law and compliance departments, the next step most in-house counsel will consider is whether there is an existing compliance policy that needs to be reviewed and amended to take into account changes in the law. If the law is wholly new, a compliance policy will need to be drafted. Drafting or revising a compliance policy to conform to a change in law is an activity that in-house lawyers are likely to feel comfortable performing. In its most basic form, a policy is a statement that it is the client's intent that the law be followed. Typically, more color and content will be included, with legal requirements restated as rules of behavior, perhaps with illustrative examples to guide that behavior. Policies are a necessary part of a company's legal compliance efforts, but policies alone do not ensure compliant practices. For that, it is necessary to dig deeper and understand how the client does business.
5. Conduct Surveys.
To gain an understanding of relevant business practices, in-house lawyers can ask their clients to complete a survey to elicit information about the people, processes and tools that the lawyer believes will be affected by the new law. The survey can be done in two phases, with the first one directed at management. Management will provide information on which individuals in their organization have a direct role to play in ensuring compliance with the law. The second survey will ask more detailed questions of those individuals.
Each survey should begin with a high level statement of why the client is being asked to complete it. It should not have as its aim to teach the client about the law, but should include enough information about the new legal requirement, including definitions of key terms, that the survey recipient understands the survey, and the reason for it.
To take a hypothetical example, if there is a change in the law that governs the protection of personal data, the surveys could be configured as follows:
Introduction
A new law protecting the personal data of individuals has passed and will become effective [date]. The law and compliance department needs your help in assessing the steps we need to take for our business practices to comply with the new law. This survey is one of those steps. Thank you in advance for responding to it.
I. Questions for Management
"Personal data" means [include applicable definition].
- What are the major areas in your business or functional unit where personal data is collected and used? Who in your organization collects, uses, stores or distributes personal data?
II. Questions for Individuals
Your name was provided by your management team as someone who is responsible for a business or functional area, and who is familiar with a process or procedure where personal data is collected, used, stored or distributed. In that context, please answer the following questions:
- How and when do you collect, use and store personal data? When and how do you dispose of personal data? What processes do you use where personal data is collected, used, stored or transmitted? What tools do you use to collect, use and store personal data? Where are those tools hosted, and who has access to the data? Does a third party collect personal data and transmit it to us? When you collect personal data, do you inform the person? Do you get and record consent? Has your area entered into a contract for collecting, processing or distributing personal data? If so, please provide a copy, or a link to the contract.
The above questions are illustrative only; actual survey questions must track legislative terminology, and be targeted to elicit actionable data from the respondents.
6. Use Survey Responses to Refine Data Gathering and Identify Process Gaps.
Answers to initial surveys will likely lead to further questions, and the need to conduct one-on-one meetings or follow-up surveys. Quickly, enough data should emerge so that the law department understands existing business processes, and can identify gaps in them.
7. Work With Process Owners to Close Gaps.
At this point, the law department's role is to advise process owners that a gap has been identified, and then work with them to devise changes to the processes that will allow the business to operate in compliance with the law. As new processes are being configured, the checklists drafted earlier can be used to ensure that all points of the new law are considered.
8. Determine Which Contracts Must be Amended.
Another output from the survey will be information on existing contracts that will have to be reviewed to determine whether the model contract provisions, which were drafted at the beginning of the process, need to be incorporated. That information will be fed into a schedule of contracts to be amended, that includes information such as who, how and by when the amendments must be signed. New or revised contract templates that incorporate the model provisions should also be adopted at this point.
9. Train Employees; Communicate with Internal Audit.
For business process changes to work, employees must know what is expected of them. Training should explain the new legal and compliance landscape, while focusing on changes in the employee's role. Once processes are updated, and employees know what they must do, it is time to communicate with the internal audit staff so that they can incorporate policy changes into an audit schedule. Ideally, any failures to comply that are detected by the internal audit staff will be communicated to the law and compliance team, so additional training, or changes in processes, can be considered.
10. Continuously Improve the Process.
While every change in law is different, the process for adapting to the change can be made repeatable. As with all processes, this one should be reviewed and improved continuously by in-house counsel, in the context of their organization's needs, and in light of what they learn as they use it.
In-house counsel must know and understand the laws that apply to their clients' business. Developing a thorough understanding of applicable laws and how the business operates within the legal framework can, by itself, be challenging, particularly for highly regulated companies operating in multiple jurisdictions. Increasing the challenge is the fact that neither laws nor business practices are static. Developing a process for in-house counsel to follow that allows them to guide their clients from awareness that a law has changed, to how the business must respond in order to comply with the new legal requirements, is one of the many ways in-house lawyers create value for their clients.