‘I first became interested in IT law about 45 years ago. When I was a trainee solicitor, I worked on a case that involved computers and afterwards I thought to myself, “that was really very interesting". I went to night school to learn more about IT law and as there were very few lawyers, in those days, who specialised in IT, people started to come to me for advice.’
Do you have any advice for people early in their careers looking to get into IT or data governance law?
‘There are two principal ways in which you could do that: the first is the way that I did, where you qualify as a lawyer and then you start to specialise in a particular subject. Another way of doing it is to work in the IT industry first - whether as a developer or in other areas - and then qualify as a lawyer second, which I think in some ways has an advantage because you will then have practical knowledge of the industry.’
You recently gave the talk ‘What is REALLY happening in data protection - one year after GDPR?’ Tell us, what should be happening and what’s been going on?
‘What people should do to comply with GDPR, firstly, is examine what personal data they hold and see where their data flows, i.e. where it goes, where it came from and what they do with it.
‘Secondly, now that subject access requests are free, there's been a big upsurge in people making them – although 50% are from former dissatisfied employees. I have a lot of clients who've never had a subject access request before and it's not quite as straightforward as you might imagine.
‘Thirdly, something which didn't exist before GDPR, or the Data Protection Act 2018, if you have a personal data breach of any significance, you have to report it to the Information Commissioner within 72 hours – which can be tough if it happens on a Friday afternoon or a Friday evening before a bank holiday. The main piece of advice I've given companies, in relation to that, is to have your lawyer’s home telephone number, or mobile telephone number, so you can discuss it outside office hours.’
Since GDPR took effect, are there areas in which EU data protection authorities seem to be concentrating their enforcement activity?
‘The two main examples are British Airways and Marriott Hotels, which had significant fines for data breaches. It seems to me that the Information Commissioner is concentrating on household names and large companies. I think they're picking off the bigger targets first because they want to frighten other people into compliance.
‘In addition to that, we also have a situation in commercial contracts, where people are trying to pass over liability for things that go wrong to others and are expecting indemnities because they're so worried about the size of fines if there's a problem.’
The fines for data breaches can run into hundreds of millions - crippling sums for many companies. Do you think the deterrent of fines is actually making things more secure?
‘Fines are raising awareness, but I still get clients who come in to see me saying, "what's all this nonsense about GDPR? Do I need to do anything about it?" I then groan at that stage and wonder where to start because I question what kind of stone they've been living under.
‘GDPR applies within the European Union and it applies to anybody else who holds personal data about citizens of the European Economic Area (EEA), but the intention is for it to be rolled out as the plan for dealing with personal data throughout the rest of the world. Already quite a few other places such as Singapore and California are using the GDPR model as a template for their own legislation.’
Whilst some companies are still resisting GDPR, are others worried about how they may be affected by Brexit?
‘Yes. A no-deal Brexit is what keeps me awake at night. Of all the countries in the European Union, the UK makes more money out of data processing than any other. So, data protection is incredibly important to us because of the data that flows into this country.
‘Whilst we're inside the EEA and we're compliant with GDPR, we're okay. I think the reason some other countries such as the United States use us is because we're one of two English speaking countries in the EEA. We've got more infrastructure here and because of our shared history, America feels quite comfortable sending information here.
‘If we have a no-deal Brexit, we will still be able to transfer information to the European Union, but what will be much more difficult is the transfer of personal data to us; there will suddenly be a blizzard of contracts that people will need to sign.’
What practical advice do you have for companies dealing with subject access requests or data breach reports within the mandatory 72 hours?
‘It is surprising how much extra information you have to give in answer to a subject access request. I think a lot of people think, "we simply have to provide the information that we have about that person." While that is true, there are lots of other things that you have to provide such as where you got that information, to whom you have passed that information and what purpose you had in holding the information initially.
‘It also applies to any audio recordings or any film or photographs that you took of that particular person, including CCTV. I've acted with a number of clients where it's been quite difficult to extract all the different images that they had taken of a particular member of staff over the years.’
Some employers may not even realise the extent to which subject access requests apply…
‘The good news for people who receive subject access requests is that it is quite common for the applicant to complain to the Information Commissioner as an extra stage of punishment afterwards and, in my experience, all the Information Commissioner is interested in is whether you have adopted a sensible procedure in answering the subject access request. They don't send the Feds around to check that you have actually disclosed all the information.’
The 2018 update to the Data Protection Act and the introduction of GDPR was a huge shift. Do you think it goes far enough?
‘I think this was quite a seismic shift. There will be some tinkering with it, but there will not be a whole-scale tightening up of this any further. The aim was to get organisations that held personal data to start taking this quite seriously and it has suddenly made organisations place personal data higher up their board agenda.’
Your successful book, A Manager's Guide to IT Law, is soon to be available as a new edition, A Practical Guide to IT Law. What are the main updates readers can expect to see?
‘It’s been nine years since the last edition, so there are lots of new areas, including a separate chapter on cloud; a separate chapter on cloud contracts; a new chapter on agile; a chapter, obviously, on GDPR; a separate chapter on GDPR exceptions; a new chapter on cyber security; a new chapter on open source and much more of a concentration on social media (to protect the employer from employee activity).
‘Originally designed for managers, we were surprised to find that it was also very popular amongst students studying at universities. This edition is aimed at managers, students, IT professionals and legal practitioners.’
What advice would you give to your peers to help nurture new talent?
‘I feel very strongly about training youngsters. I have lectured for more than 23 years to other lawyers about this and the final part of my lecture to other lawyers has generally been signposting how they can find more information: there is the BCS Law Specialist Group, of which I was the secretary for 11 years. There's also the Society for Computers and Law.
‘It's still quite a small, developing field and I've got to know a number of other specialist practitioners in this area, simply by meeting them at conferences. There's still a feeling that people who work in this field should share their information with others, so if another IT lawyer rang me and asked my view on something, I would give them a direct and helpful answer. It's a bit like having a weather station in the Atlantic - if that's what's going on there, if that's the problem they've got, then maybe I'm going to have something similar in the very near future.
‘IT Law is so fast-moving, everybody needs to help everyone else to be able to deal with the torrent of new developments.’