Kristen Pennington to speak at Global Privacy Day

Livestreaming on 25 January 2024 as part of Data Privacy Day, Global Privacy Day brings together thought leaders and senior industry professionals to discuss the present landscape of data protection and privacy, and the current and future challenges that professionals face.

Partner in Canadian Privacy Law at McMillan LLP, Kristen Pennington maintains a dynamic practice in privacy, data protection and employment law. She assists emerging and established companies across a range of industries, including manufacturing, retail, food & beverage, and technology, and provides insights into Canada’s distinct laws in these disciplines to support businesses entering or investing in the Canadian market.

Kristen will be at Global Privacy Day to discuss data transfers, looking at real-world examples, best practice and strategy.

We spoke with Kristen to learn more about her professional journey, and for an introduction to the key themes of her Global Privacy Day session.

Could you outline your career pathway so far?

I am a lawyer and partner in the Privacy and Data Protection Group at McMillan LLP, a full-service Canadian law firm that assists businesses of all sizes and types. I am fortunate to be a member of McMillan’s Technology Team, giving me the opportunity to work with colleagues specializing in intellectual property, data management, technology contracting and technology transactions.

My legal practice has changed significantly over my five years at the firm, in particular as we help clients tackle changing regulatory and risk landscapes related to emerging technologies like AI. Our clients are increasingly operating in and transferring data to and from multiple countries, and I have enjoyed collaborating with international counsel on multijurisdictional projects to ensure our clients are complying with various regional laws in this respect.

What are the primary challenges that organisations face when building data transfer practices that align with established policies, data privacy demands and consumer expectations?

It can be challenging for organisations to develop policies and practices that reconcile the data transfer requirements across various jurisdictions, which are sometimes overlapping but can be at odds with one another.

It is important to work with qualified experts in each jurisdiction to make sure that policies and procedures reflect local nuances. Data mapping and identifying common situations in which data transfers arise within the organisation can also help ensure that all applicable laws are being taken into consideration when developing data transfer policies and practices.

On a practical level, organisations can also struggle with actioning the contents of their data transfer policies and procedures. If these requirements are buried in documents that business units are not aware of or do not know how to locate, they are unlikely to be put into practice. Regular role-specific training for personnel who are involved in arranging or approving data transfers is imperative.

How are these challenges changing as we move into the era of AI?

Organisations need to consider whether the use of AI tools involves transferring personal information across borders.

Personal information, or information derived from personal information, that is input into AI systems may be transferred or stored in other jurisdictions, potentially necessitating risk analyses and/or notices to individual data subjects, among other compliance measures.

Keeping track of these additional potential data transfers adds another layer of complexity to data transfer compliance programs.