Sign Here Please – Electronic Signatures and the Law

Whether your signature is an example of elegant calligraphy or of the scruffiest scribble, you have probably ‘signed here’ more times than you care to count. The 1677 Statute of Frauds required certain documents to be in writing and signed. This provision is still in force today.

But what of the documents being signed? Predictions of the paperless office have become increasingly common over the past 100 years, particularly with the exponential growth of desktop and then mobile computing from the 1980s onwards. While a paperless business world is still, perhaps surprisingly, far from a reality, we are now closer than we have ever been before and think nothing of entire contracts being instantaneously transmitted from the other side of the world, ready for us to read on anything from a desktop computer to a smartphone.

Signing such a contract, though, often still catapults us back to 1677. Paper and biro might have replaced parchment and quill, but that all-important squiggle of ink on a physical page remains commonplace. Electronic signatures have been around for a while in various forms, but a question mark still hangs over them, particularly when it comes to important legal documents.

Clarification from the Law Commission

At last, clarification is at hand. Last month, the Law Commission confirmed that electronic signatures can be used to sign formal legal contracts under English law. Furthermore, the Law Commission has also confirmed that an electronic document is ‘in writing’ for legal purposes if it can be viewed on a screen in a legible form, and that deeds can both exist and be executed electronically.

Despite this, however, the Law Commission has said that there remains “a lack of clarity in the law” which is “discouraging businesses from executing documents electronically when it would be quicker and easier to do so”.

Law Commission Consultation on the Electronic Execution of Documents

With this in mind, the Law Commission has launched a formal consultation on electronic signatures and the electronic execution of documents. Specifically, the consultation seeks to:

“consider whether there are problems with the law around the electronic execution of documents and deeds (including deeds of trust) which are inhibiting the use of electronic documents by commercial parties and, if appropriate, consumers, particularly with regard to:

(a) Electronic signatures;
(b) Witnessing;
(c) Delivery…”

Following the consultation, the Law Commission will consider whether legislative or other changes are required to address these issues.

The consultation is open until 23 November 2018. Full details including a form to participate online are available on the Law Commission website.

Here at Simply-Docs, we are no strangers to electronic documents and if you’re here on our website, we suspect that neither are you. Do you distribute legal documents in electronic form? Do you use electronic signatures too, or do you prefer to execute documents using good old pen and paper? As always, we would love to hear from you in the comments below.

What Will Brexit Mean for SMEs?

Brexit Notes

A new study led by Dr Ross Brown and Professor John Wilson at the Centre for Responsible Banking and Finance at the University of St Andrews suggests that, through a reduction in capital investment, less access to external finance, reduced growth, lower levels of product development, and reduced business internationalisation, SMEs could be set to suffer more than larger businesses under Brexit.

In particular, the study’s authors suggest that reduced investment will hamper SME growth, in essence, preventing many small, innovative startups from getting off the ground. Indeed, it is such businesses that expressed the greatest concerns when approached by the researchers.

Will the Impact Be the Same for Everyone?

Amidst the uncertainty, it is interesting to note that not all types of SMEs had the same level of concern. Dr Ross Brown, one of the lead researchers of the study, observed that: “The results of our analysis suggest that Brexit-related concerns could result in a range of negative consequences for UK SMEs, especially the impact on reduced capital investment, which critically weakens and undermines their ability to grow and prosper”. The research also notes, however, that such concerns are not shared by all in the SME community, suggesting that high-tech, service-oriented, and export-oriented businesses are likely to experience a more significant negative impact.

As well as the differentiation between sectors, the study also suggests that SMEs based in Scotland and Northern Ireland take a dimmer view on Brexit than their English and Welsh counterparts (a view which, it is also noted, mirrors voting patterns in the 2016 referendum to an extent).

More information, as well as the full paper, is available here.

What Does Brexit Mean to You?

For better or for worse, Brexit appears to be continuing apace. Much speculative talk of a second referendum has appeared in Brexit news of late; but, at least for the moment, support for the idea appears to be flexible at best. What is also clear is that impacts are already being felt in the business world due to rising uncertainty over what shape Brexit and related economic and legal arrangements will finally take.

As ever, then, we want to hear from you about your experiences. How has your business changed since the referendum result? Have you encountered any negative effects attributable to Brexit in your business and do you have plans in place to counter those effects? On the other hand, perhaps your business has improved as a result of Brexit and is looking forward to further improvements in the future. Again, we are eager to learn more about your experiences!

Processing and Transferring Personal Data

If you process personal data, that processing is currently subject to the Data Protection Act 1998. As of next May, the EU General Data Protection Regulation – the GDPR – will take over. Continuing the changes, the new Data Protection Bill introduced recently will bring much of the GDPR, with a few minor differences, into UK law post-Brexit.

Changes in the Law

Much media attention has been devoted recently to the GDPR. Some of this has provoked questions about the future legal position on data transfer not only within the UK but also to other countries outside the EU or EEA. The good news is that, in our view, what you will need to do in the future will not really change in practical terms.

To Where are You Transferring Personal Data?

You might need to transfer personal data within or outside the UK, to a location within the EU or EEA, or to a non-EU/EEA country (a “third country”). In addition to general requirements for processing personal data, particular requirements apply to transfer of data within the UK or abroad as outlined below.

Transferring Personal Data Within the UK or EEA

Where a UK data controller has a data processor within the UK or the EEA processing personal data for it, currently the law requires a written contract obliging the data processor to act on instructions from the data controller and to comply with obligations equivalent to those in the Data Protection Act’s Seventh Data Protection Principle. The GDPR also requires the contract to detail the processing and the data processor’s obligations. Our template document Data Processing Agreement – Personal Data Security (UK/EEA) meets the current requirements for such a contract.

There are no officially recognised standard clauses for such a contract. There may be in future, but there are none on the horizon, so you may continue to use our template. If the position changes, we will, in addition to making any necessary changes to our template, advise you accordingly.

Transferring Personal Data Outside the EEA

The Act’s Eighth Data Protection Principle and the EU Directive 95/46/EC (often referred to as the “Data Protection Directive”) only allow data controllers to transfer personal data outside the EU if the destination country has an adequate level of protection for the rights of the data subjects concerned. A number of alternative methods of ensuring such protection exist, but we believe that the “model terms” option (see below) is the best and easiest solution, because in practice another method may not be available or may be relatively difficult to use. The alternatives are as follows:

1) Recognised Destination

The EU Commission website lists those countries which it recognises as satisfying the test of “adequate level of protection”. The current Act and the GDPR provide for such recognition as a means of satisfying the test for an adequate level of protection. Transfer of data from the UK to the USA is complicated. The USA is not listed as “recognised” but a transfer will be permitted if the USA recipient (“data importer”) has self-certified compliance with the Privacy Shield framework.

2) Adequate Level of Protection

If the destination country is not “recognised”, then the requirements of the Act’s Eighth Data Protection Principle may be met if the data controller concludes that there is an adequate level of protection for the person who is the subject of the data, having regard in particular to the “adequacy criteria” set out in the Act.

It may not always be easy to properly apply these adequacy criteria. Further, the self-assessment basis of ensuring an adequate level of protection will be different and reduced under the GDPR. All in all, we think it will be very difficult for you to make proper use of this method.

3) An Exemption

Schedule 4 of the current Act provides several exemptions from the application of the Eighth Data Protection Principle. Similar exemptions will apply under the GDPR. If one of them applies, you would not need to consider whether there is an “adequate level of protection” or to take any other special steps in relation to the transfer.

4) Agreement on “Model Terms”

In view of the uncertainties and difficulties of ensuring an “adequate level of protection”, it will often be easier and preferable to make use of the following means instead.

The relevant EU Directive provides that an adequate level of protection will be achieved if a data controller and data processor sign an agreement governing transfer of data on model terms issued by the EU Commission for such purposes. The Commission issued the model terms in 2010. The current Act gives effect to this means of compliance and the Information Commissioner authorised the EU Commission model terms. This creates a “safe harbour” for UK data controllers transferring personal data outside the EU or EEA. Our template document Data Processing Export Agreement – Personal Data Security (Non-EU) contains the model terms and it may be used where transferring personal data outside the EU or EEA.

Although the GDPR supersedes the EU Directive, it does not alter the model terms regime so our template can be used after the GDPR and, subsequently, the new Act come into effect. It appears unlikely that the model terms will be amended in the foreseeable future. If they are, we will amend our template to take account of those changes.

Your Experience

Do you transfer personal data to another organisation to process it in the UK/EEA or outside the EU or EEA? If so, we would like to hear about how you ensured compliance with the current Act and the Directive, and how you plan to ensure compliance with the GDPR and the new Act. If you transferred data outside the EU or EEA, then, in order to do so, have you made use of the “model terms”? Have you relied on some other option instead? Are you confident that you are complying with all legal requirements relating to data transfer?


The Data Protection Bill 2017

Back in August we published a post here on the Simply-Docs Blog with news of a new Data Protection Bill which the government planned to publish soon thereafter. That Bill has now been published and while it is likely to be chopped and changed as it makes its way through Parliament, there are some key things to know about it from the start.

What is the Data Protection Bill?

The main purpose of the Data Protection Bill 2017 is to bring the provisions of the EU General Data Protection Regulation – the GDPR – onto the UK statute book in readiness for Brexit. As many readers will now know, the GDPR comes into force on 25th May 2018, bringing with it new higher standards of data protection compliance and a privacy regime fit for the 21st Century. In its most basic form, the Data Protection Bill will lead to an Act of Parliament that replicates the GDPR, ensuring that UK data protection law remains consistent with EU law – something that will be essential for doing business in a post-Brexit world. There will, however, be some key differences.

What is the difference between the Data Protection Bill and the GDPR?

The GDPR will apply almost uniformly in all EU member states (including the UK until we leave). We say almost because it does provide for limited differences at the member-state level. A member state is able to introduce some exemptions from the GDPR, provided that those exemptions still respect the fundamental rights and freedoms of data subjects, and provided that an exemption is necessary with respect to highly important matters such as national security; the prevention, investigation, detection, or prosecution of criminal offences; judicial proceedings; and a number of other public interest, public administration, and legal matters.

The Data Protection Bill deals with some of these limitations, but it is not just a copy of the GDPR. It will, in some areas, go beyond it. The Bill will also cover:

• Data processing that is not covered by EU law;
• The implementation of the EU Law Enforcement Directive;
• National security matters; and
• The changing duties of the Information Commissioner’s Office in light of the new legislation.


What key changes will the Data Protection Bill bring?

The Data Protection Bill includes a number of key elements:

• Making it easier for people to withdraw their consent to the use of their personal data;
• Implementing the so-called “right to be forgotten” into UK law;
• Requiring organisations to obtain explicit consent from data subjects when processing sensitive personal data;
• Expanding the definition of personal data to make it more suitable in the modern world, including data such as IP addresses, cookies, and biometric data;
• Improving subject access requests (including removing the right for organisations to charge for them in many cases);
• Enhancing the remedies, such as compensation, available to data subjects in the event of data breaches where the effects of such breaches go beyond financial loss or distress; and
• Creating new criminal offences that will apply in the case of certain severe data breaches.


Watch This Space!

As with any new piece of legislation, the Data Protection Bill now faces a long journey through Parliament where it will no doubt be subject to a number of changes – minor or otherwise – as it passes back and forth. Moreover, the European (Withdrawal) Bill, formerly (colloquially) known as the “Great Repeal Bill”, presently allows for significant modification of certain legislation by government ministers without it being subject to the normal levels of parliamentary scrutiny, so there is possibly even greater scope for changes that might not otherwise be palatable across the board. As ever, we will keep a close eye on things and keep you informed.

What Is The Data Protection Bill 2017?

First mentioned in the Queen’s Speech back in June, the proposed Data Protection Bill was in the news again last week after the Department for Culture, Media & Sport issued a press release outlining the proposed legislation in more detail. The Bill is expected to be published in September and, given its stated purpose, should be ready for the statute book by the time the UK leaves the EU in 2019.

What About the GDPR?

The EU General Data Protection Regulation comes into force on 25th May 2018. This will not be affected by the new Data Protection Bill. Indeed, the primary purpose of the Data Protection Bill is to bring the GDPR into UK law so that our legal standards of data protection remain consistent with those throughout the European Union after Brexit. Not only does this mean that businesses already complying with the GDPR will face little or no disruption in transitioning from the GDPR regime to that introduced under the Bill; but it also means that handling personal data across European borders will be undisturbed by Brexit. In short, carry on preparing for the GDPR. That comes into force first, and there shouldn’t be any major differences under the new domestic data protection legislation that follows.

What Will the Data Protection Bill Do?

As we’ve already stated above, the main purpose of the Bill is to bring UK domestic data protection legislation into line with the GDPR. The UK’s current data protection statute, the Data Protection Act 1998, is quite literally from a bygone era and is no longer adequate to deal with current methods of data collection and processing, nor with current forms of personal data, for that matter. The Data Protection Bill will bring data protection law up-to-date and, according to the DCMS press release, will include measures to do the following:

• Make it simpler for data subjects to withdraw their consent for the use of their personal data;
• Allow data subjects to ask for their personal data to be erased;
• Enable parents and guardians to give consent to data processing on behalf of their children;
• Modernise and strengthen data protection law to fit with the digital economy;
• Make it easier (and free) for data subjects to require organisations to disclose the personal data those organisations hold about them; and
• Make it easier for consumers to move data between service providers.

(Read the press release in full here)


Will There Be Any Differences Between the Data Protection Bill and the GDPR?

Yes, it appears that there will be some slight differences, exercising the derogations in the GDPR that the UK government originally negotiated. This will include giving young people the right to require social media websites to delete information held about them when they reach the age of 18. The government has also stated that the derogations will allow for ‘a simpler shift for both businesses and consumers as we retain many of the enablers of processing essential to all sectors of the economy, from financial services to academic research, under the new legislation’.

What Should I Be Doing to Prepare?

For now, simply keep preparing (or start preparing, if you haven’t already) for the GDPR. There are no indications that the Data Protection Bill will represent a radical shift from the GDPR; as we’ve already pointed out, its main purpose is to bring UK law in line with the GDPR, subject to some minor differences which aren’t likely to make a big difference to most SMEs in any case.

In the meantime, here at Simply-Docs we will be monitoring the progress of the Data Protection Bill, as well as publishing new documents and guidance focused on the GDPR as May 2018 draws nearer. As always, if you have any thoughts or questions about the Data Protection Bill, we would love to hear from you in the comments.

Is Politics in the Workplace Giving You a Headache?

Just when you thought you’d seen enough emotively divisive politics to last a lifetime, with the election of President Trump following hot on the heels of the Brexit referendum, along comes a general election just to make sure that people’s conversations don’t stray to anything quite so mundane as the weather and the weekend’s football scores. A general election is inevitably contentious at the best of times, and with Brexit front and centre, the 2017 election is shaping up to be even more so.

Now that’s all well and good, and it’s everyone’s prerogative to hold and share their political views or – as some quite understandably choose – to switch off and filter out the noise altogether. When in the company of colleagues, however, this isn’t quite so straightforward. Politics among friends can cause enough problems, and these can become even more acute in the workplace. What, then, can employers do to keep things peaceful and productive?

Outside of the workplace, of course, there isn’t a great deal that an employer can do about their employees’ political activities unless those activities have a direct impact on their employment. An employer could, for example, take action against an employee whose political activities are bringing the employer into disrepute.

Ordinarily, however, politics in the workplace is something that should be handled with care. Even if an employee’s political affiliations may be seen as offensive, employers must take great care when considering disciplinary action or dismissal. If an employee is dismissed because of their political opinions or affiliation, the normal rules regarding unfair dismissal don’t apply: employees do not need to have had two years’ continuous employment.

There is however a line that, if crossed by an employee, entitles an employer to take action. For an employee to hold political opinions and affiliations is one thing (and don’t forget, employers can’t take any action on the basis of an employee’s membership of a particular political party), but if the expression of those opinions and affiliations crosses over into campaigning, employers are in a better position to do something about it.

As to the definition of campaigning, it can take many forms, ranging from heated political discussions between colleagues, to handing out leaflets, putting up posters, and organising political meetings. Imposing a ban on political conversations in the workplace is neither desirable nor practical, but prohibiting the more active types of campaigning is arguably quite reasonable. Politics is by its very nature a polarising subject and seems to be one that is becoming increasingly personal and, at times, hostile. By preventing staff from campaigning at work, employers can help to avoid a lot of disruption, not only to productivity but also to staff relations and morale. In more extreme cases, such behaviour could even be considered to be bullying or harassment and thus a reason for dismissal in itself. Political expression isn’t a defence to allegations of discrimination or harassment either, so be on your guard for the would-be activist on your staff that goes around upsetting everyone under the banner of free speech, and don’t take any nonsense! Action could also be taken against an employee that was found to be spending time on non-work activities like political campaigning during working hours, or perhaps using company equipment for political purposes.

As with many situations like this, it is better to be proactive than reactive, and our Political Activity in the Workplace Policy is on hand to assist, setting out the expectations and code of conduct that apply to all of your employees. Most importantly, the policy removes ambiguity by clearly setting out what is and what is not permitted and sets out the various consequences employees may face for failing to adhere to it.

It would be nice to think that after the 8th June election, politics might quieten down for a while, but with formal Brexit negotiations set to commence shortly thereafter, political temperatures seem set to remain high for the foreseeable future. Political awareness and involvement among the populace is vital, but at work it must have its limits. You can’t, after all, run a successful business if the remainers, re-leavers, and brexiteers on your staff are at each other’s throats all day long! How do you deal with political activity in your business? Is it something you would prefer to keep out? Perhaps you go the opposite way and provide specific forums for your employees to exchange and debate their political views? Your views, as ever, are welcome!

Zeroing in on Zero Hours Contracts?

According to the Office for National Statistics, over 900,000 employees in Britain are currently employed on zero-hours employment contracts. Zero-hours contracts often crop up in the news, and it’s fair to say that they’ve gotten something of a bad name – often not without good reason. Particularly with the rise of the gig economy, zero-hours contracts and other means of securing people’s labour without too much commitment have become very popular with some employers.

None of this is to say that the situation is settled, however, and some are now taking action to offer alternatives to their employees. McDonald’s, for example, recently offered fixed-hours contracts to its 115,000 zero-hours employees (according to the BBC, around 20% of employees at the Golden Arches have chosen to take the fixed-hours option. We certainly hope they’re lovin’ it).

On the political front, with a general election once again on our doorstep, the Labour Party’s 2017 manifesto includes a pledge to ban zero-hours contracts. The Liberal Democrats, while not planning to ban them, have pledged to create a formal right for zero-hours employees to request fixed contracts instead. The Conservative Party manifesto, on the other hand, is silent on zero-hours contracts themselves, but nevertheless emphasises the importance of protecting those working in the gig economy – a broad statement of policy to be sure, but one that arguably wouldn’t rule out future action on zero-hours contracts.

In October 2016, the government appointed Matthew Taylor, former policy chief to Tony Blair and Chief Executive of the Royal Society of the Arts, to lead a review of employment practices. Taylor has previously suggested improvements to zero-hours contracts, including the payment of premium wages to zero-hours employees. As for the review, the deadline for the submission of evidence passed earlier this week, meaning that a final report shouldn’t be too far away. While the full results of the review have not yet been published, it is believed that Taylor will recommend a right for zero-hours employees to request fixed-hours contracts instead.

With such an emphasis on the negatives of zero-hours contracts, then, it may at first appear that the benefits are all one-sided, favouring only employers. While it is true that many employees prefer the certainty and security that zero-hours contracts simply can’t offer, there are those who like the flexibility that they provide. Indeed, according to a 2013 study (updated in 2015) by the Chartered Institute of Personnel and Development, many zero-hours employees were happy with the arrangement and more content than their permanently-employed counterparts. Among the benefits, zero-hours contracts enable workers to take on a more diverse variety of work instead of being limited to one specialism or department. In other cases, they may facilitate a better work/life balance – ideal for those professionals who want to focus their energies on their families as well as their offices.

There is no question that zero-hours contracts have been used unfairly, and one may even be led to question whether their recent surge in popularity may have been buttressed by a government happy to see unemployment figures drop – even if the reality is that some of those who are “employed” have no work to do; but it is difficult to argue that the solution is simply to get rid of what can – when properly used – be a beneficial employment relationship for both employers and employees alike. What may be the better option for employers, then, is to offer employees a choice.

The future of the zero-hours contract may currently be a little uncertain; but for now at least, when used fairly and in the right circumstances, both employers and employees can benefit from their flexible nature. What’s more, thanks to the Small Business, Enterprise and Employment Act 2015, since 26th May 2015, exclusivity clauses in zero-hours contracts have been unenforceable, making them somewhat fairer than perhaps they once were.

To find out more about zero-hours contracts and to see whether they might have a place in your business, take a look at our Employment templates:

Zero Hours Contract
Zero Hours Policy
Zero Hours Employment Offer Letter
Casual Workers / Zero Hours Comparison

Does your business use zero-hours contracts? Perhaps you’re a professional that is on a zero-hours contract? We want to hear your thoughts. Not all zero-hours contracts deserve the bad rap, but with the election just around the corner, they’re in the spotlight again. Would you like to see them stick around as they are, reformed with restrictions designed to protect employees, or eliminated altogether?

Data Protection: The GDPR is Coming

In just over a year’s time, on the 25th May 2018, the new EU General Data Protection Regulation, more often known simply as the “GDPR”, comes into force. The GDPR is designed both to harmonise data protection throughout Europe and to modernise it, taking into account significant advances in science and technology that have taken place in recent years. In particular, the growth of the internet and the huge increase in the amount of personal data being transferred, stored and processed online (looking at you, cloud storage and social media) mean that data protection legislation is long overdue for a refresh.

The first thing to get out of the way, since the “EU” part will doubtlessly be leading some to question whether or not the GDPR will be around for long, is that the UK government has confirmed that the GDPR will not be affected by Brexit. It is quite likely, then, that the Great Repeal Bill (see our previous post, here) will take care of that. Now we’ve said “Brexit”, we’ll move on.

Who Does The GDPR Affect?

In the most basic terms, if you already have obligations under the Data Protection Act 1998, you still will under the GDPR. The GDPR will apply to organisations operating within the EU and to organisations outside the EU that deal with individuals inside it.

What Does The GDPR Apply To?

As with the Data Protection Act, the GDPR applies to “personal data”. This is where one of the key modernisation points arises, for the GDPR expands its definition of personal data to personal identifiers such as IP addresses. Even personal data that has been anonymised – by using coding or pseudonyms, for example – may still count as personal data if it can be traced to a particular individual. In short, almost any kind of personal data, whether it was previously caught under the Data Protection Act or not, will likely be included under the GDPR.

The good news, however, for many businesses – especially SMEs – is that in the case of things like HR records, customer lists, contact details and so forth, the new definition will make little practical difference. That being said, for those who do a lot with online data behind the scenes, it’s certainly worth brushing up to be on the safe side.

Another key point to note is that the GDPR now applies to “data processors” as well as “data controllers”. Those processing personal data purely in a service provider capacity for a data controller will thus now also need to ensure compliance.

What Does The GDPR Say About Consent?

Organisations will need to be more proactive, and clearer with the language they use, when it comes to obtaining consent to the collection and processing of personal data. Individuals must know how their information will be used, and organisations cannot rely on silence or inactivity on the part of those individuals as consent. Not only that, but if the purpose for which you want to use someone’s data changes after getting their initial consent to use it, you must get fresh consent for the new use.

Again, in some cases, particularly for those who already pay careful attention to privacy and data protection, this will simply mean business as usual; but for others, particularly those who use customer data for marketing purposes, consent mechanisms may need to be re-thought, and clear, detailed information must be made easily accessible to customers, explaining the whats, whys, and hows of the organisation’s personal data collection and use.

How Will This Change The Way I Do Things?

Simply put, organisations need to take a more proactive approach to data protection, maintaining a much sharper awareness of privacy throughout their activities, systems, and projects. One key way in which this should be done is through the use of Privacy Impact Assessments, another new requirement introduced by the GDPR (the Regulation itself calls them Data Protection Impact Assessments, or DPIAs). A Privacy Impact Assessment or “PIA” must be carried out before starting any processing that is likely to result in a high risk to individuals (large-scale profiling, systematic monitoring of a publicly accessible area, or large-scale processing of special categories of data, for example), so as to identify the risks to the individuals whose data is involved and decide how to minimise them.

You may also have heard about the so-called “right to be forgotten”, especially in the context of search engines. The GDPR now brings this one to your doorstep too, as the right to erasure. If an individual asks you to delete the data you hold about them, you must do so without undue delay where the data is no longer needed for the purpose it was collected for, where they withdraw the consent you were relying on, or where it was processed unlawfully, unless you have an overriding reason to keep it (a statutory retention period for tax records, for example). You must also pass the request on to any processors or other recipients you have shared the data with, so that their copies are deleted too.

Will I Need A Data Protection Officer?

If an organisation is a public authority, or if its “core activities” involve the “regular and systematic monitoring of data subjects on a large scale” or the “processing on a large scale of special categories of data”, then it will need to appoint a Data Protection Officer.

This will apply regardless of the size of the organisation itself, so small businesses are by no means off the hook. Particularly as a result of the growth in online business, even small businesses with only a few employees may potentially be dealing with the personal details of thousands of individuals.

The Data Protection Officer’s responsibilities will include advising on whether a Privacy Impact Assessment is needed and monitoring how it is carried out. The assessment itself, designed to identify and assess privacy risks for a given project which will involve the use of personal data (see above), remains the responsibility of the organisation as data controller.

What If Something Goes Wrong?

If there is a personal data breach, the GDPR requires that the local data protection authority (in the UK’s case, the Information Commissioner’s Office) be informed without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. Where the breach is likely to result in a high risk to them (leaked passwords, financial details or health data, say), the individuals themselves must be told as well, and even breaches that do not need reporting must be recorded internally. Not only does this mean increased accountability, but for many this will also mean changes to internal systems, policies, and procedures, such as logging, monitoring and a rehearsed incident response plan, to make it quicker and easier to spot and respond to breaches.

It’s under this heading that it’s also worth mentioning the F word. No, not that one (although you’d probably say it in the circumstances). Fines: that’s the one we mean. The GDPR is serious about increasing data protection, and penalties are no exception. Organisations that fail to comply with their obligations can face fines of up to 4% of their annual global turnover or €20 million, whichever sum is greater.

I’m Going To Be Very Busy, Aren’t I?

That depends. If your organisation is already taking data protection and compliance with the Data Protection Act seriously, the GDPR shouldn’t be anything to be afraid of. What’s more, you have a year to determine what changes need to be made and to make them, and provided you don’t mess about, that should be plenty of time.

Start by getting all relevant staff up to speed, appoint someone to oversee data protection, then evaluate your existing methods of data collection, obtaining consent, holding data, processing it, and handling individuals’ requests to see that data or have it erased. Your next step should be to determine what (if anything) needs to be improved and to get a plan in place for implementing those improvements in the time available. Remember the new responsibilities of data processors too: make sure that your suppliers and service providers are aware of their responsibilities under the GDPR and are taking the necessary steps to comply. Last but not least, don’t panic!

As ever, we want to hear your thoughts. Will the GDPR come as a shock to the system or is your business already hot on data protection? Do you think the modernisation of data protection law is overdue or do you see it as adding unwelcome burdens? Have you already started preparing? What steps would you recommend to other businesses?

Over the coming weeks and months we will be adding a range of new documents to our portfolio to help you get up to speed and up to spec with the GDPR, plus comprehensive new information on the various aspects of the GDPR with best practice guidance on how to comply. Stay tuned!

10 Tips That Will Help Improve Your Customer Data Protection

In the wake of the UK’s Brexit vote this year, it remains to be seen how the EU General Data Protection Regulation (GDPR), slated to come into effect in 2018, will impact on British businesses in the long run. Businesses have until 25 May 2018 to prepare for GDPR, which sets out uniform rules for data protection rights across the EU, as it will have direct effect on all member states from this date.

Any company, no matter whether it is inside or outside the EU, that handles the personal data of individuals in the EU (of any nationality) when offering them goods or services or monitoring their behaviour will have to abide by the GDPR. We are clearly living in an age when data protection is becoming increasingly regulated, so here are a few tips that will help your business tighten up its policies on customer data.

1. Don’t forget your updates

Some companies, including SMEs, fall into the habit of deferring software updates to quieter periods when they envisage less disruption to day-to-day business. However, a published security patch is also a public announcement of the flaw it fixes, and attackers routinely compare the patched and unpatched versions to work out how to exploit systems that have not yet been updated. Every week a required patch is pushed back widens the window in which your customer data can be compromised through a known hole. Prioritise security updates for anything exposed to the internet, test and apply them promptly, and where necessary invest in tooling that lets you patch without taking the business offline.

2. Keep an eye on sensitive personal data

Sensitive personal data (which the GDPR calls “special categories” of data), such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or information about health, sex life or sexual orientation, is the customer data that you should be especially wary of allowing to fall into the wrong hands. Know exactly who has access to your customer database, grant access only to those whose job requires it, review the list regularly and revoke access immediately when someone leaves or changes role. Protect the accounts that do have access with strong, unique passwords and a second authentication factor, and change a password straight away if you suspect it has been compromised. Forcing everyone to change passwords on a fixed schedule, by contrast, tends to produce weaker and more predictable passwords and is no longer recommended by the UK’s National Cyber Security Centre.

3. Clarify your privacy policy

Ensure you have a comprehensive privacy policy which clearly explains to your customers how their data will be used. Building trust between your organisation and customer base should be a priority, and you will find customers are more likely to voluntarily share their personal information with a company they trust. Don’t risk legal issues and damage to your reputation by failing to explain to your customers how their data is collected and used.

4. Don’t store what you don’t need

Keeping hold of personal customer data which you no longer need is a breach of Principle 5 of the Data Protection Act (and of the GDPR’s “storage limitation” principle). Information such as names and addresses might be useful to your marketing objectives, but storing data such as credit card details is often not required and simply adds to the damage should a security breach occur: a breach cannot expose data you never kept. Card data in particular brings the PCI DSS rules into play, and the card security code (CVV) must never be stored after a payment has been authorised; in most cases the sensible approach is to let your payment provider hold the card details and keep only a token or the last four digits. Set a retention period for each category of data you hold and delete or anonymise it when that period expires.

5. Utilise encryption

Encryption should be used to provide an extra layer of security. Encryption transforms data so that only someone holding the correct ‘key’ can read it; to anyone else, including an attacker who has copied your database or stolen a laptop or backup tape, it is unintelligible. Use it for data at rest (full-disk encryption on laptops and servers, encrypted backups, encryption of sensitive fields in the database) and for data in transit (TLS, i.e. HTTPS, for your website and for any connection carrying customer data). Two caveats: the protection is only as good as the key management, so a key stored alongside the encrypted data protects nothing; and prefer authenticated encryption (such as AES-GCM), which also detects any tampering with the stored data. The GDPR names encryption as an example of an appropriate security measure, and if breached data was encrypted and the key was not compromised you are not required to notify the affected individuals.

6. Assess security across your supply chain

It is also important that the vendors and partners with whom you work are able to demonstrate a sufficient level of security, particularly if they have access to your customer data. Always ask third parties about their security procedures before you provide them with access to your IT systems or customer databases, put their security and breach-notification obligations into the written contract, and give them the narrowest access that the service actually requires. Remember that under the GDPR a supplier processing customer data on your behalf is a data processor with obligations of its own, but you remain responsible for choosing one that can meet them.

7. Form a disaster recovery plan

Are you prepared for all eventualities in the scenario of a cyber-attack? You should have a plan in place, and it should be written down and rehearsed: who decides to take systems offline, who speaks to customers and to the Information Commissioner’s Office (remember the 72-hour notification window under the GDPR), and how you restore service. Keep backups that an attacker who has compromised your network cannot also reach, and test that you can actually restore from them. If you have no such plan, create one to protect your customer data and ensure the continued smooth running of your organisation.

8. The importance of testing

Your in-house IT support, or a trusted outside agency, must test your systems regularly in order to identify vulnerabilities that could lead to the exposure of customer information: automated vulnerability scanning of anything internet-facing, and a check that patches have actually been applied. Cyber security experts or “white hat” hackers can also be brought in to carry out penetration tests that probe the robustness of your security measures the way an attacker would. Make sure the findings are tracked to closure rather than filed away.

9. Bake customer data protection into your company culture

The employees in your organisation should be given training on how to handle customer data properly. They must know the correct procedure for reporting any data breach (e.g. if one of their passwords is compromised, or an email containing customer data is sent to the wrong recipient), and reporting must be easy and free of blame, or incidents will be hidden rather than raised. Extra security can be added by implementing a two-step login process (two-factor authentication) for employees, so that a phished or reused password alone is not enough to get into your systems.

10. Get the right legal advice

Should the worst happen and a security breach occurs, not only damage to your organisation’s reputation but regulatory fines and a financially crippling court case could feasibly be on the cards. That is why you need to understand your obligations regarding customer data. A data protection lawyer can help decide on the language you use in your privacy policy and in your contracts with business partners.

At Simply-Docs, we have a wide selection of ready-to-use documents that will help you create IT and data protection policies. To talk more about how we can help you build procedures to protect customer data, simply contact our friendly team today.

Could Becoming a Freelancer Be the Correct Career Choice for You?

The freedom to pick and choose how, when and where you work is one of the big advantages of becoming a freelancer, and it can be tempting to jump right into the world of self-employment for this very reason.

However, if you’re not fully prepared for the implications of freelancing, you could be surprised by many of the challenges which come with working for yourself. Consider whether you are ready to give up the day job by asking yourself the following five questions:

1. Do you have a portfolio of work?

No matter how much experience you have, clients will always want to look at examples of your previous work to see if you’re right for them. If you don’t have a portfolio yet, be sure to prepare one and publish it on your website – or at least build up your LinkedIn profile.

You could offer your services to friends or family for free or create your own projects. For example, those wishing to become a self-employed writer can create a blog to showcase their skills – and a budding freelance software developer could build an app or freely downloadable software.

2. Do you know how to pitch work?

Depending on the nature of your freelance work, you may be required to pitch your services to clients face-to-face, over the phone or via email. You should have a well-rehearsed and persuasive pitch and be confident in your ability to sell your service, as well as yourself. If you struggle to pitch your work you might struggle to find clients.

A successful pitch should explain exactly why you’re right for the job, bringing in prior experience and areas of expertise that are relevant to the client or job in front of you. Practise pitching to friends and family members first, and be sure to get your website copy right down to the last detail before using it as a basis for your pitch.

3. Could you offer competitive rates?

Figuring out what you will charge for your freelance services is incredibly important but also pretty tough. You’ll want to earn enough to make your work worthwhile and to pay your basic monthly bills, whilst offering value for money to your client. You’ll also want to position your prices in line with your competitors in order to make your service appealing.

Many freelancers provide quotes to their clients on a project-by-project basis, so you can assess every request that comes in and tailor your prices in accordance with the amount of time required to complete the job. But it’s always a good idea to also have a basic hourly and daily rate in mind, as some clients prefer to work on this basis.

Remember that you need to offer clients value for money. Let’s say you’re a graphic designer who takes 10 hours to produce a logo. If you want to work at a rate of £40 per hour, you may quote a client £400 to create a logo design. If that same client has received a quote of £300 for the very same job from another freelancer, your pricing won’t seem like value for money. Will you be able to explain to your client why your pricing is higher, and what added value they’ll receive from paying you more? Perhaps it will be of superior quality, turned around faster or you’ll be able to provide the logo in multiple formats. Whatever your USP, be sure that you remain an appealing choice to potential clients by ensuring that you offer value for money.

4. Are you financially prepared?

The biggest downside to working as a freelancer is the lack of a reliable monthly income, which is very daunting when you have regular monthly expenses to pay such as rent, mortgage or utility bills.

Depending on the industry you work in, it may be possible to find clients who can provide you with work on a consistent enough basis that you can maintain a steady stream of income, but it is not a guaranteed wage. You also have to consider scenarios such as late payments from clients or unforeseen business expenses.

To ensure that you can stay afloat at times where business is slow or invoice payment is delayed, you should have some savings behind you. Aim to save three to six months’ worth of income before you quit the day job and go freelance, as this should give you a good safety net for those tougher times.

5. Could you successfully maintain professional client relationships?

One of the trickiest things about working as a freelancer is developing successful relationships with clients. Your clients pay your wages, so they are the closest thing you have to a boss, but remember that you are running a business: do not rely too heavily on repeat business from any one client, and do not treat them as an employer.

You also need to make sure that you’re paid fully and on-time. No matter how pleasant and reliable a client may be, you should ensure that contractual terms are agreed in writing in advance of starting any work to avoid misunderstandings further down the line. The idea of drawing up legal contracts, invoices and terms and conditions may seem daunting to new freelancers, but putting these in place can help to secure the success of your fledgling business.

At Simply-Docs, we have a wide range of valuable business documents for freelancers, including invoice templates and a range of service agreements.
