GDPR & PRIVACY
DPIA: DATA PROTECTION IMPACT assessment
Some uses of personal data are riskier than others.
Higher-risk processing may require you to document a formal data protection impact assessment, or DPIA. Normally, you must do the DPIA even before you start using the data.
Plain English Law can advise and support you to:
Got a question about DPIA? Take a look at our FAQs.
As with most things commercial, you get what you pay for. And with a business you really do need to know what state it’s in before you buy.
Remember that old saying: caveat emptor, buyer beware? That’s exactly what due diligence is all about: becoming aware.
There’s the whole financial side of due diligence, and your accountant is the best one to help you there, but to give you an idea of what they’ll be looking for let’s take a hypothetical case study.
Say the business you’re interested in turns over £10 million a year. Sounds great, but how is that revenue actually generated? Does it all come from one customer, or does even 50% come from a single source? Or is the spread so diverse that no customer on their own is responsible for bringing in more than a small percentage? You’d need to know this as part of your financial due diligence as having too many eggs in one customer basket is a potential risk and could affect how much you should be prepared to pay for the business.
You next need to look at how it’s structured. How robust are the customer and supplier contracts? Employee contracts? Do all staff have one, and what do they contain? Look at notice periods, redundancy pay, non-compete clauses — these are all potential minefields.
Does this business rely on intellectual property to operate? If so, who owns that IP? Pay particularly close attention if the IP is licensed to the business. What does the agreement actually say? (More about intellectual property in this FAQ.)
Your lawyer should create a due dil questionnaire for the seller to complete — we always do this at Plain English Law, and it can be as detailed as you want. The more due diligence you do, the more it’s likely to cost, but it’s the nitty gritty detail that can help tip the balance when deciding if the business is worth taking on.
The seller may also be surprised at what the exercise reveals — and especially by what the potential buyer considers a risk. That’s because buyer and seller priorities rarely overlap and it’s why getting legal support through the buying — or selling — process is so important.
It depends on how you look at it.
If the employer doesn’t want to own and run their business any more they really only have two options: close it, or sell it.
Closing a business usually involves significant expense, particularly if there are employees. The redundancy process is time-consuming, staff would be due payments, plus the business owner would be liable for paying their professional advisors’ fees. So just this aspect of winding up the company will be costly.
So it may be easier to sell it instead, and where the business is struggling, the owner may indeed be prepared to accept £1.
That, though, is very rare.
It’s more common for the owner to look within the business for senior employees who might consider a management buy-out, which can be a win-win for everyone — and while most MBOs involve much larger sums, some literally do take place for £1 because the owner’s priority is to move on.
Anyone taking over an existing business should understand that the seller’s top priority is to draw a line under their legal risks. Existing directors will almost certainly resign immediately after the sale, and the responsibilities then pass straight to the new directors.
So whether the asking price is £1 or £1 million, the process needs to be grounded in detailed financial and legal due diligence. Look at it this way: you’re not paying to protect an £1 investment. You’re investing to safeguard yourself from volunteering to wind up someone else’s insolvent business for free.
Few of us would deliberately go into business with someone we’re not on good terms with — whether that’s a personal friend, a colleague, or someone with a shared interest.
But there’s no guarantee that it couldn’t change down the line. Sometimes it can be purely personal, sometimes it can be down to wanting to take the business in different directions, but at Plain English Law we’ve also seen a surprisingly high number of conflicts over money. Either there’s too little of it in the business, or too much.
Too little money strongly indicates that the business is failing — but the partners may not agree on why. Here, it may be easiest simply to wind up the company as it’s not worth the stress and conflict involved in seeking solutions, especially if it’s also straining a personal relationship.
Too much money, however, points to a successful business generating lots of profit and this in turn — perhaps surprisingly — can expose existing areas of conflict between partners, or create new ones.
Their original objectives are now changing and perhaps one partner wants to step back because they have taken enough from the business and no longer want to be involved in the day-to-day running. Without a formal shareholder agreement in place, this can create difficulties for all involved.
So too can major life changes — people sadly die, people get divorced. With no shareholder agreement spelling out what happens ‘in the event of…’, finding solutions can be painful, complex, and costly.
For example, if your business partner were to die, their shares would become part of their estate. Suppose their will (over which you have zero control) says all their assets — including those shares — go to someone you know nothing about. This third party is now, without you having any say in the matter, your new business partner.
You can get off-the-peg shareholder agreements and articles of association when you register your business at Companies House, but they’re not designed to address any of the worst-case scenarios you may one day have to face.
Far wiser to put in place a comprehensive bespoke shareholder agreement — along with articles of association specific to your business — so that everyone agrees upfront what will happen should circumstances change.
At Plain English Law, we don’t just look at the legal implications of your business structure — we also consider how it will work commercially.
Templates are great — at Plain English Law we’re creating them for clients all the time.
But what we’re not doing is using the same basic template over and over and just tweaking here and there.
That’s in part because there is such a wide range of contexts — shareholder agreements, employment contracts, client contracts, supplier contracts, to name just a few. Sure you can download a lot of these for free, but are they actually relevant to your business? And then check you can even understand what they’re saying.
Why not download one right now, and then ask yourself: ‘Is this how I speak? Is this how I want to communicate with my staff? Or my customers and suppliers? And do we even need half these clauses?’
Lots of words don’t mean it’s doing a better job than something half the length: it’s usually wiser to stick to essentials in an easily digestible document rather than attempt to cover off every eventuality.
A ‘kitchen sink’ contract also makes it more likely your customer or supplier will fail to read it at all or come back demanding to know why you’ve included clauses that suggest a lack of normal business trust. And if it’s written in over-complicated legalese, that may also trigger the ‘are you trying to pull the wool over our eyes?’ response.
None of this builds confidence which, after all, is what should lie at the heart of all business relationships.
Using plain language and sticking to what’s relevant helps build trust and consolidate first impressions. And that’s what you want — customers, suppliers, and employees who see you reflect your day-to-day dealings with them in no-nonsense contracts written to be understood by real people.
At Plain English Law, we love creating great contract templates for our clients — and that’s driven as much by our own extensive business experience as our knowledge of contract law.
We believe there’s a real art to weighing up what on the balance of probabilities could happen — and so needs covering — against including reams of contractual terms addressing what most likely never will.
Here’s the dictionary definition: intellectual property is ‘an idea, a design, etc, that somebody has created and that the law prevents other people from copying’.
In Scotland, England, and Canada the key IP categories are copyright, trademark, patent, and registered design.
At Plain English Law we mostly deal with copyright and trademark, and do not handle patents at all. Patent law is a specialised area of practice and we always refer clients on to a specialist lawyer.
This is literally the right to copy something, and is automatically created whenever someone produces a piece of writing, artwork, or a sound recording. In a business context, you can include written materials along with drawings, illustrations, graphics, logos, videos, and other design-based artwork.
So whenever you design a new logo, for example, it will have copyright attached to it. The same applies to books, pamphlets, articles, blog posts, and so on. Whoever owns that copyright has the right to create copies of the work and — arguably more important — to stop others doing so.
Software code is also covered by copyright because — oddly — it’s considered a literary work. Code is a series of words in a specific order that together convey meaning, and if it’s capable of doing that then it’s protected by copyright.
It’s important to understand what copyright does and does not protect. The ideas expressed in copyrighted material are not protected — only how they’re expressed. So the specific phrasing in a piece of writing or a song, a unique branding interpretation, an architect’s drawings, or how a line of code is configured are all covered. The thinking, imagination, and initial creativity that lies behind them are not.
How does this work in practice? Let’s say a consultant engineer has been commissioned by a client to produce a report. The engineer in turn commissions a photographer to create a portfolio of images for use in the report.
The engineer then writes the words for the report, so they own the copyright for that text. The photographer meanwhile owns the copyright on the images but because the engineer paid for a licence to reproduce them, the photos can be used in the report without a copyright breach.
The engineer also holds overall copyright on the report, including reproduction of the photos, and just because it was commissioned by the client doesn’t mean the copyright automatically transfers once it’s handed over. The client and engineer would need to specifically agree that copyright will also transfer. If they choose not to, the client gets a physical copy of the report but no right to make any further copies. Should the client ignore this and make copies anyway, the engineer has the right to claim breach of copyright.
Whenever a client anticipates needing more than one copy of something protected by copyright, it’s crucial to specify that they will get the printed copy and the right to duplicate. We always advise getting legal advice on this — and all the other aspects of copyright — to prevent costly misunderstandings down the line.
A trademark is a physical mark showing who created the item, and it has to be sufficiently distinctive to differentiate it from anything created by other people.
We see them every day and they can also incorporate a word or a phrase. Think of Nike — the iconic trademark obviously covers the famous swoosh but also the words ‘just do it’.
How does that translate into everyday business life? Say another business wants to resell a product or service you’ve created and is keen to use your trademark in their promotional and marketing activities. Your solution is to grant them a licence backed by an agreement setting out exactly how, when, and where they can use your trademark and placing boundaries around what they’re allowed to do with it.
If your trademark plays a significant role in how your business operates, you may also want to register it with the UK Intellectual Property Office.
Whatever the intellectual property under discussion, it’s vital to stay specific and never grant a broad licence which amounts to saying ‘you can do whatever you want with our IP’.
A widely-used example is how you can best control the use of your logo by other people. Will you stipulate they’ll need your approval every time? Or will you include rules governing the use of your logo as part of your wider branding guidelines? This is a common solution, but the contract does need to say ‘follow the branding guidelines’ or those guidelines will not have any legal force.
The benefits of an explicit contract and guidelines also apply if you see your IP being used in ways that may compromise your brand — carefully-crafted clauses can put a swift stop to that.
And what happens if someone you don’t have a business relationship with uses your IP? At Plain English Law, we can tease out the issues. Is it actually solely your IP, for example? Are your IP rights being violated, or are these people just being annoying?
If it looks like it may get complicated, we’d of course refer you to a specialist IP lawyer for expert advice.
No. Not all contracts are written. Say you’re a graphic designer and somebody phones up and says ‘please design me a logo’. You say, ‘no problem — that’ll be £1,000’, and they say, ‘go ahead’.
Nobody’s committed anything to paper or created an email trail, but you’ve nonetheless just created a legally binding contract. And nine times out of 10, all will go well.
But supposing it doesn’t? Even apparently straightforward deals can become complicated, so you need a process for recording what deal has actually been agreed, and what the terms are.
In this example, the customer may not have realised that, in law, the designer holds the copyright over the intellectual property the logo represents. So does that £1,000 include the logo and transfer of the copyright, or is that vital bit going to cost extra?
This is why businesses include standard terms of business on their websites or on their contract templates.
Most of us want a planned outcome after we’ve spent years running and building a business. So have you created something that somebody else could run? Could you sell the business when you want to retire? Indeed, have you even earmarked the proceeds of a sale for your pension pot?
If this is the case, you will need to ensure your business is indeed something that somebody else could run and for this you will need an exit plan.
There are two main ways to go about it:
- Set an end date for your departure. Here your exit plan needs to ensure your business doesn’t rely on you being a part of it, by delivering a specific service, for example. You’ll need to find ways of providing continuity to maintain customer confidence.
- Start stepping away from the day-to-day gradually, perhaps by acting as a silent partner or an advisor while the business transitions to a version without you.
If you’re in your 20s or 30s, this may feel irrelevant but would you really want to get to 65 and only then discover you can’t walk away because the role you play is too pivotal?
Effective exit planning takes time and attention to detail, and at Plain English Law we often partner with specialists like DC Consulting who can advise you on how best to lay the groundwork, fund your business, grow it, and then exit from it. Our role is to ensure your business goals are supported by the law at every stage of life cycle.
The original GDPR — or the General Data Protection Regulation — is a piece of European legislation that came into force in 2018. The UK was still an EU member at that time.
The aim of the GDPR was to standardise privacy rules across the EU and replace a patchwork of laws with a single streamlined standard.
With Brexit, the UK adopted a somewhat modified version of the original GDPR under the Data Protection Act 2018. As a result, you may now see privacy professionals referring to the UK GDPR and the EU GDPR as separate laws.
Fortunately, for most businesses the UK GDPR is effectively the same as the EU GDPR. The rules haven’t changed (yet). And if the UK GDPR diverges from the EU version in the future, you’ll still need to comply with the EU GDPR when processing personal data about EU customers.
Underpinning the GDPR is the belief that privacy is a fundamental right. As digital technologies extend further into our lives, so too do the threats to that privacy.
For governments worldwide, there’s a balance to be struck. Some voters are happy for businesses to use their personal data to sell more and create jobs. Others demand robust privacy protection.
GDPR attempts to strike that balance by allowing businesses to use personal data, but only within strict parameters. Some view the GDPR as too restrictive — and definitely anti-business. Others argue there are too many loopholes, our data is easily mis-used, and GDPR isn’t enforced properly anyway.
Wherever you sit in the debate, the GDPR is still the law, and your customers probably expect you to comply with it.
No. They’re often used to mean the same thing, but they’re different.
Data security describes actions taken to protect data from unauthorised access — by hackers, for example, or other types of intruder. Included are technical measures like firewalls and two-factor authentication and physical measures such as controlled access to servers.
Data privacy meanwhile covers how we collect, use, and share data. Central to the concept of data privacy is our right as individuals to control the information we share and not to be identified, monitored, or profiled unless we’ve given consent.
In practice, they work hand-in-hand and both are needed to build and maintain customer confidence. You need to understand your customers’ data privacy rights and then ensure you put in place the measures needed to keep their data secure.
The official GDPR definition is ‘any information relating to an identified or identifiable natural person’.
What does that actually mean?
A ‘natural person’ just means a real, flesh-and-bone, individual human being. They are ‘identified or identifiable’ if it’s possible to work out who the information is about, and ‘any information’ is as broad as it sounds and includes databases, photographs, drawings, and documents.
‘Relating to’ means the information is about that person, and also covers inaccurate information because — even though incorrect — it’s still connected to them.
In practice, working out whether the information relates to ‘an identified or identifiable natural person’ is usually straightforward because the individual is named or the information can be tied to other data identifying them.
Examples of personal data include:
- Contact details — name, phone number, email address
- Personal details — age, gender
- Employment details — occupation, employer name
However, while it’s straightforward, it can be a monumental task to sort through your company’s data when faced with a data subject access request. Why?
A document isn’t personal data about someone just because their name is on it. Think about all the emails you receive at work. They all have your name, but most of them probably aren’t ‘about’ you. An email about a customer order, for example, is rarely going to be data about you, but since it includes your name and email address, it will probably come up in any search of the email system for data about you.
This term — also known as ‘Article 9 data’ — covers particularly sensitive personal data that could be misused to discriminate against or persecute an individual.
Under GDPR Article 9, special category personal data covers
- Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
- Genetic data
- Biometric data — for example facial recognition, retina scans, fingerprints — when used to uniquely identify an individual
- Data about an individual’s health, sex life, or sexual orientation.
All special category personal data needs extremely careful processing, is subject to extra protections, and you should always ask yourself whether it’s necessary. And then ask yourself again — processing it without justification can lead to significant penalties, not to mention a potential PR disaster.
Although information relating to criminal convictions isn’t ‘special category’ data, the required protections are similar.
The GDPR definition is ‘performing any operation or set of operations’ on the data, but it basically means doing things with it, such as:
- Collection, storage, retrieval
- Analysis, organising, sharing
- Archiving, deletion, destruction.
So if you’re storing data without ‘doing’ anything else with it, you’re still processing it under GDPR.
Who does what under GDPR is closely defined and how you designate your data roles is key to proper compliance.
Data subjects are always individuals, so there’s no such thing as personal data about an organisation. Data subjects include business leads and potential customers, past and present employees, successful and unsuccessful job candidates, employees of contractors and sellers, and volunteers.
Whenever personal data is processed, someone is acting as a controller — usually an organisation such as a company or public sector agency.
Data controllers are the decision makers. They are the ones deciding why and how the data is being processed (in the GDPR, these are called the ‘purposes’ and ‘means’ of processing personal data).
To find out who the data controller is, ask which organisation decides what data to process, why it’ll be processed, who will do the processing, and where and how it will be done.
A controller can do their own processing, or contract out to another organisation — for example when you store company data on a cloud service such as Microsoft OneDrive. Here, the company is the controller of the data stored on OneDrive, with Microsoft acting as the processor.
You can have a single controller for a data processing activity, or several joint controllers. Similarly, one piece of data can have more than one controller with each controller managing it for different reasons.
The processor is essentially a service provider, processing personal data on behalf of — and as instructed by — a controller.
Data processors make no decisions about the ‘purposes’ and ‘means’ of processing. If they start making those decisions, they automatically become controllers.
So whether you’re a controller or a processor boils down to behaviour. What you are doing matters a lot. What you call it doesn’t. If the data processing agreement describes you as a processor only but you start using the data for your own purposes, you’re now also a controller.
Acting as a controller will trigger a number of compliance requirements, including letting all the data subjects know who you are and what you intend doing with their data.