The GC’s Guide to GDPR

Foreword

The way global companies handle data is set to change dramatically on 25 May 2018, when the European Union’s (EU) General Data Protection Regulation (GDPR) comes into force. Designed to address concerns over the security and use of personal data, GDPR will apply to data processing activities regarding personal data within Europe as well as data transfers within the EU and between the EU and non-EU countries, and it looks likely to become the global benchmark for protecting personal data.

Legal teams are front and center as companies get ready to comply with GDPR, and the stakes are high. Companies that do not get compliance right risk fines of 4% of global turnover or €20m, whichever is greater. Regulators have made it clear that they intend to fully flex their powers to enforce the regulation.

Juerg Birri, Global Head of Legal Services
KPMG International

Compliance with GDPR aside, no business wants to face the reputational fall-out of failing to protect their customers’ personal information – as the WannaCry, Cambridge Analytica and far too many other breaches show.

How are legal teams working with businesses to prepare for the new regime, and are they confident they will be ready? KPMG International sponsored The Legal 500 to find out.

The results of a survey of 448 legal counsel and in-depth interviews with over 30 senior general counsels, set out in this report, combine to offer a view of the state of GDPR implementation worldwide. The countries, regions and jurisdictions covered in this survey – Australia, Brazil, Germany, Ireland, Italy, Russia, Spain, Taiwan, United Kingdom and United States – cover a range of key markets, both within and outside the EU.

The results of this survey reveal that legal teams face significant hurdles as they seek to implement a data protection management system that allows them to continue operations and capitalise on the valuable data they hold. Among the biggest challenges respondents faced:

    • GDPR affects all parts of the organisation, which can frustrate efforts to determine responsibility and accountability. Implementing policies across the organisation was named as the top challenge by about one in five respondents.
    • While the legal team is central to preparation efforts, success depends on its ability to work with other departments to map issues and develop solutions.
    • The GDPR regime is based on principles rather than prescriptive rules, and interpretation of legal requirements and obligations can be difficult in the absence of precedents or additional guidance.
    • GDPR compliance requires understanding and control over all of the IT systems and processes for handling personal data collection – including data that may be hidden in legacy architecture and systems.
    • Few organisations have sought to understand the risks arising from the actions of third-party suppliers and other commercial partners; only 10% have made contact to check third-party compliance with GDPR.
    • Finally, most organisations have struggled to identify all data processing activities or gain a broad internal overview of their processes. For GCs, this has made compliance a continually moving target.

Faced with challenges like these, only a minority of the legal counsel surveyed feel confident that their organisations have done enough to comply. Fewer than half (46%) of respondents believe their organisations are prepared for GDPR, while under 10% of respondents believe that employees at their organisation are fully aware of their data protection obligations under GDPR and national laws.

This report offers a view of how legal teams are addressing the challenges of GDPR and identifies a number of leading practices for getting organisations’ systems and processes onside. As legal counsel reported in interviews, the best solution to these challenges may be to focus on the opportunities. For example:

    • Demonstrating GDPR compliance can be a good opportunity to differentiate your business by winning more consumer trust and thus competitive advantage.
    • GDPR compliance can benefit the organisation’s culture, as stronger governance structures for handling data help mitigate other risks (e.g. security, bribery, corruption).
    • More disciplined management of customer data can produce opportunities to build connections with customers and produce better products.

By approaching GDPR as a chance to invest in a leading-edge global data protection management system, KPMG member firm legal teams can help their clients get more control over data and leverage that data to gain more strategic value.

 

KPMG’s Global Legal Services practice is proud to support The Legal 500’s survey to better understand how organisations inside and outside the EU are preparing for GDPR as well as identify challenges they are facing along the way. The KPMG network of Legal Services firms is uniquely positioned to offer advice in this area due to our multi-disciplinary service approach, deep industry knowledge, and global reach. Our legal practices operate in 75 countries with over 1,650 legal professionals.

KPMG member firms may render legal services where authorized by law, with full observance of relevant local regulations. Legal services may not be offered to SEC registrant audit clients and/or affiliates or where otherwise prohibited by law.

The challenges of GDPR

Our detailed survey took the views of legal counsel at 448 institutions globally, more than half (63%) of which had already appointed a dedicated data protection officer (DPO) or local representative in the EU. The median annual turnover of the organisations surveyed was $4.3bn.

The results of this survey, combined with in-depth, structured interviews with over 30 senior GCs globally, show the following issues are challenging legal teams when it comes to implementing GDPR.

 

Establishing who owns what

‘There are too many interested parties within the corporate ecosystem. This can lead to decision by committee. GDPR cuts across so many boundaries that it is difficult to know who is responsible. It’s all too easy to say “I’ve done my bit, it’s no longer my problem”, even though we know that is not the optimal solution from the organisation’s perspective’ (General counsel, TMT company).

Dealing with time and resource constraints

‘While the legal team is a key part of any GDPR strategy, ideally an organisation needs to appoint a ring-fenced team that is dedicated to compliance. This team should work with other departments to establish key areas of concern. Leaving it all to legal teams makes no sense in a business environment where the legal team already has a thousand other compliance challenges to meet’ (General counsel, TMT company).

Lack of support from the wider business

‘A lot of GCs are almost victimised by their organisations over this. If your IT teams won’t talk to you and show you the systems – either because they don’t see it as their job or they are not properly incentivised – then you can’t really do much’ (General counsel, consumer goods company).

Understanding GDPR itself

‘GDPR is not overly prescriptive about how to achieve compliance. It seems to allow for a degree of interpretation. While this is a positive, it does mean that organisations need to prioritise and decide on their policies. This feels like uncharted waters for me as GC. I am advising on something that I cannot control in reference to the law itself’ (General counsel, TMT company).

Maintaining a consistent approach globally

‘Ideally, a common language should be adopted and used to discuss compliance in all jurisdictions. That sounds very good in principle, but when you try to implement it in practice you realise it is all but impossible. We have too many staff to standardise our approach to compliance’ (General counsel, financial services company).

Understanding IT systems and processes underpinning data collection

‘We have spent a long time looking at data security and our handling of customer data and I have spent a long time on this personally. Like every GC, I have realised that the closer you look at it the more problems come out of the woodwork. Particularly when you dig into IT architecture and legacy IT systems. We are constantly finding stacks of data we’d forgotten about. We then need to address where it has come from and how it is being used’ (General counsel, consumer goods company).

Coping with ambiguity

‘GDPR has hit the IT community particularly hard and they have a very specific way of working that engenders itself to finding a right answer. As a compliance practitioner, I need to tell them it’s not always straightforward – there’s not always a right answer’ (Head of compliance, consumer goods company).

Assessing risks in the supply chain

‘The real difficulty with GDPR is working out which third-party relationships might get us into difficulty. Knowing how our commercial partners use data is a critical part of our compliance strategy but it is very difficult to monitor effectively. Even though we are not looking to monetise customer data it is absolutely crucial to be 100% on top of things’ (General counsel, TMT company).

 

Preparing for GDPR

With just over a month to go before GDPR comes into force, fewer than half (46%) of respondents feel their organisations are sufficiently prepared.

Put another way, our survey shows that more than half of global businesses have failed to prepare for GDPR. Given the penalties organisations may face if they fail to comply by 25 May, this represents a significant source of regulatory risk in the market.

The good news is, it is not yet time to panic. GDPR compliance is a challenge for all organisations, but big steps toward meeting the regulation’s requirements can be made in a short space of time. In the following report, we hope to give a sense of how GCs are finding solutions to the problems of GDPR and how, by following their best-practice approach, others can address the challenges of GDPR compliance within their organisations.

Of all the challenges facing legal teams, establishing or adapting processes to ensure compliance is the most pressing.

 

To what extent are employees at your organisation aware of their obligations under GDPR and applicable national laws?


Over a fifth (21%) of respondents said implementing policies across all divisions of their organisation or group was the biggest challenge they faced. However, the perceived challenges varied greatly by country. Updating systems and changing the way in which the organisation stores data so that new rights such as the right to be forgotten can be implemented effectively was seen as the biggest challenge in the UK and Ireland, while ensuring ongoing compliance with GDPR was the top priority for businesses in Germany.

Transferring data to third parties, including those outside the EU, is also presenting a challenge. Just over half (51%) of organisations globally use EU standard clauses when transferring personal data to third parties, while less than a fifth (18%) are relying on adequacy decisions of the EU Commission.

Ensuring employees throughout an organisation are aware of how the new obligations apply to them is likely to cause problems long after 25 May.

While four fifths (80%) of respondents felt that employees were either somewhat aware or mostly aware of their responsibilities, it was notable that confidence fell off markedly at organisations with a group global annual turnover exceeding $1bn.

It was also clear that a significant number of organisations are likely to encounter serious problems related to employee awareness.

Fewer than 10% of respondents believe that employees at their organisation are fully aware of their obligations under GDPR and applicable national laws, while more GCs think the employees across their organisations are completely unaware of GDPR than think they are fully aware.

 

Do you think that your organisation is sufficiently prepared for GDPR?

Employees specifically responsible for processing personal data will be particularly important to an organisation’s compliance strategy. While more than half (55%) of respondents believed those handling and processing personal data understood the implications of GDPR, it was striking that nearly a quarter (24%) felt even these key employees were not aware of their responsibilities. Running due diligence on these employee groups is essential before 25 May.

Surprisingly, organisations based outside the EU reported low levels of preparation anxiety.

Respondents in Brazil expressed the most confidence (52%) that they would be fully prepared for GDPR, with similarly high confidence levels reported in Russia (44%), Australia (51%) and the US (51%).

It seems likely that these organisations may not be fully aware of what GDPR compliance entails.

Many respondents showed either a lack of familiarity with the regulation or a lack of concern over its extra-territorial scope. One Russia-based GC, representing a multinational organisation handling the data of EU citizens, stated: ‘We fall outside the scope of GDPR. Russia has its own data protection regime and is not in the EU, [as a result, GDPR] will not affect us.’

Such misplaced confidence may come at a high cost. A high proportion (72%) of these respondents represented organisations with subsidiaries or branches in the EU. Their organisations will certainly need to establish how personal data will be compliantly transferred between jurisdictions. Moreover, organisations not located within the EU but processing personal data of EU citizens must comply with GDPR, even if they only plan to use this data for the purposes of monitoring customer behaviour rather than direct marketing.

Within the EU, respondents in Italy were the most confident of all, with two thirds (64%) feeling their organisations are ready for GDPR – the highest of all countries surveyed globally.

However, fewer than half (49%) of Italian respondents had an overview of all data protection measures within their organisation, while just 38% said their organisations documented all data processing activities, the lowest rate among those surveyed. Complying with GDPR without such a record of activities will be difficult.

Our survey shows that, even for those organisations located within the EU, there is a high degree of misplaced confidence when it comes to assessing preparations for GDPR.

The politics of data

Following the UK’s withdrawal from the EU, data transfer is likely to become a key issue for GCs across a range of sectors. Ensuring that data continues to flow smoothly post-Brexit is a particular concern for financial services businesses. The UK government and the Information Commissioner’s Office (ICO) have offered encouragement that data adequacy decisions will suffice, but GCs are concerned that data flows may be disrupted in the months following Brexit. As one noted, ‘many of our EU-based counterparties have stated that adequacy decisions or other mechanisms for third-country transfers, such as model clauses, will not convince them to store data outside the EU.’ In short, whatever legal mechanisms are put in place by the UK, some counterparties will refuse to store data outside the EU. Further, there are questions over how the EU will treat the UK’s arrangements concerning data transfer to third countries such as the US.

The views in brief

Kate Marshall, Partner, KPMG Law, Australia

‘KPMG professionals are still coming across organisations that have not understood which aspects of their business are subject to GDPR, and a large number of businesses that are required to comply haven’t realised it. All organisations should be aware that GDPR is likely to become the global benchmark for data privacy. Any organisation looking to expand its global reach or to build trust with customers should see steps toward GDPR compliance as a good thing.’

Andrew Yorston, Head of risk and compliance, Vodafone UK

‘We have taken a view that although GDPR doesn’t technically apply in some countries, we should have the same standards globally. A data breach problem in Egypt, for example, could cause just as many reputational headlines across the world as one in the UK or Spain. As an international company, we’re approaching this as an opportunity to raise standards across the board’.

Is data security and cyber risk considered a board-level issue in your organisation?

Who is responsible for GDPR?

GCs are taking ownership of GDPR. Across the organisations surveyed, GCs were responsible for setting data protection compliance policies in over a third (34%) of cases. Chief compliance officers took on the data protection burden in just a quarter (25%) of cases.

Whether or not an organisation’s GC is expected to manage GDPR compliance, legal teams will play a critical role in the process. Finding ways to work with different business functions, and to win organisational support for the project, will be essential to success.

Our survey shows that organisations where data security and cyber risk are deemed a priority for the board tend to be further along their GDPR journey than those where they are not.

‘Many of the tasks GCs will be expected to fulfil as data protection officers will be unfamiliar to them. Organisations need to help them understand their duties’
– Carolyn Jameson, General counsel, Skyscanner.

‘I spend quite a bit of my time as GC dealing with non-legal, organisational problems. These are mostly around communication failure, project management, change management and capturing knowledge. The real complexity hidden behind GDPR is not the law, it is the fact that so many different departments have to work together. As GC you need to connect all those people and capture the various different insights they have into the risks held by the business’
– Rachel Jacobs, General counsel, Springer Nature.

‘I sympathise with GCs who are finding it tough to get IT and other functions onside, but they need to make more of an issue of this at board level. As GC, you need to take control and push this at a senior level, even if you are not the named data protection officer’ – Alessandro Galtieri, legal director, corporate law and data protection, Colt Technology Services.

‘Being GC and also being responsible for data protection can create internal conflicts. It costs money, it makes things unsexy and complicated and if you comply with data protection law then your product becomes less attractive’
– Christian Unsinn, General counsel, Lemon Group Services.

Fully half (50%) of respondents who reported that their organisation saw these topics as a board-level issue also reported that they felt their business was sufficiently prepared for GDPR, compared to just 13% of those for whom data security and cyber risk were not board-level issues.

Making sure data security reaches the attention of senior management is the single most important thing GCs can do to prepare their organisations for GDPR. Our survey shows that an engaged board helps at every stage of the journey toward compliance.

 

The power of influence: How an engaged board can help drive GDPR compliance

Systems and processes

For GCs appointed to the role of data protection officer (DPO), getting an overview of the various data collection and processing systems across their organisation will be a challenge. This challenge is particularly pronounced at multinationals where staff operate in many different jurisdictions, each with its own data protection regulations.

‘Many of the elements of GDPR were already required in certain countries,’ says Jan Bredehoeft, head of legal for Germany at Huawei. ‘However, ensuring these elements are understood and complied with globally is a big challenge for a diverse, multicultural and data-heavy organisation. Data security and compliance processes are in place across various parts of the organisation, but putting them together to make sure there is a comprehensive control and follow-up strategy is a major piece of work.’

Establishing global data protection standards has, however, proved difficult for many. Just under half (47%) of organisations said data privacy was managed by a single, centralised function, while over half (55%) said they had put in place a single, global data protection standard.

 

Has your organisation adopted a data security compliance management system?

Further, as interviewees reported, ensuring on-the-ground compliance with these standards is a big challenge. Even those based in countries with comparatively well-established data protection standards can struggle. ‘The main challenge is to implement structures across the whole group, including in markets where data protection law is not really common’, says Alexandra Albrecht-Baba, head of corporate compliance at Hochtief.

While software is being sold as a panacea for GDPR compliance, only 35% of businesses globally have implemented a software or IT-based GDPR compliance system.

Ireland-based organisations were the lowest adopters, with only 21% having introduced a software-based platform.

When it comes to monitoring compliance, most organisations are focusing on training staff in their use of email and IT systems. Just over half (51%) said they had developed internal policies for this purpose. However, as one GC pointed out, this is not exactly a surefire way to ensure compliance: ‘Knowing whether staff understand the risks surrounding use of data is the biggest challenge we face. You can send a circular message out about GDPR but you cannot police whether it will be read or followed.’


The risks

SUPPLY-CHAIN RISKS

Significant GDPR compliance risks can lie outside an organisation’s own staff or systems and processes. Any third parties to which an organisation transmits personal data must also be evaluated as part of its compliance strategy. While larger organisations will be able to access sophisticated compliance teams to help them implement GDPR, they will also face greater difficulties in addressing GDPR risk across their supply chains.

Just 10% of the 448 senior counsel polled for this report said that their organisation had contacted commercial suppliers and partners to check their compliance with GDPR.

Given the difficulties organisations will face in scrutinising global supply chains, many are looking to reduce the number of suppliers they work with. For example, one GC reported his team had helped shed over 50,000 suppliers in the past seven years. As an increasing number of companies begin to examine the compliance standards of their suppliers and review third-party contracts, it is likely that GDPR will cause a ripple effect that touches a far greater number of businesses.

Lawrence Ong, Partner,
KPMG Law Firm, Taiwan

For organisations based outside the EU, a mixture of political will and financial risk is likely to drive awareness. ‘Taiwan’s laws have historically been very close to the EU when it comes to data protection’, comments Lawrence Ong, a partner at KPMG Law Firm in Taiwan. ‘But while Taiwan had similar laws to the EU, it was never so serious when it came to fines. GDPR will change that and is helping to focus people’s minds.’

‘Taiwan is a very export-oriented economy and will do a lot to ensure its businesses are not at a competitive disadvantage’, Ong continues, ‘as such, there will be strong political support for GDPR compliance. However, for organisations themselves, the prospect of significant fines is much more likely to spur compliance.’

Adapting to the new laws will not be easy. ‘Data protection teams at Taiwanese organisations tend to be led by computer engineers rather than lawyers, but GDPR compliance is not a back-end, IT security issue. That means people need to adjust the way they think about privacy and take an approach that empowers legal teams to set strategy. Fortunately, a great many Taiwanese organisations are waking up to the fact that GDPR will apply to them and that a coherent compliance strategy will allow them to sell services to partners and customers much more effectively.’

HOW WILL THE REGULATORS RESPOND?

One small comfort for GCs has been the level of clarity offered by the regulations themselves. The work of the Article 29 Working Party was widely praised by those we spoke to for achieving a workable approach to data protection.

At the same time, a lack of certainty around how these will be enforced makes the precise level of risk difficult to judge.

Some believe that the regulators’ approach will be measured. As one Italy-based legal director commented, ‘data protection regulators are likely to make a distinction between those who have made sincere efforts to comply and those who have not.’

However, says Dr. Konstantin von Busekist of KPMG Law in Germany, there will be very little manoeuvrability on the part of regulators when assessing and imposing penalties for breaches. ‘The question of whether to prosecute is not at the discretion of the authorities. Whenever they have knowledge of an offence they have to prosecute. Even companies which fall outside high-risk sectors such as TMT and healthcare can be at risk from a strong works council, which may have a political interest in bringing the company before review.’

And, adds one GC with close connections to the regulatory authorities, ‘within six months of GDPR’s implementation the regulators will look to penalise a large corporate which has not complied. It’s certainly what I would advise them to do. If a year goes by without any large fines there is a risk that companies will become complacent.’

Andrew Yorston, head of risk and compliance at Vodafone UK, has a similar take. ‘Our group audit and risk committee asked “what is the precise risk we face here?” It is hard to quantify the risk, but I advised them that, for GDPR to work as it should, there will have to be investigations. A single customer complaint will be enough to trigger an investigation’.

Digital citizens’ rights?


Dr. Konstantin von Busekist, Partner
KPMG Law, Germany

Under GDPR, companies must protect ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.’ The protection of personal data is a laudable ambition, but it is frequently inconsistent with how individuals themselves share information.

‘The perception of data protection among our customers differs markedly from the perception of the regulators’, says Gianpaolo Alessandro, head of group legal, Unicredit. ‘Most people care very little about their rights when they use social networks or e-commerce providers. There seems to be an increasing gap between how regulators feel and how the people being regulated feel’, Dr. Konstantin von Busekist of KPMG Law in Germany adds.

‘We are moving toward a world where data collection becomes more invasive. The internet of things and other developments will make the question of what constitutes data privacy a difficult one’.

Conclusion

MAKING THE MOST OF GDPR

‘The problem with GDPR’, says Rob Green, data privacy director at Canon Europe, ‘is there are so many people with different opinions that you can run yourself into a circle of despair. GDPR clearly does represent a massive change, but GCs need to keep a cool head. A lot of this is not new at all.’

Gordon Wade of KPMG in Ireland offers similar advice. ‘There has always been and will always be a data protection compliance requirement. GDPR contains many of these existing principles and should be seen as an evolution rather than something to worry about.’

While the 25 May deadline does not leave GCs much time to work with, a lot can be done in a matter of days. Focusing on quick wins is the best approach for those who feel their planning is behind schedule.

Alexandra Albrecht-Baba, head of corporate compliance at Hochtief, puts it more bluntly. ‘There is a theoretical approach and a pragmatic approach [to compliance]. My impression is that all GCs are going to take the pragmatic approach until 25 May this year and only then try to consider what the best theoretical approach may be.’

Finally, as a number of GCs reported, the best solution to the challenge of GDPR is to make the most of it and focus on the opportunities it presents to an organisation.

GDPR IS AN OPPORTUNITY TO DIFFERENTIATE YOUR BUSINESS

Jeff Langlands, general counsel, BT business and public sector

‘For a number of businesses, GDPR compliance can be a differentiator in the market. In the telecoms space that is definitely true. The money we spend on GDPR compliance is not a sunk cost, it is a way of getting an advantage on our competitors. There are also cultural benefits to GDPR compliance across the organisation. It stirs the pot and makes sure other risks – from security to modern slavery and anti-bribery and corruption – are placed under a better governance structure.’

Dan Guildford, general counsel, Financial Times

‘GDPR presents unique challenges for the media sector. Subscription-based media companies such as FT rely heavily on user data to help promote subscriber acquisition, retention and engagement, and GDPR also poses potential risks for journalistic freedom. We need to ensure that all of our lawyers have a good knowledge of data protection laws and are taking the lead on ensuring the company fulfils its regulatory requirements under GDPR. Ultimately, if we get this right we will be well ahead of other organisations in our field.’

Martin Bowen, general counsel, Dyson

‘GDPR is often seen as a very onerous thing to comply with, but we see the opportunities. A future where we are connected to our consumers looks more and more likely. A rich seam of information will help us produce even better products if we can get the discipline of handling the data properly in place.’

Carolyn Jameson, group general counsel, Skyscanner

‘There is a big drive to personalise our product line, which will mean collecting more personal data. In this sense, GDPR has been fortuitous for the business and for me as DPO. It has given us an opportunity to think systematically about what we want to do with data before we collect it.’

 

IP Best Practice

Foreword

Whereas intellectual property (IP) law firms hitherto concentrated on legal advice, they are today confronted with a great variety of demands by their clients and a rapidly changing market environment. Thus, traditional approaches are in many cases no longer feasible.

Historically, most companies outsourced all of their IP work to external law firms. Nowadays, a growing number of companies have in-house IP departments coping with some or even a major proportion of the work. While some companies still outsource the high-profile work, such as litigation, freedom to operate and opposition, other companies tend to mainly outsource drafting and prosecution.

In addition, whereas IP firms were in the past dedicated to the whole value-added chain, from filing to the end of the lifetime of the patent, more and more tasks, such as annuities or validation of a European patent, have been taken over by IP service providers not offering any legal advice and often being capital driven.

To offer the whole range of tasks, IP firms, however, have to have available patent attorneys adequate for both the high-profile work and prosecution, and highly qualified paralegals attending to the formal work. Whereas the costs for the high-profile work are generally not an issue, there is a high cost pressure on prosecution and drafting as well as on formal tasks.

To strike a balance between loss of business to service providers and the still desired need for high responsiveness and quality, the pricing structure of IP firms is in a state of flux, with a tendency to increase hourly rates for the legal advice. To put it differently, the pricing structure of German and European IP firms will likely change towards the pricing structure most companies are used to from their US counsels.

Moreover, there is a move towards new ‘products’, such as taking over IP data management or offering tools that allow automatic transfer of or access to the necessary data. Due to the great variety of patent management systems on the market and used by companies, there is no easy solution for IP firms to satisfy those needs.

Besides legal advice, law firms are now also concerned with automation of processes. They make use of application programming interfaces in order to enable communication between their database and the various databases and patent management systems of their clients. Web-based communication and internet platforms are also in the picture.

In any case, it is of high importance for the law firm to obtain knowledge about the actual needs and expectations of the companies, apart from the legal advice they traditionally expect.

Andreas Görg,
Partner and European patent attorney,
HOFFMANN EITLE

Best practice: engaging with outside counsel

The Legal 500 Deutschland IP survey sheds light on when it is best to engage external legal advisers on IP issues, and how best to ensure the engagement is run efficiently and effectively

Striking an appropriate balance between building in-house intellectual property teams and outsourcing matters to external law firms is not straightforward. In-house professionals are typically immersed in the business, understand its priorities and can quickly engage and collaborate with internal colleagues, such as management and those in research and development (R&D).

External law firms have the advantage of economies of scale, and the ability to develop more specialised expertise and more rounded industry expertise, from advising and representing multiple clients in a number of industries. Often they will have an international network or at least a raft of international connections.

In-house legal teams have grown considerably in recent years, as the global regulatory environment has become more burdensome. They have also expanded as businesses have sought to cut costs by reducing the use of more expensive external lawyers and lowering the inherent inefficiencies of engaging outside counsel.

The crux of the issue is utilisation; there is no point in building in-house teams unless they are equipped to handle a consistent flow of matters. Where niche expertise or a higher level of expertise is required, or where a business simply does not have a sufficient flow of intellectual property (IP) requirements in a particular area to warrant having an internally assigned professional, then it needs to think about effective engagement with an external law firm.

In our survey of over 100 professionals that have responsibility for IP issues, most revealed that they outsourced some of their requirements to external law firms. Moreover, 43% indicated that they outsourced everything. This illustrates the continued significant demand for specialist IP expertise in private practice law firms and the fact that companies simply cannot build a business case for having a fully fledged internal department that can handle all IP matters. In many instances, businesses would effectively need to administer a large and consistent flow of IP applications and related business before they could bring this all in house.

Regulations also play a part in Germany. A senior legal counsel at a major automotive company says that it will always engage outside counsel for a dispute, not just because they have the court experience, but because the business is able to claim their legal costs from the opponent if they win the case; this occurs whether or not the dispute reaches the courts.

Beyond this, the international requirements surrounding effective exploitation of IP will typically ask too much of an in-house department. They will need to engage counsel in various jurisdictions to ensure that their IP assets are properly enforced and protected. Christof Wolpert, vice president global legal innovation at adidas, explains why having a network of specialised external counsel is necessary: ‘There are certain skillsets in our corporate structure that we don’t have in-house. We operate 170 subsidiaries around the globe and we have IP-related litigation in more than 60 different jurisdictions, so we need to work with local counsel.’

Wolpert believes that it is fruitful to retain much of the core business in-house, because it boosts institutional knowledge, which can be reapplied and refined over time. ‘We do the clearance or freedom to operate in-house because we build experience,’ he explains. ‘We like to build that know-how internally, which enables us to make decisions faster.’

On less critical issues, Wolpert believes that engaging outside legal advisers and the economies of scale that they can provide makes good business sense: ‘I want people in my team working on clearance and strategy, and not on drafting. That doesn’t broaden your skillset as an in-house counsel. We want people to advise on what the business can or can’t do, what are the possibilities, the risks and the threats, and that is how we add value to the process.’

There is a widely held view that in-house teams are better equipped to take more risks, to take more commercially driven decisions even if there is a chance of a negative outcome. In-house counsel recognise that law firms have to minimise their potential liabilities and this necessitates that they pay more attention to possible downsides, which is not always strategically optimal.

Cross-border expertise is especially important, as illustrated in our survey, which showed that 82% of respondents do business in more than one EU country and 85% do business outside of the EU. The importance of cross-border and international capabilities is brought into sharp focus by the survey, which reveals that 62% of respondents have a dedicated internal resource to manage IP registrations in multiple countries. At the same time, 54% of survey participants outsource this responsibility to external law firms.

Needing a helping hand

When to turn to external legal advisers can pose a problem. Many smaller businesses simply do not have the expertise or resources to manage any of their IP matters. Others would engage external counsel when there is a cross-border component or if the issue is so complex that it requires specialist or niche expertise. Other businesses prefer to use outside legal expertise for more routine and volume matters, where economies of scale can be beneficial.

Christian Reinders, chief IP counsel at Dräxlmaier Group, the German automotive component supplier, says that he needs to constantly assess capacity and utilisation in his own team, and identify when it simply does not have the expertise, experience or geographic capability to handle a matter: ‘We look at what resources we have internally, whether we can manage that or if the case is so complex that it would make sense to engage outside counsel with specific expertise in that field.’

Carmen de la Hoz Llarandi, head of the industrial property office at Banco Santander, says the bank routinely looks to external legal advisers when matters become ‘complex and require more expertise’. The bank was involved in a long-running trade mark dispute with Sparkassen, the German savings bank, over the use of a particular hue of red in its branding.

‘IP is again an increasing area of focus to successfully tackle the complex challenges caused by increasing global competition and disruptive digitalisation in the 4th industry revolution.’
Maike Weber, Native Instruments

Reinders believes that as the global economy develops, and innovative technologies become more integral to manufacturing and product design, businesses inevitably have to think carefully about looking outside for particular skills and knowledge that do not exist in-house. ‘If we are stepping into a technology field where we do not have the experience and background, we like to involve outside counsel that can help us better understand that technology. I try to find specialists and patent attorneys with specific expertise in business models and technical standards that are different to our traditional business model,’ he explains.

When it comes to IP strategy, businesses typically feel that this is best served by an internal person and/or team. In this instance, only 20% of survey participants look to external counsel for guidance on IP strategy, though this issue does become more complicated as businesses grow internationally. Reinders says that running the strategy in-house makes absolute sense because he and other team members have easy access to and regular communication with the management board and the R&D department. He admits though that this approach has its limitations: ‘It might be different if we were a multinational company that was ten times the size. If you were so big in size that you had to organise invention harvesting in local branches of the company, it might then make sense to completely outsource the patent work.’

Even for smaller companies, Maike Weber, head of legal at Native Instruments, says that external advisers can contribute a great deal to a business’s strategy: ‘We would always discuss the overall IP strategy with external experts, because they have experience of other companies and understand how other companies of this size operate. Their experience can help us to be better.’

Identifying the right external counsel

Our survey highlights common factors in how businesses choose their legal advisers. Not surprisingly, businesses have a primary emphasis on getting the best IP expertise from their external counsel. Priorities for choosing advisers also include appropriate pricing structures, and quick responses and feedback. Of less importance is a dedicated account manager and of least importance is the availability of budgeting tools and cloud-based software solutions. Our independent interviews suggested these tools and software solutions are becoming increasingly important, but interviewees in particular highlighted the importance of outside counsel understanding how their businesses operated, the technologies and structures that drive them, and the industry that they compete in.

Beyond this, the head of legal international at a Munich-based technology company says that he looks for especially high levels of pragmatism and commercialism in his legal advisers: ‘I definitely require external counsel to be in-house counsel-like and operate in a way that we operate as a legal team. They don’t have to give us the 100% answer on everything if it takes ages to get it done when all we wanted was an educated guess on exposure to a certain issue. If someone is able to give us a 95% accurate answer quickly and tell me that there is still some residual risk that needs to be checked, that clearly helps. I don’t want them to spend hours on a certain issue that I explained at the beginning was not so important.’

Equally, a senior legal counsel for IP matters at a leading Germany-based clothing company says that legal advisers must be cognizant of a company’s appetite for litigation and whether the potential commercial advantages will warrant the time, resource and monetary cost of pursuing a dispute. ‘The most important characteristic is a pragmatic approach,’ she explains. ‘We don’t want to be forced into claims that don’t make sense or where we have no chance to defend them. We are cost-sensitive and it needs to be the best solution from a monetary point of view.’

Paying for legal services

For all the talk of alternative fee arrangements over the last decade, the vast majority of law firms around the world are still wedded to the billable hour. It does provide transparency and convenience for both firm and client, though it is not necessarily the most efficient means of charging for legal services. There is of course the administrative time that goes into tracking hourly costs; there is then the reluctance among clients to pick up the phone when a query arises in case the clock starts ticking. The billable hour is not always conducive to regular contact and effective collaboration, and that is why clients continue to look for alternative arrangements. Our survey indicates that businesses have a preference for fixed fees, even if there is some flexibility around them. Fifty-five percent of respondents reveal that they pay external law firms on a flat-fee basis. An in-house counsel from a German firm explains the reasons why the billable hour is falling out of favour and where he feels firms can be more creative around fees: ‘I do not care for the hourly rate. It is something that is transparent and makes a law firm comparable to the next firm, but I am more concerned about the efficiency of the lawyer and how they handle the matter. I’m interested in smart models; it would be interesting to have a monthly base rate that covers the ten-to-15-minute calls that we have every now and then, rather than always starting the clock on an hourly basis.’

Reinders has similar sentiments, though he recognises that clients should not impose too much of a financial burden on the legal advisers as this can be counterproductive in fostering fruitful relationships and inspiring quality service delivery: ‘A fixed fee definitely helps as it is more predictable for our controllers and the people responsible for our budget. I really like fixed fees, but because I have worked as an outside counsel I recognise that it can cause constraints. I’m very happy to agree fixed fees, but recognise that we should not put all the cost pressure on the IP firm.’

Creative approaches to billing should always be at the forefront of a law firm’s considerations, especially as clients have faced increasing pressure to cut costs and stick to budgets. Robert Fichter, chair of the board of directors at Dennemeyer & Associates, says that one way of increasing predictability is to fix currency conversion rates, which he recognises can be a particular challenge given today’s uncertain geopolitical and economic climate: ‘As managing IP rights all over the world involves currency issues, it is a common desire to fix conversion rates for a certain period of time.’

Connecting through technology

While much interaction with outside legal advisers continues to be via phone and email, there is a growing demand for technology to facilitate more integrated relationships and collaboration. Our individual interviews suggest that a high degree of communication remains through traditional methods, but our survey indicates that the landscape is changing. Fifty-five percent of respondents say their legal advisers provide a cloud-hosted IP software solution to help clients track progress and ensure that matters move forward more efficiently.

Seventy-four percent of survey participants indicate that cloud-hosted software helps to improve connectivity and promotes efficiency in budgeting, exchanging data and other work. Fichter says: ‘Communicating by email is the most convenient way to implement, but as we all know, it is also a very cumbersome and time-consuming method.’ He believes that shared portals ‘allow easy sharing of documents among all involved parties’ and ‘the direct upload of documents and related bibliographic information’. Moreover, he indicates that an IP management system ‘directly increases efficiency on both the outsourcing party’s and outsourcing partner’s ends’ and believes that the transfer of emails can be radically reduced, especially when follow-ups and requests for confirmation of receipt of emails can be eliminated.

For businesses, this can be hugely important, with 82% of respondents suggesting that cloud-hosted solutions provided by their legal advisers had saved them money, including freeing them from having to purchase the tools themselves. Speaking to The Legal 500 Deutschland, a senior in-house lawyer says that cloud-hosted software can enable a business and its external legal adviser to work concurrently on a shared document, to monitor progress from both sides and be able to access key files at all times: ‘That would make life much easier as every single request can be time consuming, where you ask for an update on a particular template, and the partner goes to the associate who has to invest time in providing a response and the partner then forwards the response to me. The administrative time is very high. I would like to use cloud tools or other tools that help me understand where a matter stands, what the external adviser needs, and what is pending from them and pending from us.’

Despite the increasing prevalence of these tools as part of a law firm’s offering to clients, 70% of survey participants indicated they had acquired their own software systems, in part because they still required their own internal tools and often work with a range of external advisers. Popular systems used by respondents include those provided by WiNPAT, DIAMS iQ, Computer Packages, PatOrg and Ipendo.

One senior in-house lawyer at a German automotive industry company says that he does not have high expectations of his external counsel to provide cloud-hosted software programs, because they would be unlikely to be compatible with the business’s own e-filing system.

The relationship between a business and a law firm is becoming increasingly complicated due to the greater expectations from clients and the technology solutions that are coming onto the market. Businesses continue to grapple with the choice between building sizeable in-house IP teams and the recognition that external law firms can provide a broader suite of expertise, resources and economies of scale. To make the relationship between client and firm more fertile, external legal advisers will have to work harder to understand their clients’ business priorities, to provide more flexible and creative fee structures, and to make their day-to-day communications and collaborations tighter and more effective.

Chris Crowe

[Survey charts not reproduced. Questions charted:]

Do you currently outsource any of your IP requirements to a law firm?
Does your company do business in more than one EU country?
Does your company do business outside of the EU?
How do you cope with IP registrations in different countries?
Is the IP strategy part of your company’s corporate strategic planning?
Who is in charge of IP strategy?
At what level of IP protection applications filed per year would your company start to use in-house lawyers, rather than a legal firm’s expertise?
What are your expectations of a firm that you are outsourcing IP work to?
How do you pay legal firms you outsource IP work to?
Does your law firm provide a cloud-hosted IP software solution?
Does your company use any of the following IP software packages?
What level of support do you expect from IP software providers?

Data summary and overview

The vast majority of respondents (83%) outsource at least some of their IP requirements to a law firm. Expertise in IP is of course an expectation, as are appropriate pricing structures and responsive feedback. Over half pay a flat fee, rather than an hourly rate.

Over half are provided with a cloud-hosted IP software solution by their law firm. Benefits can include increased efficiency and cost savings, although they may still have to buy IP software themselves.

Over 80% of respondents said that their companies do business in more than one EU country or outside of the EU. Dedicated in-house roles are the most common way of coping with IP requirements in different countries.

Many companies use their IP to their advantage, whether to enable co-operation, for marketing purposes, to make it an attractive target for M&A, to help obtain funding or to quantify the value of the company itself.

IP incentivisation mainly takes the form of fostering an innovative culture and environment, although half offer financial incentives. Companies provide induction training and other training sessions to ensure basic IP knowledge, while some provide workshops for inspiration.