Following completion of an English law degree at Kings College and a French law degree at the University of Paris-Sorbonne, I started my legal career at Simmons & Simmons and then moved to technology-focused roles at other UK and US law firms. Significantly, during this period I was seconded to Yahoo, gaining invaluable experience of the real-world challenges facing technology companies particularly with data, privacy, and cybersecurity.
In May 2018, I moved to my current firm, Paul Hastings LLP, where I head up the European privacy and cybersecurity practice, and co-chair the global AI working group. My role involves assisting clients to identify, evaluate and manage global privacy and information security risks and compliance issues and navigate them through data breach response and associated regulatory investigations and enforcement proceedings. I also advise clients on complex commercial and technology-related contracts, and the privacy and security issues arising in the context of corporate transactions.
I am also heavily involved in helping governments around the world develop or expand existing data protection legislation and am at the forefront of global developments in artificial intelligence (AI), often working with the UN and similar organisations.
Being engaged to advise a foreign government on the development of its new legislative framework for data protection.
The personal invitation for me, together with my colleague Rob Silvers, to take part in the “Global Governance of AI Roundtable” (GGAR), held as part of the World Government Summit in the United Arab Emirates, is also pretty high up there in terms of proudest moments.
We both chaired roundtable discussions on cybersecurity and data and I was subsequently invited to be a member of the “Global Data Commons International Taskforce” to develop a set of global principles for artificial intelligence.
Largely yes. I had expected 2019 to be all about data and a continuation of GDPR implementation projects, with GDPR having heightened awareness of data protection issues the year before. In particular, I thought it would be the year of the data breach – and it was. We saw an increase in breach reporting and in regulatory bodies wielding their increased powers and imposing the sanctions at their disposal, primarily the much-publicised financial penalties.
I suspect it will be a good year for the industry but not without some challenges. Scrutiny around companies’ use and storage of personal data looks set to continue and EU GDPR-like regulatory principles are pervading legislators around the world.
Regulation will likely increase with EU GDPR principles, or similar concepts, spreading globally. The fines for breaches are significant, so the industry will, or should be, focusing on compliance. With the increased sophistication of bad actors and the proliferation of cyberattacks, the spotlight will likely be on security in 2020 from a compliance perspective – and the need to take preventative measures, as well as to be ready to respond quickly and effectively in the event of an incident.
A general sense of improved efficiency and effectiveness. If we use/implement data and technology in the right way, we can capitalise on the benefits while avoiding the risks and pitfalls.
With appropriate direction, we can use data and technology to achieve global change for the good. The Global Data Commons Taskforce, for example, is all about using data in order to achieve the Sustainable Development Goals set by the UN.
It really depends what stage an organisation is at, in terms of its digital transformation. Key will be ensuring the appropriate technical and security measures are taken from a compliance perspective. This is not always easy and depends largely on the nature and size of the businesses.
It’s vital to keep the spotlight on cybersecurity risk, whatever stage an organisation is at in terms of transformation – criminals and opportunists are becoming increasingly sophisticated.
Regulatory scrutiny and investigations are more than ever focusing on what companies are doing to avoid breaches, rather than how quickly or responsibly they respond when a breach occurs. Companies that only have response strategies and teams in place, rather than preventative measures, risk reputational and business woes that can easily be mitigated with effective planning and preparation.