It could be that something as seemingly simple as taking online payments has exposed a business to new rules and regulations
The coronavirus pandemic has forced new ways of operating on businesses large and small. While this has sped up innovation and encouraged leadership teams to try things they might previously have not prioritised, it has also increased exposure to different types of risk and potential pitfalls.
In partnership with international law firm Morrison & Foerster, Be the Business has looked at some of the technology changes that may have been made. Breaking it down into “key issues”, “action items” and “enforcement”, use our expert advice to make sure your business is operating ethically, legally and effectively in this very different economic climate.
Some of our explanations may seem quite detailed, but it’s vitally important to make sure your business is addressing crucial compliance considerations. We’ve broken it down into scenarios you might now find yourself in, so it’s easier to digest and to take any relevant actions away.
We’ve also got an article looking specifically at legal compliance relating to employment changes made during the pandemic. Make sure you see if there’s something you need to be looking at there.
This information, brought to you in partnership with Morrison & Foerster, is provided for general information only. It is not intended to amount to advice on which you should rely. Neither we nor Morrison & Foerster act as legal advisor for those who access the content on our site. Please see our full terms and conditions below and our more detailed website terms of use.
Here are the scenarios we have some advice about below:
So you’ve started taking transactions online
So you’ve started capturing customer data (in a way you hadn’t before)
So you’ve implemented new digital communication tools for your staff
So you’ve started transacting in other countries (having only operated in the UK before)
So you’ve developed new intellectual property during the coronavirus outbreak
So you’ve developed an online social media presence
So you’ve started using outside agencies and you’re sharing sensitive data
So your staff are at home with company hardware but on their own networks
So you’ve started a joint venture
So you’ve started giving some of your digital products and services away for free
So you’ve started taking transactions online
Key issues
Terms and conditions. Your website should have legal “Terms of Use” already. Do those terms also cover online sales? If not, do you need to amend your existing terms (or put in place a whole new set of terms) that do this?
Consumer laws. There is an extensive and, at times, complicated set of laws designed to protect consumers from unfair trading practices. These impose wide-ranging obligations on traders so you’ll need to comply with them if you’re selling to consumers (B2C). Some will still apply even if your sales are to other businesses (B2B). The rules cover mandatory information that has to be provided to customers, unfair terms that can’t be used and statutory rights and remedies that you must offer to customers. This will vary depending on the nature of your business and its customers
Pre-contract information. Traders must supply certain information to customers before a contract of sale is concluded. Some of the legal requirements apply to traders supplying business customers as well. There are different obligations as to when, where and how this information must be provided
Accessibility. Traders must make reasonable adjustments to ensure that their website can accommodate all users, including the disabled. This doesn’t just mean font size, although a small font may place those with a visual impairment at a disadvantage and may prevent them from accessing the website (which may constitute unlawful disability discrimination)
Payment services. Depending on the nature of your business, you may also need to consider the legal rules around taking or facilitating online payments. If you are just taking payments online, you are most likely to just need a third party provider to actually take and process those payments – something like PayPal, SagePay or WorldPay, for example. However, the payment services industry is a heavily regulated and complicated area of law, with different registration and authorisation requirements depending on the nature of your business
Action items
Make sure that your online sales process is correctly constructed. For example, make sure that it’s your customers who offer to buy from you rather than you offering to sell – and then the last step in the process ought to be in your control. Don’t be like the retailer who mistakenly offered to sell TVs for £50 instead of £500 – and then had to honour the orders received at the wrong price because, legally, the process was designed to conclude a contract with the buyer’s online click
Have a legal professional look over your terms and conditions, to ensure that they contain suitable provisions to cover the way in which you’re doing business. If your customers are consumers, you’ll need to make sure that these terms and conditions are drafted fairly and transparently – so avoid using legal jargon, and make them as easy to understand as possible. There are a number of provisions that are automatically deemed to be unfair and therefore unenforceable against consumers (including provisions that exclude liability for death or personal injury, for example), but there is the much harder area of potentially “grey listed” terms that might not apply to consumers, depending on the circumstances. A legal professional will be able to look over your terms and advise you whether or not they are suitable and compliant with applicable consumer laws, as well as what practical steps you can take to help mitigate the risk of “grey listed” provisions being found unfair
Separately, another thing to consider is, if your customers will be a mix of both other businesses and consumers, would you want to have two separate sets of terms to apply to each type of customer, or would you want to deal with different types of customers in the same document? Or would you want to afford your business customers the higher level of protection that you are obliged to give consumers? Discuss these issues with a legal professional, who will be able to help you draft your terms and conditions in the most appropriate way for your business
Check that your current policies align with what your customers are legally entitled to – i.e. make sure that consumers are not saddled with return costs for faulty products, and that your returns period is in line with statutory minimums
You should also check what information you are legally obliged to provide, depending on the nature of your business. You should consult a legal professional to provide tailored information for your business, but the types of information that are typically required include delivery restrictions, main characteristics of the goods, services or digital content being provided, identity of the trader (i.e. your company), address and contact details of the trader, total price of the goods or services (or how this will be calculated), additional delivery charges or other costs, payment, delivery and performance arrangements, complaint handling, cancellation rights, payment obligations on return of goods, details of any after-sales services or guarantees, and many more
Discuss with your website designer the measures to adopt to make it easier for the visually impaired to view your website. For example, the correct coding can provide text or audio descriptions of the graphics or animation, or you could provide a text only version or a non-flash multimedia version. You should consider how the website works with screen readers and other accessibility tools used by the visually impaired
Take a look at the FCA website on electronic money and payment institutions, specifically the page that sets out key considerations when determining if your business provides payment services. If you think this might apply to you, seek specialist legal advice on what your legal obligations might be.
Enforcement
Consumers may be able to bring private actions against your business for breach of contract, or apply to a court to force you to comply with your consumer law obligations, or rescind the contract entirely, depending on the circumstances
Any terms or conditions that are deemed to be “unfair” will not be enforceable against consumers
Enforcement bodies such as Trading Standards or the Competition and Markets Authority may apply to court for enforcement orders against you in respect of breaches of consumer protection legislation
So you’ve started capturing customer data (in a way you hadn’t before)
Key issues
What data are you collecting? In particular, assess whether it includes personal data. If so, the GDPR and UK Data Protection Act 2018 will apply. Note also that specific requirements will bite if you are collecting “special category data” or data relating to children (i.e. anyone under the age of 13)
Do you need to carry out a Data Protection Impact Assessment (“DPIA”)? If your use of the data is likely to result in a high risk to individuals, you will also need to conduct a DPIA prior to collecting and/or otherwise using the data
What is your lawful basis? If you are collecting (and/or otherwise using) personal data, you will need to have a lawful basis for doing so. Your lawful basis may depend on the circumstances, but often it will be that you have a “legitimate interest” to collect the data.
Have you informed the individuals concerned? You will need to ensure that the individuals whose data you are collecting are informed, particularly if you are using their data in a new way. This may involve updating your privacy notices or other customer-facing documentation
Have you got systems in place to deal with data subject requests? Individuals have a number of rights in respect of their personal data, including – among other things – subject access rights (a right to see all personal data that you hold about them), as well as rights to erasure and rectification. You should have processes in place to review and respond to requests from customers (typically within a month of receipt, as required by the GDPR)
Do you have an internal data protection policy? The GDPR requires “Data Protection by Design”. This means that you must have in place appropriate technical and organisational measures so that data protection is “baked in” to your business practices. This means that, for example, you should have internal data protection policies so that your employees know how to handle personal data. You might also consider whether you need to provide training to your employees about data protection. You may already have these policies in place, but should consider whether you need to make any updates in light of your new collection of customer data
Do you need to update your records? If you have over 250 employees, you must maintain a record of your processing activities (if you have fewer than 250 employees, you may still need to record parts of your processing activities e.g. if the processing will result in a risk to the rights and freedoms of individuals). If you are already required to document your activities, you may well need to update your records to reflect this new collection from customers.
Do you have an Incident Response Plan? You should have processes in place to be able to deal with data breaches, and bear in mind that personal data breaches must be reported to the ICO as soon as possible (and within 72 hours)
Will you be engaging in direct marketing? Note that specific requirements apply if you intend to market directly (e.g. by telephone, email or by direct message on social media) to individuals (as opposed to other businesses). Typically, you will need consent before you can send a marketing message, and such consent must be specific, informed and freely given
Action items
Identify what personal data you will be collecting (if any) and whether this gives rise to any further, more specific obligations, such as a DPIA. You will only need to conduct a DPIA where your use of the personal data is likely to result in a high risk to individuals (e.g. if you are processing special category data on a large scale, profiling individuals on a large scale, or collecting genetic or biometric data)
Identify what lawful basis is most appropriate for your collection and use of the data
Ensure that you have informed individuals of certain details, including your identity, the data you intend to collect, why you are collecting it (and on what basis), any potential recipients of the data (if you intend to transfer it) as well as whether you intend to transfer it outside of the EEA. You can do this by updating your privacy notice or other customer-facing documentation
Consider whether this new collection of data requires you to update your internal data protection policy, or to put in place any data protection training for your employees (or any other measures – whether technical or organisational – to ensure that you are adequately securing the data)
If you are required to maintain a record of your processing activities, update your records to reflect the new customer data you will be collecting (as well as how you will be using it).
If you intend to use customer data for marketing, and the customers are individuals (as opposed to other businesses) ensure that you have their consent prior to sending them any marketing messages
If this is the first time that you are collecting personal data:
you may need to pay a data protection fee to the ICO (this ranges from £40 for small organisations (with a maximum turnover of £632,000 for the financial year or no more than 10 employees); £60 for medium organisations (with a maximum turnover of £36m or no more than 250 employees); or £2,900 for large organisations (who do not meet any of the criteria listed above))
you may need to develop the documents/records above for the first time, rather than update them
you will need to have processes in place to review and respond to requests from individuals who are exercising their rights under the GDPR
you will need to develop an incident response plan that takes into account personal data breaches (including e.g. the relevant deadlines for notifying the ICO)
Enforcement
Failure to comply with data protection legislation can ultimately result in a fine from the ICO, up to a maximum of 4 per cent of annual turnover or €20m (whichever is higher). That being said, the ICO has said in its Regulatory Action Policy that fines are likely to be a last resort – in the first instance the ICO will investigate any infringement of data protection law (and will, in the first instance, ask you to stop the infringing activity). However, this will depend on the nature of the infringement – for example, a fine might be more likely if you suffer a particularly severe data breach and are found to have had inadequate security measures in place
Note that, while many of the rules discussed here stem from the EU GDPR, the UK has essentially written the GDPR into English Law. So even after the Brexit Transition Period comes to an end after 31 December 2020, these rules will continue to be relevant and enforced in the UK
So you’ve implemented new digital communication tools for your staff
Key issues
Understand what data will be collected. You need to know what sort of data is likely to be created and shared in whatever digital communications tools you use
Create an internal data protection policy. The GDPR requires “Data Protection by Design”. This means that you must have in place appropriate technical and organisational measures so that data protection is “baked in” to your business practices. This means that, for example, you should have internal data protection policies so that your employees know how to handle personal data. You might also consider whether you need to provide training to your employees about data protection. You may already have these policies in place, but should consider whether you need to make any updates in light of your new collection of customer data
Explain the rules. Make sure that your employees understand how to use the digital communications tools – but also the “rules” that they need to follow, and that misuse will not be tolerated. Explain what constitutes “misuse”
Think about security and access. What rules apply to passwords and how often they are changed? How do you stop unauthorised access? How do you terminate access when an employee leaves the company? Are there different rules on access by mobile devices outside the workplace?
Think about confidentiality. Are there things you don’t want to be shared on employee communications platforms – things like trade secrets or client lists, for example?
Action items
Make sure that you have appropriate policies in place. This will include a privacy policy – but also an “acceptable use policy” which makes it clear that it’s not OK for employees to use the company’s platforms for things like harassment, discrimination or to circulate offensive material
Train everyone. It sounds simple but the biggest issue in maximising value from digital communications tools is lack of user up-take because of poor understanding of the benefits and ways of using platforms
Decide who is responsible for the effective operation of your policies and for ensuring compliance – that ought to be the IT head on a day-to-day basis, but ultimately the Board.
Will you monitor what goes on between employees? If so, you need to be careful to only do so legally and in compliance with the GDPR, for example
So you’ve started transacting in other countries (having only operated in the UK before)
Key issues
Do you need a local set-up? Selling internationally doesn’t necessarily mean that you need to establish a separate company for each (or any) foreign country. To start with, you could just sell remotely from the UK – and just have a cross-border contract with your customers. You may even be able to use your existing sales terms under UK law
Local law issues. You’ll need to comply with some laws of the place you’re selling to. Have you considered whether local tax, e-commerce, product liability, data protection, advertising or corporate laws might apply? The laws that apply vary by country and also depend on what products or services you’re selling. If your customers are individuals, you’ll probably have to comply with local consumer protection laws
Setting up abroad. At some point, you may want to set up local subsidiaries – but that doesn’t need to be immediately. It’s more important when you get to the point of needing local on-the-ground support for marketing, sales or post-sales support. Doing things like setting up a company or employing local people are likely to constitute a “permanent establishment”, which will have tax consequences that you need to understand. But you could choose instead simply to sub-contract local support issues to a local partner
Employment issues. Have any of your employees had to move, or otherwise shifted their responsibilities to a new jurisdiction? Or have you hired locally? Employment laws vary greatly and many countries offer more protective employment laws than the UK. Check the requirements before you employ people locally, and get the right employee contracts in place.
Import and export laws. Make sure you complete the correct customs formalities if products have started moving across borders
Action items
Check if you need a UK licence or certificate to export your products or services, as well as any duties, rules and restrictions for your products or services in the destination country
Consider whether to obtain legal, tax and accounting advice in any new countries that you have started operating in to ensure that you comply with any national laws that might apply to foreign companies doing business in that country. Remember that the rules may be different if you’re sending goods through the post – a summary of these, as well as links to the forms that you need to fill in, is available here
From 1 January 2021, companies moving goods between the UK and the EU will need an EORI number to do so. This is already a requirement for non-EU exports. This only takes a few minutes and can be done online on the UK government website
Read the UK government’s exporting country guides for an overview of economic and industry information, local legal requirements, how to protect your intellectual property, and language and cultural issues
Check whether you need to translate anything into local language – such as user manuals or product safety information. If you’re selling to consumers rather than businesses, it’s probably going to be necessary. Even if it’s not necessary, might it help boost sales?
Work out what currency you want to be paid in – and how you’re going to be paid. Will you use a third party payment platform? Do you have the right bank accounts to accept foreign currency receipts? At what point does exchange rate risk become an issue for you?
Understand how your VAT position will change. For sales to customers outside the EU, you will probably not have to charge VAT
Enforcement
Goods will not make it through customs in the UK or the destination country if the relevant formalities around registration have not been complied with
Other consequences and enforcement options will depend on the relevant legal system and what enforcement measures are in place under applicable domestic laws
So you’ve developed new intellectual property during the coronavirus outbreak
Key issues
Are you creating intellectual property? Intellectual property (IP for short) can be a valuable asset – although an intangible one. It’s worth knowing if you’re creating IP and taking steps to protect it. The most common forms of IP are patents (on inventions, for example), trade marks (on a brand name or logo), designs, or copyright (which covers things like software, written materials, recordings, videos)
Infringement of IP. Consider whether it would be helpful to conduct a search to clear the relevant IP rights (e.g. trade marks, patents and registered design rights).
Do you own or license? If you own IP, that’s great. Keep a list of it and know what you have. If you don’t own IP, then the alternative is to take a license of it from the owner. If you use IP that you don’t own or don’t license in, you could get sued. Identify any third party software, data and other IP used in the development of, or incorporated into your IP, and consider whether you have the necessary rights for your intended use
IP strategy. Is registration needed or beneficial to protect your IP, or can it be protected as unregistered IP (i.e. copyright or trade secret), or a combination thereof?
Protection from unauthorised exploitation. Make sure you have the necessary protocols in place to protect your IP and to prevent others from exploiting your IP without authorisation
Action items
Ensure that you own all the IP that ought to be yours. If an employee develops new IP, then legally it will be owned by the employer – but it’s best practice to reinforce this with a specific clause in the terms of employment
If you contract with an external consultant or company to develop IP, then unless the contract says otherwise, the IP will belong to them – so check and amend contracts with any developers before you sign them. Your contract ought to include an appropriate assignment of IP rights created from your consultants and third party developers. You might need to negotiate with the developer over IP ownership – and they’ll probably want to own the IP. In some cases, where they merely amend their pre-existing materials or software for you, maybe it’s OK for them to own it (as long as you get a license to use it); but if they create something from scratch that you’ve paid for, maybe you need to own it
Try not to assign IP to your customers. When you agree contracts with customers where you will provide outputs incorporating your IP, the best thing is to allow them a limited license to use your IP. Work out what license rights they need to have and act accordingly. If you end up assigning your IP, that’s it – you can’t use that IP again and you’ll have to start from scratch the next time
Consider what IP strategy is appropriate to protect your new IP or consult a legal professional. You don’t need to register some IP rights to prevent others from using it (i.e. copyright) but for other types of IP rights you need to apply for registration to get the benefit that such registration confers. You’ll probably need professional help to make any IP registration applications.
Patents protect inventions, i.e. new and inventive technical features of products and processes. Patents are only available for new innovations that consist of a novel inventive step over what already exists (the so-called “prior art”). So, it’s important that you don’t publicly disclose or use an invention before considering whether to apply for patent protection (because, if you do so, the invention may fall into the prior art and disqualify a subsequent application for a patent)
Ensure you have appropriate agreements in place, such as non-disclosure agreements, to maintain the secrecy of your invention prior to application, including for employees and service providers working from home
The UK Intellectual Property Office (UKIPO) controls the application process and applications can be made through the UKIPO website (e.g. patents, registered trade marks and registered designs). Applications for EU registered design rights may be made on the EU Intellectual Property Office’s website
Consider taking out insurance to protect against any financial loss caused by the loss of confidential information, if relying on trade secret protection
You should take appropriate measures to protect your IP by legally enforcing your IP rights against unauthorised users (infringers) of those IP rights. Make sure that any licenses or other exploitation agreements that you enter have clear restrictions on the use of your IP and that the licensee either: (i) does not have access to sensitive information (e.g. source code); or (ii) is under strict obligations of confidentiality for such information. You may also implement information security measures to protect your IP, e.g. limiting access to trade secrets to specific employees
Enforcement
There may be civil or criminal liability for IP infringement, depending on the type of IP and your use of third party IP
If you don’t maintain the confidentiality of your invention prior to registration, you might lose the ability to register the IP and prevent others from exploiting it. If you own valuable IP, make sure that you get a non-disclosure agreement in place before you tell anyone else about it
So you’ve developed an online social media presence
Key issues
Confidential information. Are your employees using social media in a way that might disclose your business’ confidential information, whether they mean to or not? This could be anything from posting about company statistics, business strategies or product releases, to accidentally posting photos with sensitive documents in the background. The unauthorised release of such information can obviously lose the competitive edge for your business, or even open you up to privacy-related issues, depending on the nature of the information that has been disclosed
Intellectual property. Can you be sure that you’re not misusing or infringing a third party’s IP rights? Whose content are you posting, and do you have the right to do so?
Lawsuits. Take care that the things you or your employees post are not discriminatory or defamatory, because you may end up with civil or even criminal liability. Also, be mindful of misleading social media posts – particularly in the context of comparative marketing, where your business directly compares its products or services to those of a competitor in an attempt to make your business look more appealing to customers
Reputational damage. From a practical perspective, consider what impact any of the above issues could have on the reputation of your business, and what steps would be prudent to tackle these things, particularly in your industry
Marketing. Sending marketing messages to individuals via direct message on social media falls under the general rules for direct marketing in the UK (see responses to scenario 2 above), so you will typically need consent before doing so
Action items
Put in place policies on confidentiality and social media use which are widely available and consistently enforced. Consider disciplinary action where employees breach the policy
Put in place a set of company guidelines outlining best practices for use of social media if you actively encourage employees or use social media for marketing, recruiting or other business purposes
Respond to any third party complaints or takedown notices promptly and consistently – ideally, there should be a dedicated internal response team to deal with such issues
When using third-party social media sites for business-related purposes, ensure that you review the relevant third party’s terms of use and comply with them. Pay particular attention to any restrictions on use, and on provisions relating to ownership of any IP that is uploaded to the site (which often resides with the social media platform itself, rather than the content creator)
Commercial general liability insurance policies may not cover liability arising out of certain online activities, so review existing insurance policies to ensure appropriate coverage and consider whether any additional insurance is desirable and appropriate. Additional insurance could include, for example: cyber-liability insurance that covers data breaches, privacy and data security; business interruption; or liability for website content
Your human resources and/or marketing team should have a plan of action in place which kicks in in the event of any adverse litigation or publicity. This should outline your strategy in terms of the internal message you wish to communicate to your own staff, as well as the practical strategy as to how to do damage control on reputational issues publicly, if applicable
Enforcement
There may be civil or criminal liability for defamation, harassment, or similar offences
Certain regulatory bodies, such as the Advertising Standards Authority, the Competition and Markets Authority or the Financial Conduct Authority, may also take enforcement action against businesses that have misleading posts on social media or that use social media to make financial promotions
So you’ve started using outside agencies and you’re sharing sensitive data
Key issues
What data are you collecting? Identify what data is being shared – is it special category data under the GDPR? Special category data includes data relating to race/ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data; biometric data; health data; and data relating to sex life or sexual orientation.
Why do you need it? Consider why you need to collect and/or share the sensitive data. You will likely need to satisfy one of the conditions in Article 9 of the GDPR to process the data (for example by obtaining consent from relevant individuals), and identifying your purposes for processing it will help to determine which of the conditions is most appropriate
Consent. If you are required to obtain consent from individuals, note that consent must be explicit, informed and specific. Note also that consent from employees is often considered to be invalid, because of the imbalance in power between employer/employee
Data Minimisation. Ensure that you are only collecting (and retaining) a minimum amount of sensitive data (and can justify why you need to collect that data)
Transparency. You must make individuals aware that you are collecting and sharing their data, including sensitive data (you must specify what categories of data you are using, as well as your lawful basis for doing so). Consider if you need to update any privacy policies or otherwise make individuals aware that you will be sharing their sensitive data with outside agencies
Security Measures. Consider whether any additional security measures are required for the sensitive data, particularly when you transfer it
Documentation. If you’re processing special category data, you must keep records of the data that you are processing. You must also identify whether you need an “appropriate policy document” under the UK Data Protection Act 2018. If so, your general documentation must include your condition for processing the data, how you satisfy a lawful basis for that processing, and specific details about whether you have followed your retention and deletion policies – and if not, why not
Where is the agency located? Specific requirements may apply if the outside agency is located outside of the EEA. Organisations cannot transfer data outside of the EEA unless certain conditions are met, such as the use of standard contract clauses
Agreement with outside agency. Any agreement you have with the outside agency should cover data protection considerations, including terms to the effect that the outside agency will comply with any applicable data protection legislation in its handling of the data
Action items
Consider what information needs to be provided to individuals about the data that is being collected and/or shared with the outside agency (if they are not already aware)
Consider what conditions under Article 9 GDPR apply to your sharing of the data, including whether consent is required from individuals
Update your records of processing to include the data that you will be sharing
Consider whether you need to enter into standard contractual clauses with the outside agency (if the agency is located outside the EEA)
Ensure that any agreement with the agency adequately covers data protection
Enforcement
Failure to comply with data protection legislation can ultimately result in a fine from the ICO, up to a maximum of 4 per cent of annual turnover or €20m (whichever is higher). That being said, the ICO has said in its Regulatory Action Policy that fines are likely to be a last resort – in the first instance the ICO will investigate any infringement of data protection law (and will ask you to stop the infringing activity). However, this will depend on the nature of the infringement – for example, a fine might be more likely if you suffer a particularly severe data breach and are found to have had inadequate security measures in place
Note that, while many of the rules discussed here stem from the EU GDPR, the UK has essentially written the GDPR into English law. As such, even after the Brexit Transition Period ends on 31 December 2020, these rules will continue to be relevant and enforced in the UK
So your staff are at home with company hardware but on their own networks
Key issues
Policies. Make sure that you have applicable policies, procedures and guidelines for staff on homeworking, including on accessing, handling and disposing of personal data
Email. Staff working from home will inevitably make more use of email. As such, you should ensure that you have measures in place either to prevent forwarding to external email addresses or to detect such forwarding. Remind staff to use the corporate email solution rather than relying on their own email or messaging accounts, particularly where personal data is involved. You should also make staff aware of phishing scams, and ensure that they can easily report any suspicious emails they receive
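One way to detect the external forwarding mentioned above is to review the inbox rules configured on staff mailboxes and flag any enabled rule that forwards or redirects to an address outside the domains you own. The following is an added example, not code from the original article or from Be the Business or Morrison & Foerster; the MailboxRule shape, the domain example.co.uk and the sample rules are all constructed for illustration, and the script assumes you can export your mail system's rules into that shape. It also goes slightly beyond the text: it treats subdomains of an owned domain as internal while still catching look-alike domains such as example.co.uk.attacker.test.

```python
import re
from dataclasses import dataclass, field

# Constructed for this example: the domains your organisation owns.
INTERNAL_DOMAINS = {"example.co.uk"}


@dataclass
class MailboxRule:
    """One inbox rule as it might appear in a mail-server rule export
    (hypothetical shape, not any vendor's real export format)."""
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    enabled: bool = True


_ANGLE_ADDR_RE = re.compile(r"<([^<>]+)>\s*$")


def domain_of(address: str) -> str:
    """Return the lower-cased domain of 'user@host' or 'Name <user@host>'."""
    m = _ANGLE_ADDR_RE.search(address.strip())
    bare = m.group(1) if m else address.strip()
    if "@" not in bare:
        return ""
    return bare.rsplit("@", 1)[1].lower().rstrip(".")


def is_internal(domain: str, internal_domains) -> bool:
    """A domain is internal if it equals, or is a subdomain of, an owned domain.
    Matching on '.' + owned domain (not a plain substring) stops look-alikes
    such as 'example.co.uk.attacker.test' from being treated as internal."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def find_external_forwards(rules, internal_domains):
    """Return (mailbox, rule name, external addresses) for every enabled rule
    that forwards or redirects mail outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        external = sorted(
            a for a in rule.forward_to
            if not is_internal(domain_of(a), internal_domains)
        )
        if external:
            findings.append((rule.mailbox, rule.name, external))
    return findings


# Constructed sample export for the demonstration; not real mailboxes or rules.
SAMPLE_RULES = [
    MailboxRule("alice@example.co.uk", "Copy to finance", ["finance@example.co.uk"]),
    MailboxRule("alice@example.co.uk", "Backup", ["Alice Home <alice.home@webmail.test>"]),
    MailboxRule("bob@example.co.uk", "Archive", ["archive@mail.example.co.uk"]),
    MailboxRule("bob@example.co.uk", "Old rule", ["bob@oldjob.test"], enabled=False),
    MailboxRule("carol@example.co.uk", "Sync", ["carol@example.co.uk.mailsync.test"]),
]

if __name__ == "__main__":
    for mailbox, name, addrs in find_external_forwards(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"{mailbox}: rule '{name}' forwards externally to {', '.join(addrs)}")
```

Run periodically against a fresh rule export, the findings list is the review queue: each entry is a mailbox whose owner (or whoever has access to it) has set mail to leave the organisation, which is exactly the activity the paragraph above says you should be able to detect.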
BYOD. You should consider what approaches to home working suit your business best. Where employees are using company hardware at home, you should ensure that: (i) such devices can be updated and supported remotely; (ii) mechanisms are in place to prevent data leakage (e.g. data loss prevention technology); and (iii) you have considered security measures such as multi-factor authentication for remote access
Security measures. Different measures may be appropriate depending on the technology you use to facilitate home working:
Cloud storage – If you are using cloud solutions that employees can access from home, ensure that such solutions are not set to public, or at least that they require usernames/passwords etc. Further, ensure that staff are only given access to the cloud solution to the extent required
Remote access – You may allow staff to access the company network from home. You should ensure that you have account lockouts in place, so that an account is disabled after too many unsuccessful login attempts. A long-term strategy might be to place your remote access solution behind a gateway or virtual private network (VPN)
Remote desktop – You may allow staff to access their work desktops and other corporate applications from home. You should ensure that any remote application solutions you use do not allow access to shortcut keys or help keys that could be used to open applications or other features that employees are not authorised to use. Further, plain text usernames and passwords should not be included in any files, folders or scripts
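Two of the measures in the list above are easy to get subtly wrong in practice: the account lockout (failures must be counted within a time window, and the lock must expire) and the ban on plain-text credentials in files and scripts (which needs a scanner to be enforceable). The following is an added example that is not part of the original article and not code from Be the Business or Morrison & Foerster. LockoutPolicy is a hypothetical policy object with an injectable clock so its behaviour can be checked without waiting; the secret-detecting patterns are a constructed starting set, not an exhaustive list; and the sample script is constructed with invented credentials.

```python
import re
import time
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock an account after `max_failures` failed logins inside `window`
    seconds; the lock clears automatically after `lockout` seconds, and a
    successful login resets the failure count. `clock` is injectable (it
    defaults to a monotonic clock) so the policy can be tested deterministically."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def is_locked(self, account) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: forget it and start the account with a clean slate.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account) -> bool:
        """Register a failed login; return True if the account is now locked."""
        now = self.clock()
        if self.is_locked(account):
            return True
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # age out old attempts
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account) -> None:
        self._failures.pop(account, None)


# Constructed patterns for hard-coded secrets in scripts and config files:
# a key name such as password/pwd/secret/api_key/token, a ':' or '=' separator,
# then a value of at least four characters, optionally quoted.
_SECRET_RE = re.compile(
    r"""(?ix)
    \b(?P<key>pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b
    \s*[:=]\s*
    (?P<q>["']?)(?P<value>[^"'\s]{4,})(?P=q)
    """
)


def find_plaintext_credentials(text: str):
    """Return (line number, key) for each line that appears to hard-code a secret.
    Values that are only references (start with $, %, { or <) are treated as
    environment-variable or template placeholders and ignored."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _SECRET_RE.search(line)
        if m and m.group("value")[0] not in "${%<":
            hits.append((lineno, m.group("key").lower()))
    return hits


# Constructed sample logon script; the credentials are invented.
SAMPLE_SCRIPT = """\
# sample logon script
SERVER=files.example.co.uk
USERNAME=alice
PASSWORD=Summer2020!
api_key: "${API_KEY}"
token = 'deadbeefcafe1234'
retries=3
"""

if __name__ == "__main__":
    for lineno, key in find_plaintext_credentials(SAMPLE_SCRIPT):
        print(f"line {lineno}: hard-coded value for '{key}'")
```

The scanner deliberately reports the line and key name rather than the secret itself, so its output can be circulated without copying the credential into yet another file; the lockout class keeps failures per account in a bounded sliding window, so a handful of old typos never add up to a lock weeks later.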
Action items
Consider if any policies need to be updated or provided to employees, and ensure that employees are aware of possible scams
Ensure appropriate security measures are in place, as appropriate in light of the technology that you intend to use to facilitate homeworking
Enforcement
Failure to comply with data protection legislation can ultimately result in a fine from the ICO, up to a maximum of 4 per cent of annual turnover or €20m (whichever is higher). That being said, the ICO has said in its Regulatory Action Policy that fines are likely to be a last resort – in the first instance the ICO will investigate any infringement of data protection law (and will ask you to stop the infringing activity). However, this will depend on the nature of the infringement – for example, a fine might be more likely if you suffer a particularly severe data breach and are found to have had inadequate security measures in place
Note that, while many of the rules discussed here stem from the EU GDPR, the UK has essentially written the GDPR into English law. As such, even after the Brexit Transition Period ends on 31 December 2020, these rules will continue to be relevant and enforced in the UK
So you’ve started a joint venture
Key issues
Do your due diligence. Have you checked out your joint venture partner? Have you worked with them before, or have you only just been introduced? Do you know how secure they are? Trust is nice, diligence is better
Choose your approach. You really have two choices: set up a jointly-owned company or enter into an agreement. Setting up a jointly-owned company is more formal and structured, and harder to unwind or exit – but there are more procedural rules, and that provides a structure to follow. JV companies tend to be for longer-term arrangements
Decision-making. Making decisions is the hardest thing about a joint venture. When you both agree, it’s fine. But as soon as you disagree, how do you break the deadlock? Try to agree on as many things as possible up-front
Agree funding. Who’s going to pay for what? Are you both going to put in the same amount of money? Will you contribute money or other resources like time or effort? Who’s going to be responsible for new investments or debts?
Exclusivity. Will the JV be exclusive, or will you both have the ability to do other things? Presumably, you won’t compete with the JV – so that should be clearly stated
Action items
Be practical: decide what the scope of the JV will be – because, presumably, you may still be doing other things outside the JV
Agree roles and responsibilities: who’s going to do what. Is it simple in that one of you puts up the cash and the other does all the work? Or will you both be active partners?
If you’re going to set up a company jointly with your JV partner, decide who your directors will be and decide how you’ll manage the company
Decide where the money will go. You hope that the JV will make income – so how is that split between you? When does the JV pay debts or re-invest and when does it pay out?
Decide when and how you might want to unwind the JV. Some people say that a JV is like a marriage: it’s not – because most marriages endure, whereas all JVs eventually come to an end. So try to decide in advance what will happen at the end to the JV’s assets, especially valuable assets like contracts, cash and people
The best advice for a JV is to write things down and, ideally, agree in advance
So you’ve started giving some of your digital products and services away for free
Key issues
Terms and conditions. Do you have terms and conditions in place relating to your digital products and services provided for free, including the rights granted and any limitation on the scope of allowed use?
IP rights. Make sure you have all the necessary rights to use and distribute the digital products and services, including for any third party content (e.g. images, videos, objects) incorporated in or used in the development of your digital product or services
Consumer laws. There is an extensive and, at times, complicated set of legislation in place that aims to protect consumers from unfair trading practices by imposing wide-ranging obligations on traders selling to consumers (B2C). The rules cover mandatory information that has to be provided to customers, unfair terms that can’t be used, and statutory rights and remedies that you must offer to customers. This will vary depending on what you are giving away, i.e., whether it is services or digital content, the nature of your business and its customers. Consumers may, for example, have a remedy for damage caused by digital content or a service, even if you are giving it away for free
Pre-contract information. Traders must supply certain information to consumers before a contract of sale is concluded, including for digital content, regardless of whether a price is paid. There are different obligations as to when, where and how this information must be provided
Data protection. Do you collect personal data as part of providing the product or services, or in exchange for providing it for free, i.e. as part of delivering the product or service to the customer? If you do, you must comply with data protection laws (including GDPR) on the collection, processing and storing of personal data
Accessibility. Traders must make reasonable adjustments to ensure that their website can accommodate all users, including the disabled
Action items
Make sure that you own, or have sufficient contractual rights (such as through assignments or licences) to use, all the IP included in the digital products and services you are giving away for free
If your customers are consumers, you must make sure that your terms and conditions are drafted fairly and transparently – so avoid using legal jargon, and make them as easy to understand as possible. There are a number of provisions that are automatically “blacklisted” as unfair and therefore unenforceable against consumers (including provisions that exclude liability for death or personal injury, for example), but there is the much harder area of potentially “grey listed” terms that might not apply to consumers, depending on the circumstances
Check that your current policies align with what your customers are legally entitled to and that you provide sufficient information to the customer prior to such purchase. What rules apply may vary depending on whether any price is paid (which can include a token, virtual currency, or gift voucher, that was originally purchased with money) or if it’s bundled with another product for which a price is paid. If you want to limit what the recipient is allowed to do with your digital products and service (e.g. only non-commercial use), you should convey such information as part of the process
You should consult a legal professional to provide tailored information for your business, but the types of information that are typically required include delivery restrictions, main characteristics of the goods, services or digital content being provided, identity of the trader (i.e. your company), address and contact details of the trader, delivery and performance arrangements, complaint handling, cancellation rights, return of goods, details of any after-sales services or guarantees, and many more
Consider what information needs to be provided to individuals under data protection laws (including GDPR) about the data that is being collected and how it is used. Update records of processing and consider whether you have taken adequate measures to protect the data in accordance with data protection laws
If you are giving away products for free on your website, discuss with your website designer the measures to adopt to make it easier for the visually impaired to view your website and access your content. For example, the correct coding can provide text or audio descriptions of the graphics or animation, or you could provide a text only version or a non-flash multimedia version. You should consider how the website works with screen readers and other accessibility tools used by the visually impaired
Enforcement
There may be civil or criminal liability for IP infringement, depending on the type of IP and your use of third party IP
Consumers may be able to bring private actions against your business for breach of contract, or apply to a court to force you to comply with your consumer law obligations, or rescind the contract entirely, depending on the circumstances
Any terms or conditions that are deemed to be “unfair” will not be enforceable against consumers
Enforcement bodies such as Trading Standards or the Competition and Markets Authority may apply to court for enforcement orders against you in respect of breaches of consumer protection legislation
Failure to comply with data protection legislation can ultimately result in a fine from the ICO, up to a maximum of 4 per cent of annual turnover or €20m (whichever is higher)
Non-accessibility of your website may constitute unlawful disability discrimination, which can result in civil liability