An interview with Nicola Lucas, legal counsel for Kodak Alaris about what data rights, if any, we have, GDPR, and where we go from here.
Welcome to Data Dives, from Alaris, a Kodak Alaris Business
"Isle of Hope, Isle of Tears" performed by The Whistlin' Donkeys
Erik Oehler: Welcome to Data Dives. My name is Erik Oehler. Today we're bringing you an interview with Nicola Lucas. Nicola is our in-house counsel at Kodak Alaris. I recorded this interview in summer and had plans of pairing it with some other interviews around data privacy that never materialized. And, revisiting it, I realized it's really strong enough to stand on its own. We cover a lot of ground in not a lot of time. And Nicola's perspective really offered me some insights into the legal side of these questions that we still haven't answered as a society, and frankly, I don't know if we ever will. But it's crucial that we do.
Erik Oehler: The gap in our perception of how our data is used and how it's actually being used is widening. And I don't see that changing. We don't solve that in this episode, but we do have a good time talking about it. So, now I bring you Nicola Lucas.
Nicola Lucas: I'm Nicola. I'm the legal counsel for Alaris in Europe and Asia.
Erik Oehler: How did you get interested in law to start? Like what was the path that led you here?
Nicola Lucas: Oh, good question. I was about 15 years old and, my dad being a policeman, there was lots of opportunities to go to courts to see what was going on for work experience. So, I really enjoyed that. Unfortunately, there just weren't many roles around at that particular time. So, I started to look into supporting in voluntary roles for women in domestic violence refuges. And that really sparked my interest in getting into law. And then, over time, I have developed quite a keen interest in tech. And that's how I found myself working for Alaris at the moment.
Erik Oehler: Did you ever do anything with women in domestic violence professionally?
Nicola Lucas: Yeah. Yes. So, I supported in voluntary roles for a number of years while I was studying. And then, now what I do is sit on a board for a not-for-profit homeless organization back in England. We're one of the largest in the region that I live in. So, I try and use my legal skills, not just for the day job, but also helping those less fortunate outside of work as well in a professional capacity.
Nicola Lucas: I've always had this thing to just give back in some kind. So, I sought out a trustee role, and then separately a non exec director role for another board. So, that's an interesting one. It's the... they received funding from the football association in the U.K. and it's we have it run at county level, so your state level, I suppose. And I came on board as an independent non exec director to try and support them in what they're doing.
Erik Oehler: That's great. So, it's a good-
Nicola Lucas: Increasing diversity as the only woman as well.
Erik Oehler: I would say the profession is skewed men. I kind of know that, but like how skewed is it?
Nicola Lucas: In general, so in the U.K., there's lots of really interesting debates going on about the gender pay gap because they had some legislation that came in that made sure that we had to... and what is the actual pay difference or the gender pay difference. So, it sparked a lot of debate. I think it's changing. There's a lot happening. But it's still quite accepted that, to reach the top of the really big law firms is incompatible with family life. But what you are also seeing is, not just women benefiting from saying, okay, that doesn't quite work. What are the new models that are coming through? Alternatively, we're seeing guys also saying, do you know what? I want to be at home with my family more.
Erik Oehler: Yeah.
Nicola Lucas: So, it's working in both ways.
Erik Oehler: That's good.
Nicola Lucas: Good stuff though.
Erik Oehler: So, we'll eventually, I promise, get into GDPR, which is kind of the premise under which I lured you and the audience to this. But I wanted to take a step back and talk about data and privacy, starting with what you think about what rights, if any, we have around data and privacy, if we were just born today.
Nicola Lucas: I think we would have to take a step back and look at where we've come from. So, when the previous legislation was around, we had no cloud computing. We had none of the advanced technology that we have today. So, what we had in place before was very, very simple. Now, if we were born today and we are educated, we come with a much greater awareness of what our personal data is, who has got the right to it, and, going forward, who is doing what with that. So, I think we can come with a greater awareness and we have greater rights now.
Erik Oehler: But as we go through life, do you think most people consider the trade offs, privacy for things like security and freedom, for instance? Or that we adequately... not we as in Kodak Alaris, but we as in a society inform people about those trade offs?
Nicola Lucas: I don't think we do enough. No. I think there's a fine balancing act. And I don't think there's one answer that fits all because you're always going to get some people that are all one side and the other. So, it's all about catering for a middle ground that makes people feel comfortable that it's not invasive, but at the same time, that their data is secure as well.
Erik Oehler: How could we do it better than we currently do?
Nicola Lucas: I think we need to just continue the conversation with what's happening with our data. There needs to be a greater transparency of what is actually going on now and how the tech is going to develop in the future and what that means we may be giving up if we're not properly educated. I think we should try and educate ourselves with what is changing in the market. And don't expect big companies to talk to us about it, because they won't. I don't think they will, because it's not in their advantage to do so.
Erik Oehler: It's funny, you used the word giving up because like sometimes sacrificing privacy enables you, in a sense. So, it enables you the freedom to make purchases easier. It enables you all sorts of freedoms that you don't know. But it also restricts freedoms in a way that I don't think that we always fully understand.
Nicola Lucas: You've got the example of Amazon recently, haven't you? Where they were trying to create shops. Was it Amazon?
Erik Oehler: They've done some crazy things with data and privacy.
Nicola Lucas: Yeah. You know when you go into the shop and you just walk around, and you can pick up the items, and then you walk back out again, it uses facial recognition.
Erik Oehler: Yeah. It was Amazon or maybe one of the grocery chains maybe.
Nicola Lucas: Yeah. But, essentially, now what that's doing is people are saying, that's too much. And certain states in the U.S. are banning that because they don't want that to be the future.
Erik Oehler: Because it's almost like you're really going against a whole series of algorithms and data scientists who are gaming you to capitalize on moments of weakness and to make it so easy to purchase things that you don't even think about it. Do you think we've left the age of having like full autonomy over our decisions? Or is every decision influenced in some way by the sacrifices that we've made around data and privacy?
Nicola Lucas: I don't think we're at that stage. I reckon, if we're not careful, we could be there quickly.
Erik Oehler: Sort of the dying gasps.
Nicola Lucas: Yeah. Exactly. I think you need to empower yourself to make sure that you know exactly what data... it comes down to what data is precious about you? What do you not want to be passed on? Now, no one wants their information to be hacked from anywhere. And no one wants their credit card details used by a fraudster, and then taking purchases off your credit card. No one wants that. But do you want targeted marketing that's going to mean, if you go to that website, you've got someone else saying, oh by the way, we noticed you were shopping for this. But also do you want that? Do you want this? There's a level... it will keep building. And I think we'll get to the point... there'll be a tipping point where we're either outraged by something or we'll be comfortable because that's enhancing our shopping experience.
Erik Oehler: What would that take though? Like what would the ultimate overreach be where we drew the line and said, hey, that's too much?
Nicola Lucas: Well, I wonder if all the politics around what's on social media, creating fake news, and how that's all spread, the Cambridge Analytica, that caused absolute outrage.
Erik Oehler: Yeah.
Nicola Lucas: So, in hindsight, actually perhaps it's already happening. It's just that we're only just finding out to really understanding the impact of it now.
Erik Oehler: Mm-hmm (affirmative).
Nicola Lucas: Even though it could have been happening previously.
Erik Oehler: Yeah. So, that finally gets us to GDPR. Do you think the spirit of that was rooted in informing people about how their data was being used and maybe reclaimed some of that autonomy? Like what was your interpretation of the original intent of that? I know what the formal statement was, but what was that?
Nicola Lucas: Yeah. My interpretation was bringing it all, the whole subject, up to date. And yes, I believe what you're saying, enhancing our knowledge and rights a bit.
Erik Oehler: Mm-hmm (affirmative).
Nicola Lucas: I think it's brought data protection to the real forefront of people's minds now. It's so unusual for people to comment on whether they like particular home entertainment systems. Do they like the fact that you would have an Alexa in their home? Some people don't for the reasons that they're concerned about privacy. And I think we often have a bit of suspicion that comes with it now as well. So, we needed to update our laws. And the focus was definitely on trying to update it. So, we'll just have to see how it develops in years to come.
Erik Oehler: Yeah. So, in your previous role, you mentioned you were involved in GDPR at the ground level when it was implemented. What was it like helping that organization get to a place of comfortable compliance?
Nicola Lucas: You saw a mixture really, saw clients who were incredibly proactive and wanted to really understand, and you saw clients who would come to you a day before GDPR was actually being launched saying, what's GDPR and what do I do about it? I think the key takeaways though that made people pay attention is the financial risks that companies can face if they get that data breach happening and what that means for their business. To just remind those that may be listening, you can face the fine up to 20 million or up to 4% of your turnover for any kind of breach. And that's decided by the authority in your region. That's a lot of money, especially for medium sized businesses. That could put companies out of business if you're not big enough to be able to take that hit.
Erik Oehler: Yeah. So, in the week we're recording this, we've seen not just one, but two hefty fines come down, British Airways and then Marriott. And both stemming from data breaches. So, in the British Airways case, the site is hacked, they take action, they notified customers within a day of it, they reimbursed all the affected customers, which seems to be in compliance with GDPR. Like, as I read it, you have to notify... it said without undue delay.
Nicola Lucas: Mm-hmm (affirmative).
Erik Oehler: So, why do you think they come down so hard on them in that case?
Nicola Lucas: I think a number of reasons. So, the emphasis with GDPR is essentially saying, just because your systems aren't sophisticated enough, ignorance is not defense. You have to make sure that you're proactive and protecting everyone's personal data that you have been trusted with by your consumers. So, a lazy security approach, I mean, I'm not techie, so I wouldn't be able to say whether that was really the case for British Airways or Marriott at all. But saying, we didn't realize that we weren't secure enough, it's just not good enough.
Nicola Lucas: Considering that we are becoming an ever increasingly tech reliant society, it's pushing the onus on those companies that are handling data to make sure that they are really looking after everything. And, if you don't, there's a financial repercussion.
Nicola Lucas: The second part of that question, I think to the information commission in the U.K., it's the largest fine that it's handed out so far. And it was 183 million pounds that British Airways faced. I read a statement to say that their spokesman was incredibly disappointed, naturally. But I think they got off quite lightly because that's around 2% of the maximum fine that they could have received of their overall turnover. It could have been closer to 500 million.
Nicola Lucas: So, I think they will go ahead and appeal it. But they're being made an example of, at least at this stage. And I think it's interesting timing that the ICO has come out and issued a notice for a fine of Marriott as well because I think they're really strong arming their powers now and saying, look guys, this is something we're really serious about. So, pay attention or else we'll hit you where it hurts.
Erik Oehler: Do you think they'll start enforcing smaller breaches without as great a consequence as those two have?
Nicola Lucas: I think they have been doing that over the past year. I think they've been testing to sort of see what happens and come out and how far can they take it.
Erik Oehler: Right.
Nicola Lucas: I think it's an interesting strategy in my mind. Because I think they're making an example of the big guys to make sure the little guys are petrified enough to not let that happen and force everyone to increase their standards and set a benchmark, which is needed. But, at the time of what's happening, there's no rhyme or reason to the exact numbers at the moment. It depends on a case by case basis.
Erik Oehler: Right. So, assuming like nearly every major company is going to experience a data incident, maybe not a full fledged breach, is this fair? Like is it fair to... almost every company handling e-commerce at some point is going to be the target of an attack. And you're fighting against a whole army of hidden hackers out there who are trying to get at this data. Can anybody avoid it completely?
Nicola Lucas: I don't think anyone could ever avoid it completely. So, I see your point. That could be unfair. But I think, given the constant turnover of new technology that's coming out, it pushes the onus on businesses to make sure that we're up to date. Now, you could argue that that means that everyone is having to invest quite heavily in lots of expensive tech constantly. But, if that meant that I don't have my passport details stolen or my credit card details stolen and I don't have to go through the faff of having to reclaim things that I've spent on my card, then yeah, I don't care. It's the customer's details. I would want them protected. So, it just adds to the consumer's experience to know that you're shopping online, if you go back to e-commerce retailers, you're shopping online with reputable companies.
Erik Oehler: So, you kind of alluded there to potential future consequences of huge investment and more info security, those jobs and those technologies. What do you see for the future of acts like GDPR? I know in the states California is about to institute a consumer privacy act. Do you think this gets further reaching? Do you think there is a line in which governments will stop trying to legislate this because they realize it's out of control?
Nicola Lucas: I think they're trying to control it now so it never becomes out of control. So, they're being preemptive. GDPR most probably should have come in sooner to prevent such a long gap. In the U.K., certainly, we didn't have any legislation on this for 20 years. I mean, 20 years of technology, that's a lifetime, isn't it?
Erik Oehler: Yeah.
Nicola Lucas: So, it was already very vastly outdated. I don't know what's going to happen with the future on that. I wouldn't be surprised if we saw more regular installments of legislation and different points to try and keep everyone up to date.
Erik Oehler: And do you have any advice for companies that might still be kind of behind and trying to catch up?
Nicola Lucas: I would say speak to your legal advisors and make sure you're on board with what you should be doing. Because the risk far outweighs the lax attitude towards GDPR. We've seen this week that the ICO and all sorts of data regulators are really using their powers. So, action is better than no action in this case.
Erik Oehler: They mean business.
Nicola Lucas: Yeah. Exactly. Especially if you want to stay in business.
Erik Oehler: All right, thank you for your time.
Nicola Lucas: Thanks!
Erik Oehler: My thanks again to Nicola for the interview and the patience of being delayed about six months before it was published. This and every episode of Data Dives is brought to you by Kodak Alaris, delivering scanner software and services that enable businesses to go paperless and automate workflows. Additional thanks to all of you who listened this year. We crossed a milestone this month with 2,000 downloads. And I'm thankful that, with the broad range of options you have vying for your attention, that you choose this one. I promise I'll do my part to keep making it interesting in 2020. For Data Dives, my name is Erik Oehler. Happy holidays, happy new year, and thank you for listening.