The Legal Update

The Attic recently caught up with Catie Sheret, Senior Vice President, Associate General Counsel and Chief Privacy Officer at Pearson to discuss the new GDPR regulation.

1. What is GDPR?

GDPR stands for the General Data Protection Regulation. It’s a new European regulation adopted two years ago that will take effect on May 25, 2018. It replaces the current directive and is designed to harmonise data protection rules with minimal deviations in the way they’re applied in each country. Compared to the current legislation it has increased extra-territorial effects, meaning entities that are selling/supplying services to European Union (EU) data subjects are subject to these rules, even if they are not paid-for products or services, and even if the controller is neither in the EU nor processes the data in the EU.

Overall, GDPR doesn’t introduce a massive amount of change from the current legislation, but it is a huge talking point due to the following:

  • Sanctions: Failure to comply can result in potentially huge fines – up to €20M or 4% of a company’s worldwide turnover.
  • Accountability: Responsibility is transferred from the data subjects trying to enforce their rights to the company having to demonstrate that it complies with the legislation.
  • Breach notification requirement: This doesn’t currently exist in many EU countries. You need to be ready to deal with data security breaches very quickly. With recent high-profile breaches and the reputational backlash, there’s a lot of sensitivity around that, and boards are really taking notice.

2. What is GDPR compliance and what are its implications?

A description frequently used is that this regulation is “an evolution, not a revolution.” Robust data protection laws exist now but the risk of fines and requirement for accountability are factors that are really changing the way people think about them. This means a stronger focus on bringing organisations into compliance with the legislation, and for some this involves working to bring compliance first with current laws, then the additional requirements of GDPR.

As far as accountability is concerned, there are a number of aspects to consider. A key one for us is compiling our ‘records of processing’. There are varied views on what this requires, ranging from very detailed data inventories to something more high level. In brief, you need to record what personal data you have, where it came from, how long you’ve had it and where you’re keeping it, what you plan to do with it, where the risks and protections around it are, and what level of international transfers are going on.  For a large global organisation like Pearson that’s a complex picture. It’s even further complicated by the fact we are often acting as a data processor for our customers rather than a data controller. But once this is done, it really helps support lots of other activities required by GDPR, such as managing user rights, conducting risk assessments and implementing privacy by design.

3. What does GDPR mean for a legal team like yours?

We are 150 globally in the legal team, including about 70 lawyers as well as other legal professionals, administrative staff and paralegals. For us, GDPR is an area we need to stay on top of, since data privacy is identified as one of our key risks. More broadly, data privacy is an area we take very seriously. We take our responsibility to protect our customers’ and learners’ data extremely seriously and have systems, processes and staff devoted to implementing such security controls, and verifying data protection, across our business.

In recognition of the importance of data privacy for us, in 2014 we hired an expert data privacy lawyer who set up our Data Privacy Office as part of the legal team. Pretty quickly, the team grew to six people who are all privacy professionals or lawyers, based in the U.S. and the U.K. We also get interim people to help as needed, such as a dedicated resource at the moment around programme development.

Fortunately, there’s a lot of overlap between what’s needed for the global privacy programme and what we need to do to comply with GDPR, so the whole team work closely together though do have some specific areas of focus. Increasingly, global regulations are coming into line with EU regulations. Our UK team  is very focused on GDPR and though there might be nuances in some countries, we aim to achieve the same high standards outside of Europe. In practice, some country-specific regulations add complexity and make it challenging for us to take a global approach.

As sometimes happens in law, it can be tricky to know how to deal with different concepts in different countries. Take reliance on consent and legitimate interest under GDPR. That concept (‘legitimate interest’) is not widely understood nor part of the law outside Europe. Colleagues or clients in the U.S. have no idea what that means. And if we’re trying to come up with a global privacy notice that works universally, it can take some work to get the wording right. Lawyers are good at playing with language!

4. How do you keep up with market practice?

We are in a strong position as we have this dedicated team but compliance and awareness need to extend beyond our team to the whole organisation – I’ll talk more later on about Awareness Week and other ways we address this. Our lawyers are bombarded by webinar invitations by various law firms and other suppliers, and a lot of our legal team staff attend webinars and in-person data protection training sessions because it’s useful to hear the information in a different format sometimes. It’s helpful for all of us to hear about market practices, both internal and external, and from there we can build targeted training that’s relevant to our lawyers. For example, one area we’re focused on is training in how to manage subject access requests which may get more numerous. Commercial lawyers handling contracts also need to be aware of the new requirements in both customer and supplier contracts, and it is helpful to understand how other organisations are approaching this – so we’re watching what approach large suppliers like Google, Salesforce and others are taking.

To get to know about market practices, LinkedIn is incredibly useful. You can find some very knowledgeable professionals regularly blogging, suggesting others’ material and being very quick to post updated regulatory guidance such as that coming from the EU regulators’ advisory body known as the Article 29 Working Party (WP29) (soon to be known as the European Data Protection Board (EDPB)). I try to follow and connect with lawyers and privacy professionals who understand more than the theory, who also know what to do in practice. And what is just as useful is seeing knowledgeable professionals challenge the views of others; it can really help highlight common misunderstandings with what is a complex regulation. GDPR is an area where you have to be very careful about misinformation. The Information Commissioner’s Office (ICO) has a blog series dedicated to busting GDPR myths and their GDPR page for organisations is very helpful. Professionals need to learn to navigate between what’s right and the distortions.

5. What is your timeline in rolling out GDPR processes?

Our data privacy office started working on our GDPR programme around two and a half years ago, so when I started working on GDPR a year ago, there was already a plan in place. Obviously it is constantly evolving. Recently, an external consultancy came to conduct an in-depth analysis of our GDPR readiness and they gave us a plan on points that need to be improved, such as refining our privacy impact assessment process and updating our incident response plan. As well as acting swiftly on these suggestions, we are in the process of getting our supplier contracts ready and looking to see how we should update our customer contracts to comply with GDPR.

Breach readiness will be a big area of focus for the next six months and for this we are working closely with the information security team. This includes lining up credit check organisations and eDiscovery vendors, so we are prepared should the worst case arise. In case of an emergency, you don’t want to spend 2 weeks lining up external support to deal with your situation. The turnaround time on breach notification will be 72 hours which is incredibly short when you take into account how difficult it can be to determine exactly what has happened.

6. What are the main challenges facing legal teams?

One of the main challenges relates to grey areas, aspects of the regulation that are still without consensus. For example, the notion of consent: The ICO (UK regulator) published some draft guidance on the new requirements relating to consent in March 2017, but it is still not finalised, and organisations still don’t know when to expect it as the ICO is waiting for the WP29 to publish theirs first. Other areas on which final guidance is still awaited are in relation to contracts between controllers and data processors, children’s data, and accountability, including documentation. We have had to go ahead with our preparations without the benefit of this given the size of the task for a large organisation like ours, and may need to make changes if our chosen approach needs refining once the guidance comes out. And that’s another key challenge – addressing a compliance challenge which requires the whole organisation to engage and be aware, not just the Legal and Information Security teams.

I do recognise we are fortunate to have dedicated resources for this project – this might represent a daunting task for a smaller organisation with a small legal team without specific privacy expertise. In that case, the importance of a risk-based approach is the only practical way to approach this. Again, there are plenty of useful resources out there.

7. How do you ensure that GDPR processes are followed at every level in the company?

A combination of bottom-up and top-down involvement seems to me to be the best way to approach this. It’s important to have a good governance structure to formalise this support, which also helps meet the accountability requirement in showing how compliance is driven. In our case, this takes the form of an executive committee, a steering committee of senior leaders from every business unit across the organisation, and a champions network of 80+ from all countries, office and business teams to help us with day-to-day engagement throughout Pearson.

We also organise an Awareness Week every year during which the mandatory annual training is issued. We hold webinars, local in-person training, run quizzes and post blogs, stories and guidance on our intranet. Our CEO and other executives filmed a short introductory video to underline the message that this is of vital importance to the company. We really try to present the concepts in very human and personal ways. For instance, we recently ran a story about a colleague who had been the victim of identity theft, and the impacts it has had on her life. That got a really good response. Hopefully that helps people understand why it’s so important to do everything we can to protect the personal data that is entrusted to us.

8. What resources would you recommend to a legal team about to roll out GDPR?

In terms of resources I’d recommend:

  • ICO website – GDPR for organisations is here. It has useful guidance on compliance activities like the 12 steps to take to prepare, and a readiness checklist, plus more in-depth materials on things like data privacy impact assessments and marketing guidance.
  • Isle of Man data protection commissioner has some really good practical easy-to-follow tools and information.
  • Many law firms provide great materials, but I particularly like Fieldfisher’s Privacy Law Blog and Hunton & Williams Privacy Law Blog (one of the most global sources of information).
  • Good industry bodies to get involved with are the IAPP, Future of Privacy Forum and the Data Protection Network, though there are many others.

We are very grateful to Catie Sheret for sharing her GDPR implementation expertise in such detail and for providing additional resources to help fellow lawyers get on the right GDPR track. 

Women in Law

Obelisk Support consultant Alisha McKerron Heese provides some advice to women returners on coming back to the law after a career break, from her attendance at CMS’s two-week programme for women returning to work – the first programme of this kind to be organised by a UK law firm.

Coming back into the fold after a career break is by no means an easy thing to do. As women returners, often the barriers we face come not from the gap on our CV, but how we approach it in our own minds. The biggest obstacles we encounter in returning to work are, in fact, those that we create for ourselves by not putting ourselves forward correctly.

Putting yourself forward after a career break requires considerable time and effort – more than you might think. It requires careful consideration of paperwork, including your CV, cover letter and online presence, and putting yourself across in the right way when networking and interviewing.  Allocating a mere half hour to the task is unlikely to yield good results.

1. Start With Your CV

Your CV needs to evolve beyond just a list of employers and experience, particularly when you have a career break to incorporate. Begin with a neat profile about what services you offer, and what you are looking for, so that potential clients can identify themselves as potential clients. Your summary lets you speak directly to your potential clients, and should be used to tell them why you’re their best choice. This should not be more than two or three lines.

Next, note down your previous work experience and education. Don’t just list the names of companies you worked for – it’s important to highlight your specific involvement in the companies, as well as the outcome of your work (example sentence: “Acme Corp: involved in X task, helped Y team complete merger Z”). This paints a more complete picture of your skills. Don’t be despondent that your work experience has dated: as a returner, it’s more about demonstrating the skills you have acquired than demonstrating being up to date. Spend some time thinking about the past – be sure to include anything relevant, no matter how many years ago it was.

Don’t try to hide your career break. Do disclose the length of your career break, but ‘sandwich it’ between past experience and what you are doing at the moment, e.g. any unpaid work that demonstrates recent skills acquired. Skills are transferable, which is why it’s so important to highlight them.

2. Consider Your Online Presence

LinkedIn is an ideal place to establish your online presence as a lawyer, as it is where head-hunters will look for candidates. For work use, other social networks such as Twitter or Facebook are not as vital, though you might see a use for them if you wish to establish a blog or a presence as a public commentator. Take the time to research how to use LinkedIn effectively so your profile really stands out from the crowd.

3. Network Effectively

Networking is less about trying to impress people, and more about gathering information in order to maximise the possibility of a win-win collaboration. It’s less about being interesting and more about being interested. It’s an opportunity to ask questions, to listen, to learn and to make a connection with someone.

Treat networking as an adventure and you may find that it is more pleasant than you might think. While you should not steer the conversation towards yourself, be ready with a synopsis of what you have to offer if asked. Don’t stress about having to talk to everyone – forming a closer connection to a few people can be as beneficial as talking to many. If you do want to talk to others, however, don’t be afraid to leave one person to talk to another. As long as you give a reason for doing so, and don’t leave the person on their own, that’s fine.

4. Prepare Your First Impression for Interviews

When preparing for an interview, it’s important to think about what impression you would like to make. Your first impression is perhaps more important than you might think! Even if the rest of the interview goes well, the first impression tends to dominate the interviewer’s overall impression of you (primacy bias). In fact, they will set about gathering information to confirm their initial assessment of you (confirmation bias).

Some of these biases can be harnessed for good, however: if you are able to match their behaviour – or, better still, pick up on something which you both have in common, you will make a better connection with the interviewer (affinity bias)! Give consideration to: your entrance and exit, what you wear, your deportment and volume, and pace of your speech. Turning up late to an interview should be avoided at all costs (an example of the primacy bias working against you).

5. Practice Your Success Stories

It’s also important to find out as much as you can about the interviewer, and to have a clear understanding of the job description. Think about what competencies the interviewer may be looking for. The work experience listed on your CV should help here.

Be ready to give “STAR stories”: examples of Situations you were involved in where you were given a Task that led to an Action you took, and the consequent Result. Prepare answers for likely questions that may arise. Ensure that you have a good organisational understanding of the company at which you are interviewing. Finally, take a moment to check the news on the morning of your interview, to show that you’re up to date with current affairs. 

A well-prepared CV, a good LinkedIn presence, and good networking skills put to regular use will, sooner or later, lead to an interview. Thorough pre-interview research and preparation will help turn that interview into a job offer.

You may think it’s much more complex than that, as I know I did before I attended the CMS programme. The preparation process helped me identify my skill set, which built up my self-esteem, which in turn built up my self-confidence. Hopefully, it will do the same for you.

The Legal Update

At Obelisk Support, we regularly get requests from clients to assist them in Brexit-related matters, whether it’s in the banking industry or regarding general commercial law. As Brexit is still very much a shifting concept, its legal implications are not as clear-cut as businesses would like them to be. That’s why we were very excited when we learned that Helen Tse, lawyer at Clarke Willmott, was working on a book about doing business after Brexit, featuring a range of experts in the most common legal fields affecting professionals in the U.K. Finally, a book that tells you how Brexit could affect your business.

We are very proud that Obelisk Support CEO, Dana Denis-Smith, and her husband, John Denis-Smith, both contributed a chapter in this book, each in their area of expertise. To get the inside scoop, we caught up with Helen Tse on the legal implications of doing business after Brexit.

#1 How did you come to spearhead this project?

In June 2016, before the referendum, nobody envisaged that Brexit would happen and when it did, a slight panic occurred as to what would happen. As a lot of my clients were calling to know what was going to happen for them with Brexit regarding their property or their business, I pitched the idea of this book to Bloomsbury and they were interested.

I started writing at Christmas time in 2016, because there wasn’t much that we could write until we knew a bit more. To get a steer as to what the government would envisage Brexit to be, I contacted the Brexit department (Department for Exiting the European Union) led by David Davis. This book is based on their guidelines.

#2 Who is the book for?

It is for fellow lawyers, anybody in the professional services sphere who has to advise on Brexit issues, as well as companies, SMEs, high net worth individuals, and anybody with an interest in business. It even features a section by Nigel Barratt that talks about the landscape for investors from abroad. We see Brexit as an opportunity to invest in the UK, as it’s 20% cheaper. The sterling has devalued, therefore buying a property in the UK is a great opportunity.

#3 How did you structure this book and why?

Initially, it was going to be purely an academic piece on leading lawyers from different specialist areas on how they think the law will change. But then, I thought that it would be good to have a business section and created a section on thought-leadership. How might business owners envisage that Brexit would impact their business? So the book is two-part, academic on one hand and pragmatic businesslike on the other.

Doing business after Brexit is such a broad topic that you’ll never be able to cover the whole range of topics, but from a business perspective you can address employment, corporate, commercial, property, corporate finance, and all things that you need to make the business flow. What this book won’t say is how individuals who have a property in Spain will be affected. This is a book strictly about business.

#4 Each one of the book’s chapters is written by a different legal expert. What was the biggest challenge about coordinating these contributors?

The book features about 30 contributors. There are a lot of thought leaders in the frame. My main challenge was to get everybody to deliver on time and then edit contributions to get a constant flow about everything. That took all my weekends, as the book is 400 pages long. Given everybody’s busy schedules, there were slight delays so that impacted my schedule too but we got the job done.

#5 Did anything surprise you in the book?

Looking at Brexit is a little bit like the ostrich approach. Nobody knows what to do, so you assume that it’s not going to happen. For instance, if repatriation happened, what would happen to the business? If you’re a UK business getting goods abroad, what would happen? On a business level, a lot of businesses still don’t know what to do or what’s going to happen. This book is very timely and will be a great mind map for many companies and professionals.

The book looks at worst-case scenarios. That was surprising to me, but it was necessary to guide business owners. 

#6 Do you deal with similar issues at work?

I specialise in M&A and right before the referendum, we had a few transactions that had come to terms. The price had been agreed. Payment terms had been agreed. It was basically good to go, except that Brexit happened.

After the referendum, did the buyers still want to go ahead with the transactions? Some buyers went ahead but others decided to wait and see, they did not wish to proceed with the acquisition. There was nothing wrong with the company, but the parties were just nervous about what would happen and the economic uncertainty.

I’ll give you a Lloyds bank statistic that appears in the book. On the day of the referendum, they stopped 100% of all mortgage applications. That’s how much uncertainty can impact a business and that’s why it was important to write this book.

#7 How did you guide your authors and where did you draw a line?

From a book standpoint, we had very clear guidelines with the publisher at Bloomsbury regarding drafting style, the number of words or how each contributor should focus on their particular area of law. Legally, though, we instructed that all authors deal with a hard Brexit situation. It makes it much more feasible for a contributor to give their piece.

#8 Did writing the book change your view on Brexit?

Personally, I was not for Brexit but we are where we are. We do the best of the situation that is being given. I remain very pragmatic and as a lawyer, want to make sure that my clients are protected. It really remains to be seen whether Brexit was a good decision or not but as lawyers, we need to be flexible and adapt.

Let’s take the example of a manufacturer who buys his supplies as raw materials coming from Germany. With the post-Brexit currency changes, the supplies might not be affordable anymore. Under a normal contract, you can only terminate for force majeure or frustration. Instead, we’re inserting Brexit clauses into contracts. The book gives you clauses to think about. They haven’t been drafted by anybody yet and we are definitely leading the way in that respect. However, until Brexit has happened, we cannot have a clear view of what these templates could be.

#9 What online resources would you recommend to lawyers and general counsels to keep up to date with Brexit legal issues?

First, I would say download the Kindle version of this book to have it handy. As far as UK resources, I really like Brexit & Law as well as PLC and LexisNexis.

#10 What next?

I get my weekend back! Of course, we’re going to do a presentation of the book on September 20 in Manchester. All the details are here.

About Helen Tse

Helen Tse is the first port of call for SME companies, high net worth individuals and entrepreneurs regarding corporate and commercial law matters. Helen herself is an entrepreneur, a published author and the recipient of the coveted MBE from Her Majesty The Queen in 2014.

A graduate in Law from Cambridge University whose professional career has included Clifford Chance, London & Hong Kong, PricewaterhouseCoopers and Walkers in the Cayman Islands, Helen Tse is highly sought after and an authority in the world of business. Her combination of legal and business acumen stands her head and shoulders above her peers.

Making Work, Work

The Attic recently caught up with Mark Maurice-Jones, General Counsel at Nestlé UK & Ireland, to discuss legal team management and flexible working. With 15 members working with the company’s United Kingdom and Ireland divisions, Maurice-Jones’ legal team focuses on internal business partnerships to proactively shape and challenge the company’s business agenda. For Maurice-Jones, flexible working is a common sense work arrangement for modern lawyers – here, he tells us why.

Defining Flexible Work

Starting with the basics, we wanted to know how flexible working was defined at Nestlé UK & Ireland. As it is such a recruitment buzzword, it’s important to know what the phrase encompasses.

“At Nestlé,” said Mark Maurice-Jones, “we have a policy that discusses the various elements of flexible work, whether it’s a number of working hours, a reduction of working hours, a reduction of number of days or working from outside the office. All these are part of the flexible working policy, a policy that’s updated regularly (the current policy dates from 2014) and that applies to all employees in the United Kingdom and Ireland.”

Why Flexible Working?

When you factor in that many of the team do not live close to the location of Nestlé UK & Ireland near Gatwick Airport, work flexibility becomes a powerful employment tool as well as a driver for a better work-life balance. Indeed, the goal of the flexible working policy at Nestlé was to address diversity and inclusion, and also to make sure that people enjoyed a good work-life balance.

In the legal department, several people take advantage of it, particularly when it comes to working in different locations. For two members of the legal team (male and female), working a 4-day week helps them achieve a better work-life balance. Commute is also a big incentive to take up remote working: Issues with public transport? Working from home solves the problem. In this particular instance, work flexibility helps reduce levels of stress.

Last but not least, the type of work they do in the legal department lends itself to flexible working options. Law is about talking to people; it’s a lot of email correspondence and meetings. “You don’t necessarily have to be located in any one place to do these things,” says Maurice-Jones.

Successes and Challenges of the Flexible Working Lawyer

For Maurice-Jones, flexible working makes a positive difference for everybody. “With the train problems from London to Brighton over the last year,” says Maurice-Jones, “the policy has helped my team on the days that there were strikes.” He adds that working from home has also helped in other instances. “Our office has an open plan environment and it can get a bit noisy. If people need to focus and write something, it is more efficient for them to work from home.”

The feedback on flexible working is very positive and people are appreciative of its impact on their work-life balance.

However, flexible working can only work as long as Maurice-Jones and other lawyers on the legal team continue to have cohesion within the team and with people working remotely. “I come into the office most of the time,” says Maurice-Jones. “If you come on a Tuesday and you don’t connect with your colleagues until Thursday and you’re working on a joint project, then this can be problematic.”

How to Ensure Seamless Communication within the Team

To keep abreast of everybody’s work, it’s important to get everybody around a table in person on a regular basis. Monthly team meetings plus shorter weekly meetings bridge the gap on smaller topics with team members at the office. Some topics tend not to be discussed remotely, but rather when the whole team is together during meetings. Indeed, each of the lawyers tends to be working with their business unit and team meetings are a great venue to update the rest of the team on projects that are vertical or transversal.

Beyond team meetings, the right communication tools are essential to keeping communication channels flowing both ways. Between telephones, email and Skype, keeping in touch on everyday tasks is not difficult. You can find a lot of information from your iPhone without having to be there and you don’t need to visit the library for legal texts either. While we take this access to information for granted nowadays, it was impossible 10 years ago and shows how much the world of in-house legal professionals has evolved.

A Trust-Based Team Organisation

To naysayers who argue that flexible working doesn’t mean equal pay, Maurice-Jones counters that his team lawyers are judged on their work output and not input. He says, “provided that everyone has very clear objectives to achieve, it doesn’t matter where or when the objectives are completed. People should only be judged on their output.”

To young general counsels or team leaders, Maurice-Jones recommends trying flexible working. “Go for it,” he says, “people find it motivating. It allows for work-life balance and it generates trust. It’s a very good thing to do. If you want to attract the best people, you need to offer flexible work options, otherwise you’ll be ruling out a lot of people and miss out on talent.”

On legal team topics, Bjarne Philip Tellman’s Building an Outstanding Legal Team: Battle-Tested Strategies from a General Counsel provides great insights for in-house legal professionals.

Handling Deadlines Within a Flexible Legal Team

Nestlé’s legal team members are expected to hit their deadlines wherever they are based. They are not dictated by how often people are in the office, but by the demands of the business. The deadline doesn’t change just because so-and-so is working from home.

When the press reports that Nestlé leads the way in terms of work flexibility, our interview with Maurice-Jones confirms that this is certainly true in the United Kingdom and Ireland even for one of the most traditional of corporate areas, the sacrosanct legal department. Who says that lawyers resist change?

Mark Maurice-Jones joined Nestlé as General Counsel and Head of Legal Services of Nestlé UK and Ireland in May 2015. Prior to joining Nestlé, Mark worked for 15 years at the US FMCG multinational Kimberly-Clark where he held a number of leadership positions in the EMEA Legal Department. He originally trained and practised as a competition lawyer with international law firms in London and Brussels.

In his current role, Mark heads up the Legal Department supporting all of Nestlé’s businesses in the UK and Ireland which have a turnover of £2.4 billion and employ 8000 people across 20 sites. He is passionate about developing legal teams that pro-actively shape and challenge the wider business agenda and drive a culture of compliance and integrity.