I came to the data field because in the 90s I worked with an incredible data protection lawyer, Simon Chalton, who had written the first book on data protection and was fondly referred to as the grandfather of data protection. It was Simon that got me interested in the topic. I was at the time mainly working on large IT contracts, but I soon realised that data was the future, and something that would be of relevance to every sector.
Some highlights from my career so far include working on developing new ways to comply with existing data protection law and guidance, and liaising with regulators, on one of the earliest projects involving the sequencing of patients' DNA in order to improve their treatment.
The big challenge I would say for most of our clients right at this moment is finding the time and budget to keep up with the relentless push for more compliance. For example, dealing with international data transfers is, for most businesses, the number one issue; especially with the expectation that detailed documentation will be created for each transfer outside the EU/UK. Additionally, recent regulatory action and guidance has meant that both transfers to the US and separately the use of adtech by businesses is now under question.
It's essential to keep up to date with what is happening via whatever sources you have, and to plan for potential issues. Following regulatory action in the EU, UK, US and elsewhere, it is now easier to explain to boards why it is necessary to budget for privacy compliance, what may be more difficult is if it becomes necessary to revise a business model because some elements are prohibited by regulators. In that case it is essential to have planned for the alternatives.
In terms of emerging trends I am interested in the direction of privacy enforcement – which in the UK was originally directed towards data breaches. I think this is now broadening and, especially in the EU, we see more enforcement directed towards other failures to comply (eg lack of transparency), so I think we will see more enforcement of other parts of privacy law such as accountability and individual rights.
I am also interested in the development of privacy disputes. Unlike in the US, in the UK and EU we see relatively few privacy disputes. But, I think as time goes on we will see more, from individual claims or complaints to contractual disputes between controllers and processors.
A piece of advice I would give aspiring data lawyers and professionals: I would say read everything, which was a piece advice given to me when I was training. I don’t live up to that – who can these days – but it is a good mantra. Beyond the law, cases and guidance, there are a lot of different sources of material that can help you advise your clients, as you get to know individual sectors better.