Questions & Answers
What is substantive and procedural law?
Substantive law defines the rights, duties, and liabilities of individuals and entities. It dictates what is legally right and wrong. For example, the EU's General Data Protection Regulation (GDPR), in Articles 5 and 6, sets out the core principles and lawful bases for processing personal data—a substantive rule. Procedural law, in contrast, outlines the rules and processes for enforcing those substantive rights and duties. It governs the mechanics of how a legal case flows. For instance, GDPR Article 33 mandates a 72-hour deadline for reporting a data breach to a supervisory authority; this is a procedural requirement. In enterprise risk management, substantive law is used for risk identification (what constitutes a compliance violation), while procedural law informs the risk response plan (how to legally manage a lawsuit, investigation, or breach notification).
How is substantive and procedural law applied in enterprise risk management?
Enterprises can integrate substantive and procedural law into risk management through a structured approach. First, conduct a Legal Obligation Mapping by identifying all applicable substantive laws (e.g., GDPR, trade secret acts) and mapping specific articles to business processes. This creates a clear inventory of compliance duties. Second, develop Incident Response Playbooks based on procedural law. For a data breach, this means creating an SOP that details the notification timeline per GDPR Article 33, evidence preservation steps, and communication protocols. Third, implement continuous auditing and training to validate that controls meet substantive requirements and that response procedures are effective. A measurable outcome could be reducing the legal review time for new products by 40% or achieving a 100% on-time breach notification rate in drills, thereby minimizing fines and reputational damage.
What challenges do Taiwan enterprises face when implementing substantive and procedural law?
Taiwan enterprises, particularly those in the tech and export sectors, face several key challenges. First is managing cross-border legal complexity; the definitions of 'personal data' (substantive) and breach notification timelines (procedural) differ significantly between Taiwan's PDPA and the EU's GDPR, creating compliance conflicts. Second, there are often internal silos between legal, IT, and business units, preventing the effective translation of substantive legal obligations into technical controls. Third, small and medium-sized enterprises (SMEs) lack dedicated legal resources to proactively track and implement changes in both law types. To overcome this, enterprises should form a cross-functional compliance task force, leverage RegTech solutions for automated legal tracking, and engage external consultants to build a scalable compliance framework focused on high-risk areas first.
Why choose Winners Consulting for substantive and procedural law?
Winners Consulting specializes in substantive and procedural law for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact