About

What are the most important transactions and litigations that you have been involved in during the last two years?

Many people working in global data privacy law would provide exactly the same answer as me – GDPR compliance. The EU General Data Protection Regulation (GDPR) has pushed data privacy compliance up the risk registers of global companies – mostly because of the significant changes to the enforcement powers of EU data protection authorities. For B2B companies, the GDPR didn’t change our core compliance obligations that much, and some of the new obligations such as data breach reporting and privacy impact assessments were already “good practice”. However the introduction of tough statutory deadlines (such as that for data breach notification) combined with the new “big enforcement stick” has made companies sit up and take notice.

We started updating our global data privacy compliance programme two years before the GDPR came into effect – I thought that would be plenty of time as we were already a long way down the GDPR compliance path. However the time and effort needed to roll out updates across a global organisation was significant – we needed every bit of those two years. Naturally the work is ongoing – as processing changes and technologies evolve, compliance with the GDPR and other privacy laws that apply to our business around the world requires constant attention. I don’t think you ever get to a point where all the work is done because there is always something changing – whether internally or externally.

How do you suggest in-house lawyers build strong relationships with business partners?

I think strong relationships with business partners (within the company) are built over time when you trust each other’s expertise and recognise that “we are all in this together”. My team shares objectives with many of our business partners – it’s all about protecting the company and its people – and once that’s recognised, you’re a long way towards building the relationships you need to be effective.

Also, making the effort to actually meet in person when you can makes a huge difference. That can be challenging when you are in a global role with business partners in different parts of the world but in my experience it is always worthwhile to get to know who you are working with. And as we are talking about business partners, I can’t finish answering this question without a plug for our cyber security team – I could not do my job without them. I am a lawyer not an IT expert, so rely on the cyber security team to help me understand new technologies and to undertake the technical and security risk assessments for those technologies.

What “legal tech” products do you currently utilise, and do you foresee implementing more of these in the near future?

Our data privacy team relies on a product that is broader than a “legal tech” product – as it is an integrated risk management platform. We use this to help us maintain our EU record of processing, to manage Privacy Impact Assessments and also to track and close out compliance actions, among other things. We are planning to migrate our internal data privacy incident reporting process to that platform too. The GDPR was what prompted us to get better organised – so it’s an illustration of the old saying “It’s an ill wind that blows no-one good”.

Have any new laws, regulations or judicial decisions greatly impacted your company’s business or your legal practice?

The GDPR has certainly impacted my workload and our global data privacy programme. It is described as a “game changer”, because the penalties for non-compliance now mean that data privacy is in the same sphere as the FCPA for instance.

There have also been changes of substance in other parts of the world too – including mandatory data breach notification laws introduced into the Privacy Act in Australia and PIPEDA in Canada. Having a global data privacy programme means keeping legal developments across all the company’s operating countries under review – and the changes keep on coming (for example I have recently been immersed in Brazil’s new laws). It requires effort to keep up with these changes and to ensure that our programme, compliance advice and training, addresses any local nuances. But that is what makes the job interesting too.

What do you feel are the most effective techniques for getting the most out of external counsel, in terms of how to instruct them?

Time spent in preparing a comprehensive briefing is always time well spent – the better the briefing, the better the advice. In data privacy, so much depends on context. So taking time to prepare a detailed briefing for external counsel is not only appreciated by them, but it means you are going to get the focussed advice you need.

On a personal level, saying “thank you” also goes a long way. When I was in private practice, some clients saw external lawyers as “service providers” rather than people – with no “thank yous” for the late hours and hard work. That’s not on.

In a modern digital world, why does privacy matter?

To answer this or to respond to claims that “privacy is dead”, my response is to say “think about how you would feel if you had no privacy at all – if governments and organisations could collect, use and share whatever they wanted about you for whatever purpose they wanted, and without telling you anything”. Our modern digital world and the explosion in the quantity of data that is available about us all heightens rather than diminishes the importance of privacy as a human right, and highlights the importance of data privacy laws.

Working in data privacy in the private sector, it is about finding the right balance between organisations needing to do business, and for people’s rights to be respected – so that all personal data processing is, among other things, necessary, proportionate, transparent and secure. That is achievable – but it requires a focus not only on what is technically lawful, but also what is ethical. The longer I work in this area, the more I know that privacy matters.