Monthly Archives: August 2022

How to Report a Data Breach

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), any business or organisation which suffers a personal data breach is required to carry out an assessment. Depending on the seriousness, it may be necessary to report a breach to the Information Commissioner’s Office (ICO). In this post, we will explain the circumstances under which it may be necessary to report personal data breaches, how to report them, and we will look at some of the potential consequences.

What is Considered a Data Breach?

The ICO defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. The definition is therefore wider than data being stolen: it covers any loss of confidentiality, integrity or availability of personal data.

In order to be a data breach under the regulations, the data involved must be personal data, that is, data relating to an identified or identifiable living individual. Data which does not relate to an identifiable living individual is not covered by the UK GDPR or the DPA.

Data breaches are often caused by a cyberattack. Attackers might target a business directly and attempt to extract information held, for example, in its databases. Alternatively, the organisation may be compromised by malware circulating online: an employee clicks a link or opens an attachment in a phishing email, and the resulting infection gives the attacker access to confidential data.

That being said, a data breach does not always have to be the result of a cyberattack, or even occur online. There have been several publicised cases where members of staff have left a USB stick or paper files containing personal data on a train or in other public places. These are also data breaches, as are cases where an employee has accidentally emailed confidential files to an unintended recipient who is not authorised to access the personal data inside.

It’s also worth noting that the data does not need to fall into the wrong hands for an incident to count as a data breach. If personal data is improperly altered, deleted or made unavailable, whether deliberately or by mistake, and even if this is done by someone who is authorised to access it, this is still a breach of the rules, because the definition covers integrity and availability as well as confidentiality.

How Serious are Data Breaches?

Depending on the circumstances, the ICO may fine any organisation which suffers a data breach up to a maximum of £17.5 million or 4% of its annual global turnover (whichever is higher). British Airways was fined £20 million for infringements of the GDPR in relation to a data breach in 2018 which exposed names, addresses, and payment card details of customers and staff.

In addition to potential ICO penalties, businesses in certain sectors may also have to contend with their own regulatory bodies. For example, law firms which suffer a data breach as a result of failure to implement sufficient cybersecurity measures may face enforcement action from the Solicitors Regulation Authority (SRA).

Furthermore, businesses which are publicly exposed as having incurred a significant data breach will inevitably suffer a certain degree of reputational damage. This can result in loss of clients and potentially missing out on future business opportunities.

Finally, data breaches which involve a cyberattack will usually disrupt IT systems, and extensive remediation work is often needed: rebuilding affected systems, resetting compromised credentials, tightening security controls, and so on.

What is the Maximum Fine for a Data Breach?

The “higher maximum level” of fine for breaching the UK GDPR is £17.5 million or 4% of the organisation’s total annual worldwide turnover in the preceding financial year (whichever is higher). This level can apply to infringement of key aspects of the UK GDPR including the data protection principles, the rights of individuals, and the provisions relating to the transfer of personal data to third countries.

The “standard maximum level” of fine – which applies to other types of infringement (such as those relating to certain obligations of controllers and processors, and certain obligations of certification and monitoring bodies) – is the higher of £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year.

A number of factors will be considered when deciding whether or not to impose a fine and how much the fine will be. Some key factors taken into consideration will include (note that this is not an exhaustive list):

  • The nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the personal data processing involved, the number of individuals affected, and the level of damage suffered by them;
  • The intentional or negligent nature of the infringement;
  • Action taken to mitigate the damage suffered by individuals;
  • The degree of responsibility taking account of the technical and organisational measures implemented by the data controller and/or processor involved;
  • Previous infringements;
  • The degree of co-operation with the ICO in remedying the infringement and mitigating its adverse effects;
  • The categories of personal data affected by the infringement;
  • The manner in which the infringement became known to the ICO (whether or not the organisation responsible for the breach notified the ICO themselves, for example);
  • Compliance with approved codes of conduct; and
  • Other aggravating or mitigating factors.

Fines under the UK GDPR must be “effective, proportionate, and dissuasive”. In practice, fines at or near either maximum are reserved for the largest companies with the most significant infringements, caused by egregious data protection failings. The ICO notes that: “Any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case-by-case basis.”

When should a Data Breach be Reported?

Any business which suffers a personal data breach must assess the likelihood and severity of the resulting risk to the rights and freedoms of individuals. Unless the breach is unlikely to result in a risk to individuals, it must be reported to the ICO. Every breach, reportable or not, should be recorded internally, including the facts, its effects, the remedial action taken and (where a breach is not reported) the reasoning behind that decision, as the ICO can ask to see this record.

Who Should You Report a Data Breach To?

The ICO should be notified without undue delay and, where feasible, within 72 hours of the organisation becoming aware of a reportable breach. The 72 hours run from the moment of awareness, not from the end of the investigation; if full details are not yet available, the notification can be made in phases and the remaining information supplied later. Follow the ICO’s guidance on breach notification on their website.

In addition to notifying the ICO, the individuals whose data has been affected should also be notified directly, without undue delay, if the breach is likely to result in a high risk to their rights and freedoms. Note that this is a higher threshold than the one for notifying the ICO, so some breaches will need to be reported to the ICO but not to the individuals concerned.

What Processes Should You Have in Place to Report a Data Breach?

Businesses should put in place data breach policies which cover the following steps:

  • Initial reporting – there should be a process for staff to report any suspected breach to management promptly, since the 72-hour clock starts once the organisation is aware of it.
  • Assessment – how a breach is recorded and assessed to determine whether it needs to be reported to the ICO and/or to the individuals affected.
  • ICO reporting – the process for reporting relevant data breaches to the ICO.
  • Individual notification – the process for notifying the individuals involved (where the breach meets the high-risk threshold).

Simply-Docs has a wide array of documents and policies relating to data breaches and other key areas of data protection.

What Happens After You’ve Reported a Data Breach?

Aside from reporting relevant data breaches, organisations will have a lot of work to do following a data breach, particularly where this is the result of a cyberattack.

An investigation should be carried out to establish exactly what caused the data breach and which data was affected. The immediate issues should be resolved, compromised credentials reset where relevant, and disciplinary action taken if appropriate.

New measures should also be put in place to avoid similar data breaches occurring in future, which may involve updating company policies, upgrading software, and carrying out staff training.

Top Legal Tips for Startup Businesses

When starting out in business there are many decisions to be made, some of which can have a significant impact on the success of the new venture. Legal issues are particularly important, and entrepreneurs should spend some time considering this aspect. In this post, we will examine some of the legal decisions facing new businesses and provide a few legal tips for startups.

Choose The Correct Business Type

One of the first steps of setting up a business is deciding on its legal operating structure. The vast majority of businesses in the UK fall under one of the following models:

1. Sole trader

If an individual starts carrying out business activities on their own, without setting up a formal business structure such as a limited company, they will automatically be classed as a sole trader. In this case, there is no legal distinction between the individual and their business. Sole traders are therefore entirely responsible for the legal aspects of their business, notably any debts incurred.

2. Limited company

Anyone starting a business on their own or jointly with other entrepreneurs can choose to set up a limited company. This puts the business on a more formal footing and requires registration with Companies House along with a range of annual filings. Crucially, a limited company is a legal entity in its own right and essentially protects the business owners from debts built up by the company (their liability is generally limited to the amount they have invested or agreed to pay for their shares). The owners of a limited company will hold shares and will often also be company directors.

3. Partnership

If two or more people set up a business together without registering it as a limited company or LLP (see below), they will automatically be classed as an ordinary partnership. Partners are considered to be jointly and severally liable for any debts and obligations of their business; each and every partner is responsible for the acts, omissions, and debts of the partnership. There is therefore no protection from liability, as would be the case with a limited company.

4. Limited liability partnership (LLP)

A more recent type of business structure which has become increasingly popular, especially amongst professional services providers such as lawyers and accountants, is the Limited Liability Partnership (LLP). An LLP must be registered with Companies House and combines the benefit of limited liability for the business owners with the flexibility of an ordinary partnership.

Simply-Docs has a range of documents which can help with starting a business and company formation.

Distinguish Your Employee Types

When a business requires extra resources, it will need to decide whether to subcontract out the work, bring in temps or agency workers, or take the step of employing new members of staff. It is vital to determine the status of each individual who carries out work for the business, namely whether they are:

  • a contractor;
  • a worker; or
  • an employee.

In the case of employees and, to some extent, workers, the business will have extensive legal responsibilities including:

  • national minimum wage;
  • sick pay and annual leave;
  • maternity and paternity rights;
  • protection from discrimination; and
  • health and safety duties.

Employees are entitled to receive a “written statement of employment particulars” on the first day that they start work. It’s best practice to include this as part of a more comprehensive employment contract, which outlines the various rights and responsibilities of both the employee and employer.

Simply-Docs has a variety of employment contract templates and related documentation.

Ensure The Right Agreements Are in Place

Where two or more people start a business together, they should consider putting in place relevant agreements to set out the basis of their business relationship, such as a:

Although these agreements are not mandatory, they help to ensure that each party knows where they stand and can avoid potential disputes arising further down the line.

Protect Your Intellectual Property

Although intellectual property (IP) is typically associated with creative industries, most businesses have IP of one form or another, such as:

  • copyright – this covers literary, dramatic, musical, and artistic works, as well as computer software and databases;
  • design rights – IP can include both registered and unregistered designs;
  • patents – this is a highly specialised form of IP which covers inventions;
  • trade marks – these include logos, slogans, and symbols which help to build a business’s brand and distinguish their products and services from those of competitors; and
  • trade secrets – although it’s not possible to register a trade secret as a form of IP, non-disclosure agreements (NDAs) can help provide protection.

It’s vital that a business understands its IP and protects it where possible to ensure that competitors don’t capitalise on or misappropriate its work. Although some forms of IP such as copyright do not require registration, it may still become necessary to enforce such rights, for example by sending an infringement notice or a cease and desist letter.

Ensure You Have the Correct Legal Support

Depending on the nature of the business, different levels of legal support may be required. Heavily regulated sectors will often need substantial advice from a law firm, particularly when starting out, and larger organisations may even have an in-house legal team. Most SMEs, however, will be able to prevent many legal headaches by putting in place suitable documentation.

Simply-Docs has a wide range of legal document templates which can help many different types of business get on top of key legal issues and avoid disputes.

FAQs

What Legal Documents Are Needed to Start a Business?

This entirely depends on the legal framework of the business, whether it has any employees or valuable IP, and the sector in which it operates. It’s worth perusing the range of legal documents available from Simply-Docs to find out if any are suitable for your particular business.

What Are Legal Issues in Business?

Legal issues in business generally involve rules and regulations set out by a range of government legislation, as well as a number of important aspects involving contracts and terms & conditions. We stay on top of the latest regulatory updates so you can rest assured that our legal documents will have you covered.

What Legal Issues Do Small Businesses Face?

Although larger companies tend to face more regulatory hurdles, SMEs are also exposed to the full gamut of business legislation, from the Companies Act 2006 to the Equality Act 2010.

What Legal Services Do Businesses Need?

The legal support requirements of each organisation are unique, depending on their size, sector, and nature of their business. Although most SMEs will require advice from a solicitor at some point, many will be able to avoid legal issues from arising, particularly if they put the right documentation in place.
