Client expectations have pushed information-risk experts into core business decision-making roles
Not that long ago, privacy was the sleepy corner of the legal world. It lived in policy binders, website footers and PIPEDA checklists, usually handed to the one person in the room who didn’t flinch at the thought of reading a statute from cover to cover.
That world is gone.
Today, privacy law and data security are reshaping how law firms design their systems, how in-house teams define their responsibilities, and even how we draw the line between “legal work” and everything surrounding it. The demand is only increasing. What has changed radically is how sophisticated clients expect their lawyers to be about the underlying technology, data-driven business models, and governance structures that surround them.
You can see that shift in the careers of people like PwC Canada’s chief privacy officer, Dina Maxwell. When she was called to the bar in 2010, “you didn’t necessarily have the same opportunities to focus on privacy and data in the same way that you do now,” she recalls. What started as a niche interest, nurtured “off the corner of [her] desk,” is now a full-time mandate running PwC’s internal data protection and IP program – from incident response and anti-spam compliance to data impact assessments and vendor terms. That is no longer a side specialty; it is a redefinition of senior in-house practice.
At Geotab, legal counsel Deepak Iyer followed a similar path. Filling a privacy leadership gap helped build a “data-as-a-business” strategy. Now, at a global telematics company, he treats privacy and cybersecurity as “inextricably tied” pillars of the business model. Geotab deliberately applies GDPR standards even where it is not strictly required, “because it’s the highest standard,” using privacy to future-proof operations across Brazil, the EU, Australia and beyond. Privacy has become a commercial differentiator, not just a compliance obligation.
On the law firm side, the conversation has moved just as quickly. A few years ago, cloud debates centred on whether firms could safely store documents off-premises. Now, as Alexi CEO Mark Doble argues, the real fault line is between traditional multi-tenant tools and single-tenant, private cloud environments built for serious legal work. He likens shared platforms to building your practice on someone else’s marketplace – the Amazon of legal tech – where the provider sees every workflow pattern and learns which use cases are most valuable. His point is not just about confidentiality; it is about ownership. If the “critical intellectual property of a law firm” – the inputs and outputs of its AI-assisted work – ends up training someone else’s models, firms are helping to build their own competitors.
That infrastructure question is part of a broader shift in how we manage AI and data. When we looked at how artificial intelligence is transforming law firm operations, experts like Colin Lachance and Joshua Lenon warned that AI introduces “a potential leakage” not because lawyers suddenly care less about privilege, but because AI-backed vendors now sit inside the trust circle. Firms must trust not just their own systems and people, but also the opaque layers of third-party providers and their service chains. The answer is not to avoid AI but to build “smarter systems and frameworks” – private clouds, granular access controls, and policies that pair solid metadata discipline with natural-language search.
The same maturity is badly needed on the corporate side. When I recently spoke with BCF tech and AI practice co-lead Misha Benjamin about AI governance gaps that put Canadian businesses at risk, he was blunt about the limits of generic AI policies. Boilerplate rules that ban “any confidential information” without defining the term or offering compliant alternatives do not reduce risk; they drive employees toward “shadow AI” tools outside any formal controls. His experience, from Ubisoft to Element AI to Sama, is that real governance starts with a granular understanding of where value and risk live in a particular business: training data for foundational models, shop‑floor operational data, or creative outputs whose IP status may be uncertain.
What ties these stories together is not just more work for privacy lawyers. It is a qualitative shift in privacy and data security work. The most effective lawyers in this space are no longer just specialists in statutes and breach-notification rules. They are infrastructure strategists, product counsellors and internal diplomats, sitting at the junction of technology, business and ethics.
That is good news for those willing to put in the hard work to understand both the code and the contracts. It also means that for firms and in-house teams alike, privacy and data security can no longer be treated as bolt-on specialties. They are now part of the core architecture of legal practice – and they will define who is still competitive a decade from now.