Thanks for chatting with us, Jon! What got you interested in privacy?
I’ve always been interested in people’s right to privacy. Many years ago, I worked for a local authority in customer services and my manager asked me to do some training in freedom of information and data protection rights. One thing led to another and I got more involved in the subject, reading more widely, writing and talking about it. Data protection and privacy are important for us all.
Although you work within a law firm, you’re not a lawyer! Tell us a bit about your responsibilities at Mishcon de Reya.
You’re right, I’m not a lawyer, but I do work alongside Mishcon lawyers as a subject matter expert. I’ve been here for three years and I do an enormous range of work across all of the firm’s practice areas. That can be contracts, transactions, working with or defending against regulators, working for private individuals to exercise their rights, and acting for companies in terms of their obligations. So there’s lots of variety and it’s always interesting.
Why do you think data protection is often framed as a legal issue?
One can’t get away from the fact that there is law underpinning this; it’s not just about societal or ethical values. This is a technical subject and one that involves an analysis and an understanding of the law. That can be a challenge for some companies. But this does stretch beyond the law to the whole of a business’s operations. Almost everything companies do is likely to involve the processing of personal data in some way.
How has the privacy conversation developed across sectors?
One of the consequences of the General Data Protection Regulation (GDPR) was a greater understanding and knowledge about these issues. If I go back 10 or 15 years, the Data Protection Officer was a very lonely person who was only brought out when something went horribly wrong. Data protection lawyers were also very isolated. This was seen as a narrow, very technical piece of work. Thankfully, that’s starting to change.
What are some of the mistakes you see companies making?
Clients will ask me to look at a contract, but only the data protection section. I always insist that I need to understand the wider context. That’s a common misstep – to see this as something you can draw a line around. I’ve also seen people invest in expert advice that isn’t very good, which might be worse than getting no advice at all! Consultants will come in for a short period of time, and leave a few sheets of paper behind that no one ever looks at again. The fact is, you can’t get someone to come in and sort out your compliance. This isn’t something that’s done to you but something that you do yourself, with support if necessary. That enables you to build these skills in house, create your own documentation that you understand and which is relevant to the wider business.
Where should companies start?
It’s really important to identify the right people in your organisation to lead on this. And they might not be the obvious people – you might have a customer service manager who’s really interested in personal data rights like I was, or you might have an IT person who’s thinking more deeply about data flows. Ask who’s interested, don’t just parachute someone into the role. Then there are tools. I’m not just selling the Privacy Compliance Hub and Hub Plus…
Are you sure? We don’t mind if you are.
Well, it is an initiative. And Hub Plus is one that Mishcon and Privacy Compliance Hub have developed together. There are lots of companies who claim to offer software solutions to compliance, but this is the only one I’ve recommended because it works. It encourages clients to get their own team together and do the spade work themselves. That’s the only way you’re going to make a real improvement.
What are the benefits of getting this right?
At a fundamental level you don’t want to break the law. But more than that, this is the right thing to do. I think people respect that and want to work for and deal with companies behaving ethically on this issue. More commercially speaking, if you get data protection and privacy compliance right, you’re exercising really good business practice. You’re identifying what data you’ve got, what you’re using it for and how you’re keeping it secure. The basic principles of data protection law complement the basic principles of good business practice.
How do you think Brexit will impact data protection practices in the UK?
For the movement of personal data to continue between the EU and the UK, there has to be a broadly equivalent level of protection between the two, so I don’t foresee a wholesale change. The UK was one of the initiators of our modern human rights framework, post World War II. Data protection rights are part of that package.
What else do you think the future holds for data protection and privacy?
Personally, I would like to see a slightly different enforcement approach from the Information Commissioner’s Office (ICO) – less of a focus on big security incidents, and more on individual issues, such as failure to comply with subject data requests. There is also a case against Google going to the Supreme Court in April that, if successful, may lead to a flood of compensation claims. I think such action raises a very interesting point. What’s my personal data worth? And if these companies are getting value from it and aren’t telling me about it, do I have a right to claim compensation? We’ll have to wait and see.