The introduction of huge fines for allowing cyber hacks; a beefed-up rule book for European markets; and the spectre of a bad Brexit: European companies faced a host of threats last year.
While uncomfortable for businesses at the receiving end, those challenges have spelt new opportunities for law firms that are helping their clients navigate them.
“The world in Europe changed last year and it was all to do with GDPR,” says Patrick Van Eecke, partner and global co-chair of data protection, privacy and security at law firm DLA Piper.
To some, the letters GDPR (General Data Protection Regulation) might conjure up needy emails from retailers and news websites beseeching customers “not to leave”. But for companies operating across the EU, the new data protection rules, designed to prevent the abuse of personal data, have resulted in big new obligations and potentially devastating fines for breaches.
“Before that, companies could shuffle breaches into the background and hope no one would find out about them,” says Mr Van Eecke.
Today companies have just 72 hours to notify their relevant data regulator — in the UK, the Information Commissioner — and risk punitive fines of up to 4 per cent of their annual revenues or €20m, whichever is the higher, for infringing certain rules. In the UK, for example, the previous maximum fine was £500,000, as levied on Facebook in 2018 for failing to protect users’ personal information in the Cambridge Analytica data scandal.
Yet, despite the possibility of fines, there are no clear guidelines on how to define the severity of a breach, and it is not straightforward to work out whether customers should be informed. “Companies are struggling with the definitions of ‘high impact’ and ‘high risk’ in the context of a data breach because it has not been defined by legislation,” says Mr Van Eecke.
Some law firms have devised systems to help companies understand their responsibilities. After work by DLA Piper lawyers across Europe, the firm launched its Notify software, which uses an algorithm based on the requirements, definitions and exemptions surrounding data breaches and the necessary response. It replaces a process of human interpretation with a streamlined questionnaire that spits out a reporting template too.
Last year British Airways was the first company to be fined under GDPR by the UK regulator, after cyber hackers stole personal data of half a million of the airline’s customers, resulting in a £183m fine.
Lawyers have legal privilege, giving them an advantage over the Big Four accountancy and consultancy firms, which have been encroaching on law firms’ turf, particularly in areas of employment law and intellectual property.
“Law is the only profession to offer privilege on all information shared in a cyber incident,” says Mr Van Eecke. “When the situation can change on an hour-by-hour basis you don’t want to have any documents created by consultants which do not fall under privilege, as the company could be in extreme danger,” he argues.
Another seismic regulatory shift has hit companies in Europe over the past year. In January 2018, European market rules were overhauled in ambitious reforms known as Mifid II. The aim was to afford greater protection to investors and improve transparency of trading and investing across asset classes, from derivatives to bonds and fixed income.
But the legislation — seven years in the making and running to some 1.5m paragraphs of text — had a big impact on companies operating in financial markets, which sought stringent advice from lawyers and consultancies.
One change affected financial companies relying on trading venues, which have mushroomed across Europe. After Mifid II came in, the venues amended their rules.
“The rule books can range from 50 pages to over 200,” says April Brousseau, head of innovation and new business at law firm Simmons & Simmons. The firm has devised Trading Venue Reviewer, a tool that allows clients to compare and contrast the rules on each venue on a single platform.
Regulatory changes such as Mifid II, GDPR and uncertainty thrown up by Brexit have led to new mandates for the Big Four accounting and consultancy firms. The Big Four, it was predicted in 2017, could earn as much as $30bn a year from legal services, according to ALM Intelligence, a consulting and legal analyst.
In July, one of the Big Four, Deloitte, hired Andrew Lilley, former managing partner at law firm Travers Smith, to lead its employment practice, having secured an alternative business licence in June 2018. The move intensified an increasingly fierce turf war.
Magic circle law firm Allen & Overy has set up its own consulting business, A & O Consulting, and says it is filling a gap highlighted by clients, including big banks. “Law firms have tended to give structural advice and consultancy firms have come in to do the implementation. But as a bank you have to deal with two different parties and there’s a risk of a lack of co-ordination or the ball getting dropped between the two,” says Tom Lodder, managing director of A & O Consulting. “The incumbents probably aren’t happy with the increased competition. We have interaction with the Big Four and we are learning from them and, in some cases, stealing talent too.”
The tables below rank law firms for the FT Innovative Lawyers Europe awards.