Elle Todd of Reed Smith on innovation, regulations and the dangers of over-documentation

Elle Todd, a leading practitioner in digital and data law, advises on all aspects of privacy and security compliance, digital transformation and compliance in new forms of engagement and insights across apps, ecommerce, social media, IoT, AI and adtech.

Elle Todd, London-based partner at the global law firm Reed Smith, is widely recognised as a leading practitioner in digital and data law, and has been working in data and tech law for nearly 20 years. Her clients range from the biggest international household names to disrupters and tech entrepreneurs. She also works with tech start-ups, both on a general advisory basis and as a board member. Specialising in work with clients in the media, consumer brands and technology sectors, Elle is known for her commercial and pragmatic industry-focused advice.

How did you end up in this branch of law?

“I spent six months in Brussels when I was a trainee lawyer. As I was lacking in any Flemish language skills to help the team, I used to spend a lot of time hanging out at the European Commission buildings instead. At the time, there were a lot of debates around interception rules, privacy and tech regulation. I found it fascinating to listen to the discussions (with the novelty of a multi-translator headset) and see the different positions from industry, consumer bodies and member states.”

“I carried this interest and focus into my career and was lucky to be advising some of the most innovative companies from an early point on such issues. I think expertise goes beyond pure knowledge, however, and I have always focused on digesting complex areas into clear, practical and tangible guidance which looks beyond just the regulation on the page, to solutions and an understanding of the wider political, public and cultural climate. It’s probably no surprise to readers that I studied social and political sciences rather than law at university.”

What trends are presenting themselves?

“We are seeing a new wave of tech and platform regulation emerging in a myriad of guises across online harms, child protection, copyright, privacy and competition. Combined with this is duplication in different parts of the world in an inconsistent manner. Keeping on top of this is no mean feat for clients, as well as ensuring that proper robust debate happens so that regulation is fit for purpose and does not have unintended consequences.”

What do you see as a big issue in the corporate world that is being overlooked?

“GDPR forced a lot of corporations to invest in data protection. Unfortunately, however, all too often I see companies have spent large sums of money on swathes of documentation and policies which don’t really change anything. This can also give a false sense of security.”

“The ‘accountability’ requirement attached to GDPR has not been helpful in that respect.”

“Focus is needed on identification of risks, operationalizing compliance and really thinking about how to make that relevant and actionable for different roles and business areas. For example, you can’t expect compliance to happen by just sticking a 20-page legal compliance policy in front of a junior sales team member. Another issue with this ‘new policy and documentation culture’ is that corporations spend more time updating them than actually changing behaviors and fixing real issues.”

What are some of the classic mistakes you help clients to clean up?

“The remedial work for the problem I identify above is to break down the business into its different areas and tackle each separately. Risks and behaviors in an HR team will be very different to those in a fast-paced sales team where people are incentivized to gain new customers. It calls for different compliance solutions.”

Based on your time in Singapore, what do you make of developments in APAC?

“I still work with Asia-based clients and my Singapore colleagues closely. When I was there, the new Singapore data protection legislation was just being brought in for the first time. That was a big change and there is now an experienced regulator and more mature legislation in place.”

“What hasn’t changed is the drive to embrace digital innovation in that market and the nurture of start-ups – easier to deliver with a smaller captive market with excellent wifi to encourage experimentation but no less admirable. I was very impressed by this when I was there and continue to be. It is undoubtedly paying dividends for the economy and international business now.”

When there is a data breach many first-timers are confused about the responsibility to notify and remedy, especially if a third party like a vendor or processor is in the chain. Can you clarify that process?

“Vendors and processors have to notify data controllers ‘without undue delay’. Once the controller has been notified, they become aware of the security incident (if they weren’t aware by other means already) and the clock starts ticking on their obligations to notify regulators and data subjects IF such notification obligations apply. The controller’s obligation to notify a regulator arises unless the personal data breach is ‘unlikely’ to result in a risk to data subjects, and this notification must be done within 72 hours. The obligation to notify data subjects arises where there is a high risk to the data subjects and should be done ‘without undue delay’.”

“Obviously this is UK/EU compliance and GDPR specific. Other notification obligations may arise under other legislation and in different countries.”

Can you give some practical advice to corporations wrestling with requests for the right to be forgotten, especially where they rely on third parties to do this?

“What is often forgotten (pun intended) about this and other rights under GDPR, is that they are not absolute. Many of the rights only arise in quite limited circumstances and there are also various exemptions which can often apply. A first step is getting to grips with whether the right really exists in the first place. My second bit of practical advice is to apply general good customer service practices to dealing with data subject requests. No need to get all legalistic and defensive but communicate as a human being and explain any difficulties or delays and areas where data may still need to be held. Unsurprisingly data subjects are far more likely to escalate to the regulator if they are annoyed with a response or the way they have been communicated with.”

How do you advise clients and vendors to negotiate fairly on liability and security issues around data in contracts so that there is practical balance?

“It can be frustrating, I know, that there is no ‘industry standard’ liability cap (although I get asked this question almost daily) so it really is a case of thinking individually about the risks under the contract in question. I often see companies starting from the perspective of the level of fines that could be imposed by a regulator. But that is misplaced in a contract, particularly in the UK where an indemnity, which seeks to push a regulatory fine imposed on one party onto the other party contractually, would almost certainly be unenforceable as a matter of public policy.”

“It is better to focus on the actual costs which may be incurred – for example forensics and other expert or legal costs, remediation security arrangements or payments to data subjects. Making sure those are properly covered is more important than just looking for a big sum without attention to what that really covers.”