Five Minutes With: A Data, Privacy and Cybersecurity Counsel

Former journalist and LA-based musician Edward Machin took the long way round to a career in the legal profession.

What was your route into cybersecurity?

My career path is somewhat unusual, with detours into playing music in Los Angeles and working as a journalist for six years after university. During my training contract, I spent six months focusing on privacy, data protection and cybersecurity shortly after the EU-US Privacy Shield had been struck down. After a few weeks in that team, I knew I’d found the area of law for me.

If you could retrain for a dream job, what would it be?

Since I was 17, my dream job has always been to work as a staff writer for The New Yorker. Failing that, I’d be a professional Bejeweled player (see final answer below).

What has been your most challenging role to date?

Juggling the job with a young family was tricky at times. But we made it through and – the last time I checked – still seem to like each other.

What cyber/privacy-related regulations do clients find most challenging?

Most new and upcoming cyber laws in Europe are, by themselves, capable of being understood and operationalised without significant challenges – particularly for organisations that can leverage a robust data protection and security compliance programme. An exception is the Digital Operational Resilience Act, which our clients have spent significant time and money addressing in the past year. The difficulties come when these laws have extra-territorial application and overlapping requirements, such as around breach notification. This will make an already challenging scenario – reporting under a single EU law – even more complex in 2025 and beyond.

How can compliance teams cope with mounting regulatory complexity?

It’s certainly not easy. New guidance, enforcement actions and court judgments appearing on almost a daily basis. Our industry moves so quickly, therefore, that it can be difficult for organisations to understand which developments are relevant, what they require, and what to do next. I advise clients to adopt an approach that comprises both the “what’s now?” and the “what’s next?”. They should be identifying and assessing the application of upcoming laws at least 12 months before they take effect and designing a roadmap for compliance. The period between a law being passed and coming into force always goes faster than you think. And however hard it seems to start the wheels turning on a new compliance process, it will always be easier than playing catch up once the law is in effect.

What’s the biggest misconception about cybersecurity?

That it’s all about technology. My experience has been that the people – the clients, the bad actors, the regulators and the law enforcement agents – are equally, if not more, important. Technologies change but people stay the same. And although a lawyer that is conversant with technology can be a strong combination, it won’t take you very far if you can’t understand, engage and empathise with your fellow humans.

Best and worst thing about your job?

The opportunity to help clients think about and devise solutions to their legal and compliance issues – and particularly to guide them through a wide range of security incidents – is a real privilege. Advising on laws and technologies that are developing at such a clip means that every day is a school day, and I genuinely feel lucky to have found a career that is as close to a passion as I could have expected. There is very little that I don’t like. But the pressure to get both full marks and one of the fastest times on the firm’s annual GDPR compliance training can sometimes weigh me down.

What advice would you give to industry n00bies?

“Be curious, be a good colleague, work hard and say yes to every opportunity.”

Be curious, be a good colleague, work hard and say yes to every opportunity. Even if you’re not sure that you can handle it, you almost certainly can.

What’s the biggest as-yet-unsolved problem in cybersecurity?

The question of whether or not to pay ransom demands – and if you are willing to pay, when to do so. With that in mind, it’s going to be fascinating to see how the UK government’s recent consultation on introducing a payment licence regime shakes out. If permission will be required for at least some private sector organisations to pay up, it will result in a significant change to the status quo.

Tell us a guilty secret.

I’m addicted to the puzzle game Bejeweled. It has an oddly therapeutic (my family would say hypnotic) effect on me – so much so that I can play it for hours on end. Every January I think about deleting the app, but I never quite manage it.