The current system of registration for UK based data controllers was replaced by the UK’s Information Commissioner’s Office (“ICO”) with effect from 25 May 2018.
From that date, or once existing registrations come up for renewal, data controllers who are not exempt will have to pay an annual data protection fee to the ICO.
Due to the way the rules are written, it is strongly recommended that you contact the ICO as soon as possible if your business is not currently registered.
Replaces Requirement to Notify
The new fee arrangements replace the requirement to ‘notify’ (or register) under the Data Protection Act 1998, in line with Recital 89 of the GDPR which suggested that Member States abolish general systems of registration.
The ICO has published a guide about the data protection fee. The fee payable depends on staff numbers and annual turnover. There are exemptions for micro businesses who don’t outsource bookkeeping or other functions.
It is noteworthy that all controllers will be regarded as belonging in the top tier band unless they tell the ICO otherwise, so this should motivate those businesses that do not have an existing data protection registration to address GDPR compliance immediately and apply to register.
What GDPR Involves
GDPR has certainly been taking up businesses’ time in terms of understanding the regulations, and taking actions to work towards compliance.
So I have put together a short mini training on GDPR which would be relevant to those who have not yet taken any steps towards compliance. There are 4 blog posts in the series:
Among other things, these give you tactical steps to put in place and explain some decisions to make as a business owner in order to work towards compliance.
If you’re unsure how to work out your strategy on issues like opt in and opt out boxes, and web forms, you may be interested to know that I’ll be releasing a marketing course as a separate module for GDPR. So to receive notification once this is available
There are more than a dozen documents you will need in order to work towards GDPR compliance. We have created a GDPR site with all the templates, where there are videos and written guidance on all this. There are FAQs, and we plan to constantly add news updates after 25 May to guide you in your compliance.
25 May is just the beginning in terms of implementing a compliance program. Most businesses will need to set aside time regularly to continue their work as there is so much to do.
In my Quick GDPR Compliance Plan yesterday I suggested GDPR presents an opportunity for businesses to sharpen their approach towards marketing by being more strategic. So, what should you specifically do to be able to use the contact details in your database for marketing purposes?
Marketing under the GDPR (whether postal, phone, email, SMS or any other form of marketing) is regulated like any other data processing activity. So, you must show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it generally won’t be.
This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.
PECR covers electronic communications such as phone, fax, email and SMS. It requires opt-in consent for email and SMS marketing unless an individual’s contact details were collected in the context of a sale or negotiations for a sale (prospects). The other exception is if you are marketing to corporate subscribers (here the problem is that it’s difficult to exclude partnerships and sole traders who do not constitute corporates).
For these cases it is possible to send marketing communications by providing an unsubscribe link. And phone direct marketing is also generally possible on the basis of opt-out provided the call list is first screened against the relevant country’s national do-not-call registry. Here is a useful guidance note provided by the ICO recently.
Two weeks to go
If you’re coming at this a couple of weeks before 25 May, you’ll likely want to know what you need to do to be able to continue communicating with your contacts. Specifically, what should you do to be able to use the email addresses you have in your database for marketing purposes?
Given the shortage of time available now, the question is to what extent you may use legitimate interest to continue to market to your contacts. That still entails sending an email to ask for an opt in but once you’ve done so you are unlikely to get many opt ins, so it comes down to analysing your database to understand who you may continue to market to.
Have you been doing any emailing?
So much depends on what you have been doing with the email addresses you’ve collected. How good are your systems in terms of recording permissions and background information?
For example, if you use Mailchimp and have been sending out emails, you will know who has been engaging with your emails and who has not even opened them. So, if you have records of that nature available to you it’s possible to separate your list of engaged contacts from your list of unengaged contacts. That will improve deliverability of your email to your engaged contacts.
That sort of data ultimately helps you to narrow down the number of names and email addresses you need to sift through manually when deciding which individuals you may legitimately market to even if they don’t opt in when you send your email requesting an opt in.
Improving the quality of your data
I’ve spent a good part of the last 2 years sorting out our CRM records to more accurately identify the different categories of contact in our systems. We moved systems a few times over the last few years, including from Infusionsoft to Microsoft Dynamics 18 months ago. This resulted in some messing up of our data. So, if you’re starting off from a point where you haven’t had time to organise your database it would be very difficult to do anything else but seek consent from the entire list of contacts and then sift through your database to identify those names to remove and those to retain.
Therefore, whatever email or series of emails you may decide to send out to get opt ins, it will be necessary to review your records afterwards to pick out names of customers who have bought from you and prospects or others whose consent you will not need.
For any business card contacts whose names you added to your database with their knowledge and approval, you would need to take a view on whether to continue to send emails to them.
I imagine that you will want to set yourself up properly moving forwards so that you collect emails in the right way, with relevant permissions duly recorded. Certainly, for me GDPR brought marketing lists and email marketing to the fore in a way that PECR had not.
If you want to market effectively, and be in compliance with GDPR and PECR, you have to have some sort of strategy about what emails you will be sending people moving forwards. This becomes especially relevant for web forms.
To avoid the need for opt in tick boxes on your web form, you could comply with GDPR and PECR by including your newsletter as part of the offer. For example, if I’m offering a useful ebook on IP, I might say something like “Complete the form to receive our 7 Mistakes ebook and our monthly newsletter.” If people don’t want the newsletter they can opt out at the earliest opportunity, but at least you don’t need to add tick boxes and go to extensive trouble if the whole reason for offering the ebook was to get an interested subscriber to whom you could send marketing communications.
This works if you know you will want to add everyone to one master list. It may not be transparent enough where you also want to send a sequence of emails relating to that ebook. If you do, then you would need to make this clear, or ask for further permissions in the email delivering the ebook.
Double opt in
Although not required by GDPR I recommend use of double opt in for delivering ebooks.
GDPR has given added reason to use this delivery mechanism. For one thing you can ensure it is a proper email address that the subscriber has provided. Secondly, you have more of an opportunity to get an opt in to something else if you send your request in the email delivering the valuable ebook because the email will be sitting in the subscriber’s emails whereas an opt in box is only fleetingly seen and may not be ticked.
Certainly, you should do some deep thinking about your future plans and objectives. If all you’re wanting is to know that you can send your sequence of emails relevant to that download then as long as you make it clear in the invitation to sign up to that download that it includes your regular sequence of emails you will have all the consents you need. So this should be one reason not to just collect email addresses without first having a clear overall plan.
If you don’t make it clear in the web page offer that you’ll be sending newsletters or other emails, or if you want to share data with third parties then you must have an opt in box on your web form.
I can’t stress enough how important it is that you properly understand the reasons for collecting email addresses, and whether you need to add opt in boxes.
If you would like help to comply with GDPR either now or after 25 May to review your marketing or other set ups, then do get in touch. We’d love to help.
In Why GDPR? I explained what the General Data Protection Regulations are aiming to achieve because understanding their underlying principles and rationale is key to protecting data appropriately in the new regulatory environment.
The principle of fairness and transparency runs through every aspect of data handling. We need to reconsider our approach so as to only collect as much information as we need to perform the service we’re delivering; ensure data is kept appropriately secure; that it is held no longer than necessary for the purposes for which it was collected; and we must ensure the data is accurate.
One simple way to deal with data accuracy is to organise a way for your contacts to have sight of the basic contact and marketing details you hold on them so they may update the details directly themselves.
While the transition to the new regime involves a substantial effort for many small businesses who are time poor, it will ultimately help us all to run better businesses with appropriate safeguards in place to protect others’ data.
However, given we now have about 2 weeks to go till 25 May, what should you be doing to work towards GDPR compliance? In an ideal world we would have all used the last 2 years to prepare for GDPR, but few small businesses were aware of GDPR until recently, so here are some steps you might want to take if you’ve only just decided to take action.
The starting point is to identify what type of personal data you hold, where you hold it, and why. Who has access to it? This is a major exercise but if you’ve got limited time in which to do it, focus on the big picture. Most businesses will have customers who have bought from them, prospective clients who have made enquiries, and a mixed bag of other contacts such as business card and other contacts.
A second category of contacts whose personal details you hold will be past and present employees and freelancers, and also past job candidates.
There will also possibly be a number of suppliers of services – call answering providers, external agencies you might use for web development and so on.
Once you’ve taken stock and done your mini audit you should have a better understanding of the information you’re holding about your clients, prospects, business card contacts, employees, contractors, suppliers and so on. In the process you will begin to notice who has access to your subscribers’ data. Depending on the nature of your business, it may be useful to look at your password lists to remind you of apps you use.
It’s a fundamental principle of any outcome focused regulation that we should be able to demonstrate the reasons for our decisions. So, having a system in place where you can document your reasons is key. If the Information Commissioner’s Office ever needs to look into your business they will ask to see the audit records, and will expect you to have a spreadsheet ready to explain your processing activities.
If you’re doing a rushed audit to get your privacy notice sorted quickly do plan in some time in the coming months to go back over the audit to update it. Compliance isn’t a one off event for anyone.
If you process sensitive data, such as data about people’s racial or ethnic origins, political opinions, religious or philosophical beliefs, or data concerning health or a person’s sex life or sexual orientation, do you need to obtain explicit consent? What will you do about past data and for the future? They involve different issues. Think it through, and document your situation, and if you need guidance, get proper legal help.
Data Protection Officer?
You will also need to make some incidental decisions such as whether your business is required to appoint a Data Protection Officer and to do a Data Protection Impact Assessment. As a general rule, if you’re a small business and you’re not doing any profiling or processing of data on a large scale it’s unlikely you’ll need either of these.
However, as businesses are so different in terms of their size and processing activities, and the rules are still changing, even now, I suggest you look on the ICO’s website to decide whether you need to appoint a Data Protection Officer or to do a Privacy Impact Assessment, and then document your decision.
As already mentioned, before you can draft your privacy notice, an important decision you need to make is the lawful grounds for each of the processing activities you have identified. For most businesses the choice will be between
performance of contract;
legal obligation to which the controller is subject;
If you decide that you have a legitimate interest to continue to email your list of contacts, document your reasons for this. That way you will have an audit trail to remind you why you took the decisions you took, months after the event when memories will have faded.
Once you’ve done all this you should decide what steps you will have to take to comply with GDPR and put in place a prioritisation plan. It’s highly unlikely that you will be able to do everything in one go, so you’ll need to decide how to focus your available resources.
Particularly noteworthy for GDPR compliance is the need to get processor contracts in place with non-employees or other third parties who process data that you’re responsible for as “controller”. The GDPR rules require you to have a written agreement with your third party processors (for example, payroll provider, freelancers, software providers, as well as apps you may be using). The terms that must be included in the agreement are prescribed. Make a list of all the individuals and sites you use, and plan from there.
There will be some processors who need to sign your processor agreements more urgently than others depending on the data to which they have access and where they’re located. Get a few contracts ready to send out for signature.
If your processors are based in countries outside the EEA then you have additional obligations, such as to find out whether the country they’re located in has an adequacy finding. Only a dozen or so countries are considered adequate and the USA isn’t one of them. So, for US entities like Mailchimp, you’ll need to find out if the organisation is certified under the Privacy Shield and add this information to your Privacy Notice. If you cannot find any other basis then introduce a contract using the Model Clauses provided by the EU.
While in theory you can introduce a contract and continue your current data transfer activities, the GDPR principles should prompt you to rethink your current practices.
For example, using a one man band freelancer in India who has access to your entire database of contacts might be a questionable decision. You may want to reconsider whether you can really justify continuing to give access to so much data to someone based in an inadequate jurisdiction. However, if you’re committed to using that resource for now then put in place the Model Clauses and make a note to revisit this decision in the near future.
Using these documents with a freelancer who is not worth suing is arguably not an appropriate safeguard long term. So, you should reconsider your resourcing policy to gradually change the nature of the responsibilities you outsource to jurisdictions outside the EEA.
Certainly if you’re choosing new freelancers this might be an ideal opportunity to use one within the EEA.
If you use an appropriate provider for your templates you should be able to get a decent privacy notice in place to send to your freelancers and employees, and another one to post on your website. Then send an email to your subscribers to notify them of your new privacy notice and if you get a chance, give them a way to update their marketing preferences.
As for cookies, we use this neat solution for cookies on our website. There are a few cookie issues which I need to consider more deeply for our site, and so this is something I will be revisiting, and I’ve made an appropriate note in our risk management policy about it.
In conclusion, while there is a lot to do to comply with GDPR, it is possible to begin working towards compliance even now at this late stage. If you’ve not yet addressed these GDPR issues in your business and want help, Azrights is there to support you.
In my final blog post GDPR Marketing – Consent vs Legitimate Interest I’ll be covering marketing and how to set your strategy for the future so you can build your marketing lists in a GDPR compliant way. It’s a real opportunity for your business to sharpen its approach to marketing.
In yesterday’s post What Not To Do When It Comes To GDPR I outlined the confusion that the GDPR laws have spawned. Understanding why the GDPR rules were introduced, and what they are aiming to achieve will help in complying with them.
GDPR is the first wholesale attempt to tackle the many privacy issues and risks that arise from the processing powers of modern technologies and the internet. Protecting people’s personal data is a fundamental human right and is enshrined in the law.
As business owners with access to other people’s information we have responsibilities to support those rights. The old data protection laws were introduced at a time when the world was a very different place. They pre-dated the internet. Google had only just been founded and it was another 7 years before the iPhone was released.
GDPR addresses a new world where social media, cloud technologies, and apps often require access to our location, images, emails and other personal information. All of this means that behind the scenes our “personal data” is being processed and is forming part of massive, and ever-growing datasets. This in turn has led to the development of other technologies with names like big data and artificial intelligence (AI), which have major implications for data protection law.
The new technologies provide such extensive abilities for businesses to profile us and use data about us in ways we may not even be able to imagine, that if things continued unchecked by legislation our privacy would be seriously endangered. It’s worth watching the Black Mirror TV films to realise how important privacy is. It shouldn’t be taken for granted.
Terms and Conditions
It’s true that nobody reads terms and conditions when they want to use a new app or useful tool. The upshot is that we tend to agree to all sorts of conditions without even being aware what we’ve signed up for. However, that’s not because we don’t care about our data. It’s because we assume there is no alternative. The reason we don’t read terms before we give consent to use of our information is that we often don’t have time, and want to avail ourselves of the services and tools on offer.
The GDPR regulations are designed to ultimately enable us to get access to products and services without giving away so much of our data. GDPR changes the existing scenario by ensuring we become better informed about the implications on the one hand, and are given real choices on the other.
For example, the regulations impose requirements on tech companies to educate us and to design their platforms with privacy considerations in mind. This means a “take it or leave it” stance to accessing our information in return for letting us use an app is unlikely to be the prevailing attitude of future apps.
The legislation has teeth. There are eye watering fines for companies that ignore GDPR, which will have even the richest of them pay attention. All of us need to minimise the data we collect to what is really needed.
I’ve sometimes wondered whether some ecommerce sites really need to take my date of birth when all I’m doing is buying an item of clothing and paying by credit card or PayPal. Why ask for my date of birth during the registration process? I used to abandon my shopping if a site asked for my date of birth, but then as more and more of them did so, I reluctantly gave them this information. But it didn’t mean I was happy to share this data.
GDPR discourages taking more information than necessary for the product or service to be delivered. By reducing the information we must give when signing up with a new provider we will be able to minimise the quantity of data that is collected about us. Data minimisation is an important GDPR principle.
GDPR Will Be Even More Important After 25 May
GDPR is no Y2000 or deadline driven momentum which will go away once we pass 25 May. Far from it.
It’s worth mentioning here that the UK is firmly committed to complying with GDPR long term so Brexit will not affect the applicability of GDPR to UK businesses. Even organisations outside the EEA are realising the implications GDPR has on them (because they process EU individuals’ personal data) so they’re busy making changes to their platforms to avoid being locked out of the EU market. They have little choice but to comply with the EU’s GDPR laws and nor have you.
Although there are powers to impose hefty fines and administrative penalties, the ICO has been at pains to let it be known that fines are not going to be their first line of attack. Instead they want to encourage and educate so that all businesses become aware of the new laws and implement necessary changes.
Work Towards Compliance Now
Still, that doesn’t mean the ICO’s tolerant stance is condoning those businesses that are taking no action, and simply ignoring compliance with GDPR.
Coming to the attention of the regulator is never desirable, as it could take up time and resources you may not have, and end up costing you a lot more money as a result. Far easier to take stock now and deal with it, and get peace of mind that you’re on your way to complying with GDPR. What’s the point of delaying?
25 May will be just the beginning of a sea change in the way businesses manage and process data. GDPR is designed to make us all far more responsible and thoughtful about the data we hold. There will be a gradual cultural shift such as occurred with stop smoking campaigns, or seat belt wearing, or not drinking and driving. Our children and grandchildren will become savvy about their data, and will use the available controls to protect their data and minimise what they give access to.
GDPR Is Overwhelming
I’m not going to try to minimise it and tell you that complying with GDPR will be simple. The truth is that GDPR is all encompassing, impacting so many different areas of a business that it can be quite overwhelming for businesses. Business owners are already time poor and stretched thin. Taking on the onerous obligations of GDPR on top of managing a business is no mean feat. However, it is a legal requirement to comply. Also, it does present a chance to run a better business.
I’m confident that businesses that adopt the right approach and tackle GDPR by putting in place the right systems and procedures will improve their businesses in the process. They will also find it easier to work towards compliance on an ongoing basis ensuring that GDPR principles become second nature to them.
So, I would urge you to take the plunge and embrace GDPR, as you do so many other areas of your business. Begin to understand your obligations so you can put in place the steps to take responsibility for the data you’re handling.
Once you’ve set your strategy, including for matters like marketing, and drafted your GDPR compliant Privacy Notice you’ll need to send it to your clients and subscribers and add it to your website. Your data subjects have the right to know how you collect and process their personal data, for what purposes you use their data, the legal grounds of processing such data, and how you keep their data secure, as well as their rights in relation to such data. That’s what the new style Privacy Notice details.
Every organisation is affected by Europe’s new General Data Protection Regulation or GDPR as it’s known. I’m sure you’ve heard plenty about it.
GDPR represents one of the biggest shake ups in the privacy and data protection laws since the internet. The recent Cambridge Analytica and Facebook incident involving misuse of hundreds of Facebook profiles has only added to the significance of GDPR.
GDPR is a complex piece of legislation which applies to every business whatever its size. If you have names, phone numbers, email addresses of customers, prospects, employees or suppliers, then GDPR affects you.
GDPR looks set to become one of the most substantial pieces of legislation that businesses of every size will have to tackle. Companies that had previously regarded non-compliance with data protection laws as low risk are beginning to re-evaluate their positions in the light of the substantial new fines, increased enforcement powers and grounds for judicial remedies that exist under the GDPR.
Chaos And Myths
So, there is chaos currently as myths have come about to the effect that after 25 May you cannot communicate any more with customers, or leads who came on board before 25 May. Some businesses sending out these emails have no clear idea why they are sending them. It’s sometimes a knee jerk reaction, and therefore ill thought through. They risk having to stop communicating with many of their existing lists, and past subscribers.
You don’t have to do that. However, there are certain processes you do need to put in place and decisions you need to make as a business owner to allow you to continue communicating with your subscribers.
GDPR isn’t the simplest of laws. There are numerous regulations that come under the GDPR umbrella. There are grey areas and until there is a body of case law, it’s not completely clear how certain aspects of the law will be interpreted. The key point is that you don’t have to send one of these emails telling your customers that you won’t be communicating with them anymore. There are strategies you can adopt to avoid being one of those businesses sending out these emails which are clogging up people’s inboxes.
Opt In Forms?
And if you capture data on a website by offering useful information, or letting site visitors request a call back or information, GDPR covers this too and there is a series of steps you need to take as a business to know how to carry on doing that. There are some myths that have built up around this too. You don’t necessarily need to add tick boxes. You can comply without one, and if you do add one you need to make sure you understand why you’re adding one. Otherwise, you could still end up non-compliant despite paying web developers to add them. Depending on the form and what you want to achieve you may be able to avoid adding a tick box by changing the terms of your offers. I talk about that later in this series of 4 training blogs.
Compliance with GDPR involves a number of steps, including putting in place documents to be able to show your compliance should the Information Commissioner’s Office (ICO) need to investigate you for any reason. These are the key points to be aware of.
This mini training tells you what you need to know to work towards GDPR compliance. Whether you do this in time to meet the deadline of 25 May 2018, or come to it later after the deadline has passed, as many will, it’s important to realise that compliance with GDPR is not optional, just as operating PAYE, or other legal obligations are not optional. Nor is it something you do once and then forget about.
The Right Steps To Comply
Better to take some steps, albeit imperfect ones, than to take none at all towards compliance. But make sure they’re the right steps. Avoid taking quick decisions to send ill-considered emails asking for consent or to add tick boxes to your web forms. First make sure you have adequate information and legal guidance to properly assess the situation you face. Then decide what steps to take to address the different categories of data you currently hold. The aim is to preserve your ability to communicate with your people.
And nothing in the regulations requires you to delete data in a hurry. If you conclude that you cannot market to a list of people, you do not need to remove them from your system before 25 May.
In terms of how to deal with collection of email addresses in future, make sure you are clear about what you want to achieve. Then properly understand what you need to do to be compliant. For example, what will you do when you go out networking and collect business cards? What changes will you make to existing forms on your website? It will vary depending on the form in question. What changes do you need to introduce? Then proceed to organise changes once you have an overall plan. Don’t do things in a piecemeal fashion.
I will say this. You may not need to engage your web developers to add opt in and opt out boxes on your forms. Before you proceed with development work take stock and set an appropriate strategy and document your decision. In the Marketing element of this training I’ve got some ideas for you on how you might address this but first it’s important to understand what these GDPR laws are aiming to achieve, as you’ll be better placed to implement your compliance plan.
Back in 1987 when I joined Reuters as a relatively junior lawyer, one of my first assignments was to audit the company’s data processing activities. I spent a few months visiting senior managers’ offices around Reuters to explain the new laws in a bid to understand the data each section was collecting and storing. I would tick off various charts in the process. I no longer remember what else I did to ensure Reuters would be compliant with the Data Protection Act 1984, but it was a simple exercise compared to GDPR.
In those days there was no internet so the landscape was far less complicated than it is today even though Reuters was a large tech company. The widespread use of cloud computing and dedicated apps for functions like accounting, marketing, time recording and more had yet to develop.
Since founding Azrights there have been some data protection projects involving data breaches or creation of new databases. Often these gave rise to legal questions such as whether IP addresses, or particular postcodes were personal data, and what is involved to anonymise data in order to exploit it. However, apart from these rare instances, by and large data protection has been of low interest to clients whose main priority was to obtain documentation for their websites.
Fast forward to today, and GDPR looks set to become one of the most substantial pieces of legislation that businesses of every size will have to tackle. Companies that had previously regarded non-compliance with EU data protection law as low risk are beginning to re-evaluate their positions in the light of the substantial new fines, increased enforcement powers and grounds for judicial remedies that exist under the GDPR.
There are many facets to GDPR, one of which is the ban on the transfer of data outside the EU. This will impact the widespread practice of using freelancers located in low cost countries like India, or the Philippines for various business functions. It’s worth mentioning here that the UK is firmly committed to complying with GDPR long term so Brexit will not affect the applicability of GDPR to UK businesses.
What Transferring Data Outside the EEA Means
Transfers of data outside the EEA are only permitted in limited situations, such as where the recipient country ensures ‘adequate’ protection for data subjects and their personal data. It’s important to note that “transfer of personal data” doesn’t just mean the sending of personal data in the form of paper documents or emails from one country to another. Many of us are routinely transferring data outside the EEA when we:
Communicate personal data by telephone, email, fax, letter, through a web tool or in person to countries outside the EEA;
Use IT systems or data feeds leading to personal data being stored on databases hosted outside the EEA;
Use freelancers or companies located outside the EEA who can access or “see” our personal data held in the EEA; and
Outsource, offshore, use cloud computing, or third party apps located outside the EEA for various business functions.
The online world is borderless, while the GDPR laws have clear boundaries. This means we either need to find a justifiable basis for continuing our existing data transfer activities or change our practices.
The GDPR imposes substantial and onerous new obligations on all of us. Because it impacts so many routine business functions that need to be reassessed nobody can ignore it. Some of the rules under GDPR are less onerous for small businesses, but it doesn’t exempt anyone, not even micro businesses. Many organisations outside the EEA are realising the implications GDPR has on them (because they process EU individuals’ personal data) so they are busy making changes to their platforms in order to avoid being locked out of the EU market. They have little choice but to comply with the EU’s GDPR laws.
Although there are powers to impose hefty fines and administrative penalties, the ICO has been at pains to let it be known that fines are not going to be their first line of attack. Instead they want to encourage and educate so that all businesses become aware of the new laws and implement necessary changes.
Implementing GDPR is time consuming, wide ranging, and even overwhelming. The more you do, the more you realise there is to be done. So, don’t delay. I would recommend reviewing the ICO’s resources, and if you want help, then Azrights is here to support you.
One benefit of using my guidance on GDPR is that I have a few grey hairs, and have a commercial approach to risk management. Many decisions involved in applying the GDPR regulations are not black and white. Until a body of case law develops to interpret the different aspects of the regulations, you need to make a judgment call as to how to apply the new laws to your business, what to prioritise and focus on, and how strict to be when implementing the different rules. If you want a lawyer who will help you to make sound choices I’m well placed to support you.
GDPR is all about introducing greater transparency, increased accountability and enhanced privacy rights for all of us. For example, we can manage our permissions to tech platforms as a result of being notified about the data they hold and collect on us. These new rights are necessary in a world where the likes of Google collect the most mind boggling information.
The fact that GDPR requires tech companies to design their platforms with privacy built in, means a “take it or leave it” stance will no longer be the prevailing approach. The legislation has teeth. For example, there are eye watering fines for companies that ignore the regulations, which will have even the richest of them pay attention.
GDPR is all encompassing, impacting so many different areas of a business. So, it can be overwhelming.
A good place to start if you’re a small business wanting to understand your obligations under GDPR is the ICO’s site. There are plenty of resources provided to help you to comply, although I suspect the majority of small businesses will ultimately need help because it’s one thing to know about GDPR, but it’s quite another to know what to focus on when attempting to comply with the new laws given that there is so much to do.
There are certain actions that every business should be taking immediately to reduce GDPR risks. And that’s not the much publicised question of whether or not to ask for consent to market to your lists, which I previously wrote about on this blog in GDPR – Why Consent Should Be Used As A Last Resort. Sadly too many advisers out there are still telling businesses that obtaining specific consent for everything is the way to go, which will place huge administrative burdens on those businesses that follow such blanket advice.
There are 3 steps every business should be taking in the light of the GDPR changes, that many businesses may be missing given the spotlight on email marketing. That is, to consider the data they hold in the cloud and take simple basic measures, such as:
Use strong passwords. If employees, virtual assistants, or contractors (such as your website development company) have access to your data, then are they using strong passwords so as to keep your data safe? They could easily compromise your security by their actions.
You should introduce clauses and contracts with your freelancers, and contractors. Explain the impact of GDPR. Are they using laptops with encryption? Do they know not to log into your sites in internet cafés? Are they always logging off when they leave their computers unattended? These basics are essential. You are responsible for educating your workers, contractors and other team members about GDPR and the actions they need to take so they don’t compromise security of your data or otherwise cause you to be in breach.
You want to let contractors such as your digital marketing agency, virtual assistance service, or web developers know that using outsourced staff and giving others access to your site without your knowledge is not permitted without your specific consent. These entities are processors of your data. They should not be appointing sub processors without your knowledge. You need to know if your agency is giving access to your data to a third party. Otherwise, what is the point of your doing due diligence checks when taking on an agency, only for them to engage a temporary helper (possibly using a less rigorous vetting exercise than you employ) to assist them when providing their services to you?
If you’ve not yet addressed these GDPR issues in your business then don’t delay as they are, in my view, one of the greatest security risks small businesses face.
If, on the other hand, you are an agency using outsourced team members to deliver services such as website design, form building, online questionnaire development, search engine optimisation, Facebook or Google advertising, and the like, then your business model may need some adjusting. You should be thinking about what your clients will need from you, and pre-empting their concerns.
With just over a month to go, and many contracts and steps to take immediately, you can’t afford to leave it any longer. While it’s unlikely you will face fines for failing to address every aspect of GDPR, doing nothing is not a sensible option. Come 25 May, your website will be a tell tale sign if you’ve not taken any steps to comply with GDPR.
We have various service options to help clients, ranging from access to templates and clauses, to providing some consultancy, or taking care of the entire process for you. Get in touch if you would like a quote or have any questions.
If your inbox is anything like mine, it will be full of emails about GDPR – news updates, invitations to training events, webinars and more. That’s not surprising given that GDPR represents one of the biggest shake-ups in the privacy and data protection laws since the internet.
Europe’s new data protection law, the General Data Protection Regulation is a complex piece of legislation. The text of the GDPR has changed many times so that some of the provisions that were originally proposed were dropped or changed substantially. If you’re wondering what actions you need to take to comply with the new laws by the end of May, which is when they come into effect, it’s important that you base your actions on well informed, current information.
However, if you’re a small business you probably don’t have the resources and the time to understand and deal with all the minutiae in the regulations.
You may want to focus on some top-level risks: working towards GDPR compliance by focusing on the big picture and addressing the most serious risks now, while committing to making other changes gradually. In my view this is a good approach. I’m not advocating that anyone should bury their head in the sand and ignore the new regulations, just that you bear in mind that complying with GDPR when you have a budget of a quarter of a million pounds to spend (as many big businesses do) looks very different when your budget and available time are tiny in comparison.
What GDPR Impacts
GDPR impacts the way you collect identity information, how long you store it, what processes you need to introduce to control its use, what you may do with the data, and what security arrangements you need to implement to protect that data against risks such as loss or disclosure following a cybersecurity attack, and more.
A good starting point is to make a list of the data you collect and think about how you use it, how long you store it, where you store it, and who has access to it. The purpose of this exercise is to document what you’re currently doing so you can decide what you need to do in order to better comply with GDPR. What controls and processes will you be able to put in place immediately, and what might you introduce in the future?
Consent Is Not Always Necessary
A common area of confusion is whether you must obtain consent to process people’s data. While in some cases consent may be the right way to go, it is not always the right basis on which to found your decisions.
For example, processing data for many marketing activities may be better based on “legitimate interest” (that is, you have a lawful business interest in processing the data). The term “legitimate interest” is not clearly defined but is likely to be interpreted widely. Legitimate interest or other lawful “bases” under the GDPR, apart from consent can sometimes be a much better basis to rely on than consent.
In our view consent should be used as a last resort, not a first resort. Only rely on obtaining explicit consent from data subjects where none of the other bases are engaged.
Incorporate Prominent Unsubscribe Links
Some simple steps like incorporating a prominent unsubscribe link on all your marketing emails and not emailing people from no reply emails would go a long way to avoiding annoying recipients of your emails.
For example, one email sender I’ve been trying to unsubscribe from for months is Law.com. They are sending us daily emails from a no reply mailbox. They provide no unsubscribe link. Instead you are expected to log in to their site to manage your email alerts. Why should one have to do this just to unsubscribe? I have tried blocking their emails but somehow their daily emails continue to arrive in our inbox instead of being diverted to the junk folder. (I’d love to know why this is happening.)
They’re by no means the only ones. IELPE is another organisation that emails us whose emails I just can’t seem to divert to the junk box. They too send their emails from a no reply email address, and don’t have an unsubscribe link.
In many cases, even where an unsubscribe link is provided in emails, I would be worried about clicking on the link unless I know the company. After all, it’s basic security management to not click on links. So this is why it would be good practice to not only provide an unsubscribe link, but to also not send marketing emails from a no reply email address.
I mention these as examples of what not to do. In my view it’s important to avoid attracting unwanted attention, and potential fines.
So, there are practical steps that you could and should prioritise because they’re easy to implement, and matter a lot.
I appreciate that unless you’re familiar with the regulations it can be difficult to know how to see the wood for the trees. That is why we are introducing a low cost GDPR service designed to support small business clients to implement a GDPR solution appropriate to their needs.
If you want help to tackle GDPR in a pragmatic way, so you can know how to deal with marketing emails, and whether you need to seek consent from everyone, then our solution will be relevant to you. Just register your interest to receive more details as they become available.
As intellectual property (IP) becomes more recognised as an asset class, interest in it is increasing – so much so that, according to the IPKAT, Hong Kong property surveyors have apparently been trying to break into assessing the intellectual property value in a business.
IP valuation is a sub-category of business valuations or a self-contained professional endeavor; and
(ii) in either case, to what extent must an IP valuation professional understand the legal context of IP rights?
The starting point is to consider what we mean by IP.
What is IP?
The term IP is generally associated with registrable rights like trademarks, patents and designs. However, SMEs also have many non registrable IP issues to consider, such as copyright, know how, trade secrets, database rights, organisational knowledge and more.
Unless an SME takes advice to identify, manage, and protect its IP assets it could be seriously exposed because intangibles are a poorly understood asset class.
There is no one size fits all when it comes to determining a business’s risks and opportunities. Even two businesses in the same industry, with a similar business model, may have different issues to address depending on how they develop their businesses and what contracts and other arrangements they have in place. For one business copyright may be the critical asset, while for another it may be the database or a patent.
They will not necessarily be equally desirable to an investor as their value on exit would be impacted by a number of factors unique to each business.
Why have an IP valuation?
One issue a valuation will consider is whether there is key IP underpinning a company’s competitive advantage. If so, another question is whether that competitive advantage is adequately protected.
Banks and investors may accept IP assets as valuable security to finance an SME’s growth if the business can demonstrate that those IP assets underpin revenues and forecasts, and impact cash flow.
How the strength of the IP asset is critical
A fictional example may help convey how IP works.
Say a company has developed an innovative solution that becomes well known in its industry. That competitors will copy a good idea is inevitable. So, if a company’s asset isn’t protected with a patent or other barrier to entry, it is more vulnerable to copy cats.
However, where there are no patents to protect the product, it is a mistake to assume there is little you can do to prevent a competitor stealing market share. You may not be able to stop them creating similar products but you may be able to protect your competitive position and create barriers to entry through the name you choose for the product.
The name is a potential barrier to entry because it can stop competitors using similar ones to identify their offerings – but only if it is a name that the business can uniquely use.
If the business chooses a generic name (that is, one that describes what the product does, rather than an actual name), the name will not be capable of protecting the company’s asset. This is so even if the company registers that name as a trademark combined with a logo. Such a registration would effectively only protect the logo where the name is generic.
So the upshot is that the business has a product that gives it a competitive advantage. It has a valuable asset, but not as valuable as it would be if the name was capable of stopping competitors stealing market share when providing ‘me too’ solutions.
That not all names are equally effective at containing IP value is not generally well understood.
Shifting value of IP
IP value is rarely static. Intellectual property rights can change in value over time for a variety of reasons. For example, when you first patent something, it’s possible you have a unique solution to a problem so that your patent provides a strong competitive advantage. But then as other solutions to the problem emerge, the value of your patent may be reduced. On the other hand, if you have successfully marketed your product, despite your patent becoming less critical to your competitive advantage, your trademark may have gained value as your name recognition has increased.
So, failing to give a product a distinctive name that is capable of functioning as a trademark, or not checking whether other people’s rights might prevent use of the chosen name long term, impacts the value that is generated, and that would inevitably depress the value of your IP.
IP value is impacted by the choices you make
The above example is designed to illustrate how the IP in question, or the choices you make impact IP value. You need to be ready to make changes if needs be. However, names are not the sum total of IP. There are so many other issues that impact IP value.
There are a number of IP actions required in order to build value and wealth. Implementing effective contracts is a hugely important, but misunderstood aspect of IP protection.
Because it is never possible to foresee what problems and scenarios might arise for a business in the future, it is prudent to secure its IP rights to the fullest extent, so the business has adequate protection to protect its position in the market.
Therefore, identifying IP rights, and protecting and managing them, is essential for any ambitious business.
Clearly IP valuation is not an area in which surveyors would have appropriate transferable skills.
IP and business are closely intertwined. In practice, you need to take both into account. That is why it requires the combined skills of business and IP experts to get the most effective IP valuation and strategic advice.
In a future post, I will explore the different methods for valuing IP.
The Intellectual Property Revolution, my second book, was launched with great success on 13 October 2015 at the Institute of Directors in London.
For those of you who were unable to attend the event the next best thing is to watch the videos of the night.
Daniel Priestley of Entrevo, who runs a global entrepreneurship accelerator programme known as Key Person of Influence (that I myself have attended) gave the introductions for the night.
He also took us through the ages, pointing out that at one time it was ownership of land that enabled people to build fortunes; these people built themselves a reputation and became influential. Then after this agricultural age came the industrial revolution, where people built their fortunes by owning the means of production. In the digital economy it is intellectual property that is the means to building fortunes. He said millennials would rather spend all their time and money building start-ups than purchasing houses or land.
Next up was Will Critchlow of Distilled, CEO of a digital marketing agency based in London with offices in the USA. He reinforced the importance of using the right name and protecting intellectual property rights very early on, an issue he himself had encountered at the early stages of his business ventures while at school. Intellectual property, in particular securing a trade mark, helps provide businesses big or small with strong foundations to securely expand and build on the reputation they establish. This strengthens branding strategies, so that they become real investments rather than failing later on.
Then finally, I spoke about the importance of taking early IP advice in order to position yourself for maximum value if you succeed, and reduce the risk of disaster. When overlooked, IP can be damaging to the core features of any business. For example, a poor choice of name can be a real setback. This is something I discuss in more detail in my blog Intellectual Property Value – Do You Need Specialist Skills to Value IP?
IP is so important to any business. As the internet now dominates our daily lives, it is the ownership of these intangibles that is so necessary to protect. At Azrights, we offer a fixed price service that provides early stage businesses with comprehensive advice concerning intellectual property rights and the strategic building of them.
There was a chance for guests to mingle over canapés, and here are some vox pops and highlights of the event. The vox pop discussions give some insight into why attendees believe IP is so important in today’s society.
The highlights below will give you a general flavour of the eventful evening.
Since the launch, I have revised the conclusion of the book, as this was a chapter I struggled to write last year. At the time, I wanted to finish the book so I used something. However, having had time to reflect over the festive period, I have changed the conclusion, and am now very happy that the book will be an easy, insightful read for businesses interested in IP.
The new conclusion fits much better with the book as a whole, being a kind of synopsis of the book that summarises the transformative effects of intellectual property rights. If you don’t have time to read the whole book, you’d now get a strong indication of what the book is all about by reading just the conclusion and perhaps revisiting the book when time allows.