Thinking Legal Pod by Boyes Turner

Harnessing Data Protection: Exploring Privacy & GDPR in the Digital Age

Boyes Turner

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 28:55

In this episode, we dive into everything you need to know about data protection with expert Ben Martin, Director of Privacy at Trustpilot and author of 'GDPR for Startups and Scale-ups' and Host, Sarah Williamson, Partner and Head of Commercial Technology at Boyes Turner.  

Ben Martin shares his unique journey from environmental to data protection law, emphasizing the convergence of regulation, technology, and application. As businesses grow and technologies like AI become more integrated into our daily operations, the challenges that in-house counsel face in terms of data protection become more complex.

Throughout the episode, the overarching message is clear: data protection should not be viewed as a mere compliance hurdle but as an essential element of trust and privacy. In essence, this episode provides valuable insights for any business or legal professional aiming to navigate the future of legal tech with confidence. 

 Episode Links

 

 Sarah Williamson: 0:04 

Hello and welcome to the latest in our series of in-house in conversation podcasts. My name is Sarah Williamson and I'm Head of Commercial and Technology at Boyes Turner. Today, we're discussing all things data protection and we'll be looking at some of the challenges faced by in-house counsel and also the ways in which they can approach some of those challenges and get buy-in from the business. I think it's probably fair to say that being an in-house lawyer can often be a lonely role, and sometimes even more so when dealing with data protection issues. We have the ideal guest to join us today to discuss these issues and provide some practical guidance. I'm delighted to be joined by Ben Martin, an experienced data protection lawyer, the author of GDPR for Startups and Scale-Ups and Director of Privacy at Trustpilot. 

Hello, Ben, and thank you for joining us today. 

Ben Martin: 0:51 

Hey, Sarah, thanks very much for having me. 

Sarah Williamson: 0:53 

So, Ben, before we get started, can you just tell us a bit about yourself and how your interest in data protection came about? 

Ben Martin: 1:00 

Yes, of course. So I started out actually working in environmental and regulatory law. I'd always been interested in the regulatory side of things. I like the kind of the nerdy aspect of it and really getting into the, getting into the detail a green energy company and thinking that slightly naively that I'd still be doing some of that kind of regulatory law. But I was thrown into the world of contracts a lot more, which was not the not my first choice and it just so happened that it was around the time that everyone was thinking about GDPR. So I kind of I'd like to say I volunteered, but I think it was volunteered for me to pick that up? 

Sarah Williamson: 1:47 

Yeah, I don't think anybody volunteers. I think most people get volunteered for data protection at some times in their career, don't they? 

Ben Martin: 1:53 

Yeah, but I mean, for me it was great, like I really like the regulatory side of things and I think it, it was the practical application of that that really got me interested.  Tying it in with working a lot with product teams and I'm very interested in technology, so it kind of felt like a really good, a really good mix of all of those aspects. And I then was working in that area this OVO Energy for a while and kind of just grew that interest and starting out doing a lot more product work. But over time I've specialised more into privacy, data protection. 

Sarah Williamson: 2:34 

Great. So you clearly have a passion for data protection and privacy and, as I mentioned, you've written a book about it. Can you just tell us a bit about your book and what the motivation was behind that? 

Ben Martin: 2:46 

Yeah, of course. So the idea came from speaking to an ex-colleague who'd gone in-house as a sole counsel in a startup, and he was having real difficulty in getting to the point at which way he said I need to really focus on this particular area, but I don't need to deal with this stuff until the company's much bigger. And we had a chat through some of the key things that he needed to focus on, but it got to a point where I think we'd had about like six conversations or something like that and I was like I just want to, just want to give him a recommendation for a book. 

Ben Martin: 3:29 

But a lot of the books were very much targeted at bigger companies, were very technical and really, you know, very high quality, but not the right thing that he needed. So I just I just started writing some ideas down and it kind of snowballed from there really, and I've always I've always enjoyed writing and, like, I guess, creating things. So I just started writing some ideas down and it kind of snowballed from there, really, and I've always enjoyed writing and, I guess, creating things. So it was just something that started off as a conversation and snowballed from there really. 

Sarah Williamson: 3:57 

Great. I mean, data protection's obviously been around for a long time. I mean, you might not remember because you're probably much younger than me, but I mean we've had the Data Protection Act, you know 1998. And then GDPR came into force in 2018. And we had a huge amount of press, you know. Obviously, you know a lot of that focus was on these huge fines. And then we had a flurry of emails, you know, asking us all to consent to marketing emails. 

Sarah Williamson: 4:24 

I think things have quietened down over the years. That press tends to focus on the larger corporates you know the likes of Meta, TikTok, Google and also on some of the big data breaches. And we haven't really seen the ICO dishing out substantial fines and it's certainly not as active as some of the EU data protection regulators. Do you think that, as a consequence of that, there's a feeling that, in the absence of, you know, huge volumes of significant fines, that perhaps companies need not be as concerned about data protection as everyone first thought? Do you think it's slipped down the agenda? Or do you just think it's a case of companies just quietly getting on with compliance? You know data protection being part of their normal governance now? 

Ben Martin: 5:10 

It's a good question and I think probably give the standard loyally answer of like it depends and the reason. So I think that there's only so much shouting at people about fines you can do before people become desensitized to it. I think after a few big numbers it kind of just all blurs into one really. Yeah, and especially you mentioned the Metas and the TikToks and big fines. I think a lot of people, certainly in small, smaller organizations, SMEs, startups aren't really interested in those big fines. For them it's like a big fine for a big tech company and from experience and from seeing the kinds of enforcement action that's happened, SMEs know that they aren't likely to be investigated, at least in the near term. So I kind of understand that view of why should we care about this? Like, the fines that the ICO give out are mainly for big data breaches or nuisance calls. So what's in it for a startup that is concerned mainly with existing and finding funding and winning customers. 

Ben Martin: 6:28 

If you're an SME that's growing, this, this kind of vague existential threat, feels a bit distant but I was just going to say that, whilst there's this element of some people not caring about it, I think there is still an element of businesses getting on with it, especially the kind of medium sized businesses you know, once they've got out of a startup into the scale up phase. 

Ben Martin: 6:55 

But it's not. It's not because of the fines. I think it's because you know, if you work in the B2B space, your customers now want to ensure that they can trust their suppliers and that they aren't going to get them into trouble, especially if they're a controller, and I think, similarly, having had that environmental law background, you saw a lot of stuff happening in the green space back when I was doing that, and I think there is starting to be a shift in consumer interest, so more people wanting control over their data, the tech lash and everything associated with big tech. So I think that's perhaps another reason why businesses are starting to care about this stuff. And, yeah, so I think it's in some cases perhaps not, but perhaps in other cases where there are good drivers for it, as businesses mature, absolutely it's becoming more business as usual. 

Sarah Williamson: 7:53 

And for a lot of in-house lawyers you know they're not dedicated data protection lawyers. They might have inherited data protection compliance as part of their remit and for any lawyer in a company who's taken on that responsibility, their task might seem like a huge burden. In-house lawyers already have so much on their desk. They might be dealing with contracts, corporate employment, disputes, property, you name it. To add data protection into the mix, that's a lot to deal with. As a data protection lawyer yourself and working in-house, what are some of the tips that you would give to an in-house lawyer working in a startup or a company that doesn't have a dedicated data privacy lawyer, like yourself? Where do they start? What should they prioritize? 

Ben Martin: 8:37 

Yeah, I mean, I have exactly the same issue and I work in a business where there's a team of us doing the work. I think it's absolutely a problem for for everyone, regardless of the size of the team. The approach that I always try to take is starting off with being like having a real practical focus. So, rather than getting too bogged down obviously the law is important, but rather than getting too bogged down in it and what having that kind of analysis, paralysis, situation, actually, and especially when you're communicating with the business, you need to have a very practical focus, but focusing on what needs to be done. I think is is the is the key thing to start. And then also being proportionate to the stage your business is at. So, not trying to necessarily do a gold standard in one area and forgetting about everything else, but taking a proportionate approach to the way you deal with things and being pragmatic the fact you are working in a business, so things aren't going to be perfect and being pragmatic the fact you are working in a business, so things aren't going to be perfect. So, to my mind, that's the kind of the general approach to always take and, in terms of specifics. 

Ben Martin: 9:58 

My view is that when you're a startup or a small organization or you have limited resources, it's getting everything on the outside right first. So what I always call the UX of data protection. So making sure your privacy policy is written in a very easy to understand, clear way. You've got some good processes in place. They don't need to be fully automated and really shiny, but having some processes in place for data subject rights, having some kind of understanding and context around the way you're doing marketing, so anything that's external, facing those examples, I think would be the first thing to do. And also there are obviously a lot of record keeping obligations in data protection law and in GDPR. Those kind of things are, I think, quite intimidating and a lot of businesses think, oh, if we're doing an impact assessment on something, we absolutely have to do it at the gold standard. But again, I always think something is better than nothing and taking that proportionate approach to whatever you're doing is a really good way to go. 

Sarah Williamson: 11:09 

Yeah, I think when I advise clients, I always talk about transparency. You know, both internally and externally. I mean, externally, do people know what you're, you know what you're doing with their data, and internally, do you know what you're doing with people's data? So I think you know transparency is like a key place to start really. 

Ben Martin: 11:29 

Yeah, absolutely. 

Sarah Williamson: 11:30 

Yeah, and you know, for lawyers in our in-house community, we know that it can be quite difficult to get a business to buy into data protection compliance. You know there might be those businesses that place data protection compliance solely at the door of the legal team and think well, as long as the lawyer ensures that we've got a data processing agreement in place, we've got a privacy policy, you know we don't really need to be concerned with data protection matters, there's nothing else for us to do. You know what challenges have you faced in terms of buy-in, or indeed you know, when writing your book seen at other companies, and what advice would you give to an in-house lawyer who perhaps is struggling to get a business to understand the importance of data protection or to understand that actually it's not the sole responsibility of the legal team? 

Ben Martin: 12:20 

Yeah, I think this is probably the number one challenge that I've faced at every organisation I've worked at and kind of. You know the things I was mentioning about. You know, getting all the external facing stuff sorted. That's well and good, but ultimately if, like you say, if it's not, if the organization doesn't prioritize it, it's very hard to to make any progress. 

Ben Martin: 12:44 

I think it's the ultimate aim is a cultural change or a culture of data protection. 

Ben Martin: 12:53 

That seems to be the holy grail in these scenarios, but it's something that isn't going to happen overnight and it almost feels like there's a few phases. 

Ben Martin: 13:06 

You've got a point where no one knows who you are, no one knows what you do, no one reaches out to you are, no one knows what you does, no one reaches out to you after you put a lot of effort into doing training, trying to make good relationships,  speaking to you know regular patch-ups, those kind of things. People then start to proactively reach out to you. And then I think the final evolution of it is to have a kind of a network of people throughout the business who own data protection in their respective areas. The biggest tone deaf mistake I think I've made in my my career is I was like oh, people keep asking us questions about privacy, let's run a drop-in session. So we all met, we were all in the office and we all set up a drop-in session not one person turned up so if this is like, did you not offer chocolate or cakes? 

Ben Martin: 14:00 

Not one person turned up, so that was a real like wake-up call of like. Actually, yeah, you're right, people don't care about this stuff unless it's important to them at that moment or is preventing them from doing something. 

Sarah Williamson: 14:12 

Yeah, I've got a client who's sort of within the business. Now they've appointed people as data privacy champions, you know, to try and have other points of contact, you know, across across the business, rather than it just being sat in the legal team. 

Ben Martin: 14:31 

We've just kicked off a process our security team's leading very snappily titled uh initiative called spark. So security, privacy and risk champions, and the engagement has been really good, like the. We had our intro meeting and and chatted to the first cohort of people, and it's great. I think there is. There is actually an interest for this stuff, especially from people who work in, you know the more tech-oriented stuff if they're developers yeah, I mean it's amazing. 

Sarah Williamson: 15:02 

Data protection can be interesting, it can be fun, can't it? 

Ben Martin: 15:05 

yeah, I've now made a, made a point of not ever, not ever, apologizing for you know, for training and stuff it's. This stuff is objectively important because the law says it. I will try to make it as subjectively relevant to you as possible in your role, and I think in every role it is relevant. So, yeah, it's a question of that communication thing, rather than text, dents, slides, and it can be like any Very dry, can't it? Yeah, there's lots of things, yeah. 

Sarah Williamson: 15:38 

And you know, in the rush of excitement when a business is perhaps launching a new product or implementing some new software, it can be quite difficult perhaps for an in-house lawyer to get their business to sort of pause or take a step back and look at the data protection considerations before launching or perhaps make changes to the processes, the way that a product works, in order to address specific data protection issues. How can sort of data protection by design and default be achieved without the lawyer appearing to be a roadblock to innovation and development? 

Ben Martin: 16:13 

I think it comes back to that cultural, uh, cultural point and having and really good contacts, and relationships, because ultimately, the way, the way it works well is if someone loops you in early and you're aware of something at day zero. If it gets to two weeks before launch and they loop you in at that point, there's a failure in the process somewhere and some teams who have more awareness of data they will probably loop you in earlier if they know who you are of data. They will probably loop you in earlier if they know who you are. But other people who might not be able to issue spot as well because their head's not in that space, it might be more difficult for them to loop you in. So I think the overall piece again is building relationships throughout the business. But also I think it's important to be pragmatic. 

Ben Martin: 17:21 

This is the roadblock point you made If a business is doing an A-B test of a new feature or they're launching a trial, or they're doing something new, but don't really need to go for that ready to launch in all markets final version approach. I think it's important to be risk aware there. So if it's a, a small group of a, b, like a small testing group in a low risk market, is there, do you need to take the same level of precaution and action as you would do for a full, a full rollout? And asking questions like if they're testing a feature on an app, do you need to be collecting data about that or that new feature? Or are you just testing whether the UX is good and it works? So it's actually asking okay, well, is data? Does data protection need to be a blocker here? Or are we just looking for risks for the sake of looking for risks. 

Sarah Williamson: 18:32 

Yeah, I think also comes back to that. You know, like you said, having those data privacy champions and having you know that communication means that the tech guys are more aware of it and it data protection then isn't something that you look at at the end and then it's like, oh, my goodness, we've just spent months creating this and now we've got to go back and we've got to spend a lot more time and a lot more money, because actually everybody's thinking about data protection, but without really realizing it. It just becomes part of the normal, the normal process for rolling out, you know, a new product. 

Ben Martin: 18:58 

yeah, absolutely yeah, being part of the being part of the team, rather than some, some people sitting in a tower somewhere. 

Sarah Williamson: 19:11 

Yeah, and then just moving to look at data protection on a more global scale, we're obviously now seeing an increasing number of data protection laws come into force around the world. And, as if you know, GDPR and the data protection act wasn't enough to contend with in the UK. How does a business operating in a number of different jurisdictions deal with compliance with all of those laws? I mean, I've spoken to a number of companies who take the view that, oh well, we comply with the GDPR, which is regarded as the most onerous, so we're just going to follow GDPR in all of the countries that we operate in. Do you think that that's a policy that businesses can continue to adopt in the future or, actually, should they now be looking at engaging lawyers in each relevant jurisdiction and perhaps having different documentation and processes, etc. 

Ben Martin: 20:01 

Yeah, I think it comes back to the pragmatic point. If you're a small business, you're unlikely to be able to afford lawyers in each of the markets you operate in and to get advice notes on every single thing, and you're also unlikely to have the resource to do that research yourself. I guess the midpoint for most organisations will be to acknowledge that the GDPR is a high watermark and take that approach of let's comply with this in all jurisdictions but then perhaps have almost bolt-ons and nuances for different countries. So, for example, if you're in the US and operating in California, you might have some extra rights and slight changes on your website to talk about do not sell my data. And if you're in the US and dealing with health data, you might have to have additional privacy things in place there. So I still am of the opinion, if you're a European business or a UK business, that having GDPR compliance will get you a lot of the way there in not every market, but a lot of markets. 

Ben Martin: 21:18 

But there needs to be a recognition of nuances in different places. 

Sarah Williamson: 21:23 

Obviously, AI is a very large topic that could take up hours of podcast time. But what are your views on the data protection risks? But what are your views on the data protection risks, are there any tips that you would give to a business, or indeed an in-house legal team, when embarking on an AI project, to ensure they minimize those risks? 

Ben Martin: 21:40 

Yeah, I think GDPR obviously envisaged some use of AI technology and automated decision making automated decision making but clearly the pace with which it's moved on in the last few years is way beyond what was anticipated by the lawmakers. From my side, I think there's three sort of things I always think about when we're looking at implementing AI or building some technology, and the first main one is to look at the data that's being used. Is the data you're inputting into the model, especially if it's personal data? Is that being used as training data? So, going to the terms of the AI technology and looking at what they say, what they say,  when we were looking at using some Google uh, AI, so it was the palm 2 large language model I went through the terms spoke with Google was really like having to get into which tier of service we were on to understand whether that model would be using the data for training purposes, and that was something that was different than the position with Chat GPT, and I think if you're looking at using other LLMs, the position might change again. So, yeah, really getting to grips with that training data I think is important. 

Ben Martin: 23:06 

All of the other usual stuff that is in GDPR. I think is relevant, like thinking about what you're doing with that data. Are you processing it, do you have a lawful basis, whether you're the controller, processor and obviously that becomes more complicated in the case of AI and then thinking about permissions Is there anything additional which you need to get permission for? To additional which you need to get permission for and then also making you. I guess the third point I would say is making use of risk assessments to really tease out the issues. Doing a data protection impact assessment if you're creating uh synthetic data on individuals, assessing whether that is going to be how you're going to deal with that, whether you'll be storing and using that for the purposes you already have permission for, or whether there are other new things you're doing which you might need to include in terms and get permission for. 

Ben Martin: 24:09 

It's really important and obviously there's the EU AI Act as well, a lot, of a lot of AIs are going to have transparency requirements, so even if it's not a high risk, uh AI, having a register of those uh that technology that you're using, uh and making sure that that you know how that works and that you've done the due diligence on the suppliers, I think will be really important as the law starts to be rolled out and implemented. 

Sarah Williamson: 24:43 

Yeah, we'll certainly be kept busy, won't we? When looking at. 

Ben Martin: 24:46 

AI yeah, yeah. 

Sarah Williamson: 24:50 

And finally, you're obviously passionate about data protection and privacy, but I think it's probably fair to say that you know that's not universally shared by everyone. Sometimes, you know, the mention of GDPR is met with a bit of a groan. So what would you say to someone to try and change their perception of data protection? What would be your elevator pitch for data protection? 

Ben Martin: 25:13 

Hmm, Well, I always think that people are usually in business to solve problems and sell that problem solution for money. So I think the key thing is to focus on talking the language of the people you're speaking to. So, rather than talking about fines and risks all the time, it's important to mention the opportunities that can come from data protection and privacy. So I think there's a lot of it which is a bit of a branding problem. Like people, if you say, oh, yeah, data protection, people think of, oh, I've got to. Whenever data protection people think of, oh, I've got to. Whenever I call up my bank, I've got to give them my address and a name or something like that. 

Ben Martin: 25:57 

Or data subject rights, which are sometimes a bit of a pain for people. But if you start saying, you know it's talking about tech, talking about AI, the benefits of big data, people, people are very interested in that. If you sit down and chat to someone about Cambridge Analytica or social media data use, that kind of stuff even you know Cambridge Analytica was years ago now, but people are still interested in that, in that kind of thing, yeah. So I think reframing as a tech lawyer , a tech lawyer is a good way to do it. Yeah, that's right. 

Sarah Williamson: 26:35 

I like that. 

Ben Martin: 26:36 

Yeah, call yourself a tech lawyer and speak to people about it in their language. So you know, I mentioned before about if you're a B2B business you operate with selling your services or products to businesses those businesses will want to trust you and this is a way you can demonstrate that trust and also they will have their own requirements and if you can't jump through those hoops for them, they might not sign up with you as a supplier. So, yeah, that kind of speaking the language, looking for the opportunities, and also I'm trying to stop apologizing for things like training and you know I'm really sorry you've got to go through this training. It's like, as I say it's, it's not going anywhere. 

Ben Martin: 27:25 

I think just comparing it again, uh, to that environmental law, like that wasn't cool before. Like I chatted to my, my old boss about it and he was like, yeah, it wasn't cool when I started doing it and now it isn't. Certainly in the legal world, we're seeing like more people wanting to qualify into data protection In Trustpilot. We've had two people qualify into the privacy team. Like people want to do it, I think, from the legal side. 

Ben Martin: 27:52 

Data protection is cool, Ben, yeah, I feel that's a that's a good, a good summary of what I'm saying and probably a good note to end on as well absolutely, yeah. 

Sarah Williamson: 28:01 

Um well, Ben, as a fellow data protection lawyer, it's been really great to talk to you today. Um, and I'm sure many listening um would have benefited from your tips and guidance. They'll all be appointing data privacy champions and talking about data protection, but in a very pragmatic and helpful way, obviously, for anyone seeking practical guidance to help them, you know, on their data protection journey, have a look at your book. For now, all that's left for me to say is thank you very much, Ben, and I guess I look forward to the release of your next book. 

Ben Martin: 28:31 

Thanks very much, Sarah. It's been a pleasure speaking. Thanks. 

Sarah Williamson: 28:34 

Thanks for listening to In-House In-Conversation. If you have any questions based on what you've heard in this episode, you can find our contact details on the Boys Turner website. Also, please feel free to rate and review the show wherever you get your podcasts. Goodbye.