With fines of 4% of a trader's annual turnover for infringements, you could be forgiven for thinking that we're talking about GDPR. But no, we're actually talking about the European Commission's overhaul of consumer law, the New Deal for Consumers, which introduces hugely increased 'GDPR-level' fines for breaches of consumer law to give regulators more teeth against non-compliant businesses.
The level of fines isn't the only parallel between the New Deal for Consumers and GDPR. As with the data protection reforms, the overhaul of consumer regulation will mean potentially complex implementation projects for any affected companies. This time round though, we can use the lessons learned from that 'spring of GDPR' to ensure an orderly and well thought through implementation of the new consumer regime.
In this article (which forms part of our wider series on New Deal for Consumers), we look at the lessons learned from GDPR, and how they can be applied to the New Deal for Consumers:
1. Prepare as soon as possible
These types of compliance projects often take much longer than one may think, particularly where there are multiple stakeholders involved within the business.
Time is still on our side. Member States have until 28 November 2021 to adopt and publish their implementing legislation, so businesses will have more information on the exact scope of the changes by then. The laws will then come into effect on 28 May 2022.
This may seem like a long way out, but to be in good shape, businesses will need to start their compliance activities towards the end of 2021. This in turn means that the project will need to be scoped out, the team prepared, the business informed, and resource and budget obtained (if needed) in the first half of 2021.
Planning is of course essential. A basic plan will help you understand the steps needed to get to compliance, breaking down the tasks and turning the whole project into a more manageable exercise. It will also allow you to establish a timetable to make sure the project is on track to meet the deadline, and will make it easier to budget for any additional or external resources required.
A plan should include at least the following components:
- Establish the changes to the law. For companies working across the EU, this will be a big task and will involve carefully monitoring the implementation in all 27 member states. A decision will then need to be made about compliance in the UK, since the UK will not be bound to bring in these changes as the deadline for implementation falls after the end of the transition period (which ends on 31 December 2020).
- Understand which products and services are caught, and in which territories.
- Conduct an impact assessment to determine what changes are necessary. Businesses will need to review compliance decisions they have taken in the past; decisions made some years ago may no longer be correct under the new regime.
- Prioritise. Where you have multiple products and services but limited resource, where some changes may take longer to implement, or where there are known compliance weaknesses, it may be necessary to focus on those products and services first.
- Manage stakeholders. A key piece of any compliance exercise is stakeholder management and escalating any issues; this should be factored into the plan (as we discuss in more detail below).
3. Risk assessment
Where the business decides to take a certain risk, it will need to understand the potential consequences and prepare for those.
For example, recently there has been an increase in enforcement of consumer law breaches in Germany and Italy. So if a decision is taken to risk non-compliance in those territories, the business should understand the potential implications, sign off on that basis and prepare for the consequences, such as litigation.
4. Prepare the business
Key stakeholders in the business need to be informed of this new legislation as soon as possible. This will include the board, and also any product owners whose products may have to change. This is a particularly essential step if resource and budget need to be obtained to assist with the project.
Consider setting up a cross-functional team now, which meets on a regular basis. This will ensure stakeholders are kept informed about the changes required, the impact on their products and the timeframes.
Finally, consider producing some materials or training to circulate amongst the business, to ensure they better understand what is coming down the tracks and to assist in identifying products and services which may be affected.
5. Compliance by design
One of the requirements of the GDPR is "data protection by design" (or "privacy by design"). Just as data protection should be an essential part of the creation of new products and services, so should consumer law.
Businesses should make sure that any new consumer-facing products and services are designed to be compliant with the new laws at launch. This will save headaches further down the line if you need to change those products to be compliant.
How we can help with the New Deal for Consumers
Please get in touch if you would like to discuss your New Deal for Consumers project in more detail. We would be very happy to share a draft implementation plan with you. Our international consumer regulatory team regularly advises our clients on regulatory implementation projects, including of course the GDPR, but also most recently the Portability Regulation, the Platforms for Business Regulation and the new Audiovisual Media Services Directive.