Ross McKenzie
It was hard to see in the early 2000s where we would be today in 2026, where data is absolutely the new oil and will continue to be.
Carly Gulliver
What are people talking to their lawyers about when it comes to tech? Welcome to Inside Tech Minds from Addleshaw Goddard. In this podcast, we're sitting down with technologists, investors, business leaders who are at the heart of the biggest tech deals, innovations and disputes. I'm Carly Gulliver. Let's dive into today's episode.
Hi Ross!
Ross McKenzie
Hey Carly.
Carly Gulliver
Ross, so pleased to have you on our pod today, Inside Tech Minds, where we talk to Addleshaws’ lawyers to find out what they're seeing in the world of tech in their practice areas. So Ross, it'd be great to hear a bit about yourself and what you do at Addleshaws.
Ross McKenzie
Well, I'm primarily a data protection lawyer. So that involves me making sure that our clients are using and processing personal data, information about you, and whether it's employee roles, consumers, in a way in which complies with data protection law. My background was a commercial lawyer and I still do a lot of commercial contracting work as well. It's really important to have that good baseline when you're advising on privacy issues, but ultimately my goal was to make sure that clients are complying with an ever-evolving area of law. It's in this digital age it's a really exciting practice area.
Carly Gulliver
And Ross, do you work with many tech clients? And because obviously data is absolutely integral to lots of tech companies and what they're doing.
Ross McKenzie
Yeah, all the time and we're regularly working with buyers of tech, obviously, and that requires an understanding of what tech companies can provide and the limitations and so on. So whether it's a software solution and what's involved, whether it's where the data's been stored or what processing abilities these solutions have. But we also work with lots of suppliers of that tech and over the years it has become more and more important that providers of tech are ahead of the regulatory curve because ultimately that's their big selling point as more businesses rely on these companies to provide services for them.
Carly Gulliver
I think we often hear actually, myself as a corporate lawyer when I'm working with tech clients, that obviously there's one piece around what's the data framework that they have to exist within. But also, as you mentioned, tech companies being the buyers of companies, potentially around the value of data and how that's valued these days. It's obviously becoming ever increasingly important on all of our radars.
Ross McKenzie
Yes, and there's lots of different layers to that, whether you're collecting data for analytical purposes and actually doing something really cool with information to develop new products and services that comes with challenges, but is encouraged in the UK. We have quite a regulator who's really keen to see innovation in the UK. But importantly, there will be clients who provide services for other customers and their main role is to make sure they are protecting, keeping data secure because all they're doing is acting on the instructions of their customer. So it depends really, we have to look at our clients through different lenses, depending on what they're doing, what they're offering to the market and with the advent of AI, it's inevitable that people are more curious about what's going into developing these large language models and whether any personal data is going into that to feed those amazing innovative solutions that clients are constantly coming up with. So a lot of the job when I work with you, Carly, on transactions is understanding how did you get here today and what do you want to do in the future and making sure that we can map all of that in a sensible way which meets the requirements of data protection law or the new AI frameworks that are coming along, or maybe even the cybersecurity rules that are out there.
Carly Gulliver
Definitely a lot to digest and lots to tackle. But before we do that Ross, tell us a bit about how you got into this job, both as a lawyer, but then more specifically data protection.
Ross McKenzie
It's hard to believe that we're coming up to the 10-year anniversary of the GDPR being finalised. That was a career pivot for me. I had always worked in the commercial contracting space in private practice and I always thought I would end up doing more around intellectual property work and technology licensing and so on. But obviously data protection was always there. I'd worked for a lot of public sector clients and Freedom of Information law, data protection laws were all introduced in sort of early 2000s, which in a much more prominent fashion impacted these public sector clients and it was hard to see in the early 2000s where we would be today in 2026, where data is absolutely the new oil and will continue to be, and ironically, I'm based in Aberdeen in the northeast of Scotland and our primary commodity is oil and gas, so I was constantly told, why would you want to get into data protection? Surely you want to be an oil and gas contracting lawyer. But there was something intriguing about data protection and it was something that you could really get into the weeds of and I’m naturally, from personality assessments, quite a creative individual and I think you have to come up with solutions and use data protection law as a bit of a compass to navigate your way through problems, and I quite enjoyed that as a lawyer. I was never great at property law or litigation. It had very formal steps and requirements. You must do A, then B, then C. I like to work around that to come up with solutions to clients' problems and data protection really leant into that for me. Of course, when the GDPR came into force in late in mid-2018, that has just kept us data protection practitioners really, really busy ever since and that will change now where every country in the world is introducing new data protection laws all the time. So it's a really exciting role to be involved in.
Carly Gulliver
So a decade of data protection law. If only I'd known I could have bought a bottle of champagne or something for us to clink that, but we'll have to put that on ice for us for next time we see each other. But what have you seen then in terms of major shifts over the course of that 10-year period in terms of, you know, has there been a change of approach in the industry in terms of what clients spoke to you about back then and what they're speaking to you about now?
Ross McKenzie
I mean, I should correct that you'd say that data protection laws be around for a lot longer than ten years. Any data protection practitioner we're listening to this going wanting to need to correct there, but you're absolutely right. The GDPR was that landmark moment in the space of privacy law. I think the big difference I see is that looking at our clients, I largely advise in-house lawyers with that specialist expertise to check where they are to make sure that we can compare what we're doing with other clients, perhaps to give a bit of market mapping, which clients usually really find valuable, and the big difference I see, particularly for in house general counsel lawyers, is that for smaller companies, there's far more focus around making sure data protection is done properly. It's part of the job description now that wouldn't have been there, say 10 years ago.
But for the larger clients, the listed ones who have always had perhaps some form of a privacy function, the GDPR introduced a requirement to have a data protection officer for certain organisations. So it has driven a whole new team mindset and different function that sits and complements the legal function. That's definitely, I think, the biggest change. It's very much seen now as its own specialist area because it's so important. And what's different now also is that if we look at the landscape of laws, data protection almost sits in the middle now of so much that's going on. I mentioned artificial intelligence frameworks and rules. They face into what data protection law said about AI processes called automated decision making. Cybersecurity rules overlap when we're using personal data and there's a data breach. You've got the Data Act as well in Europe and the Online Safety Act. So privacy lawyers and advisors are having to adapt really quickly and I hear often the expression it's ‘privacy and’. So it's you're not just a privacy lawyer anymore. It's a privacy and AI lawyer, a privacy and cyber lawyer because it’s still the practice of data protection, the skills we learn and have to deploy really complement in those new emerging laws. So I think that's the biggest change. Your desk is far more full of different laws to understand.
Carly Gulliver
And obviously businesses are kind of at different stages with their AI adoption and the challenges that AI and opportunities that AI are bringing to them. What are your clients talking to you at the moment about in terms of AI and the impact on their businesses?
Ross McKenzie
There's still, I would say, a gradual adoption for most clients. We are seeing use cases coming through, whether it's to improve a particular part of a process that can be done better with AI, or it could be in the HR space, we're seeing a lot more AI technologies coming through for running through CVs and so on. So skills and so on around knowledge of how AI works is becoming more and more important, and I think a lot of our clients are running to keep up with the speed of change, and boards all know that AI is going to change the way in which we all work. But how that changes the way we work is still, I think, early days and we all need to look at our own workloads, identify how can we really make the most of AI in our day-to-day world? And I think making sure that that adoption is done in a manner which is sensible and pragmatic is important. We can't be frightened of it because any organisation I think that ignores it will lose any competitive advantage that they might have had. So it's an exciting opportunity, but a lot of clients I see are still really mapping out where do things fit in what they already do to transform ways of working.
Carly Gulliver
Which has to be the right answer really, doesn't it? Because we hear a lot about AI, it's a buzzword, but actually it's part an evolution really of digital transformation, which businesses are always having to grapple with and this is just another part of that. And it has to be, I suppose, put the people, put the business first and then find the right solution rather than jumping in and launching into expensive, potentially risky AI projects just for the sake of it.
Ross McKenzie
I totally agree. I think it takes a lot of time and investment to deploy any technology. Any transformation project requires investment and buy-in and if you haven't identified the need properly, then you might as well just open your wallet up and let money blow out into the wind because it just doesn't really drive any change in your organisation. But you also need to explore and finding that balance of exploration to work out what's out there, and I'm finding myself quite often feeling far behind in the tools, the technology that are available in the market. So having people in your business who are constantly out there looking around is really important. We're very fortunate that we have a fantastic innovation legal tech team that do that for us.
Carly Gulliver
I mean, as you said, there's huge advantages if you can leverage them to the use of AI, and that speaks very much to the business case behind why you would adopt AI. But there's also reputational risk and cost overhead expenses of those failed projects, which brings us back around, I suppose, to some of these challenges we see in the data market around very complex landscape, enforcers, potentially regulators who are looking at how they can have more teeth when it comes to enforcement. Then obviously we're hearing lots around cybersecurity, the alliance of businesses and data breaches and things like that. What are the biggest challenges amongst all of that that you're seeing and that are coming across your desk in the data landscape, if you like?
Ross McKenzie
So I think the best way to articulate to aboard now data protection issues is using the phrase digital responsibility rather than technology regulation. I think the word regulation sounds like that's for the legal team. Digital responsibility for me really speaks to the challenge also that business has and that everyone in the business, at every board let position has a responsibility to safeguard their business. So if you look at a lot of the things we've been dealing with over the last year, clearly cybersecurity resilience has been the number one topic. There isn't a week that goes by where it isn't in the press and what's been interesting for me is seeing the evolution of thinking here.
Five years ago or six years ago, everybody was panicked about do I have to report a data breach to the regulator, where it's personal data? The seventy-two-hour notification window to the information commissioner's office in the UK, but over time and more recently, particularly after some quite major cyber incidents, clients are looking at things more granularly now and looking at what's their minimum valuable business proposition. In other words, if certain parts of our business were brought down by a cyber-attack, how would we deal with that? So I look back to that digital responsibility piece. The days of saying “well, that's for the cyber team” or “that's for the IT team”, I think misses the point because resilience in your business is all around looking at our supply chain and looking at what we would do if something was impacted by a cyber-attack.
So it could be a particular supplier. So if you think of an HR function, what is their minimum viable business proposition? Well, it's going to be making sure you're paying staff. That's fundamentally the most important thing you would need to keep going if your business was impacted by a ransomware attack. So what would be your backup in that scenario? And five, six years ago, we weren't seeing that discussion and that detail happening as much. There was a lot about cyber insurances. There was a lot about general cybersecurity planning, whether it might be having some sort of disaster recovery setups and having policies. But what's been interesting is seeing that change in mindset and looking at your full supply chain. So that would be probably the biggest change I've seen in the last year and what's keeping boards busy. And that will just carry on, particularly when we know there's new legislation coming out through the UK government. There's European legislation already on the books. So a lot more requirements around resilience. And if I'm allowed a second one, I would definitely say ChatGPT has transformed the way in which individuals can challenge businesses when they suspect something has happened with their data, and in many ways, ChatGPT would describe it as democratising the law in some ways. It's giving people the information just by asking a couple of questions around what should they do if they feel aggrieved, and of course, what happens is they will be recommended put in a subject access request, and then the next question is, could you draft me a subject access request? Yes, of course, Ross, I can draft you a subject access request. Here it is, and away it goes. Of course, the complexity of what we're seeing with these requests is becoming a massive compliance burden for our clients and clients who want to do the right thing. Nobody is trying to cover up anything. Clients that we work with want to do the right thing for their employees or ex-employees or their consumers, but the problem we're seeing is Chat GPT is layering up lots and lots of perhaps I would say other survey points and questions and not really addressing what the issue the person has and creating a challenging communication requirement to try and distil down what do you want and what can we do to help? And we've seen this increase through 2025 into 2026 and that won't change in any way, because I think people are still just realising how powerful things like ChatGPT are.
Carly Gulliver
And so presumably we might end up with a solution, if we haven't got it already, where on the other end, the businesses that are receiving the SARs - the subject access requests - will need to use AI to help them sift through them. So it would kind of be this battleground between AI bots or processing.
Ross McKenzie
Well, when the AI agents start speaking to each other, we're all out of jobs I fear. But a lot of the documentation review software has AI embedded in it now, so it can very quickly mass redact or group and combine documents together. Technology's come a long way in the last decade or so in document reviews, thankfully. The days of printing out documents and Tipexing out things and using black markers are way, way, way behind us now, and I had to go through those days.
Carly Gulliver
I think we'll be really showing our age there won't we if we start talking about the things that we used to do when we first started out as lawyers with red lines, Tippex, hole punches, all that sort of stuff.
Ross McKenzie
Yes, and Dictaphones.
Carly Gulliver
But I love the idea of digital responsibility. Will we be seeing a merchandise line from you on that coming soon? Perhaps t-shirts, mugs?
Ross McKenzie
Yeah, Taylor Swift watch out. If there's a merchandise opportunity, we will take it.
Carly Gulliver
Are you Taylor Swift fan Ross?
Ross McKenzie
That's a very controversial question to ask me. Unfortunately, she's not one of my top divas, I'm afraid. It's got to be Kylie, I'm afraid. I'm old school.
Carly Gulliver
Okay, so I was going to say that you're going to be in your digital responsibility era, but maybe I'll just say that instead it's digital responsibility, you just can't get it out of your head.
Ross McKenzie
Oh that's terrible, Carly. Terrible pun. I'm sure we could come up with better than that.
Carly Gulliver
Very good, you got there before me. I mean, on the theme of digital responsibility, and who would have known we would have gone down the Kylie Minogue versus Taylor Swift route.
Ross McKenzie
If anyone knows me, I would always find a way.
Carly Gulliver
Well, moving swiftly on, what can companies be doing as part of this digital responsibility to kind of trial and workshop some of these, you know, issues that they might be having? Is it something that they can be piloting and preparing for so that it's not just in a doomsday scenario that they have to test how, you know, how resilient they are?
Ross McKenzie
Unfortunately, it does require a lot of homework and a lot of time early on to work out what laws apply to us and doing that mapping really does help because what you find is that there will be crossover between different provisions. There will be certain things you've done to comply with the GDPR, which will help you to comply with other requirements. For example, in the AI governance space, if you're a European organisation or providing goods and services in Europe that use AI, it could be that your cybersecurity planning to deal with the technical and organisational requirement rules in the GDPR will have solved some of the more rigid requirements that are coming along in cybersecurity resilience. I think definitely giving yourself the space to start looking at that landscape, whether that's taking yourself away for a couple of days on some sort of company retreat to really properly map it and to try and find ways to track that. Because if you are, say, a company that's looking at in the future a potential acquisition, being sold, these steps are will be important to demonstrate to a buyer that you have looked at this and what we find is when we're doing due diligence in any company, maybe it's my approach, but I don't look often for perfection in any of this. You look for sensible and good governance. And that doesn't mean we're looking for absolute perfection in every single part of the law because it's quite a difficult area of law to do that in. That I think for me says a lot about the nature of the organisation and that they take digital responsibility seriously and can see the benefits. Ultimately it's a selling point for your business that you've done that.
Carly Gulliver
What are the quick wins if someone's listening to this podcast going, wow, you know, haven't got time for a retreat or to take myself away and give myself that space. This seems really complex. What are the kind of quick wins to get to that minimum viable position as you mentioned earlier?
Ross McKenzie
I think finding likeminded people in your business that maybe you can bring together in a regular workshop. So whilst you might not have the time, getting people in a room together for an hour to identify skills, issues, talk about what they're doing can really help map where you think there might be problems in the future. So trying to make sure that your business isn't working in silos for me is one of the most important things. We often find when we run data protection audits for clients and we do interviews across the whole business, you realise that people don't realise what different parts of the business are doing or different data products, solutions, or how they're using personal data. So I think that for me is a quick win in that you can bring together people who can understand the importance. And I suppose in terms of legislation and understanding what laws are out there, it's for me looking at what sort of data are you collecting is important. So if you're processing personal data and if you haven't done a data audit for a while, it's probably I would say still that's important because that will thread you through to different issues. So for example, if you find out that we are using sensitive health data of staff for purposes that you didn't know about. It might be that that leads you to realising you're using some AI solution that hadn't been checked. So it's a bit of a good way to look at what's one of their highest risk data sets that's still the information of people and your customers and what are we doing with it and from there you can build out.
Carly Gulliver
That’s some really helpful tips. I think it's always important for business leaders and businesses to get the right people engaged early on and that it's not a case of just the senior leadership team or the board having responsibility for this. It has to be part of a culture for the whole business.
Ross McKenzie
Yeah, exactly. And that's often what we find the role of a data protection officer is now. And then that broader role of being in charge of governance, it's culture and getting messages out to people and whether it's your cybersecurity training or your data protection awareness training, these things are really important.
Carly Gulliver
Something we ask all our guests is what piece of technology they would put into an AG tech time capsule. So any ideas on that one Ross?
Ross McKenzie
Well, I will confess to the audience that you did ask me this question yesterday, so it gave me a chance to think about my answer, sorry. And I did have an answer, which was going to be the Apple AirPod, but I realised what I would like to put in. It's not really technology, it's the little pin you use when you're changing your iPhone and you have to pop the SIM card out. The tiny little pin because if you think about all the years of iPhones we've had since I think about the iPhone four or three, that is the one piece of technology, if you want to call it that, that has been consistent through about fifteen iterations of the iPhone, and it's still essential to make sure you can transition from your old phone to your new phone. And I think it's just such a simple little tool and if you look at what you get in a box when you buy a new iPhone, you don't get very much. You get the phone and you get that pin and you're lucky if you get a charging cable these days. I think that represents transformation and technology growth in a way which is the one constant we've had in our life for about twenty years.
Carly Gulliver
That is a very good answer Ross. Not one that we've had either.
Ross McKenzie
Yeah, I did think it's not really technology, but there's a good reason for it.
Carly Gulliver
So before we wrap things up, Ross, are there any closing remarks that you want to leave with our audience around data protection and the impact on technology businesses?
Ross McKenzie
I think the main thing for me is to realise that data protection law isn't going anywhere. It is an area of law that will just continue to evolve. It tries to keep up with the pace of technology all the time. And if you are looking at any way in which to make sure your business assures itself with trust, privacy is a great place to start, I think, and taking the data protection principles really seriously will really help in your compliance journey and your attractiveness to you as a business, whether it's for employing people or for attracting customers into your business. I think back to, I was in New York this year and everywhere I leaped, there were privacy billboards around New York selling products around the features that they have for a privacy centric experience and I think investment in this area will just continue to be important.
Carly Gulliver
Are you seeing many differences? You mentioned the US there, but do you see any difference between the US's approach to data protection and our approach to data protection in the UK and the EU?
Ross McKenzie
Yeah, the US approach is a consumer centric approach. So it's you largely often regulated by the FTC. So things that businesses have said that they'll do, they have to follow up with. But of course, across the US there's fragmented laws with different state laws, different laws which regulate different types of data. So it's a really difficult market to get a good spread of compliance. But in comparison to Europe, which actually we have quite a consistent framework, relatively speaking, which makes actually doing business a little bit easier. Whilst there is tough penalties and a number of requirements, they're all relatively similar across all of the UK and Europe. So that does make things in some ways easier.
Carly Gulliver
So it sounds as if you'd need to take some advice if you're transferring data or you're dealing with data in the US.
Ross McKenzie
Yes, absolutely. But I I think people still some people assume there are no privacy laws in America. Yes, there is no federal data protection law, but there are plenty of other specific laws to take into account.
Carly Gulliver
Fab. Well, it's been really great to speak to you Ross. Thanks so much for coming on the podcast.
Ross McKenzie
No, I've been delighted to get to spend some time with you and to share some of the things we're seeing in this space.
Carly Gulliver
Thanks for joining us on today's episode of Inside Tech Minds. If you enjoyed the conversation, don't forget to follow and subscribe on Apple or Spotify or even leave us a review. Thanks for listening and we'll see you next time.