What do you do?
Partner with clients to help them better protect and utilise data, and navigate the complex web of overlapping regulatory regimes. A huge part of that is helping clients manage data-related risk and reward, and defending their interests if things go wrong or they otherwise find themselves scrutinised by regulators, consumers or civil society.
Being able to sit at the crossroads between technology, law, risk management and regulatory defence. There’s no faster moving area of law out there and helping clients tackle the current challenges and prepare for new ones while growing their businesses is hugely satisfying.
What’s keeping you busy?
Ransomware. Lots of ransomware! Also M&A due diligence and related advice. Buyers are more aware than ever that data risk can sink an investment, so we are doing more (and more in-depth) diligence pre-acquisition and advising on whether existing lines of business would survive regulatory scrutiny.
What mentors or other influential figures have helped you get where you are today?
I am hugely grateful to all of the partners in the Debevoise data strategy & security team, with particular thanks to Luke Dembosky and Jim Pastore who brought me into the fold and guided me through my first cyber incident response matter. Outside Debevoise, Barry Fishley under whom I trained at Weil Gotshal & Manges: he had me complete my first standard contractual clauses as a trainee and has been a fantastic mentor to me ever since.
If you could change one data-related law, how and why would you change it?
Data breach notification obligations under GDPR articles 33 and 34. From a purely selfish perspective, if we could swap “rights and freedoms” for “harm” (broadly defined, of course), it would make my life much easier when explaining to clients what the provisions mean.
How has covid-19 affected what you do?
Thankfully, covid-19 has not had a big impact on my day-to-day work. We still have to help clients tackle cyber threats, and as their businesses creep back towards some sense of normality, we are seeing more discretionary projects coming back to life and clients renewing their investment in data and new technologies.
What’s the next big thing – what data opportunities are companies now looking at?
Everyone is saying it, but the use of AI, algorithmic decision-making and other similar tools. That’s coupled, though, with much greater scrutiny of how companies, particularly in financial services, collect, store and monetise data of all kinds. In some cases clients are having to educate the regulators on these issues, and that makes it a fascinating area to advise on.
What’s keeping companies worried at the moment – what are some key data risks?
Strong foundations build strong businesses, and investment in compliance now will pay dividends later.
A big challenge for companies is moving from surface-level GDPR compliance to what I call “GDPR 2.0”: the idea that your policies and procedures have to work well in practice and not just on paper, and regulators will call you out if they don’t. The days of inserting an audit right in a data processing agreement and never exercising it are very likely behind us. European regulators are pushing companies hard to up their game, and the parallel threat of increasing private litigation is significantly changing the risk calculus for many businesses when deciding whether to invest more heavily in data protection compliance and cybersecurity.
What do you do to relax?
Listen to podcasts and audiobooks. I’m a huge fan of “People I (Mostly) Admire” hosted by Steven Levitt, the University of Chicago economist and author of Freakonomics. He’s yet to interview a cybersecurity lawyer, but maybe one day…