Azrights is an IP consultancy offering the A to Z of intellectual property rights services, hence the name. Our sister business, Azrights solicitors provides litigation support. To grow and protect your market position, you need strategic IP advice as you don’t know what you don’t know. We cover every area of IP your business needs.
The current system of registration for UK based data controllers was replaced by the UK’s Information Commissioner’s Office (“ICO”) with effect from 25 May 2018.
From that date, or once existing registrations come up for renewal, data controllers who are not exempt, will have to pay an annual data protection fee to the ICO.
Due to the way the rules are written, it is strongly recommended that you contact the ICO as soon as possible if your business is not currently registered.
Replaces Requirement to Notify
The new fee arrangements replace the requirement to ‘notify’ (or register) under the Data Protection Act 1998, in line with Recital 89 of the GDPR which suggested that Member States abolish general systems of registration.
The ICO has published a guide about the data protection fee. The fee payable depends on staff numbers and annual turnover. There are exemptions for micro businesses who don’t outsource bookkeeping or other functions.
Noteworthy is that all controllers will be regarded as belonging in the top tier band unless they tell the ICO otherwise, so this should motivate those businesses that do not have an existing data protection registration to address GDPR compliance immediately and apply to register.
What GDPR Involves
GDPR has certainly been taking up businesses’ time in terms of understanding the regulations, and taking actions to work towards compliance.
So I have put together a short mini training on GDPR which would be relevant to those who have not yet taken any steps towards compliance. There are 4 blog posts in the series:
Among other things, these give you tactical steps to put in place and explain some decisions to make as a business owner in order to work towards compliance.
If you’re unsure how to work out your strategy on issues like opt in and opt out boxes, and web forms, you may be interested to know that I’ll be releasing a marketing course as a separate module for GDPR. So to receive notification once this is available
There are more than a dozen documents you will need in order to work towards GDPR compliance. We have created a GDPR site with all the templates, where there are videos and written guidance on all this. There are FAQs, and we plan to constantly add news updates after 25 May to guide you in your compliance.
25 May is just the beginning in terms of implementing a compliance program. Most businesses will need to set aside time regularly to continue their work as there is so much to do.
In my Quick GDPR Compliance Plan yesterday I suggested GDPR presents an opportunity for businesses to sharpen their approach towards marketing by being more strategic. So, what should you specifically do to be able to use the contact details in your database for marketing purposes?
Marketing under the GDPR (whether postal, phone, email, SMS or any other form of marketing) is regulated like any other data processing activity. So, you must show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it generally won’t be.
This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.
PECR covers electronic communications such as phone, fax, email and SMS. It requires opt-in consent for email and SMS marketing unless an individual’s contact details were collected in the context of a sale or negotiations for a sale (prospects). The other exception is if you are marketing to corporate subscribers (here the problem is that it’s difficult to exclude partnerships and sole traders who do not constitute corporates).
For these cases it is possible to send marketing communications by providing an unsubscribe link. And phone direct marketing is also generally possible on the basis of opt-out provided the call list is first screened against the relevant country’s national do-not-call registry. Here is a useful guidance note provided by the ICO recently.
Two weeks to go
If you’re coming at this a couple of weeks before 25 May, you’ll likely want to know what you need to do to be able to continue communicating with your contacts. Specifically, what should you do to be able to use the email addresses you have in your database for marketing purposes.
Given the shortage of time available now, the question is to what extent you may use legitimate interest to continue to market to your contacts. That still entails sending an email to ask for an opt in but once you’ve done so you are unlikely to get many opt ins, so it comes down to analysing your database to understand who you may continue to market to.
Have you been doing any emailing?
So much depends on what you have been doing with the email addresses you’ve collected. How good are your systems in terms of recording permissions and background information.
For example, if you use Mailchimp and have been sending out emails, you will know who has been engaging with your emails and who has not even opened them. So, if you have records of that nature available to you it’s possible to separate your list of engaged contacts from your list of unengaged contacts. That will improve deliverability of your email to your engaged contacts.
That sort of data ultimately helps you to narrow down the number of names and email addresses you need to sift through manually when deciding which individuals you may legitimately market to even if they don’t opt in when you send your email requesting an opt in.
Improving the quality of your data
I’ve spent a good part of the last 2 years sorting out our CRM records to more accurately identify the different category of contact in our systems. We moved systems a few times over the last few years, including from Infusionsoft to Microsoft Dynamics 18 months ago. This resulted in some messing up of our data. So, if you’re starting off from a point where you haven’t had time to organise your database it would be very difficult to do anything else but seek consent from the entire list of contacts and then sift through your database to identify those names to remove and those to retain.
Therefore, whatever email or series of emails you may decide to send out to get opt ins, it will be necessary to review your records afterwards to pick out names of customers who have bought from you and prospects or others whose consent you will not need.
Any business card contacts whose names you added to your database with their knowledge and approval you would need to take a view whether to continue to send emails to them.
I imagine that you will want to set yourself up properly moving forwards so that you collect emails in the right way, with relevant permissions duly recorded. Certainly, for me GDPR brought marketing lists and email marketing to the fore in a way that PECR had not.
If you want to market effectively, and be in compliance with GDPR and PECR, you have to have some sort of strategy about what emails you will be sending people moving forwards. This becomes especially relevant for web forms.
To avoid the need for opt in tick boxes on your web form, you could comply with GDPR and PECR by including your newsletter as part of the offer. For example, if I’m offering a useful ebook on IP, I might say something like “Complete the form to receive our 7 Mistakes ebook and our monthly newsletter. If people don’t want the newsletter they can opt out at the earliest opportunity, but at least you don’t need to add tick boxes and go to extensive trouble if the whole reason for offering the ebook was to get an interested subscriber to whom you could send marketing communications.
This works if you know you will want to add everyone to one master list. It may not be transparent enough where you also want to send a sequence of emails relating to that ebook. If you do, then you would need to make this clear, or ask for further permissions in the email delivering the ebook.
Double opt in
Although not required by GDPR I recommend use of double opt in for delivering ebooks.
GDPR has given added reason to use this delivery mechanism. For one thing you can ensure it is a proper email address that the subscriber has provided. Secondly, you have more of an opportunity to get an opt in to something else if you send your request in the email delivering the valuable ebook because the email will be sitting in the subscriber’s emails whereas an opt in box is only fleetingly seen and may not be ticked.
Certainly, you should do some deep thinking about your future plans and objectives. If all you’re wanting is to know that you can send your sequence of emails relevant to that download then as long as you make it clear in the invitation to sign up to that download that it includes your regular sequence of emails you will have all the consents you need. So this should be one reason not to just collect email addresses without first having a clear overall plan.
If you don’t make it clear in the web page offer that you’ll be sending newsletters or other emails, or if you want to share data with third parties then you must have an opt in box on your web form.
I can’t stress enough how important it is that you properly understand the reasons for collecting email addresses, and whether you need to add opt in boxes.
If you would like help to comply with GDPR either now or after 25 May to review your marketing or other set ups, then do get in touch. We’d love to help.
In Why GDPR?I explained what the General Data Protection Regulations are aiming to achieve because understanding its underlying principles and rationale is key to protecting data appropriately in the new regulatory environment.
The principle of fairness and transparency runs through every aspect of data handling. We need to reconsider our approach so as to only collect as much information as we need to perform the service we’re delivering; ensure data is kept appropriately secure; that it is held no longer than necessary for the purposes for which it was collected; and we must ensure the data is accurate.
One simple way to deal with data accuracy is to organise a way for your contacts to have sight of the basic contact and marketing details you hold on them so they may update the details directly themselves.
While the transition to the new regime involves a substantial effort for many small businesses who are time poor, it will ultimately help us all to run better businesses with appropriate safeguards in place to protect others’ data.
However, given we now have about 2 weeks to go till 25 May, what should you be doing to work towards GDPR compliance? In an ideal world we would have all used the last 2 years to prepare for GDPR, but few small businesses were aware of GDPR until recently, so here are some steps you might want to take if you’ve only just decided to take action.
The starting point is to identify what type of personal data you hold, where you hold it, and why. Who has access to it? This is a major exercise but if you’ve got limited time in which to do it, focus on the big picture. Most businesses will have customers who have bought from them, prospective clients who have made enquiries, and a mixed bag of other contacts such as business card and other contacts.
A second category of contacts whose personal details you hold will be past and present employees and freelancers, and also past job candidates.
There will also possibly be a number of suppliers of services – call answering providers, external agencies you might use for web development and so on.
Once you’ve taken stock and done your mini audit you should have a better understanding of the information you’re holding about your clients, prospects, business card contacts, employees, contractors, suppliers and so on. In the process you will begin to notice who has access to your subscribers’ data. Depending on the nature of your business, it may be useful to look at your password lists to remind you of apps you use.
It’s a fundamental principle of any outcome focused regulation that we should be able to demonstrate the reasons for our decisions. So, having a system in place where you can document your reasons is key. If the Information Commissioner’s Office ever needs to look into your business they will ask to see the audit records, and will expect you to have a spreadsheet ready to explain your processing activities.
If you’re doing a rushed audit to get your privacy notice sorted quickly do plan in some time in the coming months to go back over the audit to update it. Compliance isn’t a one off event for anyone.
If you process sensitive data such as about people’s racial or ethnic origins, political opinions, religious or philosophical beliefs, data concerning health or a person’s sex life or sexual orientation do you need to obtain explicit consent? What will you do about past data and for the future? They involve different issues. Think it through, and document your situation, and if you need guidance, get proper legal help.
Data Protection Officer?
You will also need to make some incidental decisions such as whether your business is required to appoint a Data Protection Officer and to do a Data Protection Impact Assessment. As a general rule, if you’re a small business and you’re not doing any profiling or processing of data on a large scale it’s unlikely you’ll need either of these.
However, as businesses are so different in terms of their size and processing activities, and the rules are still changing, even now, I suggest you look on the ICO’s website to decide whether you need to appoint a Data Protection Officer or to do a Privacy Impact Assessment, and then document your decision.
As already mentioned, before you can draft your privacy notice, an important decision you need to make is the lawful grounds for each of the processing activities you have identified. For most businesses the choice will be between
performance of contract;
legal obligation to which the controller is subject;
If you decide that you have a legitimate interest to continue to email your list of contacts, document your reasons for this. Like that you will have an audit trail to remind you why you took the decisions you took months after the event when memories will have faded.
Once you’ve done all this you should decide what steps you will have to take to comply with GDPR and put in place a prioritisation plan. It’s highly unlikely that you will be able to do everything in one go, so you’ll need to decide how to focus your available resources.
Particularly noteworthy for GDPR compliance is the need to get processor contracts in place with non-employees or other third parties who process data that you’re responsible for as “controller”. The GDPR rules require you to have a written agreement with your third party processors (for example, payroll provider, freelancers, software providers, as well as apps you may be using). The terms that must be included in the agreement are prescribed. Make a list of all the individuals and sites you use, and plan from there.
There will be some processors who need to sign your processor agreements more urgently than others depending on the data to which they have access and where they’re located. Get a few contracts ready to send out for signature.
If your processors are based in countries outside the EEA then you have additional obligations, such as to find out whether the country they’re located in has an adequacy finding. Only a dozen or so countries are considered adequate and the USA isn’t one of them. So, for US entities like Mailchimp, you’ll need to find out if the organisation is certified under the Privacy Shield and add this information to your Privacy Notice. If you cannot find any other basis then introduce a contract using the Model Clauses provided by the EU.
While in theory you can introduce a contract and continue your current data transfer activities, the GDPR principles should prompt you to rethink your current practices.
For example, using a one man band freelancer in India who has access to your entire database of contacts might be a questionable decision. You may want to reconsider whether you can really justify continuing to give access to so much data to someone based in an inadequate jurisdiction. However, if you’re committed to using that resource for now then put in place the Model Clauses and make a note to revisit this decision in the near future.
Using these documents with a freelancer who is not worth suing is arguably not an appropriate safeguard long term. So, you should reconsider your resourcing policy to gradually change the nature of the responsibilities you outsource to jurisdictions outside the EEA.
Certainly if you’re choosing new freelancers this might be an ideal opportunity to use one within the EEA.
If you use an appropriate provider for your templates you should be able to get a decent privacy notice in place to send to your freelancers and employees, and another one to post on your website. Then send an email to your subscribers to notify them of your new privacy notice and if you get a chance, give them a way to update their marketing preferences.
As for cookies, we use this neat solution for cookies on our website. There are a few cookie issues which I need to consider more deeply for our site, and so this is something I will be revisiting, and I’ve made an appropriate note in our risk management policy about it.
In conclusion, while there is a lot to do to comply with GDPR, it is possible to begin working towards compliance even now at this late stage. If you’ve not yet addressed these GDPR issues in your business and want help, Azrights is there to support you.
In my final blog post I’ll be covering marketing and how to set your strategy for the future so you can build your marketing lists in a GDPR compliant way. It’s a real opportunity for your business to sharpen its approach to marketing.
In yesterday’s post What Not To Do When It Comes To GDPR I outlined the confusion that the GDPR laws have spawned. Understanding why the GDPR rules were introduced, and what they are aiming to achieve will help in complying with them.
GDPR is the first wholescale attempt to tackle the many privacy issues and risks that arise from the processing powers of modern technologies and the internet. Protecting people’s personal data is a fundamental human right and is enshrined in the law.
As business owners with access to other people’s information we have responsibilities to support those rights. The old data protection laws were introduced at a time when the world was a very different place. They pre-dated the internet. Google had only just been founded and it was another 7 years before the iPhone was released.
GDPR addresses a new world where social media, cloud technologies, and apps often require access to our location, images, emails and other personal information. All of this means that behind the scenes our “personal data” is being processed and is forming part of massive, and ever-growing datasets. This in turn has led to the development of other technologies with names like big data and artificial intelligence (AI), which have major implications for data protection law.
The new technologies provide such extensive abilities for businesses to profile us and use data about us in ways we may not even be able to imagine, that if things continued unchecked by legislation our privacy would be seriously endangered. It’s worth watching the Black Mirror TV films to realise how important privacy is. It shouldn’t be taken for granted.
Terms and Conditions
It’s true that nobody reads terms and conditions when they want to use a new app or useful tool. The upshot is that we tend to agree to all sorts of conditions without even being aware what we’ve signed up for. However, that’s not because we don’t care about our data. It’s because we assume there is no alternative. The reason we don’t read terms before we give consent to use of our information is that we often don’t have time, and want to avail ourselves of the services and tools on offer.
The GDPR regulations are designed to ultimately enable us to get access to products and services without giving away so much of our data. GDPR changes the existing scenario by ensuring we become better informed about the implications on the one hand, and are given real choices on the other.
For example, the regulations impose requirements on tech companies to educate us and to design their platforms with privacy considerations in mind. This means a “take it or leave it” stance to accessing our information in return for letting us use an app is unlikely be the prevailing attitude of future apps.
The legislation has teeth. There are eye watering fines for companies that ignore GDPR, which will have even the richest of them pay attention. All of us need to minimise the data we collect to what is really needed.
I’ve sometimes wondered whether some ecommerce sites really need to take my date of birth when all I’m doing is buying an item of clothing and paying by credit card or paypal. Why ask for my date of birth during the registration process? I used to abandon my shopping if a site asked for my date of birth, but then as more and more of them did so, I reluctantly gave them this information. But it didn’t mean I was happy to share this data.
GDPR discourages taking more information than necessary for the product or service to be delivered. By reducing the information we must give when signing up with a new provider we will be able to minimise the quantity of data that is collected about us. Data minimisation is an important GDPR principle.
GDPR Will Be Even More Important After 25 May
GDPR is no Y2000 or deadline driven momentum which will go away once we pass 25 May. Far from it.
It’s worth mentioning here that the UK is firmly committed to complying with GDPR long term so Brexit will not affect the applicability of GDPR to UK businesses. Even organisations outside the EEA are realising the implications GDPR has on them (because they process EU individuals’ personal data) so they’re busy making changes to their platforms to avoid being locked out of the EU market. They have little choice but to comply with the EU’s GDPR laws and nor have you.
Although there are powers to impose hefty fines and administrative penalties, the ICO has been at pains to let it be known that fines are not going to be their first line of attack. Instead they want to encourage and educate so that all businesses become aware of the new laws and implement necessary changes.
Work Towards Compliance Now
Still that doesn’t mean the ICO’s tolerant stance is condoning those business that are taking no action, and simply ignoring compliance with GDPR.
Coming to the attention of the regulator is never desirable, as it could take up time and resources you may not have, and end up costing you a lot more money as a result. Far easier to take stock now and deal with it, and get peace of mind that you’re on your way to complying with GDPR. What’s the point of delaying?
25 May will be just the beginning of a sea change in the way businesses manage and process data. GDPR is designed to make us all far more responsible and thoughtful about the data we hold. There will be a gradual cultural shift such as occurred with stop smoking campaigns, or seat belt wearing, or not drinking and driving. Our children and grandchildren will become savvy about their data, and will use the available controls to protect their data and minimise what they give access to.
GDPR Is Overwhelming
I’m not going to try to minimise it and tell you that complying with GDPR will be simple. The truth is that GDPR is all encompassing, impacting so many different areas of a business that it can be quite overwhelming for businesses. Business owners are already time poor and stretched thin. Taking on the onerous obligations of GDPR on top of managing a business is no mean feat. However, it is a legal requirement to comply. Also, it does present a chance to run a better business.
I’m confident that businesses that adopt the right approach and tackle GDPR by putting in place the right systems and procedures will improve their businesses in the process. They will also find it easier to work towards compliance on an ongoing basis ensuring that GDPR principles become second nature to them.
So, I would urge you to take the plunge and embrace GDPR, as you do so many other areas of your business. Begin to understand your obligations so you can put in place the steps to take responsibility for the data you’re handling.
Once you’ve set your strategy, including for matters like marketing, and drafted your GDPR compliant Privacy Notice you’ll need to send it to your clients and subscribers and add it to your website. Your data subjects have the right to know how you collect and process their personal data, for what purposes you use their data, the legal grounds of processing such data, and how you keep their data secure, as well as their rights in relation to such data. That’s what the new style Privacy Notice details.
In tomorrow’s blog we’ll look at the tactical steps to take to start complying with GDPR.
Every organisation is affected by Europe’s new General Data Protection Regulation or GDPR as it’s known. I’m sure you’ve heard plenty about it.
GDPR represents one of the biggest shake ups in the privacy and data protection laws since the internet. The recent Cambridge Analytica and Facebook incident involving misuse of hundreds of Facebook profiles has only added to the significance of GDPR.
GDPR is a complex piece of legislation which applies to every business whatever its size. If you have names, phone numbers, email addresses of customers, prospects, employees or suppliers, then GDPR affects you.
GDPR looks set to become one of the most substantial pieces of legislation that businesses of every size will have to tackle. Companies that had previously regarded non-compliance with data protection laws as low risk are beginning to re-evaluate their positions in the light of the substantial new fines, increased enforcement powers and grounds for judicial remedies that exist under the GDPR.
Chaos And Myths
So, there is chaos currently as myths have come about to the effect that after 25 May you cannot communicate any more with customers, or leads who came on board before 25 May. Some businesses sending out these emails have no clear idea why they are sending them. It’s sometimes a knee jerk reaction, and therefore ill thought through. They risk having to stop communicating with many of their existing lists, and past subscribers.
You don’t have to do that. However, there are certain processes you do need to put in place and decisions you need to make as a business owner to allow you to continue communicating with your subscribers.
GDPR isn’t the simplest of laws. There are numerous regulations that come under the GDPR umbrella. There are grey areas and until there is a body of case law, it’s not completely clear how certain aspect of the law will be interpreted. The key point is that you don’t have to send one of these emails telling your customers that you won’t be communicating with them anymore. There are strategies you can adopt to avoid being one of those businesses sending out these emails which are clogging up people’s inboxes.
Opt In Forms?
And if you capture data on a website by offering useful information, or letting site visitors request a call back or information, GDPR covers this too and there are a series of steps you need to take as a business to know how to carry on doing that. There are some myths that have built up around this too. You don’t necessarily need to add tick boxes. You can comply without one, and if you do add one you need to make sure you understand why you’re adding one. Otherwise, you could still end up non compliant despite paying web developers to add them. Depending on the form and what you want to achieve you may be able to avoid adding a tick box by changing the terms of your offers. I talk about that later in this series of 4 training blogs.
Compliance with GDPR involves a number of steps, including putting in place documents to be able to show your compliance should the Information Commissioner’s Office (ICO) need to investigate you for any reason. These are the key points to be aware of.
This mini training tells you what you need to know to work towards GDPR compliance. Whether you do this in time to meet the deadline of 25 May 2018, or come to it later after the deadline has passed, as many will, it’s important to realise that compliance with GDPR is not optional, just as operating PAYE, or other legal obligations are not optional. Nor is it something you do once and then forget about.
The Right Steps To Comply
Better to take some steps, albeit imperfect ones, than to take none at all towards compliance. But make sure they’re the right steps. Avoid taking quick decisions to send ill-considered emails asking for consent or to add tick boxes to your web forms. First make sure you have adequate information and legal guidance to properly assess the situation you face. Then decide what steps to take to address the different categories of data you currently hold. The aim is to preserve your ability to communicate with your people.
And nothing in the regulations require you to delete data in a hurry. If you conclude that you cannot market to a list of people you do not need to remove them from your system before 25 May.
In terms of how to deal with collection of email addresses in future, make sure you are clear about what you want to achieve. Then properly understand what you need to do to be compliant. For example, what will you do when you go out networking and collect business cards? What changes will you make to existing forms on your website? It will vary depending on the form in question. What changes do you need to introduce? Then proceed to organise changes once you have an overall plan. Don’t do things in a piecemeal fashion.
I will say this. You may not need to engage your web developers to add opt in and opt out boxes on your forms. Before you proceed with development work take stock and set an appropriate strategy and document your decision. In the Marketing element of this training I’ve got some ideas for you on how you might address this but first it’s important to understand what these GDPR laws are aiming to achieve, as you’ll be better placed to implement your compliance plan.
The next blog in this series will be posted here tomorrow.
Back in 1987 when I joined Reuters as a relatively junior lawyer, one of my first assignments was to audit the company’s data processing activities. I spent a few months visiting senior managers’ offices around Reuters to explain the new laws in a bid to understand the data each section was collecting and storing. I would tick off various charts in the process. I no longer remember what else I did to ensure Reuters would be compliant with the Data Protection Act 1984, but it was a simple exercise compared to GDPR.
In those days there was no internet so the landscape was far less complicated than it is today even though Reuters was a large tech company. The widespread use of cloud computing and dedicated apps for functions like accounting, marketing, time recording and more had yet to develop.
Since founding Azrights there have been some data protection projects involving data breaches or creation of new databases. Often these gave rise to legal questions such as whether IP addresses, or particular postcodes were personal data, and what is involved to anonymise data in order to exploit it. However, apart from these rare instances, by and large data protection has been of low interest to clients whose main priority was to obtain documentation for their websites.
Fast forward to today, and GDPR looks set to become one of the most substantial pieces of legislation that businesses of every size will have to tackle. Companies that had previously regarded non-compliance with EU data protection law as low risk are beginning to re-evaluate their positions in the light of the substantial new fines, increased enforcement powers and grounds for judicial remedies that exist under the GDPR.
There are many facets to GDPR, one of which is the ban on the transfer of data outside the EU. This will impact the widespread practice of using freelancers located in low cost countries like India, or the Philippines for various business functions. It’s worth mentioning here that the UK is firmly committed to complying with GDPR long term so Brexit will not affect the applicability of GDPR to UK businesses.
What Transferring Data Outside the EEA Means
Transfers of data outside the EEA are only permitted in limited situations, such as where the recipient country ensures ‘adequate’ protection for data subjects and their personal data. It’s important to note that “transfer of personal data” doesn’t just mean the sending of personal data in the form of paper documents or emails from one country to another. Many of us are routinely transferring data outside the EEA when we:
Communicate personal data by telephone, email, fax, letter, through a web tool or in person to countries outside the EEA;
Use IT systems or data feeds leading to personal data being stored on databases hosted outside the EEA;
Use freelancers or companies located outside the EEA who can access or “see” our personal data held in the EEA; and
Outsource, offshore, use cloud computing, or third party apps located outside the EEA for various business functions.
The online world is borderless, while the GDPR laws have clear boundaries. This means we either need to find a justifiable basis for continuing our existing data transfer activities or change our practices.
The GDPR imposes substantial and onerous new obligations on all of us. Because it impacts so many routine business functions that need to be reassessed nobody can ignore it. Some of the rules under GDPR are less onerous for small businesses, but it doesn’t exempt anyone, not even micro businesses. Many organisations outside the EEA are realising the implications GDPR has on them (because they process EU individuals’ personal data) so they are busy making changes to their platforms in order to avoid being locked out of the EU market. They have little choice but to comply with the EU’s GDPR laws.
Although there are powers to impose hefty fines and administrative penalties, the ICO has been at pains to let it be known that fines are not going to be their first line of attack. Instead they want to encourage and educate so that all businesses become aware of the new laws and implement necessary changes.
Implementing GDPR is time consuming, wide ranging, and even overwhelming. The more you do, the more you realise there is to be done. So, don’t delay. I would recommend reviewing the ICO’s resources, and if you want help, then Azrights is here to support you.
One benefit of using my guidance on GDPR is that I have a few grey hairs, and have a commercial approach to risk management. Many decisions involved in applying the GDPR regulations are not black and white. Until a body of case law develops to interpret the different aspects of the regulations, you need to make a judgment call as to how to apply the new laws to your business, what to prioritise and focus on, and how strict to be when implementing the different rules. If you want a lawyer who will help you to make sound choices I’m well placed to support you.
In the last blog, I looked at the issue of protecting your blog content and blog identity. This blog looks briefly at some of the issues concerning the inclusion of other’s material in your blogs.
As I mentioned in the last blog, as a blogger you need to look in both directions when talking about intellectual property (“IP”). In particular, you need to ensure that what appears on your blog – whether that be blog text, photos, or comments – does not infringe the IP rights of someone else.
Clearing your blog identity for use
Before you launch your blog, with your new blog identity, you should carry out trade mark searches to ensure that your logos, name or taglines do not infringe the registered trade marks of another person or company.
Public domain and copyright
Moreover, you should ensure that the contents of your blog presence do not infringe another’s copyright. Content is not necessarily in the public domain just because it is freely available to access on the Internet. Unless you have created the content yourself – for example, taken that photograph yourself – you cannot assume that it is not protected by copyright. In fact, you should usually assume the opposite.
Most content is protected by copyright and that copyright will only expire 70 years after the death of the author. This means that most current content is copyright protected. While it is true that there are exceptions which permit some use of protected material – fair dealing in the UK or fair use in the United States, these are limited in scope, as you will see below.
Use of stock images
These days, with search engines like Google, there are thousands of images online which bloggers may wish to use in their blogs. However, just because an image can be viewed or downloaded online, does not necessarily mean that it is freely available. Most such images are protected by copyright and downloading one for your blog may well amount to unauthorised reproduction contrary to copyright law.
Fair dealing of copyright material
What happens if, as a blogger, I want to use material such as photo from a news event, or if I want to quote from an article, poem, book or even if I should want to parody such material?
Well, assuming that the content you wish to use is protected by copyright (which is likely), the general position, at least in the UK, is that the reproduction by you of a substantial part may amount to copyright infringement. In order not to get bogged down here with the somewhat tricky issue of what amounts to a “substantial part”, we can say that fortunately, the law provides for limited exceptions which in the UK are described in law as fair dealing.
Although there are a number of fair dealing exceptions, only a few are likely to be relevant to bloggers. These include (a) criticism and review, parody and quotation, (b) reporting of current events, and, not strictly fair dealing but convenient to mention here, (c) incidental use.
If for your blog, you reproduce part of a copyright work – let’s say an online article or a poem – in order to criticise or review that work or another work, your use may qualify as fair dealing under the law in the UK. This includes also if you include a quotation. It is important to note that you are not free to reproduce at will. Your use must be “fair” so reproduction of an entire article or poem on your blog presence is unlikely to be fair. The exception applies only to published works. Moreover, you must normally include a sufficient acknowledgement of the original work.
The law in the UK also provides for fair dealing of third-party copyrighted material for the purpose of reporting of current events. However, photographs are excluded from this exception and so you cannot download and reproduce a photograph for the purpose of new reporting on your blog. While it might seem obvious, the events must be “current” and you must normally include a sufficient acknowledgement.
A blogger may also make incidental use of another’s copyright work without infringing copyright in that work. However, the law in the UK expressly excludes the deliberate inclusion of another’s music or lyrics. For example, you cannot add a song in the background of a video clip and if the song owner objects claim that your use was incidental use: it is not incidental use in this example because the music was included deliberately.
Creative commons licences
The last decade has seen the rise of open access forms of desseminating works. These provide for standard-form licences which allow any member of the public to reuse a work in particular ways. One popular method are creative commons licences which have sought to develop a suite of licences for many types of works, other than software.
Basically, creative commons (“CC”) offers copyright owners a suite or menu of licences. Some of these only allow reuse in an unmodified form. Some only allow reuse with attribution. Others only allow reuse for non-commercial purposes.
While CC licences have become extremely popular in recent years, it seems that the most common kind is the “attribution, non-commercial, non-derivative works” licence which only allows the user to reproduce, distribute, or play the work in a non-modified form, only for non-commercial purposes and with attribution of authorship. As a consequence, CC licences are generally better suited to users who do not seek remuneration from copyright.
Using other’s logos or trade marks
As a blogger, to what extent can I include the brand logos or trade marks of others in my blog content? In terms of logos – say, logos of famous companies such as Virgin, Barclays, or Coca Cola – the best advice is: “don’t”. Although brand logos are usually protected by trade mark registration, most of them are also protected by copyright and so any reproduction by you on your blog of another’s brand logo is potentially copyright infringement.
In contrast, the mere reference in your blog to a word trade mark – such as “BARCLAYS BANK” or “GAP” – is not necessarily trade mark infringement. This is because, generally speaking, trade mark infringement is based on consumer confusion and so a mere reference to BARCLAYS BANK in your blog is not necessarily going to confuse your readers. That said, if your use is such that the relevant consumer might be led to believe that your blog is somehow connected to or supported by Barclays Bank, your use could potentially amount to trade mark infringement. So, probably the safest approach is to stick to mere referential, or passing textual, use of another’s word trade marks and avoid using other’s trade marks in such as way as to cause consumer confusion.
So, now that you have some basic insights into the IP laws, happy blogging!
These days, any of us can be a blogger. Gone are the days when you needed to be a print journalist or published author to get your writings in front of the public. Now, with just a web presence and an interesting angle on life – be it about sport, politics, food, music, you name it – you can blog and, what’s more, you can be read by thousands or even millions.
However, in addition to the web presence and a literary flair, you should in fact have something else as well: at least some awareness of intellectual property (“IP”) and its impact on your blogging world. IP is essentially about protecting our intellectual creations, and that includes of course our blog entries. But whatever A has protected, B may infringe. So, when we look at blogging and IP, you need to look in both directions: how can you, as a blogger, protect your IP and also, how can you ensure that you, as that blogger, do not infringe the IP of another person? Here today we look at “A” – what you have protected. In the next blog, we look at “B” – avoiding infringing what some one else has created or protected.
While IP embraces a bundle of different rights, in this blog we are going to look briefly at the two most important rights for bloggers: trade marks and copyright.
It really is amazing that some bloggers enjoy a huge reputation online and yet they have never protected their blog identity by means of trade mark registration. For example, it seems that Turner Barr – about whom we say a little below – of “Around the World in 80 Jobs” fame, did not file a trade mark application until after he had settled what is probably one of the most high-profile IP blog disputes to date.
Blogs do not respect national borders
Blogs, being online, do not respect national borders which can make trade mark protection, being generally national in nature, potentially complex. However, it is advisable to file to register your blog name and blog identity as trade marks at least in your home country. By means of the priority filing system, you can file elsewhere in the world within 6 months of your initial home filing and maintain the original filing date.
Let’s turn to copyright. Copyright arises automatically as soon as your writings, photos, music or other creations are fixed in a recorded form. For example, as soon as you save your blog entry on your computer, it is protected by copyright as a literary work. Similarly, as soon as you take a photograph on your mobile phone, it too can be protected as an artistic work.
Although Internet Service Providers (ISPs) are not liable if another person takes your blog material and posts it elsewhere online, you still have options. For example, if the infringer refuses to take-down the lifted material, you may be able to achieve that result by filing a take-down notice with the website provider. Social media companies such as Facebook have well-established take-down procedures by which they will remove infringing content upon proof that it infringes your IP rights, including your trade marks and copyright.
What then about Turner Barr mentioned above? Turner created a highly-successful blog called “Around the World in 80 Jobs” which recounted his experiences as a young millenial in obtaining sometimes strange and wonderful jobs around the globe but which also provided information and advice to young people about gaining employment. In 2013, Swiss employment company Adecco produced their own version of his blog, and they filed trade mark applications in various countries for “Around the World in 80 Jobs”. Happily, all’s well that end’s well. After a sustained campaign on social media, Adecco agreed to drop its version of “Around the World in 80 Jobs”, and withdrew its trade mark filings.
It’s worth noting though that it might have been much more straight-forward for Turner if he had filed to protect his blog presence as a trade mark before his dispute with Adecco.
So, in sum, if you blog you have IP. Make sure both to protect your blog IP to avoid infringing the IP of others. In the next blog, we will have a look at some of the issues surrounding using the material of other people in your blog and how to avoid common mistakes.
GDPR is all about introducing greater transparency, increased accountability and enhanced privacy rights for all of us. For example, we can manage our permissions to tech platforms as a result of being notified about the data they hold and collect on us. These new rights are necessary in a world where the likes of Google collect the most mind boggling information.
The fact that GDPR requires tech companies to design their platforms with privacy built in, means a “take it or leave it” stance will no longer be the prevailing approach. The legislation has teeth. For example, there are eye watering fines for companies that ignore the regulations, which will have even the richest of them pay attention.
GDPR is all encompassing, impacting so many different areas of a business. So, it can be overwhelming.
A good place to start if you’re a small business wanting to understand your obligations under GDPR is the ICO’s site. There are plenty of resources provided to help you to comply, although I suspect the majority of small businesses will ultimately need help because it’s one thing to know about GDPR, but it’s quite another to know what to focus on when attempting to comply with the new laws given that there is so much to do.
There are certain actions that every business should be taking immediately to reduce GDPR risks. And that’s not the much publicised question whether or not to ask for consent to market to your lists which I previously wrote about on this blog GDPR – Why Consent Should Be Used As A Last Resort. Sadly too many advisers out there are still telling businesses that obtaining specific consent for everything is the way to go, which will place huge administrative burdens on those businesses that follow such blanket advice.
There are 3 steps every business should be taking in the light of the GDPR changes, that many businesses may be missing given the spotlight on email marketing. That is, to consider the data they hold in the cloud and take simple basic measures, such as:
Use strong passwords. If employees, virtual assistants, or contractors (such as your website development company) have access to your data, then are they using strong passwords so as to keep your data safe? They could easily compromise your security by their actions.
You should introduce clauses and contracts with your freelancers, and contractors. Explain the impact of GDPR. Are they using laptops with encryption? Do they know not to log into your sites in internet cafés? Are they always logging off when they leave their computers unattended? These basics are essential. You are responsible for educating your workers, contractors and other team members about GDPR and the actions they need to take so they don’t compromise security of your data or otherwise cause you to be in breach.
You want to let contractors such as your digital marketing agency, virtual assistance service, or web developers know that using outsourced staff and giving others access to your site without your knowledge is not permitted without your specific consent. These entities are processors of your data. They should not be appointing sub processors without your knowledge. You need to know if your agency is giving access to your data to a third party. Otherwise, what is the point of your doing due diligence checks when taking on an agency, only for them to engage a temporary helper (possibly using a less rigorous vetting exercise than you employ) to assist them when providing their services to you?
If you’ve not yet addressed these GDPR issues in your business then don’t delay as they are, in my view, one of the greatest security risks small businesses face.
If, on the other hand, you are an agency using outsourced team members to deliver services such as website design, form building, online questionnaire development, search engine optimisation, Facebook or Google advertising, and the like, then your business model may need some adjusting. You should be thinking about what your clients will need from you, and pre-empting their concerns.
With just over a month to go, and many contracts and steps to take immediately, you can’t afford to leave it any longer. While it’s unlikely you will face fines for failing to address every aspect of GDPR, doing nothing is not a sensible option. Come 25 May, your website will be a tell tale sign if you’ve not taken any steps to comply with GDPR.
We have various service options to help clients, ranging from access to templates and clauses, to providing some consultancy, or taking care of the entire process for you. Get in touch if you have would like a quote or have any questions.
While every agency understands how to use the creative process to create a brand name, few understand the legal implications of choosing one name over another.
Turning an idea into a business involves creating intangible elements like names. As these are governed by the law of intellectual property it means you are creating intellectual property.
Specifically, trade mark law protects names, and so one implication is that you need to choose a name that meets the requirements of the law.
To fully understand the impact of getting this right on both the agency and client side, it is worth reflecting on what value a brand brings to a business.
Value of a brand
A brand name is of the most valuable assets a business will have.
According to Forbes, the most valuable brand name in the world in 2017 was APPLE. It was worth $170 billion. GOOGLE takes second place, at $101 billion and MICROSOFT in third place, at $87 billion. Three words – APPLE, GOOGLE, MICROSOFT together are worth about $360 billion.
Just think about that for a moment. The world’s top three brands are worth many times the average country’s entire GDP (or annual economic output). That’s the value of a good brand name.
Based on the value of the world’s biggest brands, a good brand name needs to be:easy to pronounce and spell
• one that works internationally
• one that copes with business expansion or change of direction.
• one that is legally available
The final point is most important here.
The trade mark registers are cluttered, and the best .com domains are often already taken. Therefore, choosing a name invariably involves doing some due diligence.
An agency tasked with creating a name should really put forward a shortlist of 3-6 names for full legal clearance if the client is to stand a chance of finding one name that it may use.
Getting this wrong may not just mean the trade mark application is thrown out. The client may find itself on the wrong end of an enforcement action by another business whose trade mark is being infringed.
A name that infringes on someone else’s mark leaves the client with little choice but to rebrand. Some clients might sue an agency that created the identity for them, or require a free rebrand. Quite apart from the reputational damage for the agency, a name that the client can’t use would prove as problematic for the agency as it would for the client.
Not only is it worth getting this right to protect your agency, it also offers you an opportunity to deliver certainty and differentiation from other agencies who are less aware of the consequences.
An agency’s responsibility when creating a brand identity
When a client engages the services of a branding agency to create an identity, that agency is an adviser, and as such, is expected to understand the surrounding law.
While the agency might tell a client that certain actions that are required to clear a name for use should be undertaken by lawyers, it’s not possible to completely absolve itself of responsibility simply because some of the work involved in clearing a name is done by lawyers.
There are two levels of checks for brand names that should be undertaken:
1) Basic preliminary checks – often these do not require a lawyer and can be done through simple searches
2) Full clearance searching – in most cases done by lawyers
I’m of the view that while lawyers are always best placed to undertake full clearance and this is clearly the responsibility of the client, basic preliminary checks can and should be performed by the agency as part of the process of developing names.
This seems not to be the prevailing view.
One designer recently said to me that she does not believe she is responsible if a client of hers has problems with a name she selected for the client and the client decided not to register the name as a trade mark. According to this designer, if the client chooses not to trade mark the name then it’s the client’s fault if it later transpires there are problems with the name.
Quite apart from the fact that registering a name as a trade mark in no way helps if the name is not available to use, I have deep problems with this view. Protecting a name isn’t just about registering it as a trade mark. It’s more about checking that the name may be safely claimed.
If an agency is entrusted with creating a new brand identity, it’s reasonable for the client to expect that you will offer up names they have a fighting chance of using. This means doing some of the trade mark searches yourself, albeit leaving the full clearance searching to the lawyers.
While specialist full clearance searches might be left to the client to arrange with its own lawyers, any business choosing a new name for its clients does have a responsibility to ensure the name is legally available.
Understanding the legal requirements is essential if the selected name is to stand up to legal scrutiny. There are a number of searches that agencies should and could perform on a name – beyond a simple Google or .com search, which is often all that is done. If you fail to provide names which don’t even stand up to the most basic legal scrutiny, what is the client paying for when it pays to have a name created?
And, importantly, how does that reflect on your agency if a problem later arises?
The client’s responsibility when protecting their brand identity
Many clients don’t ask lawyers to do full clearance searches before applying for trade mark protection simply because they don’t realise this is an essential step in the process, rather than an optional step.
As clients frequently choose to not do further searches on names, (possibly because they have spent all their available budget on the brand identity work), it’s even more important for branding agencies to do “good enough” checks of names before proposing them to clients. Otherwise, what’s the point of branding a name the client can’t own? It would be building their business on a foundation of sand.
On one occasion when we were provided with a shortlist of six names by a designer, we found that the most basic search of the trade mark registers knocked out four of the names immediately. So, effectively, the client only had two names to choose from, and they were not the first choices on the list.
I hate to think what might have happened if the client hadn’t asked us to do clearance searches on the names. It might have gone with one of the names that were infringing with all the associated problems and risks.
This is why I would urge agencies to learn how to do some basic checks of the trade mark registers whenever they are creating a new identity for their clients. Indeed, a good agency should also perform its own checks on a name the client proposes using, even if the agency didn’t choose the name.
Again, it’s important to remember you’re not protected simply by virtue of registering a trade mark.
Taking steps to protect intellectual property
The identity of any well-known brand comprises a variety of elements. Trade mark law encompasses the name, and also any taglines, slogans, logos, designs, product shapes, sounds, smells, colours, and other features that distinguish a product or service from its competitors.
Bear in mind that whenever you turn an idea into a product or service you’re also creating intellectual property assets. Copyright law is highly relevant in brand creation. Therefore, copyright and other intellectual property issues need to be top of mind in the early stages of identity creation.
However, the primary identity of any successful brand is inevitably in its name. Protecting the future value of a business involves protecting the name, and also taking account of IP as a whole.
An agency should create internal processes to ensure names are properly checked out before any short list of names is offered to the client.
There are three steps that any business should take to protect its intellectual property if it is to build value, and avoid disasters such as the need to change its identity.
Imagine having to rebrand due to problems with a name or copyright work. While this might seem unimaginable for the likes of the world’s top brands, problems around names and IP can affect even them.
For example, Microsoft had to rebrand after being ordered to do so by a UK court for infringing on a trade mark owned by British Sky Broadcasting Group (BSkyB).
The value and safety of your own and your client’s intellectual property is more important than ever before. Do it right and the intangible assets you create could be worth far more than the cost of producing them. Do it wrong and you could miss vital opportunities, have your true value stolen or find yourself on the wrong side of an intellectual property dispute.
To find out how to protect your own agency’s intellectual property and that of your clients register your interest to learn about IP Fundamentals including the Azrights Naming course.