Tag Archives: data protection compliance

IP Law Makes Waves In Piracy

Shireen Smith, intellectual property law expert and founder of London-based law firm Azrights, has expressed her concern about the ongoing battle the games industry faces over piracy issues.

Writing in the 4 December issue of MCV (The Market for Computer and Video Games), Shireen discusses how the digital revolution has brought IP law to the fore of every modern business and how the computer and video games industry is “experiencing an intellectual property revolution.”

UK games companies grew by 22% on average between 2011 and 2013, according to Ukie, with digital game sales larger than digital video and music sales combined. Given the commercial significance of the games market, Shireen believes that the computer and video games industry needs to take a more serious view of intellectual property law.

Commenting on Nintendo’s recent high profile legal breakthrough against circumvention devices, Shireen explains that IP issues are threatening large corporations as well as entrepreneurial firms.

“In an ongoing legal battle, Nintendo has made a breakthrough against circumvention devices with the case reaching Europe’s highest court in January 2014.”

“The ‘first instance’ criminal decision against the defendant puts an international spotlight on what is the legitimate use of devices such as mod chips, which can have non-infringing uses as well as infringing ones.”

“It is likely that similar cases across Europe will soon follow suit as anti-piracy campaigns continue to grow.  It also means that national courts in all EU member countries have a framework to assess whether security measures are protected – a huge success for the international computer and video games industry.  The high profile nature of the case has EU-wide implications on independent software developers, as well as gamers.”

Shireen, who recently launched her new book Intellectual Property Revolution, also provides some guidance for smaller businesses.

“Entrepreneurial businesses may have some misconceptions regarding the approach to IP law.  The advice in employing an IP expert is the earlier the better.  Nowadays SMEs are exposed to a global audience in ways that simply did not occur in the industrial era.  We have more businesses today than we’ve ever had before.”

“In a market which is constantly flooded with innovative concepts, smaller businesses can find themselves at a serious risk of losing out if IP infrastructure is not put in place.  There is greater risk in both the short and long run as smaller businesses often don’t have the time or resources to overcome a legal setback.”

It is not just the video and computer games market that is affected – the intellectual property revolution is happening across industries.

“In the fashion industry, the Kering group (who own Gucci), have recently challenged Alibaba on piracy issues.  There are also ongoing problems faced by the music and film industries with illegal downloads and streaming.”

Shireen’s MCV article titled “IP law clamps down on pirates” can be found here.

Azrights website

Azrights on YouTube

Azrights on Twitter

Intellectual Property Revolution on Amazon

Games Industry Must Ensure it Takes IP Law Seriously

According to Ukie, the trade body for the games and wider interactive entertainment industry, the UK games industry was worth over £3.9 billion in consumer spend in 2014 and the sector is expected to grow at an annual rate of 8%.

The games industry is relatively new and therefore 95% of companies are microbusinesses or SMEs.  Leading intellectual property (IP) lawyer Shireen Smith thinks that many of these companies could be at risk of losing out as a result of an IP dispute, if they don’t take the necessary steps to protect themselves.

“If names are chosen without involving a trade mark expert, the business is at risk of losing out.  A poor choice of name can lead to a constant loss of value or difficulty in securing registration either in the UK or in other countries.

“An IP expert should always be consulted at the early stages of launching a new business or product.

“Otherwise, as soon as a new business starts up, the business owner might receive notice that it is infringing on another brand.  This can have serious consequences for those that have invested significantly in their branding and search engine optimisation.  Sadly for some, they don’t have the time or resources to overcome such a setback.”

Shireen Smith, who is the founder of London-based law firm Azrights, continues to give an example.

Scrabulous was an app, created by two Indian brothers, which allowed people to play a Scrabble-like game online with friends anywhere in the world.  It was a huge hit – attracting 600,000 users per day – when in 2008, Hasbro, the owner of the Scrabble trademark, shut it down because their name suggested to the market that this was a similar game to Scrabble.  As trademark law helps to prevent piggybacking off the success of others’ brands, Scrabble was able to get Facebook to pull the Scrabulous app even though it was extremely popular.

“The founders had even applied to register a trademark for their name, clearly unaware of the wide scope of protection that trademarks give.  Had they taken advice before using the name they would have realised the choice was unwise.

“The fact that their app had gone viral did not stop Facebook from simply removing it.  This paved the way for Zynga to create what is now a highly successful app: Words with Friends.  The brothers’ advantage of being the first to build a Scrabble-like app on Facebook was lost, and we will never know how big Scrabulous would have been today if it had opted for a better name.”

Shireen Smith has recently launched a new book called ‘Intellectual Property Revolution’, published by Rethink Press, which is all about how to successfully manage IP assets, protect brands and add value to your business in the digital economy.  It is written in plain English and is helpful for business owners and ‘brand guardians’.

A video explaining more about how the digital economy is changing IP can be found here.


Azrights website
Azrights on YouTube
Azrights on Twitter


Leading IP Law Firm Goes Digital

In order to raise the profile of her London-based firm Azrights, her book and the importance of intellectual property (IP) as a whole, lawyer Shireen Smith has put her faith in video.

She enlisted the help of London-based video production company Element 26 to produce an animated film that explains how essential it is for small businesses to protect their IP.

Azrights specialises in helping owners of businesses in the digital economy to use legal frameworks to create intangible assets.  When properly protected, these assets can often become more valuable than the products or services that the business sells.

Shireen Smith said, “Lots of people don’t understand the value of IP because they can’t see it or hold it.  To address this, we asked Nathan Haines, Managing Director at Element 26, to produce a video to increase understanding of this vital area of the law.  In the digital economy, IP is changing rapidly and small business owners need to prioritise it to avoid pitfalls.

“By educating business people of the importance of IP law, the video Nathan produced encourages them to approach Azrights for advice or to read my recently launched book ‘Intellectual Property Revolution’.”

Such was the interest in ‘Intellectual Property Revolution’ that it was a bestseller in its category on Amazon before it had even been launched and continues to be so a week after the launch.

Written in plain English, it explains to business owners and brand ‘guardians’ how to successfully manage IP assets, protect brands and add value to businesses in the digital economy.

Shireen Smith adds, “The new currency in our digital economy is information, know-how, brands, systems and data. Whether people are building a brand identity, launching a new product or service worldwide, or even a start-up business, they’re also creating intellectual property.

“The value and safety of intellectual property has become more important than ever before.  Do it right and the intangible assets you create could be worth more than the products or services themselves.  Do it wrong and you could miss vital opportunities, have your true value stolen or find yourself on the wrong side of an intellectual property dispute.

“Once IP is on the business owners’ radar, it’s crucial for them to consult an IP lawyer in the early stages.  So often, people in business commit to brand names, website URLs and costly designs before speaking to an IP specialist, only to find that their so-called assets lack value.  The video that Azrights had produced will educate start-up owners before they reach this stage.”

Nathan Haines said, “We’re thrilled that the video we produced has been such a success for Shireen and the team at Azrights.  At Element 26, we believe every business has a special story which makes them unique.  As a company we make it our mission to understand our clients’ objectives by collaborating early on in the process, which ensures that the messages to be conveyed are tailored to their specific target audience, not just any audience.

“When Shireen asked us to work with her on the production of her film, we were very excited because animation is more vibrant and colourful than the more traditional interview-led videos.

“By commissioning a film, Shireen is leading by example and has proven that she really believes in the importance of creating intellectual property.  We are proud that this film will be one of the intangible assets that contributes to Azrights’ ongoing success.”

The video, which explains more about how the digital economy is changing IP, can be found on YouTube here.



Azrights website

Azrights on YouTube

Azrights on Twitter

Element 26

Intellectual Property Revolution on Amazon


Intellectual Property Value – Do You Need Specialist Skills to Value IP?

As intellectual property (IP) becomes more recognised as an asset class, interest in it is increasing – so much so that, according to the IPKAT, Hong Kong property surveyors have apparently been trying to break into assessing the intellectual property value in a business.

They recently called upon overseas bodies (for example, the Royal Institution of Chartered Surveyors) to promote the virtues of having surveyors perform IP valuations.

As the IPKAT says, the question is whether

  1. IP valuation is a sub-category of business valuations or a self-contained professional endeavor; and
  2. in either case, to what extent must an IP valuation professional understand the legal context of IP rights?

The starting point is to consider what we mean by IP.

What is IP?

The term IP is generally associated with registrable rights like trademarks, patents and designs.  However, SMEs also have many non-registrable IP issues to consider, such as copyright, know-how, trade secrets, database rights, organisational knowledge and more.

Unless an SME takes advice to identify, manage, and protect its IP assets it could be seriously exposed because intangibles are a poorly understood asset class.

There is no one size fits all when it comes to determining a business’s risks and opportunities. Even two businesses in the same industry, with similar business models, may have different issues to address depending on how they develop their businesses and what contracts and other arrangements they have in place. For one business copyright may be the critical asset, while for another it may be the database or a patent.

They will not necessarily be equally desirable to an investor as their value on exit would be impacted by a number of factors unique to each business.

Why have an IP valuation?

One issue a valuation will consider is whether there is key IP underpinning a company’s competitive advantage. If so, another question is whether that competitive advantage is adequately protected.

Banks and investors may accept IP assets as valuable security to finance an SME’s growth if the business can demonstrate that those IP assets underpin revenues and forecasts, and impact cash flow.

How the strength of the IP asset is critical

A fictional example may help convey how IP works.

Say a company has developed an innovative solution that becomes well known in its industry. That competitors will copy a good idea is inevitable. So, if a company’s asset isn’t protected with a patent or other barrier to entry, it is more vulnerable to copy cats.

However, where there are no patents to protect the product, it is a mistake to assume there is little you can do to prevent a competitor stealing market share. You may not be able to stop them creating similar products but you may be able to protect your competitive position and create barriers to entry through the name you choose for the product.

The name is a potential barrier to entry because it can stop competitors using similar ones to identify their offerings – but only if it is a name that the business can uniquely use.

If the business chooses a generic name (that is, one that describes what the product does, rather than an actual name), the name will not be capable of protecting the company’s asset. This is so even if the company registers that name as a trademark combined with a logo. Such a registration would effectively only protect the logo where the name is generic.

So the upshot is that the business has a product that gives it a competitive advantage. It has a valuable asset, but not as valuable as it would be if the name was capable of stopping competitors stealing market share when providing ‘me too’ solutions.

That not all names are equally effective at containing IP value is not generally well understood.

Shifting value of IP

IP value is rarely static. Intellectual property rights can change in value over time for a variety of reasons. For example, when you first patent something, it’s possible you have a unique solution to a problem so that your patent provides a strong competitive advantage. But then as other solutions to the problem emerge, the value of your patent may be reduced. On the other hand, if you have successfully marketed your product, despite your patent becoming less critical to your competitive advantage, your trademark may have gained value as your name recognition has increased.

So, failing to give a product a distinctive name that is capable of functioning as a trademark, or not checking whether other people’s rights might prevent use of the chosen name long term, impacts the value that is generated, and that would inevitably depress the value of your IP.

IP value is impacted by the choices you make

The above example is designed to illustrate how the IP in question, or the choices you make, impact IP value. You need to be ready to make changes if need be. However, names are not the sum total of IP. There are so many other issues that impact IP value.

There are a number of IP actions required in order to build value and wealth. Implementing effective contracts is a hugely important, but misunderstood aspect of IP protection.

Because it is never possible to foresee what problems and scenarios might arise for a business in the future, it is prudent to secure its IP rights to the fullest extent, so the business has adequate protection to protect its position in the market.

Therefore, identifying IP rights, and protecting and managing them, is essential for any ambitious business.


Clearly IP valuation is not an area in which surveyors would have appropriate transferable skills.

IP and business are closely intertwined. In practice, you need to take both into account. That is why it requires the combined skills of business and IP experts to get the most effective IP valuation and strategic advice.

In a future post, I will explore the different methods for valuing IP.

Are privacy policies dead?

In 2009 there was a controversial view that “Privacy is dead and social media hold smoking gun”. Essentially, the author presents a somewhat pessimistic view of privacy’s position in the public sphere. He considers it to be a choice between either having privacy and not sharing with others or sacrificing privacy for the benefit of participating in social media. However, a Pew survey found that 71% of social network users have changed their privacy settings on their profile to limit what they share with others.

Essentially people want to socialise online, are concerned about their privacy and have begun to actively manage who sees what.

But one of the main challenges in trying to protect the privacy of individuals within the sphere of social media is keeping up to date with the constant pace of innovation.

New ways of sharing an individual’s personal details, such as their location, their preferences, are introduced, but it takes time for the law to catch up and, in the meantime, businesses are left with little guidance and individuals proceed with little awareness of consequences.

In this ever-changing environment, it may be important to re-assess the adequacy of tools used to protect privacy and consider whether any additional tools may be used to supplement these.

Just in time notification

TrustE is a privacy services provider and offers certification of websites. Unlike the above author, it is their view not that ‘privacy is dead’ but rather ‘privacy policies are dead’.

Obviously privacy policies are not dead as they are an immovable legal fixture, but from reading the remarks of the author, Fran Maier, it is not so much that privacy policies are dead, but that additional tools are needed to face new challenges to privacy.

Here TrustE suggests the concept of ‘just in time’ notification. This would be relevant whenever a new piece of technology is introduced and new types of data are being collected. The idea is that whenever an individual is about to share their data using a new feature a notification would be available to a visitor to explain to them the implications of going ahead.

An example of this would be the ‘Like’ feature from Facebook. This is a feature where users of Facebook may share the websites or videos they recommend with their friends. This feature is added to third party sites so that a visitor would simply click on the feature on the site to express their approval of the content.

When this was originally launched, TrustE wrote a blog post recommending that businesses integrating the feature on their website add a just-in-time notice. They suggested adding a ‘?’ next to the feature which, when rolled over with a mouse, would inform the visitor about the privacy implications of the Like button, such as that this information will appear on your friends’ newsfeed.

However, as you can see from the above post they have decided that it is no longer necessary to have this notice due to “the ubiquity of the Facebook like button across the internet and the time users have had to familiarize themselves with the button”.

Essentially the public need time to build familiarity with a new piece of social media technology and they benefit from short notices when their privacy is at risk so they can make informed decisions before proceeding. Once the public are familiar with a new feature or practice then these little warning signs can be phased out. Obviously the information on how data is used should also be found in a privacy policy and in no way could these notices become replacements of the role of privacy policies. They would merely be supplements.

Fran Maier’s definition of privacy is interesting: “confident in the expectation of the outcome”. This implies that an individual knows what is going to happen when they click on a button to, for example, share their location with friends. Underpinning this definition are the key principles of transparency, trust and accountability.

Businesses striving, therefore, to build a relationship with their customers on the basis of these three principles are likely to be reassuring their customers. The bottom line is, if customers can trust you with their privacy then this is likely to produce a halo effect where your customers feel they can extend their trust to your business as a whole and buy from you.

Data Protection and Email Marketing

When a site stores personal details for subscriptions, memberships or the like, there are certain legal regulations it has to take into consideration to stay on the right side of the law.  The Data Protection Act sets out eight principles for the lawful processing of data. Generally individuals’ personal data such as name, phone number or address should be used in the way envisaged by these principles, and they have certain rights under the Act such as the right to ask and see the information a site holds about them – known as subject access requests. The body which presides over the Act and ensures compliance is the Information Commissioner’s Office (ICO), which provides a wealth of guidance materials for businesses.

Beyond the Data Protection Act there are a number of other laws which clarify and add to the obligations placed upon businesses when using data.

The Privacy and Electronic Communications Regulations seek to regulate the collection and use of an individual’s contact details for marketing purposes. This would cover sending marketing emails to individuals after having obtained their email address in exchange for a newsletter or an eBook.

A key question here is whether the individual has to specifically opt in to receive certain types of communication, or is it sufficient to give them an opportunity to opt out of certain uses you may want to make of their data?

For most forms of marketing, the general principle under the Regulations is that of ‘prior consent’, namely the individual should ideally give consent to the use of their details envisaged by the business before they can be contacted. In practice this consent can be sought by providing an ‘opt-in’ or an ‘opt-out’ tick box at the point of collection. The difference between the two is that of an individual expressly permitting or prohibiting marketing emails from the business.

An alternative means of showing consent under the Regulations is through ‘soft opt-ins’. This is essentially where prospective customers or clients provide their details. Soft opt-ins have a number of conditions attached, namely: the details should be collected in the context of a sale or negotiation of a sale to the individual; the marketing emails should relate to similar products and services only; the individual must be provided with an opportunity to opt out at the point when the details are collected and every time they receive a marketing email (this can be done by way of an ‘unsubscribe’ link in the email). For more details on best practice for email marketing see Direct Marketing Association’s guidelines.

For B2B marketing emails, however, the above restrictions do not apply. The opt-in restrictions in article 22 of the Regulations only apply to ‘individual subscribers’ and not ‘corporate subscribers’.  But beware of sole traders and partners who are effectively businesses in the guise of individuals. If there are any such individuals in your business database, they need either to be treated separately as individuals, or the whole database needs to provide the opt-out and other facilities required for individuals.

Obviously individuals from companies may, in practice, be providing their individual details, but where, for example, the marketing email is addressed to the company itself and the recipient’s email address is non-personal then no opt in provisions should be necessary. That being said every marketing email should always display the identity, contact details of the sender and, if sent by a company, contain the respective details of the organisation such as the company’s registration number.

In addition to this, any individual can at any time under the Data Protection Act request an organisation to cease or not to begin direct marketing to him. Such a request does not need to wait for the organisation to contact him. It must be complied with in a reasonable time. In practice it often takes time to set up the mechanism, so it may be worth sending him a brief email saying that his message has been received and will be acceded to, but that it may take a week or so to set this up, in which case it is just possible he will receive another direct marketing email in the meantime. It is good practice to keep all such requests in a Stop List, to be run against any future emailing before it goes out, so that if at some future date the organisation acquires his details again it does not start sending him more direct marketing material. This particular opt-out is not confined to emails but may apply to other types of communication.

An interesting point to flag up is that the legislation may set the threshold of what is acceptable in relation to email marketing, but the contract with the Email Service Provider may have even more stringent clauses. Some hosting companies may be contractually entitled to seek damages from customers engaged in unsolicited bulk mail. So as a rule of thumb the terms of business from a hosting service should always be reviewed before engaging in direct marketing.

In all, best practice for ensuring compliance with legal requirements is to use opt-in based marketing as much as possible, and to state how you will use personal details (for example, by featuring a link to your privacy policy).

Ultimately, it depends on the business you are in as to how you comply with the requirements of the legislation.

Organisations must in any event provide individuals with information as to their identity, the purposes for which the data is sought from the individual and other relevant matters (e.g. if the data is to be passed to a third party), and all this is usually wrapped up in the general Privacy Policy, on which the Commissioner’s guidance can be found here. You can either link your Privacy Policy to the easy way for individuals to opt out of your emails, or you may wish to put both these requirements (Privacy Policy and Opt-out) in one web page.

However, if you intend to share data with third parties, or to sell the data then you do need to be careful how you set up your data collection facility, and ensure that the data stays ‘clean’.

Also it is important to have a good system in place for handling complaints about unwanted emails. Failure to comply with data protection regulations could prove embarrassing in certain situations, and could even lead to a criminal conviction.

Outsourcing/ offshoring – Compliance with Data Protection Laws

Globalisation has made it possible to think further afield, not only in terms of selling products abroad and market expansion but also in terms of outsourcing work abroad to cut costs (offshoring). The beginning part of the last decade saw around 10% of companies involved in offshoring their operations (see ONS and OECD presentation and 2009 OECD reports for further details). To give a brief example of offshoring: you might be a medium sized accountancy practice wanting to outsource your bookkeeping to India so that you can provide a more competitive service for your clients.  This is where it is important to understand that the export of such services would also entail the export of your client details, which would be subject to the Data Protection Act 1998.

The EU introduced Directive 95/46/EC, which forms the basis of the Data Protection Act. This Act regulates how information is stored about individuals and controls the geographical movement of such information. In particular, the transfer of data outside of the European Union falls under a specific regime. Principle 8 of the Data Protection Act sets out that personal data shall not be exported to a country outside the EEA unless the receiving country can provide an adequate level of data protection. It is important to note that other principles from the Act will still apply such as lawfully processing data (first principle) which would require you to seek consent from your clients before exporting their data. The EEA is an area slightly larger than the European Union and includes Iceland, Liechtenstein and Norway. Also, the European Commission decides which countries outside the EEA provide ‘adequate’ protection, such as the USA and Canada.

If the country you are offshoring to is not in the EEA or on the mentioned list then you must fulfill a number of conditions to be in compliance with the Data Protection Act. The Information Commissioner’s Office (ICO) states that you should ‘assess the adequacy’ of the third countries’ data protection laws.  Due to the comprehensiveness of this assessment, it is probably not an approach that every company can afford to undertake. If this is not possible then emphasis should be placed on the contract between the data exporter and the data importer to ensure that a similar level of data protection is guaranteed.  So, if we were to take the example above, the accountancy practice would be the data exporter and they would enter into an agreement with the Indian bookkeeping service, the data importer. This agreement should cover, amongst other things, the allocation of responsibilities between the exporter and importer, including any sub-processing of data by the bookkeepers.

The European Commission assists businesses in adding specific content to these contracts by supplying model clauses. These model clauses can be added to an offshoring contract (please see Commission decision 5 February 2010 here for updated clauses), but obviously they should accord in substance with the remainder of any negotiated contract. The ICO gives a detailed good practice guidance for offshoring (please see here). One of the salient suggestions is to ensure that the contract you enter into with the data importer is enforceable in both countries. But what if your company has merely set up a branch in a country outside the EU (a subsidiary) rather than offshoring to third parties? In this case the Information Commissioner has suggested that binding corporate rules (BCR) are the means to fulfill the data protection requirements (please see here for more information on this subject).

Offshoring is a growth market as technological developments continue to increase the ‘internationalisation […] of the service economy’. Recent developments include cloud computing which may push for further growth. But as these opportunities become more accessible to businesses, it is paramount to check compliance with the Data Protection Act before leaping ahead. Are you offshoring or considering offshoring any work? Have you thought about your data protection compliance?  For a consultation about your requirements please contact us.

Azrights provides Outsourcing Trademark Services and White Labelling Services.

Data Protection Non Compliance

It was interesting to read this report in Out-law that a quarter of Government’s databases are probably illegal.  This follows a report by the Joseph Rowntree Reform Trust (JRRT) into the UK’s public databases.

If so many public databases are non-compliant my guess is that double that number are non-compliant in the private sector.  A typical area of non-compliance is the sharing of data between related companies.  Another area where the law is flagrantly disregarded, certainly by small businesses, is in giving access to data from outside the EU.

The problem with Data Protection laws is the lack of adequate budgets to allow for real and effective enforcement of the law.  However, any FSA regulated business needs to beware as the FSA imposes draconian fines.  For example in January last year it fined HFC Bank Ltd for failing to take reasonable care, among other things, to have adequate systems and controls for the sale of its insurance, and in June last year it fined Merchant Securities Group Limited for not adequately protecting its customers from the risk of identity fraud. These are just two random fines I found by searching for Data Protection fines on the FSA’s website.

It is important that companies appreciate that even if the Information Commissioner does not impose hefty fines on them for breaches of data protection, they would suffer serious damage to reputation if their data breaches were to be discovered and highlighted in the public domain.

Data Protection Compliance

As reported a couple of days ago by Outlaw.com, HMRC have in recent years been criticised like many other bodies for their failures in complying with the Data Protection Act 1998 by the Information Commissioner’s Office (ICO). The data breaches and the publicity generated have obvious implications for public confidence in the ability of public bodies in particular to administer personal information in compliance with the legislation.

Businesses should be on guard as they are far from immune to negative publicity generated when a breach of data security is revealed. Financial institutions such as banks and building societies have had their own share of negative publicity due to non-compliance with data protection law. It is only a matter of time before such adverse publicity stretches further out into industry as a whole. Data protection laws are no longer a marginal issue, if they ever were. Nor is ignorance an excuse for non-compliance.

How do such a vast number of organisations, be it public or private, get data protection compliance so wrong? Whilst the legislation itself is by no means clear, and there are wide industry calls for reform of the current legislation, the ICO have published many editions of data compliance manuals for different industry sectors, and there is no shortage of businesses offering their own data protection compliance services. This is perhaps what makes it more surprising when larger businesses have flagrant breaches of data protection law exposed in the media.

What seems to be at the root of the problem is that businesses may well register with the ICO, develop or enhance their own data protection policies, but fail to put data protection compliance into practice on a day to day basis. What could be fuelling the problem is that policy is filtered through so many channels and departments before it actually reaches the individuals actually delegated to handle data, or perhaps a lack of genuine understanding of obligations from the core policy makers of a business. Whatever the internal causes, making sure all those handling data understand the business’ obligations is key to successful compliance and avoiding the likelihood of a hugely damaging public embarrassment.