Karen Holden is the Managing Director of A City Law Firm Ltd, and lives in London. Karen holds a degree in Law and a Masters in Criminology from the University of Cambridge.

A City Law Firm won the Most Innovative Law Firm, London 2016 award for its approach to investment & tech, and the firm is listed in the Legal 500. Karen was recently recognized with an award for her contribution to LGBT law by Lawyer Monthly Magazine. And those are just two of the many awards the firm and Karen herself have received.

Karen spoke at the June GDPR:SUMMIT London.

Could you please elaborate on your role with regards to assisting companies in their compliance efforts? What requests do you typically deal with?
As company and commercial lawyers, our services to companies are aimed at helping them organise themselves, understand the new regulations, be able to train staff, and also monitor for and be prepared for a breach.

Typically, we get asked to help draft bespoke company data protection policies; to carry out GDPR audits on existing policies and documents; and to review third party contracts (to ensure they are compliant and the client has the necessary safeguards in place, especially if it's transferring data overseas). We have seen more requests for our lawyers to provide training to key company staff.


Is there a notable difference in challenges your start-up clients struggle with, as opposed to bigger clients?
GDPR applies to any business regardless of how big or small they are, but costs and resources may be stretched further for smaller businesses. I find that most start-ups, though, seem to be more engaged, in that they have already written this into their business plans and budgets, and starting out fresh rather than having to look back at historical data places them in a far better position to embrace the changes. They can have their policies in place and be compliant from the very beginning and continue to develop this as they grow.

Larger companies tend to need more work done, as they look to have an initial audit to see where they are at. Then they need to implement new changes to ensure they are compliant, which could mean an overhaul of their data protection policies and security policies, and an overhaul of the HR department.

There’s been a lot of scaremongering around the regulation. Talking to business customers in the US, I feel a lot of that could be attributed to the difference in cultural interpretation of the law. In the EU we tend to think more in terms of the spirit of the law instead of the letter of the law, where fines will be proportional and a last resort. What do you think?
It is difficult to comment on this because the GDPR only came into effect on 25 May here in the UK. The regulations were designed to harmonise the law across Europe and, to a certain degree, keep up with those in the US. The UK has always had strict Data Protection provisions, though, so the spirit of the law has always been present.

However, it was not laid out with enforcement provisions to the extent this new regulation is. If there is a grey area or a breach, the ICO (Information Commissioner's Office, the UK Data Protection Authority) has said it will work with businesses to resolve matters before it comes in heavy, but presumably this will be where companies have made every effort to comply. The more you do to be compliant, the less likely a heavy-handed approach may be taken.

In my opinion, as with most English Law, proportionality will be key when deciding on what actions will need to be taken against those not found to be compliant. A clear disregard for and flagrant breaches of the regulations, however, will be met with stiffer punishment.

We have all heard of companies shutting down their European business or restricting European visitors from visiting their publications (Los Angeles Times, Chicago Tribune, Instapaper, …). What is your opinion about this?
I can understand the decisions, as talk of overseas breaches / privacy shields causes concern. The decisions appear to have been taken in order to prevent any potential breach of data protection laws, but also to ensure that they have the necessary and adequate levels of protection in place before allowing European visitors to their websites. I think it is the right thing to do at this stage. It will avoid any potential issues down the line, and it only shows that these companies are willing to do right by their customer base.

If there’s one lesson you wanted the audience to take away from your GDPR:SUMMIT London talk "Looking Ahead: continuing your GDPR journey", what would that lesson be?
Don’t be scared, be prepared. Preparation is key to staying compliant and if you haven’t started, then get compliant by starting now. Better late than never.

Now that the deadline has passed, how many companies in your opinion are inclined to stay compliant and to regularly audit themselves? Or will (high profile) warnings and fines trigger waves of self-auditing?
I find our client companies are now more than ever taking data protection seriously, and I hope they will make this a normal business process. I do also believe that there will be cases coming to light, and these will serve as a deterrent to companies, and as such they will do more. What many may not as of yet have experienced or undertaken is a dummy run on how a reported breach should be handled and resolved.

What fuels your interest and enthusiasm for the topic of data privacy?
I look at it from both sides. As a company, this may seem a lot of hard work, and for some it's seen as a hammer to crack a peanut; however, too often has personal data been sold and unreasonably shared. The spirit of the law is that we are only loaning our data to companies to use for a specific purpose; thereafter we want it back.

Holding on to data for long periods of time is not helpful to anyone, as out-of-date information is a risk to any business. If you use data for what it has been provided to you for, there should be no issues; and in fact those companies complying can use it to their advantage, as clients will more likely trust them and gravitate to those taking this seriously.