Staying ahead in the evolving digital regulatory environment

In our second 'key takeaways' post from our recent Digital Forum conference, we reflect on words of advice from businesses getting to grips with the complex digital regulatory framework. 

At our Digital Forum conference on 12 September, partner Adam Rendle asked representatives from three different types of business how they were managing the onslaught of new digital regulation coming from the UK and the EU. On the panel were Samantha Lewis (Senior Legal Counsel Product and Privacy, Canva), Vishal Parmar (Global Lead Privacy Counsel and DPO, British Airways), and Stephanie Higgins (Vice President, Chief Privacy and Data Ethics Officer, Cognizant).

Considering legislation like the EU's AI Act, Data Act, Cyber Resilience Act, DORA and UK equivalents from a perspective of B2B and B2C, these different stage businesses had arguably surprisingly similar approaches to getting ready for compliance. 

Key takeaways include:

• You have to identify what your focus is early on and to do this you need to work in cross-functional teams which (ideally) aren't chaired by lawyers.
• Identify which risks could do most damage to the business and prioritise mitigating them.
• Building trust is key to customers (whether consumer or business). This means safety and security, user testing, and research are going to be fundamental.
• Be guided by company goals and values.
• Compliance with incoming regulation is often detailed in guidance which is yet to be published so you have to "get comfortable in the grey". Understand you can't always meet the 'gold standard' and may not even know what that is. Where there is a lack of clarity, consider how you interpret the legislation. Document your decision making process and subsequent actions based on that.
• Keep talking to industry, legal counsel, networking groups and to regulators. Benchmark your approach with that of others. If there is a lack of clarity, hang back if you can but keep moving forward where you can't wait. Leverage international standards where there are regulatory gaps.
• Ensure in-house counsel has a seat at the table and provide management with clear, easy to understand guidance. Who does the regulation apply to? What are the timelines? What happens if you get it wrong? How much will it cost to comply? Why does compliance matter to the business?
• Don't forget about reputational damage and directors' personal liability for non-compliance.

What stood out from the discussion is that success will depend on good communication between all affected areas of the business, both internally between in-house legal, the C-suite and operational departments, and externally with customers, competitors and partners, regulators and external advisors.

You may also be interested in a summary of our AI contracting panel session.