''Understanding risks and helping my clients weather them- forms the core of my practice.''
An Interview with Paul Lanois
Our special interview with PAUL LANOIS, profiles the European technology, privacy and cybersecurity professional admitted to the bar in California, New York, Washington D.C., and the Supreme Court of the United States (SCOTUS). Executive Global sit down with the high-flying lawyer and director in the Technology, Outsourcing and Privacy group at FieldFisher to gain a fundamental insight into all matters privacy related.
EG: In our globalised world with companies needing to do business as a borderless enterprise, why is it critical to deploy an expert in cross-border privacy compliance?
PL: In today's globalised world, companies are increasingly using data to drive their business. Cross-border data flows are essential to ensure economic growth in the digital age, as businesses increasingly participate in global markets. At the same time, we are seeing an increase in the number of laws regulating privacy and data protection, particularly in the context of cross-border data transfers. For example, laws such as the European General Data Protection Regulation (GDPR) impose certain requirements where data is transferred outside the European Union, and penalties for non-compliance can be quite hefty. This is why privacy professionals are critical to help businesses navigate these requirements. In addition, business partners expect privacy requirements to be addressed in contracts they enter into.
EG: You impressively steered Credit Suisse through complex legal issues, thoroughly improving upon their global compliance standards. How may your technical expertise in cybersecurity, data management and privacy law, prove to be extremely invaluable to new businesses in this modern digital age?
PL: Thank you for the kind words! I have had the privilege to have worked in a wide variety of locations throughout my career – in France, the United Kingdom, Luxembourg, Switzerland, Hong Kong and the United States. My international background enables me to better understand the various legal frameworks and complex legal requirements that businesses around the world face, including how to address such challenges from a global perspective. In addition, I believe that privacy law and cybersecurity work hand in hand – there is no real privacy without cybersecurity – so my background in these areas comes in handy. With more legislation following in the wake of the GDPR, such as the California Privacy Rights Act, the Utah Consumer Privacy Act, the Colorado Privacy Act and the Virginia Consumer Data Protection Act, more organisations are at risk of potentially huge penalties if they make information security slip-ups.
EG: How did your experience as senior legal counsel of cross-border at Credit Suisse, deepen your insight into the world of digitalisation, privacy and technology law?
PL: My experience on a broad range of new business initiatives and projects, including digital onboarding of clients and the launch of new mobile apps, has been particularly valuable to gain insight in technical and legal requirements in various locations.
EG: As a recognised Fellow of Information Privacy (FIP) and Certified Information Privacy Manager (CIPM) what developments within the world of European, Canadian and US privacy legislation intrigue you the most?
PL: We have seen an uptick in privacy enforcement action over the past year. Importantly, regulators are expanding the lens from an early focus on data breaches alone to challenging companies’ data practices (including their legal bases for processing data and disclosures surrounding their disclosures of data) and, notably, cross-border data transfers. As new technologies develop – such as AI – law makers are looking to introduce new legislation to cover these new areas, such as the EU Artificial Intelligence Act. We are also seeing regulators focusing on issues such as protecting children’s data, such as the California Age-Appropriate Design Code Act (which is inspired by the UK’s Age Appropriate Design Code).
EG: What are the typical challenges that small and large companies alike, tend to face with cybersecurity and data privacy law?
PL: Internal resources and budget are the typical challenges, particularly because an investment in this area is often seen as a cost which does not immediately translate into a profit, or even a reduction in the number of incidents. It’s not just about increasing the budget to buy technology to patch cybersecurity holes. Instead, it is crucial for companies to take a more strategic approach in how they spend their budgets to start to see a real uptick in their security posture. While cybersecurity is a cost center for most companies, not investing enough in this area can prove very costly if an incident does occur.
EG: What pertinent trends do you see impacting the world of cybersecurity within the next 12-24 months?
PL: Unfortunately, I think we will continue to see an increase in the number of cybersecurity attacks. For example, ransomware attacks – a type of malware designed to hold a victim’s information at ransom in order to extort something of monetary value from them – are becoming more and more common. The accelerated digitization of many organizations created new targets for ransomware attacks. Similarly, social engineering attacks like phishing are not new threats but have become more troubling amid a widespread remote workforce. The trend towards remote working is also accelerating the growth of mobile. At the end of the day, cybercriminals are constantly looking for new ways to target and cause harm to individuals and organizations, which means that cybersecurity must perpetually continue to evolve.
EG: As an internationally renowned speaker and authority in privacy matters at conferences worldwide, what can prospective clients look forward to when working with you?
PL: I think it all starts and ends with listening to our clients, because each client is unique and has unique needs. Understanding risks – and helping clients weather them – forms the core of my practice. EG