normative juridical research

Normative juridical research is a legal research methodology focused on analyzing legal norms, principles, and doctrines to determine what the law ought to be and how it should be interpreted. Unlike empirical research, which studies law in action, normative research is prescriptive. In the context of enterprise risk management and Privacy Information Management Systems (PIMS), this method is fundamental. The international standard ISO/IEC 27701, in control A.7.1.1, requires organizations to identify applicable legislation. Normative juridical research is the formal process to fulfill this requirement. For instance, to comply with GDPR's Article 25 principle of 'Data protection by design and by default,' a company must conduct this research to accurately interpret what constitutes 'appropriate technical and organisational measures.' This allows the translation of abstract legal requirements into concrete internal policies, procedures, and system designs, ensuring compliance is substantive and aligned with legislative intent, rather than a mere checklist exercise.

In enterprise risk management, particularly for privacy, normative juridical research is applied through a systematic, three-step process. Step 1: Regulatory Scoping and Obligation Identification. This involves identifying all applicable data protection laws (e.g., Taiwan's PDPA, GDPR) and conducting a normative analysis to translate legal text into a clear 'Register of Compliance Obligations.' For example, this would specify GDPR's 72-hour data breach notification requirement. Step 2: Gap Analysis and Control Design. The identified obligations are compared against the company's existing policies and procedures to find compliance gaps. Based on this analysis, new or revised controls are designed, such as updating the incident response plan to include the 72-hour notification protocol. Step 3: Continuous Monitoring and Updating. Legal frameworks are dynamic. A process for ongoing regulatory monitoring is established to conduct periodic normative research, updating the compliance register and controls in response to new laws or court rulings. This structured application helps organizations achieve a high compliance rate, significantly reducing the risk of fines—such as those under GDPR, which can reach 4% of global annual turnover—and ensuring successful certification audits like ISO/IEC 27701.

Taiwanese enterprises face three primary challenges when implementing normative juridical research for data protection compliance. First, Complexity of Cross-Border Regulations: Many firms operate globally and must navigate the intricate and often conflicting requirements of Taiwan's PDPA, GDPR, and other international laws, especially concerning legal bases for data transfers. Second, Lack of In-House Expertise: Small and medium-sized enterprises (SMEs) often lack dedicated legal teams with specialized knowledge in international privacy law, leading to superficial interpretations of regulations and incomplete risk identification. Third, Adapting to Regulatory Velocity: The rapid pace of change in data protection law, including new court decisions and legislative amendments, makes it difficult for companies without a systematic monitoring process to adapt their compliance programs in a timely manner. To overcome these, enterprises should: 1) Implement a Data Transfer Impact Assessment (DTIA) framework to manage cross-border data flows. 2) Engage external experts or 'Compliance-as-a-Service' providers for specialized legal analysis. 3) Adopt Regulatory Technology (RegTech) tools for automated monitoring of legal changes, enabling proactive adjustments to internal controls.

Winners Consulting specializes in normative juridical research for Taiwan enterprises, delivering compliant management systems within 90 days. We have successfully served over 100 local companies. Request a free consultation: https://winners.com.tw/contact