

What is Intellectual Property and What You Need to Know About It

When you’re starting any new venture it’s a good idea to ask yourself some searching questions. Why are you in business? Or why are you planning to start one? What’s the motivation driving it? Are you aiming to make it big? Would you aspire to be the next Richard Branson or Anita Roddick? Or are you just intending to be self-employed? Certainly, when I founded my law firm, Azrights, 13 years ago I just wanted to work flexibly around my two daughters so I could be there for them instead of handing over to a nanny to raise them.

Aspirations change over time. Certainly, for me a love of entrepreneurship was the catalyst to growing the Azrights business into a proper law firm. My ambitions grew and I have seen a need to create another business, Azrights International Ltd to provide eLearning now, and essentially to offer potential clients different options to the done for you legal services that Azrights provides. You may find your aspirations change over time too. Bear them in mind as the IP actions you need to take do depend on the direction you’re taking.

I am convinced that Intellectual Property is a business skill that entrepreneurs and creatives need to learn just like finance, or any other subject that’s so intrinsic to their business success. The IP I teach in my current course, Legally Branded Academy, is relevant to a worldwide audience because it is business insight not legal minutiae. By understanding the big picture businesses can address IP issues early on, and avoid mistakes. IP is the nuts and bolts of business. It translates to value, so upskilling yourself to protect your IP is important.

To get free videos like this one on IP why not subscribe to my Legally Branded YouTube channel.

How Not To Grow A Business – My Experience Since Starting Azrights

When I set up Azrights back in 2004/5 it was after a few years bringing up my daughters. I had no existing client base so I built it from the ground up.

Luckily, I discovered a love for entrepreneurship which saw me through the extremely steep learning curve to develop my marketing and business skills. The IP work I’d done before had been for big blue chip companies whose needs and focus are very different to that of SMEs. As SMEs were my target clients, I had to discover their needs, and learn how to communicate with them.

In due course my ambitions for the business soon had me renting a big office and recruiting a team to fill it. The only trouble was that the role of managing the office fell on me as the owner of the business. Yet I need flexibility and freedom, and found the need to supervise an office felt like having a job all over again.

I made the best of it for years although I increasingly felt like a slave to this monster I had created. I dreamt of growing the business quickly – to a size where it would be feasible to pay a highly experienced manager to run the office. In my mind’s eye it would be easy for someone else to step in to fill my shoes, leaving me free to work flexibly from home.

A couple of years ago, it dawned on me that I wasn’t going to reach my goals by staying on the path I’d embarked on. The lifestyle was not one I enjoyed or wanted. I needed to make some radical changes in the business.

Virtual Legal Life

So, when an opportunity presented itself to downsize the office, I took it because I didn’t want to be chained to an office anymore. I gave up our main office with the idea of becoming a virtual law firm.

The ensuing 18 months involved quite a transition. Initially it all felt great. I knew I would lose a few team members who wouldn’t want to work from home. But for those who were open to home working it struck me as a suitable way to operate. Azrights would provide all equipment, and as legal work doesn’t need team collaboration with much of the work being done in a solitary way, we would be fine. After all we’re connected online by email, Skype, phone etc. There was our meeting room too where we could meet physically.

However, in practice I’ve realised that while things work fine with the business the size it now is, to grow the firm will involve getting a team together in a physical workplace. Filling paralegal and more junior roles with virtual workers is not easy. They find it unappealing to work from home. Many of them want the social life that working in an office provides. So, for now I’ve chosen not to replace paralegals who left and instead restructured the way we work to reduce the role of the paralegal.

I found freelancers with specialised skills such as in operating Dynamics CRM, so that now tasks like file opening, filing, and many client related admin matters are dealt with by them instead of paralegals. Surprisingly, I realised there was only limited legal work left that paralegals had previously dealt with. I had been employing 3-4 paralegals, partly because I kept a larger team than I needed, just so we could grow quickly.

Working remotely has allowed me to attract a wider pool of quality talent from far and wide, some of whom work on occasional projects, while others are more regularly involved in the business and are making a big difference to its future success.

I use solicitor consultants with particular specialisms, so when their skills are needed by a client’s matter, they either support me in the background, or they work directly with the client depending on the project. One of the biggest upsides to this new way of working is the amount of my time it has freed up now I no longer need to go into an office every day.

At long last I’ve managed to finish a project I had been trying to get done for years. I’ve created the Legally Branded Academy Online course which my separate business Azrights International will be providing shortly.

Growing Azrights Solicitors

I’ve still got plenty of ambition. Let’s see if I can grow the Azrights Solicitors business in a different way to how I approached it in the past.

I still firmly believe you need the right team around you as that’s crucial to success. However, hopefully now that I have structured the business to suit remote working, and have created online courses so we can provide a more complete suite of products and services, Azrights Solicitors will be able to attract that rare entrepreneurial solicitor to help drive the business forward. They could ultimately recruit a team and get a physical office space too.

For me personally the changes in the business these past 18 months have been the best thing I could have done. The business hasn’t suffered, although it hasn’t grown either. I’ve had time to develop an online course at Azrights International Ltd which had always been the missing link in our IP offerings.

Everything I’ve learnt about entrepreneurship tells me that the mindset and attitude of the business owner is crucial to success. So, now that I’ve taken care of my own needs, let’s see if the firm can attract that rare solicitor who will be able to help me grow the business and drive it forward. Of course, if you know anyone who might be interested in the challenge, or if you’re interested then email me at [email protected]

GDPR Marketing – Consent vs Legitimate Interest

In my Quick GDPR Compliance Plan yesterday I suggested GDPR presents an opportunity for businesses to sharpen their approach towards marketing by being more strategic. So, what should you specifically do to be able to use the contact details in your database for marketing purposes?

Marketing under the GDPR (whether postal, phone, email, SMS or any other form of marketing) is regulated like any other data processing activity.  So, you must show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based.  In fact, it generally won’t be.

This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.

What about the E Privacy Directive?

However, as well as GDPR we need to take account of the Privacy Electronic Communications Regulations (known as the E Privacy Directive or PECR).

PECR covers electronic communications such as phone, fax, email and SMS. It requires opt-in consent for email and SMS marketing unless an individual’s contact details were collected in the context of a sale or negotiations for a sale (prospects).  The other exception is if you are marketing to corporate subscribers (here the problem is that it’s difficult to exclude partnerships and sole traders who do not constitute corporates).

For these cases it is possible to send marketing communications by providing an unsubscribe link. And phone direct marketing is also generally possible on the basis of opt-out provided the call list is first screened against the relevant country’s national do-not-call registry. Here is a useful guidance note provided by the ICO recently.

Two weeks to go

If you’re coming at this a couple of weeks before 25 May, you’ll likely want to know what you need to do to be able to continue communicating with your contacts. Specifically, what should you do to be able to use the email addresses you have in your database for marketing purposes?

Given the shortage of time available now, the question is to what extent you may use legitimate interest to continue to market to your contacts. That still entails sending an email to ask for an opt in but once you’ve done so you are unlikely to get many opt ins, so it comes down to analysing your database to understand who you may continue to market to.

Have you been doing any emailing?

So much depends on what you have been doing with the email addresses you’ve collected. How good are your systems in terms of recording permissions and background information?

For example, if you use Mailchimp and have been sending out emails, you will know who has been engaging with your emails and who has not even opened them. So, if you have records of that nature available to you it’s possible to separate your list of engaged contacts from your list of unengaged contacts. That will improve deliverability of your email to your engaged contacts.

That sort of data ultimately helps you to narrow down the number of names and email addresses you need to sift through manually when deciding which individuals you may legitimately market to even if they don’t opt in when you send your email requesting an opt in.

Improving the quality of your data

I’ve spent a good part of the last 2 years sorting out our CRM records to more accurately identify the different category of contact in our systems. We moved systems a few times over the last few years, including from Infusionsoft to Microsoft Dynamics 18 months ago. This resulted in some messing up of our data.  So, if you’re starting off from a point where you haven’t had time to organise your database it would be very difficult to do anything else but seek consent from the entire list of contacts and then sift through your database to identify those names to remove and those to retain.

Therefore, whatever email or series of emails you may decide to send out to get opt ins, it will be necessary to review your records afterwards to pick out names of customers who have bought from you and prospects or others whose consent you will not need.

For any business card contacts whose names you added to your database with their knowledge and approval, you would need to take a view on whether to continue to send emails to them.

I imagine that you will want to set yourself up properly moving forwards so that you collect emails in the right way, with relevant permissions duly recorded. Certainly, for me GDPR brought marketing lists and email marketing to the fore in a way that PECR had not.

If you want to market effectively, and be in compliance with GDPR and PECR, you have to have some sort of strategy about what emails you will be sending people moving forwards. This becomes especially relevant for web forms.

Web forms

To avoid the need for opt in tick boxes on your web form, you could comply with GDPR and PECR by including your newsletter as part of the offer. For example, if I’m offering a useful ebook on IP, I might say something like “Complete the form to receive our 7 Mistakes ebook and our monthly newsletter.” If people don’t want the newsletter they can opt out at the earliest opportunity, but at least you don’t need to add tick boxes and go to extensive trouble if the whole reason for offering the ebook was to get an interested subscriber to whom you could send marketing communications.

This works if you know you will want to add everyone to one master list. It may not be transparent enough where you also want to send a sequence of emails relating to that ebook. If you do, then you would need to make this clear, or ask for further permissions in the email delivering the ebook.

Double opt in

Although not required by GDPR I recommend use of double opt in for delivering ebooks.

GDPR has given added reason to use this delivery mechanism. For one thing you can ensure it is a proper email address that the subscriber has provided. Secondly, you have more of an opportunity to get an opt in to something else if you send your request in the email delivering the valuable ebook because the email will be sitting in the subscriber’s emails whereas an opt in box is only fleetingly seen and may not be ticked.

Certainly, you should do some deep thinking about your future plans and objectives. If all you’re wanting is to know that you can send your sequence of emails relevant to that download, then as long as you make it clear in the invitation to sign up to that download that it includes your regular sequence of emails, you will have all the consents you need. So this should be one reason not to just collect email addresses without first having a clear overall plan.

If you don’t make it clear in the web page offer that you’ll be sending newsletters or other emails, or if you want to share data with third parties then you must have an opt in box on your web form.

I can’t stress enough how important it is that you properly understand the reasons for collecting email addresses, and whether you need to add opt in boxes.

If you would like help to comply with GDPR either now or after 25 May to review your marketing or other set ups, then do get in touch. We’d love to help.




Quick GDPR Compliance Plan.

In Why GDPR? I explained what the General Data Protection Regulations are aiming to achieve, because understanding their underlying principles and rationale is key to protecting data appropriately in the new regulatory environment.

The principle of fairness and transparency runs through every aspect of data handling. We need to reconsider our approach so as to only collect as much information as we need to perform the service we’re delivering; ensure data is kept appropriately secure; that it is held no longer than necessary for the purposes for which it was collected; and we must ensure the data is accurate.

One simple way to deal with data accuracy is to organise a way for your contacts to have sight of the basic contact and marketing details you hold on them so they may update the details directly themselves.

While the transition to the new regime involves a substantial effort for many small businesses who are time poor, it will ultimately help us all to run better businesses with appropriate safeguards in place to protect others’ data.

However, given we now have about 2 weeks to go till 25 May, what should you be doing to work towards GDPR compliance? In an ideal world we would have all used the last 2 years to prepare for GDPR, but few small businesses were aware of GDPR until recently, so here are some steps you might want to take if you’ve only just decided to take action.

Data Audit

The starting point is to identify what type of personal data you hold, where you hold it, and why. Who has access to it? This is a major exercise but if you’ve got limited time in which to do it, focus on the big picture. Most businesses will have customers who have bought from them, prospective clients who have made enquiries, and a mixed bag of other contacts such as business card and other contacts.

A second category of contacts whose personal details you hold will be past and present employees and freelancers, and also past job candidates.

There will also possibly be a number of suppliers of services – call answering providers, external agencies you might use for web development and so on.

Once you’ve taken stock and done your mini audit you should have a better understanding of the information you’re holding about your clients, prospects, business card contacts, employees, contractors, suppliers and so on. In the process you will begin to notice who has access to your subscribers’ data. Depending on the nature of your business, it may be useful to look at your password lists to remind you of apps you use.

Keep records of your audit in the form of spreadsheets and a journal. You’ll be ready to draft your privacy notice as soon as you’ve decided the legal bases on which you hold the different types of data. Your old privacy policy is unlikely to be suitable, so make sure you get access to a new style privacy notice, such as our GDPR templates.


It’s a fundamental principle of any outcome focused regulation that we should be able to demonstrate the reasons for our decisions. So, having a system in place where you can document your reasons is key. If the Information Commissioner’s Office ever needs to look into your business they will ask to see the audit records, and will expect you to have a spreadsheet ready to explain your processing activities.

If you’re doing a rushed audit to get your privacy notice sorted quickly do plan in some time in the coming months to go back over the audit to update it. Compliance isn’t a one off event for anyone.

If you process sensitive data such as about people’s racial or ethnic origins, political opinions, religious or philosophical beliefs, data concerning health or a person’s sex life or sexual orientation do you need to obtain explicit consent?  What will you do about past data and for the future? They involve different issues. Think it through, and document your situation, and if you need guidance, get proper legal help.

Data Protection Officer?

You will also need to make some incidental decisions such as whether your business is required to appoint a Data Protection Officer and to do a Data Protection Impact Assessment.  As a general rule, if you’re a small business and you’re not doing any profiling or processing of data on a large scale it’s unlikely you’ll need either of these.

However, as businesses are so different in terms of their size and processing activities, and the rules are still changing, even now, I suggest you look on the ICO’s website to decide whether you need to appoint a Data Protection Officer or to do a Privacy Impact Assessment, and then document your decision.

As already mentioned, before you can draft your privacy notice, an important decision you need to make is the lawful grounds for each of the processing activities you have identified. For most businesses the choice will be between

  • consent;
  • performance of contract;
  • legal obligation to which the controller is subject;
  • legitimate interests.

If you decide that you have a legitimate interest to continue to email your list of contacts, document your reasons for this. That way you will have an audit trail to remind you why you took the decisions you took, months after the event when memories will have faded.

Once you’ve done all this you should decide what steps you will have to take to comply with GDPR and put in place a prioritisation plan. It’s highly unlikely that you will be able to do everything in one go, so you’ll need to decide how to focus your available resources.

Processor Agreements

Particularly noteworthy for GDPR compliance is the need to get processor contracts in place with non-employees or other third parties who process data that you’re responsible for as “controller”. The GDPR rules require you to have a written agreement with your third party processors (for example, payroll provider, freelancers, software providers, as well as apps you may be using). The terms that must be included in the agreement are prescribed.  Make a list of all the individuals and sites you use, and plan from there.

There will be some processors who need to sign your processor agreements more urgently than others depending on the data to which they have access and where they’re located. Get a few contracts ready to send out for signature.

If your processors are based in countries outside the EEA then you have additional obligations, such as to find out whether the country they’re located in has an adequacy finding. Only a dozen or so countries are considered adequate and the USA isn’t one of them. So, for US entities like Mailchimp, you’ll need to find out if the organisation is certified under the Privacy Shield and add this information to your Privacy Notice. If you cannot find any other basis then introduce a contract using the Model Clauses provided by the EU.

While in theory you can introduce a contract and continue your current data transfer activities, the GDPR principles should prompt you to rethink your current practices.

Freelance Resources

For example, using a one man band freelancer in India who has access to your entire database of contacts might be a questionable decision. You may want to reconsider whether you can really justify continuing to give access to so much data to someone based in an inadequate jurisdiction. However, if you’re committed to using that resource for now then put in place the Model Clauses and make a note to revisit this decision in the near future.

Using these documents with a freelancer who is not worth suing is arguably not an appropriate safeguard long term. So, you should reconsider your resourcing policy to gradually change the nature of the responsibilities you outsource to jurisdictions outside the EEA.

Certainly if you’re choosing new freelancers this might be an ideal opportunity to use one within the EEA.

For some businesses this use of freelancers or cloud technologies may present the biggest risk. See my blog post 3 Steps Every Business Will Need To Take To Comply With GDPR 

If you use an appropriate provider for your templates you should be able to get a decent privacy notice in place to send to your freelancers and employees, and another one to post on your website. Then send an email to your subscribers to notify them of your new privacy notice and if you get a chance, give them a way to update their marketing preferences.

As for cookies, we use this neat solution for cookies on our website. There are a few cookie issues which I need to consider more deeply for our site, and so this is something I will be revisiting, and I’ve made an appropriate note in our risk management policy about it.

In conclusion, while there is a lot to do to comply with GDPR, it is possible to begin working towards compliance even now at this late stage. If you’ve not yet addressed these GDPR issues in your business and want help, Azrights is there to support you.

In my final blog post GDPR Marketing – Consent vs Legitimate Interest I’ll be covering marketing and how to set your strategy for the future so you can build your marketing lists in a GDPR compliant way. It’s a real opportunity for your business to sharpen its approach to marketing.


In yesterday’s post What Not To Do When It Comes To GDPR I outlined the confusion that the GDPR laws have spawned.  Understanding why the GDPR rules were introduced, and what they are aiming to achieve will help in complying with them.

GDPR is the first wholescale attempt to tackle the many privacy issues and risks that arise from the processing powers of modern technologies and the internet.  Protecting people’s personal data is a fundamental human right and is enshrined in the law.

As business owners with access to other people’s information we have responsibilities to support those rights. The old data protection laws were introduced at a time when the world was a very different place. They pre-dated the internet. Google had only just been founded and it was another 7 years before the iPhone was released.

GDPR addresses a new world where social media, cloud technologies, and apps often require access to our location, images, emails and other personal information. All of this means that behind the scenes our “personal data” is being processed and is forming part of massive, and ever-growing datasets. This in turn has led to the development of other technologies with names like big data and artificial intelligence (AI), which have major implications for data protection law.

The new technologies provide such extensive abilities for businesses to profile us and use data about us in ways we may not even be able to imagine, that if things continued unchecked by legislation our privacy would be seriously endangered. It’s worth watching the Black Mirror TV films to realise how important privacy is. It shouldn’t be taken for granted.

 Terms and Conditions

It’s true that nobody reads terms and conditions when they want to use a new app or useful tool. The upshot is that we tend to agree to all sorts of conditions without even being aware what we’ve signed up for. However, that’s not because we don’t care about our data. It’s because we assume there is no alternative. The reason we don’t read terms before we give consent to use of our information is that we often don’t have time, and want to avail ourselves of the services and tools on offer.

The GDPR regulations are designed to ultimately enable us to get access to products and services without giving away so much of our data. GDPR changes the existing scenario by ensuring we become better informed about the implications on the one hand, and are given real choices on the other.

For example, the regulations impose requirements on tech companies to educate us and to design their platforms with privacy considerations in mind. This means a “take it or leave it” stance to accessing our information in return for letting us use an app is unlikely to be the prevailing attitude of future apps.

The legislation has teeth. There are eye watering fines for companies that ignore GDPR, which will have even the richest of them pay attention. All of us need to minimise the data we collect to what is really needed.

I’ve sometimes wondered whether some ecommerce sites really need to take my date of birth when all I’m doing is buying an item of clothing and paying by credit card or PayPal. Why ask for my date of birth during the registration process? I used to abandon my shopping if a site asked for my date of birth, but then as more and more of them did so, I reluctantly gave them this information. But it didn’t mean I was happy to share this data.

GDPR discourages taking more information than necessary for the product or service to be delivered. By reducing the information we must give when signing up with a new provider we will be able to minimise the quantity of data that is collected about us.  Data minimisation is an important GDPR principle.

GDPR Will Be Even More Important After 25 May

GDPR is no Y2000 or deadline driven momentum which will go away once we pass 25 May. Far from it.

It’s worth mentioning here that the UK is firmly committed to complying with GDPR long term so Brexit will not affect the applicability of GDPR to UK businesses. Even organisations outside the EEA are realising the implications GDPR has on them (because they process EU individuals’ personal data) so they’re busy making changes to their platforms to avoid being locked out of the EU market. They have little choice but to comply with the EU’s GDPR laws and nor have you.

Although there are powers to impose hefty fines and administrative penalties, the ICO has been at pains to let it be known that fines are not going to be their first line of attack. Instead they want to encourage and educate so that all businesses become aware of the new laws and implement necessary changes.

Work Towards Compliance Now

Still, that doesn’t mean the ICO’s tolerant stance is condoning those businesses that are taking no action, and simply ignoring compliance with GDPR.

Coming to the attention of the regulator is never desirable, as it could take up time and resources you may not have, and end up costing you a lot more money as a result. Far easier to take stock now and deal with it, and get peace of mind that you’re on your way to complying with GDPR.  What’s the point of delaying?

25 May will be just the beginning of a sea change in the way businesses manage and process data. GDPR is designed to make us all far more responsible and thoughtful about the data we hold. There will be a gradual cultural shift such as occurred with stop smoking campaigns, or seat belt wearing, or not drinking and driving. Our children and grandchildren will become savvy about their data, and will use the available controls to protect their data and minimise what they give access to.

GDPR Is Overwhelming

I’m not going to try to minimise it and tell you that complying with GDPR will be simple. The truth is that GDPR is all encompassing, impacting so many different areas of a business that it can be quite overwhelming for businesses. Business owners are already time poor and stretched thin. Taking on the onerous obligations of GDPR on top of managing a business is no mean feat. However, it is a legal requirement to comply. Also, it does present a chance to run a better business.

I’m confident that businesses that adopt the right approach and tackle GDPR by putting in place the right systems and procedures will improve their businesses in the process. They will also find it easier to work towards compliance on an ongoing basis ensuring that GDPR principles become second nature to them.

So, I would urge you to take the plunge and embrace GDPR, as you do so many other areas of your business. Begin to understand your obligations so you can put in place the steps to take responsibility for the data you’re handling.

Once you’ve set your strategy, including for matters like marketing, and drafted your GDPR compliant Privacy Notice you’ll need to send it to your clients and subscribers and add it to your website.  Your data subjects have the right to know how you collect and process their personal data, for what purposes you use their data, the legal grounds of processing such data, and how you keep their data secure, as well as their rights in relation to such data.  That’s what the new style Privacy Notice details.

In tomorrow’s blog Quick GDPR Compliance Plan we’ll look at tactical steps to complying with GDPR.

GDPR And What Not To Do

Every organisation is affected by Europe’s new General Data Protection Regulation or GDPR as it’s known.  I’m sure you’ve heard plenty about it.

GDPR represents one of the biggest shake ups in the privacy and data protection laws since the internet.  The recent Cambridge Analytica and Facebook incident involving misuse of hundreds of Facebook profiles has only added to the significance of GDPR.

GDPR is a complex piece of legislation which applies to every business whatever its size. If you have names, phone numbers, email addresses of customers, prospects, employees or suppliers, then GDPR affects you.

GDPR looks set to become one of the most substantial pieces of legislation that businesses of every size will have to tackle. Companies that had previously regarded non-compliance with data protection laws as low risk are beginning to re-evaluate their positions in the light of the substantial new fines, increased enforcement powers and grounds for judicial remedies that exist under the GDPR.

Chaos And Myths

So, there is chaos currently as myths have come about to the effect that after 25 May you cannot communicate any more with customers, or leads who came on board before 25 May.  Some businesses sending out these emails have no clear idea why they are sending them. It’s sometimes a knee jerk reaction, and therefore ill thought through. They risk having to stop communicating with many of their existing lists, and past subscribers.

You don’t have to do that. However, there are certain processes you do need to put in place and decisions you need to make as a business owner to allow you to continue communicating with your subscribers.

GDPR isn’t the simplest of laws. There are numerous regulations that come under the GDPR umbrella. There are grey areas and until there is a body of case law, it’s not completely clear how certain aspects of the law will be interpreted. The key point is that you don’t have to send one of these emails telling your customers that you won’t be communicating with them anymore. There are strategies you can adopt to avoid being one of those businesses sending out these emails which are clogging up people’s inboxes.

Opt In Forms?

And if you capture data on a website by offering useful information, or letting site visitors request a call back or information, GDPR covers this too and there are a series of steps you need to take as a business to know how to carry on doing that. There are some myths that have built up around this too. You don’t necessarily need to add tick boxes. You can comply without one, and if you do add one you need to make sure you understand why you’re adding one. Otherwise, you could still end up non compliant despite paying web developers to add them. Depending on the form and what you want to achieve you may be able to avoid adding a tick box by changing the terms of your offers. I talk about that later in this series of 4 training blogs.

Compliance with GDPR involves a number of steps, including putting in place documents to be able to show your compliance should the Information Commissioner’s Office (ICO) need to investigate you for any reason. These are the key points to be aware of.

This mini training tells you what you need to know to work towards GDPR compliance. Whether you do this in time to meet the deadline of 25 May 2018, or come to it later after the deadline has passed, as many will, it’s important to realise that compliance with GDPR is not optional, just as operating PAYE, or other legal obligations are not optional. Nor is it something you do once and then forget about.

The Right Steps To Comply

Better to take some steps, albeit imperfect ones, than to take none at all towards compliance.  But make sure they’re the right steps. Avoid taking quick decisions to send ill-considered emails asking for consent or to add tick boxes to your web forms. First make sure you have adequate information and legal guidance to properly assess the situation you face.  Then decide what steps to take to address the different categories of data you currently hold. The aim is to preserve your ability to communicate with your people.

And nothing in the regulations requires you to delete data in a hurry. If you conclude that you cannot market to a list of people, you do not need to remove them from your system before 25 May.

Future Proofing

In terms of how to deal with collection of email addresses in future, make sure you are clear about what you want to achieve. Then properly understand what you need to do to be compliant. For example, what will you do when you go out networking and collect business cards? What changes will you make to existing forms on your website? It will vary depending on the form in question. What changes do you need to introduce? Then proceed to organise changes once you have an overall plan. Don’t do things in a piecemeal fashion.

I will say this. You may not need to engage your web developers to add opt in and opt out boxes on your forms. Before you proceed with development work take stock and set an appropriate strategy and document your decision.  In the Marketing element of this training I’ve got some ideas for you on how you might address this but first it’s important to understand what these GDPR laws are aiming to achieve, as you’ll be better placed to implement your compliance plan.

The next blog in this series is Why GDPR?


Your GDPR To Do List

Back in 1987 when I joined Reuters as a relatively junior lawyer, one of my first assignments was to audit the company’s data processing activities. I spent a few months visiting senior managers’ offices around Reuters to explain the new laws in a bid to understand the data each section was collecting and storing. I would tick off various charts in the process. I no longer remember what else I did to ensure Reuters would be compliant with the Data Protection Act 1984, but it was a simple exercise compared to GDPR.

In those days there was no internet so the landscape was far less complicated than it is today even though Reuters was a large tech company. The widespread use of cloud computing and dedicated apps for functions like accounting, marketing, time recording and more had yet to develop.

Since founding Azrights there have been some data protection projects involving data breaches or creation of new databases. Often these gave rise to  legal questions such as whether IP addresses, or particular postcodes were personal data, and what is involved to anonymise data in order to exploit it. However, apart from these rare instances, by and large data protection has been of low interest to clients whose main priority was to obtain documentation for their websites.

Fast forward to today, and GDPR looks set to become one of the most substantial pieces of legislation that businesses of every size will have to tackle. Companies that had previously regarded non-compliance with EU data protection law as low risk are beginning to re-evaluate their positions in the light of the substantial new fines, increased enforcement powers and grounds for judicial remedies that exist under the GDPR.

Cambridge Analytica

The recent events surrounding Cambridge Analytica and Facebook’s subsequent actions have only added to the significance of GDPR. I touched on this in a recent blog 3 Steps Every Business Needs To Take To Comply With GDPR Apart From Email Marketing.

There are many facets to GDPR, one of which is the ban on the transfer of data outside the EU. This will impact the widespread practice of using freelancers located in low cost countries like India, or the Philippines for various business functions.  It’s worth mentioning here that the UK is firmly committed to complying with GDPR long term so Brexit will not affect the applicability of GDPR to UK businesses.

What Transferring Data Outside the EEA Means

Transfers of data outside the EEA are only permitted in limited situations, such as where the recipient country ensures ‘adequate’ protection for data subjects and their personal data. It’s important to note that “transfer of personal data” doesn’t just mean the sending of personal data in the form of paper documents or emails from one country to another. Many of us are routinely transferring data outside the EEA when we:

  • Communicate personal data by telephone, email, fax, letter, through a web tool or in person to countries outside the EEA;
  • Use IT systems or data feeds leading to personal data being stored on databases hosted outside the EEA;
  • Use freelancers or companies located outside the EEA who can access or “see” our personal data held in the EEA; and
  • Outsource, offshore, use cloud computing, or third party apps located outside the EEA for various business functions.

The online world is borderless, while the GDPR laws have clear boundaries. This means we either need to find a justifiable basis for continuing our existing data transfer activities or change our practices.

The GDPR imposes substantial and onerous new obligations on all of us. Because it impacts so many routine business functions that need to be reassessed nobody can ignore it. Some of the rules under GDPR are less onerous for small businesses, but it doesn’t exempt anyone, not even micro businesses. Many  organisations outside the EEA are realising the implications GDPR has on them (because they process EU individuals’ personal data) so they are busy making changes to their platforms in order to avoid being locked out of the EU market. They have little choice but to comply with the EU’s GDPR laws.

Although there are powers to impose hefty fines and administrative penalties, the ICO has been at pains to let it be known that fines are not going to be their first line of attack. Instead they want to encourage and educate so that all businesses become aware of the new laws and implement necessary changes.

Implementing GDPR is time consuming, wide ranging, and even overwhelming. The more you do, the more you realise there is to be done. So, don’t delay.  I would recommend reviewing the ICO’s resources, and if you want help, then Azrights is here to support you.

One benefit of using my guidance on GDPR is that I have a few grey hairs, and have a commercial approach to risk management. Many decisions involved in applying the GDPR regulations are not black and white. Until a body of case law develops to interpret the different aspects of the regulations, you need to make a judgment call as to how to apply the new laws to your business, what to prioritise and focus on, and how strict to be when implementing the different rules. If you want a lawyer who will help you to make sound choices I’m well placed to support you.

If you’ve not already done so, do opt in to our GDPR updates on how to comply with GDPR.

Blogs and Intellectual Property Rights – Don’t Just Blog It, Protect It

These days, any of us can be a blogger. All you need is somewhere to post your content, and an interesting angle on life – be it sports, politics, travel, food, music, you name it – you can blog your perspective on it. What’s more, you can attract a worldwide audience of thousands or even millions.

However, as well as a web presence and a flair for writing, you should also develop an awareness of intellectual property (“IP” for short) and its impact on your blogging activities.

IP is essentially about protecting our intellectual creations, and that includes of course our blog entries. But whatever A has protected, B may infringe. So, when we consider blogging and IP, you need to look in both directions: how can you, as a blogger, protect your IP and also, how can you ensure that your blog does not infringe the IP of others? Here today we look at “A”  – what you have protected. In next week’s blog, we look at “B” –  avoiding infringing what someone else has created or protected.

While IP embraces a bundle of different rights, in this blog we are going to briefly look at the two most important rights for bloggers: trade marks and copyright.

It really is amazing that some bloggers enjoy a huge reputation online and yet they have never protected their blog identity by means of trade mark registration. For example, it seems that Turner Barr – about whom I say a little below – of “Around the World in 80 Jobs” fame, did not file a trade mark application until after he had settled what is probably one of the most high-profile IP blog disputes to date. It’s an unfortunate fact of life that many people take IP for granted until some issue crops up, and then they really value their IP and wish they had better protected it at the outset.

Blogs Are Global – Trade Marks Are National

Blogs, being online, are global in nature. They don’t respect national borders which can make trade mark protection, which is generally national in nature, potentially complex. However, it’s advisable to file to register your blog name and blog identity as trade marks at least in your home country. In trade mark law there is something known as the “priority filing system”  which enables you to apply to register your trade mark elsewhere in the world within 6 months of your initial home filing and maintain the original filing date.

Let’s turn to copyright. Copyright arises automatically as soon as your writings, photos, music or other creations are fixed in a recorded form. For example, as soon as you save your blog entry on your computer, it is protected by copyright as a literary work. Similarly, as soon as you take a photograph on your mobile phone, it too can be protected as an artistic work.

As for your blog content – such as your blog entries, photographs, music etc– it’s advisable to always keep a dated record (for example, in your computer files) in case you should ever need to prove that you created the work, and on what date you did so.

It’s a good idea too to use the copyright symbol –  © – alongside your creations, such as your photographs. Use of the © symbol is generally not obligatory but it gives notice to the world that the material is protected by copyright and Courts will often proceed on the assumption that it is protected by copyright.

Although Internet Service Providers (ISPs) are not liable if another person takes your blog material and posts it elsewhere online, you still have options. For example, if the infringer refuses to take-down the lifted material, you may be able to achieve that result by filing a take-down notice with the website provider. Social media companies such as Facebook have well-established take-down procedures by which they will remove infringing content on proof that it infringes your IP rights, including your trade marks and copyright.

Turner Barr

So what about Turner Barr mentioned earlier? Turner created a highly-successful blog called “Around the World in 80 Jobs” which recounted his experiences as a young millennial in obtaining sometimes strange and wonderful jobs around the globe but which also provided information and advice to young people about gaining employment. In 2013, Swiss employment company Adecco produced their own version of his blog, and they filed trade mark applications in various countries for “Around the World in 80 Jobs”. Happily, all’s well that ends well. After a sustained campaign on social media, Adecco agreed to drop its version of “Around the World in 80 Jobs”, and withdrew its trade mark filings.

If this pressure from social media hadn’t happened, then it would not have been at all straightforward for Turner. The right approach is to always file to protect your blog presence as a trade mark before disputes arise such as Turner’s with Adecco.

So, in conclusion, if you blog you have IP. Make sure both to protect your blog IP, and avoid infringing the IP of others. In the next video, we will have a look at some of the issues surrounding use of the material of other people in your blog and how to avoid common mistakes.


3 Steps Every Business Needs To Take To Comply With GDPR - Apart From Email Marketing


GDPR is all about introducing greater transparency, increased accountability and enhanced privacy rights for all of us. For example, we can manage our permissions to tech platforms as a result of being notified about the data they hold and collect on us. These new rights are necessary in a world where the likes of Google collect the most mind boggling information.

The fact that GDPR requires tech companies to design their platforms with privacy built in, means a “take it or leave it” stance will no longer be the prevailing approach. The legislation has teeth. For example, there are eye watering fines for companies that ignore the regulations, which will have even the richest of them pay attention.

So, I think GDPR will introduce a sea change into the handling of data as is apparent from the changes introduced by Facebook following the recent Cambridge Analytica revelations.

Complying with GDPR

GDPR is all encompassing, impacting so many different areas of a business. So, it can be overwhelming.

A good place to start if you’re a small business wanting to understand your obligations under GDPR is the ICO’s site. There are plenty of resources provided to help you to comply, although I suspect the majority of small businesses will ultimately need help because it’s one thing to know about GDPR, but it’s quite another to know what to focus on when attempting to comply with the new laws given that there is so much to do.

There are certain actions that every business should be taking immediately to reduce GDPR risks. And that’s not the much publicised question whether or not to ask for consent to market to your lists which I previously wrote about on this blog GDPR – Why Consent Should Be Used As A Last Resort. Sadly too many advisers out there are still telling businesses that obtaining specific consent for everything is the way to go, which will place huge administrative burdens on those businesses that follow such blanket advice.

3 Steps

There are 3 steps every business should be taking in the light of the GDPR changes, that many businesses may be missing given the spotlight on email marketing. That is, to consider the data they hold in the cloud and take simple basic measures, such as:

  1. Use strong passwords. If employees, virtual assistants, or contractors (such as your website development company) have access to your data, then are they using strong passwords so as to keep your data safe?  They could easily compromise your security by their actions.
  2. You should introduce clauses and contracts with your freelancers, and contractors. Explain the impact of GDPR. Are they using laptops with encryption? Do they know not to log into your sites in internet cafés? Are they always logging off when they leave their computers unattended? These basics are essential. You are responsible for educating your workers, contractors and other team members about GDPR and the actions they need to take so they don’t compromise security of your data or otherwise cause you to be in breach.
  3. You want to let contractors such as your digital marketing agency, virtual assistance service, or web developers know that using outsourced staff and giving others access to your site without your knowledge is not permitted without your specific consent. These entities are processors of your data. They should not be appointing sub processors without your knowledge. You need to know if your agency is giving access to your data to a third party. Otherwise, what is the point of your doing  due diligence checks when taking on an agency, only for them to engage a temporary helper (possibly using a less rigorous vetting exercise than you employ) to assist them when providing their services to you?

If you’ve not yet addressed these GDPR issues in your business then don’t delay as they are, in my view, one of the greatest security risks small businesses face.

If, on the other hand, you are an agency using outsourced team members to deliver services such as website design, form building, online questionnaire development, search engine optimisation, Facebook or Google advertising, and the like, then your business model may need some adjusting. You should be thinking about what your clients will need from you, and pre-empting their concerns.


With just over a month to go, and many contracts and steps to take immediately, you can’t afford to leave it any longer. While it’s unlikely you will face fines for failing to address every aspect of GDPR, doing nothing is not a sensible option. Come 25 May, your website will be a telltale sign if you’ve not taken any steps to comply with GDPR.

We have various service options to help clients, ranging from access to templates and clauses, to providing some consultancy, or taking care of the entire process for you. Get in touch if you would like a quote or have any questions.


How Agencies Can Protect Their Clients When Branding And New Identity Creation

While every agency understands how to use the creative process to create a brand name, few understand the legal implications of choosing one name over another.

Turning an idea into a business involves creating intangible elements like names. As these are governed by the law of intellectual property it means you are creating intellectual property.

Specifically, trade mark law protects names, and so one implication is that you need to choose a name that meets the requirements of the law.

To fully understand the impact of getting this right on both the agency and client side, it is worth reflecting on what value a brand brings to a business.

Value of a brand

A brand name is one of the most valuable assets a business will have.

According to Forbes, the most valuable brand name in the world in 2017 was APPLE. It was worth $170 billion. GOOGLE takes second place, at $101 billion and MICROSOFT in third place, at $87 billion. Three words – APPLE, GOOGLE, MICROSOFT together are worth about $360 billion.

Just think about that for a moment. The world’s top three brands are worth many times the average country’s entire GDP (or annual economic output). That’s the value of a good brand name.

Based on the value of the world’s biggest brands, a good brand name needs to be:

•    easy to pronounce and spell

•    one that works internationally

•    one that copes with business expansion or change of direction.

•    one that is legally available

The final point is most important here.

The trade mark registers are cluttered, and the best .com domains are often already taken. Therefore, choosing a name invariably involves doing some due diligence.

An agency tasked with creating a name should really put forward a shortlist of 3-6 names for full legal clearance if the client is to stand a chance of finding one name that it may use.

Getting this wrong may not just mean the trade mark application is thrown out. The client may find itself on the wrong end of an enforcement action by another business whose trade mark is being infringed.

A name that infringes on someone else’s mark leaves the client with little choice but to rebrand. Some clients might sue an agency that created the identity for them, or require a free rebrand. Quite apart from the reputational damage for the agency, a name that the client can’t use would prove as problematic for the agency as it would for the client.

Not only is it worth getting this right to protect your agency, it also offers you an opportunity to deliver certainty and differentiation from other agencies who are less aware of the consequences.

An agency’s responsibility when creating a brand identity

When a client engages the services of a branding agency to create an identity, that agency is an adviser, and as such, is expected to understand the surrounding law.

While the agency might tell a client that certain actions that are required to clear a name for use should be undertaken by lawyers, it’s not possible to completely absolve itself of responsibility simply because some of the work involved in clearing a name is done by lawyers.

There are two levels of checks for brand names that should be undertaken:

1)     Basic preliminary checks – often these do not require a lawyer and can be done through simple searches

2)     Full clearance searching – in most cases done by lawyers

I’m of the view that while lawyers are always best placed to undertake full clearance and this is clearly the responsibility of the client, basic preliminary checks can and should be performed by the agency as part of the process of developing names.

This seems not to be the prevailing view.

One designer recently said to me that she does not believe she is responsible if a client of hers has problems with a name she selected for the client and the client decided not to register the name as a trade mark. According to this designer, if the client chooses not to trade mark the name then it’s the client’s fault if it later transpires there are problems with the name.

Quite apart from the fact that registering a name as a trade mark in no way helps if the name is not available to use, I have deep problems with this view. Protecting a name isn’t just about registering it as a trade mark. It’s more about checking that the name may be safely claimed.

If an agency is entrusted with creating a new brand identity, it’s reasonable for the client to expect that you will offer up names they have a fighting chance of using. This means doing some of the trade mark searches yourself, albeit leaving the full clearance searching to the lawyers.

While specialist full clearance searches might be left to the client to arrange with its own lawyers, any business choosing a new name for its clients does have a responsibility to ensure the name is legally available.

Understanding the legal requirements is essential if the selected name is to stand up to legal scrutiny. There are a number of searches that agencies should and could perform on a name – beyond a simple Google or .com search, which is often all that is done. If you provide names which don’t even stand up to the most basic legal scrutiny, what is the client paying for when it pays to have a name created?

And, importantly, how does that reflect on your agency if a problem later arises?

The client’s responsibility when protecting their brand identity

Many clients don’t ask lawyers to do full clearance searches before applying for trade mark protection simply because they don’t realise this is an essential step in the process, rather than an optional step.

As clients frequently choose to not do further searches on names (possibly because they have spent all their available budget on the brand identity work), it’s even more important for branding agencies to do “good enough” checks of names before proposing them to clients. Otherwise, what’s the point of branding a name the client can’t own? It would be building their business on a foundation of sand.

On one occasion when we were provided with a shortlist of six names by a designer, we found that the most basic search of the trade mark registers knocked out four of the names immediately. So, effectively, the client only had two names to choose from, and they were not the first choices on the list.

I hate to think what might have happened if the client hadn’t asked us to do clearance searches on the names. It might have gone with one of the names that were infringing with all the associated problems and risks.

This is why I would urge agencies to learn how to do some basic checks of the trade mark registers whenever they are creating a new identity for their clients. Indeed, a good agency should also perform its own checks on a name the client proposes using, even if the agency didn’t choose the name.

Again, it’s important to remember you’re not protected simply by virtue of registering a trade mark.

Taking steps to protect intellectual property

The identity of any well-known brand comprises a variety of elements. Trade mark law encompasses the name, and also any taglines, slogans, logos, designs, product shapes, sounds, smells, colours, and other features that distinguish a product or service from its competitors.

Bear in mind that whenever you turn an idea into a product or service you’re also creating intellectual property assets. Copyright law is highly relevant in brand creation. Therefore, copyright and other intellectual property issues need to be top of mind in the early stages of identity creation.

However, the primary identity of any successful brand is inevitably in its name. Protecting the future value of a business involves protecting the name, and also taking account of IP as a whole.

An agency should create internal processes to ensure names are properly checked out before any short list of names is offered to the client.

There are three steps that any business should take to protect its intellectual property if it is to build value, and avoid disasters such as the need to change its identity.

Imagine having to rebrand due to problems with a name or copyright work. While this might seem unimaginable for the likes of the world’s top brands, problems around names and IP can affect even them.

For example, Microsoft had to rebrand after being ordered to do so by a UK court for infringing on a trade mark owned by British Sky Broadcasting Group (BSkyB).

“Changing the name of a product as loved as SkyDrive wasn’t easy,” Microsoft’s Ryan Gavin reportedly told a journalist.

The value and safety of your own and your client’s intellectual property is more important than ever before. Do it right and the intangible assets you create could be worth far more than the cost of producing them. Do it wrong and you could miss vital opportunities, have your true value stolen or find yourself on the wrong side of an intellectual property dispute.

To find out how to protect your own agency’s intellectual property and that of your clients register your interest to learn about IP Fundamentals including the Azrights Naming course.

