In a context where 1 in 2 firms fear a CNIL inspection, Sylvain Staub, a Paris Bar lawyer and partner at DS Avocats, decided to launch Data Legal Drive in 2018. The goal of this legaltech: to help organizations comply with increasingly complex European data regulations.
Where are you from and how did you come up with the idea of launching a startup?
Sylvain Staub: I became a lawyer at the Paris Bar in 1997 after obtaining a master’s degree in New Technologies Law. I have worked for several French and Anglo-Saxon firms specializing in intellectual property law and information technology. I then created Staub & Associés in 2004, which then joined DS Avocats in 2019.
What prompted me to create Data Legal Drive was the desire to digitize part of my activity as a lawyer, and to offer our clients another approach to legal compliance, more efficient, more reliable.
Was this your first entrepreneurial venture?
In fact, I have always sought to create professional or associative activities in parallel with my profession as a lawyer. In 2004 for example, a friend and I created the company Do Not Squat (referring to DNS) to detect similarities between different domain names using an algorithm. This allowed our customers to receive an alert and consider legal action when a domain name that was similar to theirs was registered and could create a risk of commercial misappropriation or a risk to system security. I finally chose to discontinue this activity, which was nonetheless wonderful and in full development, because I could no longer divide myself between my family life, my hobbies, my practice, and this start-up.
In 2014, I considered an activity that allows managing the execution of IT contracts for large groups thanks to the blockchain. The goal was to link the obligations in the technical appendices to these contracts to the step-by-step implementation of each phase of the IT project, from specification to verification of regular service through specification, unit tests or partial recipes. But there again the reality of time constraints and the danger of excessive distraction overtook me.
I imagine it was the adoption of the General Data Protection Regulation (GDPR) in 2016 that prompted you to launch Data Legal Drive?
This is clearly no coincidence… In 2016, with the entry into force of the General Data Protection Regulation (GDPR), many of our customers asked us to support them in making their data processing compliant. However, the GDPR is an entirely new data governance, and an almost complete change in the burden of proof.
Companies now have to demonstrate that they are in compliance, so they have to map processing, manage their records, perform necessary impact analyses, respond to legal requests, report incidents to CNIL, and train teams in data protection issues. This is when the new profession of Data Protection Officer (DPO) emerged. However, at the time when this new profession and this new corporate burden were born, I couldn’t find any software that could seriously help companies comply.
During the two years between the adoption of the GDPR and its entry into force, I therefore worked to develop software that takes on each of the processes imposed by the new regulation, by dissecting 99 articles, 173 recitals, and the doctrine of CNIL and of the G29, today’s CEPD.
The goal was to translate it into decision trees so that each data person in the company can take their share of the work and everything is centralized, validated, managed and updated by the data officer. The result: Data Legal Drive was created in May 2018, drawing on the technical teams of Pocket Result, the BI company started by my wife, Maÿlis Staub, in 2013.
How have organizations adapted? How would you rate their level of maturity on these issues?
We have seen a huge change in mentality since the GDPR: whether it is small and medium businesses, international trade organizations, large accounts, communities or departments, no one is ignorant of what it means to protect personal data. And the issue of data management now resonates outside of DPO and DSI jobs, and also relates largely to marketing, sales, HR or purchasing professions.
Also, for the past year, the GDPR has no longer been seen only as a legal and technical issue. It is a moral issue in and of itself, a matter of values that organizations adopt in their positions. Along with a commitment to compliance, European companies are now advocating for a truly ethical culture of data management.
And other countries around the world are obviously inspired by it, for example the CCPA and then the CPRA in California, the Brazilian LGPD or the recent Indonesian bill. Overall, the United Nations indicated in December 2021 that 137 countries out of 194 have put in place legislation aimed at ensuring the protection of personal data and privacy.
GDPR has a significant extraterritorial application and thus has become a standard in the world.
Do the new European texts, the Digital Services Act and the Digital Markets Act, also attract your attention?
Yes, of course. As part of the European strategy to enable the EU to become a leading player in a data-driven society, digital platforms will soon be subject to further regulation at a European level.
This is indeed the DMA and the DSA, but it is also the Data Governance Act (DGA).
The legislator seeks to regulate the practices of the web giants and somehow strengthen the power of users in order to achieve a digital space of trust. But what weight, what striking force does the European Union have? What is certain is that although it is not directly targeted, data protection must be further strengthened by the introduction of these new rules.
What do you make of the current debate about hosting sovereign data in Europe?
The current discussion about the sovereign cloud is much broader than the discussion about privacy, and the issue of putting forward the so-called sovereign offering may still be far from the interests of individuals.
There are, in my opinion, 4 concepts that must be taken into account. This discussion touches on topics related to private life, and everyone can understand their interests. But on the other hand, it is also linked to issues of state, related to what we wish to define as an integral part of our sovereign autonomy. I think everyone can understand this point since the health crisis and more recently since the energy crisis. It’s the same issue with the sovereign hosting of our data and the importance of deciding what we want to share offshore or keep to maintain our independence.
Then there is an economic dimension to consider: if we do not greatly support the French and European digital industry, it is certain that it will not be able to compete with champions from across the Atlantic or from the Middle Kingdom.
And finally, regarding data industry in particular: if we want to erect unicorns — even dice — we’ll have to agree to feed our algorithms. In other words, a company may develop a robust algorithm, but it will be useless if it is not supported enough. We must therefore agree to our data industry preference, particularly through general orders.
We are in an economic war, in the digital industry as in other industries, and it shouldn’t be impolite to say that. Therefore, we must prioritize our ecosystem and give horizons to our brains and investments. Indeed, we have great engineering training, but what is the fate of these talents, these algorithms and this program that the American siren has attracted?
Last year, you succeeded in completing a second round of financing amounting to 2 million euros… What is the money used for?
Lefebvre Dalloz, the European leader in legal and tax knowledge, actually invested 1.5 million euros for the first time in 2019 and then 2 million euros in 2021. This has allowed us to accelerate and recruit: we are now 60 employees at Data Legal Drive – half in technical roles – and our software serves more than 3,000 clients, from SMEs to CAC 40 companies, in more than 50 countries.
This money also allowed us to develop a second program to comply with anti-corruption regulations. There are also many commonalities in data protection and anti-corruption operations, particularly with third party repository management or risk planning. As of now, we are considering a new program that responds to other risks – such as the duty of care and corporate social responsibility – while being careful not to divide ourselves and always maintaining an expert approach to the topics.