Enter your email address:

Delivered by FeedBurner

Mills & Reeve: Technology Law Update

Full_Scale_Ahead_campaign_banner

Mills & Reeve: Full Scale Ahead

  • Our thought leadership campaign, Full Scale Ahead, explores the challenges the owners of medium sized businesses face when deciding how to grow. Find out more here.

Disclaimer

  • The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.

eCommerce

General Data Protection Regulation (GPDR) Series, Part 2 - the importance of self-assessment

The General Data Protection Regulation (GPDR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next ten months, several European Union and United States law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline. 

Part 2 of this GDPR Series is brought to you by Mills & Reeve. Other blog entries in this series will be brought to you by the law firms of FIDAL (France), Graf von Westphalen (Germany) and Van Benthem & Keulen (Netherlands) as well as Robinson & Cole (United States).

The importance of self-assessment

In any major project there is an analysis phase – involving a careful examination of your organisation’s current set-up and what needs to be done to deliver the project successfully. Preparing for the GDPR is no exception. Depending on the structures and practices of your organisation, compliance could require a significant allocation of resources to ensure that you are ready by the implementation date: 25 May 2018.

So what can be done to get started?

Perhaps the best first step is to conduct a self-assessment audit. This will help organisations map the likely impacts of the changes in data protection law on their activities.

A few key points are worth looking at in detail:

Management awareness

The development and implementation of a GDPR strategy requires strong leadership and the most effective strategies will be those that begin life as a boardroom priority, not least because fines of €20m or more may be issued under the new legislation. Organisations should be updating their risk register and organising work-flows to ensure compliance – recording any issues and allocating responsibility from senior management downwards. Depending on the scale of your activities, this might include the appointment of a Data Protection Officer under GDPR Article 37.

Accountability

‘Accountability’ is a “red thread” that runs throughout the GDPR – Article 5(2) states that controllers “shall be responsible for, and be able to demonstrate compliance with” the data protection principles, whilst Article 24 refers to controllers being able to “demonstrate that processing is performed in accordance with this Regulation”.

Organisations ought to be reviewing their framework of policies and procedures as well communicating those policies to staff and monitoring compliance. Part 1 of this series on GDPR mentioned the importance of promoting a risk-based approach and changing internal processes to comply with accountability risks. The right documentation will be key.

Know your data flows

Mapping data flows should be a priority. Work out where in your system personal data is received and where it is transferred out. Who has access to it and is that access necessary? Are there any security issues to be aware of at any point in your network? (eg ”internet of things” devices that connect to both your network and the internet and often do not have a high level of security – a prime example is CCTV).

Identify which of your data flows pose the highest risk to individuals. Some examples are already being heavily scrutinised under the current law – international transfers, large-scale marketing, profiling, behavioural analytics and fundraising activities are all typically deemed high-risk activities.

Fair processing information

Article 5 of the GDPR requires that personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject. One of the best ways to comply with this will be to provide clear and full information up front to individuals about how, where and why you will be using their data.

A self-assessment exercise should focus on what fair processing information is currently given to individuals at the point of acquisition of their data. Information can be collected from various platforms – marketing lists, credit reference checks, Facebook / website sign-ups, or apps. Each platform may collect the data through different means, and require different processes. What is your condition for processing the data? Are you relying on consent and, if so, how is that consent obtained? Organisations should assess whether current consents are sufficient to meet the requirements under GDPR.

In particular, review whether any new projects are being planned and take a look at how privacy can be built into these from the start, particularly if they are likely to result in a high risk to the rights and freedoms of individuals.

Know your escape routes

There are a few ways in which the effects of the GDPR can be mitigated or disapplied. Remember that the GDPR only applies to data the falls within the definition of “personal data” – if you can effectively anonymise the data so that individuals are no longer identifiable then the principles of data protection will not apply (GDPR Recital 26).

Implementing technical and organisational security measures can also provide a safety net in the event of a data breach – Article 32 notes the importance of encryption of data and making back-ups. A strong self-assessment will look at what techniques are already being used to secure data, how these can be improved and how new techniques (eg pseudonymisation) can be harnessed.

Conclusion

Achieving GDPR compliance is a challenge and an early self-assessment is vital. Organisations wishing to know more can track the next instalment in this series, which will focus on consent and fair processing – two of the key topics that will require considerable thought to bring activities in line with GDPR compliance.

Edward Hadcock

Posted by on 15/06/2017 at 11:23 | | Comments (0)

Major cyber attack highlights need to be prepared

The recent crippling “WannaCry” cyber attack has affected businesses and public sector organisations around the world. Thousands of businesses, hospitals and government bodies have been subjected to the same ransomware attack, encrypting files and providing users with a prompt including a ransom demand, a countdown timer and a bitcoin wallet to receive the ransom. As the UK’s newly formed National Cyber Security Centre explains, while new attacks seem to have ceased, existing infections from the malware spread on 12 May may not yet have been detected and may yet come to light.

The NCSC is working with the National Crime Agency, and crucially, with international partners, to tackle the current threat, but this is a reminder for all organisations to review their policies and procedures around cyber security.

What do businesses need to do to be best prepared?

Technical measures

The NCSC has three key recommendations for all types of organisations:

  • Ensure that security patches and updates are applied in a timely way.
  • Use “proper” (ie good quality and up-to-date) antivirus software
  • Back up your important data. This is particularly important to fend off ransomware attacks. If you can access your backed up data you cannot be held to ransom.

Increasingly sophisticated counter measures are becoming available. One example is Antigena offered by cyber defence leader Darktrace. Antigena provides an automated response technology that augments human security teams by reacting autonomously to in-progress cyber threats.

Many businesses make use of penetration testing services, where skilled hackers are hired to try to get past your defences. Using a service provider authorised under the NCSC’s CHECK scheme will help to ensure that the provider is competent and secure.

Employee education and working practices

Harnessing the vigilance of your workforce is a vital component of cyber security. Areas of vulnerability include:

  • Mobile and remote working. Can a user’s device be overlooked, lost or stolen? Can security credentials be accessed? A range of measures can be taken to minimise the risk involved in working remotely. For example, organisations can keep the amount of data stored on a mobile device down to the minimum necessary to carry out the required business activity.
  • BYOD. Use by staff of their own devices for work presents its own security risks. If a device is stolen, for example, could you remotely remove any sensitive data stored on it? You’ll need a risk-assessed policy that is communicated to all relevant staff.  Remember that any personal data that is processed in this way is likely to fall within the responsibility of the employer as data controller and be subject to data protection laws.
  • Passwords. With individuals now expected to maintain numerous separate passwords, employers are re-visiting current thinking on password policies. Requiring users to regularly change their passwords is now considered to be potentially counterproductive, for example. Password rules are necessary, but they should be simple and easy to follow. 
  • Email. Training to help employees to spot increasingly sophisticated phishing and spoofing, and avoid clicking on links or attachments, can reduce the risk of malware being introduced into systems, although it can be difficult even for experienced users to identify criminal material.

Attacks like these present a serious threat to any organisation’s operations and productivity. In addition, where data relating to individuals is compromised, an organisation can become exposed to substantial regulatory penalties, the risk of compensation claims or awards, and adverse publicity through breach of data protection laws. These are soon to become tougher with the introduction of the General Data Protection Regulation from May 2018.

The UK’s approach is currently to work alongside and support industry to improve security across the network. (See for example, the National Cyber Security Strategy 2016.) However, increasing regulation and stricter penalties for failure cannot be ruled out for the future. 

David Hall

Posted by on 16/05/2017 at 12:03 | | Comments (0)

General Data Protection Regulation (GPDR) Series, Part 1 - introduction and overview

The General Data Protection Regulation (GPDR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next ten months, several European Union and United States law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline. 

Part 1 of this GDPR Series is brought to you by FIDAL, a French law firm. Subsequent blog entries in this series will be brought to you by the law firms of Mills & Reeve, Graf von Westphalen (Germany) and VanBenthem & Keulen (Netherlands) as well as Robinson & Cole (United States).

GPDR Effective Date & Geographical Scope of Application

The GDPR will apply as of 25 May 2018. It provides a single set of innovative rules directly applicable in the entire European Union (EU), without the need for national implementing measures – which means that any personal data processing ongoing at this date must comply with the GDPR.  This leaves one year for companies to ensure compliance.

The GDPR provides for a scope of application wider than processing undertaken in EU countries. It will also apply to data controllers or subcontractors not established within the EU, but which process data with the aim of providing goods and services to EU residents or monitoring EU residents’ behaviour. 

Several steps should be taken by businesses in order to achieve compliance with provisions of the GDPR:

  1. Changes to internal processes to comply with the accountability rules

In order to effectively manage personal data protection within your business, an individual should be nominated to take charge of information and counsel, as well as organization of personal data activities. For many organisations, it will make sense to appoint a Data Protection Officer or "DPO" as of now in order to assess compliance as soon as possible, even outside the three mandatory legal circumstances imposed by the GDPR (public bodies, large scale monitoring and large scale processing of criminal convictions etc). In any event, an audit of personal data held and processing undertaken makes sense.

The nominated person can then map data processing within the business and build a record of all ongoing data processing. On the basis of this information, a list of necessary actions can be prepared and prioritized in the light of risks to data subjects’ rights.

In practical terms, the principle of accountability means that businesses must track and document their compliance with data protection rules and keep these records available to respond to an inspection by state authorities.

  1. Promoting a risk-based approach

If any processing is identified as carrying a high risk to data subjects’ rights, the business should then conduct a Privacy Impact Assessment (PIA).

In addition, internal processes should be developed in order to respond to events likely to trigger the controller’s liability, such as security breach, requests to access or rectify data, update of processed data, change of subcontractor, etc.

Data protection safeguards shall be built into products and services from the earliest stage of development ("Privacy by Design"), making use of techniques such as pseudonymisation and encryption.

  1. Data transfers

Data transfers outside the EU are subject to EU law for any subsequent processing and transfer. Standard Contractual Clauses, Binding Corporate Rules and the Privacy Shield scheme may still be used for transfers outside the EU. 

  1. Agreements between data controllers and their subcontractors

Data controllers’ agreements with their subcontractors agreements will have to incorporate new mandatory elements set out by the GDPR. Existing long-term agreements may need to be redrafted. Subcontractors will now have their own direct obligations in certain key areas such as record-keeping and security, separately from the obligations on data controllers. 

  1. A single data protection authority

In future, businesses will deal with one single supervisory authority in the EU country in which they are mainly based, rather than having to engage with authorities in all relevant countries. The lead authority will then work with other national data protection authorities to achieve an EU-wide approach.

  1. Negative impacts in case of a legal breach

Whereas the existing EU legislation (Directive 95/46/EC) leaves to Member States the task of determining and applying sanctions, the GDPR is more prescriptive. It provides for administrative fines to be imposed on data controllers and subcontractors. The amount of those fines can go up to the greater of 20 million Euros, and 4% of annual global turnover.

In the event of a serious data breach, companies will have to inform the relevant data protection supervisory authority within tight timescales, as well as the data subjects themselves in the event of the most serious breaches.

Isabelle Gavanon

Posted by on 08/05/2017 at 12:06 | | Comments (0)

Brexit, Article 50 and what it means for innovative businesses

The shock of last June’s referendum result, with the UK electorate opting to leave the European Union, is starting to fade. Now the hard graft begins. Tomorrow British Prime Minister Theresa May will trigger Article 50, starting the two year process of negotiations that will end with a deal, an untidy departure or (maybe) an agreement to keep talking. Since the first analysis of what Brexit will mean for businesses we have learned more about what the UK intends to keep and discard. How are things looking now?

Patents

The long-planned European Unitary Patent, and its associated Unified Patent Court, looked at serious risk after last June’s vote. Although the creature of separate agreements, the Unitary Patent is closely interlinked with the EU. But the UK has repeatedly stated that it intends to press ahead with ratification and has taken steps to get this done. The UPC’s Preparatory Committee is targeting December 2017 as the start date, so it seems that the system will commence before Britain’s departure, with the UK considering ways to remain a part of it into the future.

With one of the Central Court locations in London, and the UK as a major patent filing economy, there is a lot of enthusiasm across the European IP community to keep the UK in the system. And disentangling the UK post-Brexit would be complicated. But a major concern from a UK perspective is the role of the European courts as final arbiter of Unified Patent Court disputes. "Taking back control" was one of the key messages of the 2016 Leave campaign. As the Unified Patent Court will be a creature of an international agreement, and not a UK court, this is not the same as UK courts having to treat the Court of Justice of the EU as determining UK law. But, politically, a system where ultimate decision making remains with an EU institution will be difficult to square with the "control" objective.

Fortunately, the European Patent Convention is separate from the European Union and so businesses can rely on that tried and tested route to protection until the dust settles. Opting patents out of the Unitary Patent - patent owners should have this on their to-do list before the opening of the new court - may be the wiser course until it is clear where we will end up.

EU registered rights: trade marks, designs, and protected food and drink registrations

Trade mark protection for brands, and design protection for innovative designs, operate on parallel national and EU tracks. The national routes to registered protection in the UK will remain unaffected, but the widely used EU Trade Mark and Community Registered Design (EUTM and CRD) will no longer cover the UK. It is likely that existing EUTMs and CRDs will be given protection within the UK, discussed below.

Also, the EU’s Protected Geographical Indication system (giving registered protection to the names of foods and beverages such as Melton Mowbray pies, Stilton cheese, Scotch whisky, Parma ham and Champagne) may no longer apply to the UK. As there is no parallel UK system these names are vulnerable to loss of protection within the UK, as are the names of UK produce elsewhere in Europe, and it is not at all clear what, if any, system will be put in place to protect these names.

The UK Government promises to transpose EU law wholesale into UK law through a Great Repeal Act. We expect to see the proposed text soon. But a straightforward copy and paste of existing EU law will not work. The Government has recognised this and intends to use delegated powers to tidy up the many areas of detail where a simple replication will not make sense. But there will be a good many devils lurking in the details.

We have yet to learn what will happen to existing EUTMs and CRDs.

  • The UK could adopt a model of automatic conversion of any existing EU registrations to UK registrations. But this would crowd the UK register with a substantial number of registrations that are used only in other parts of the EU. For example, a brand that is used in Eastern European countries but not in the UK could form the basis of an opposition to future applications for UK marks that look or sound the same or similar. However, if these registrations are not renewed in the UK (which is likely if the owners have no interest in the UK market), then they will cease to have effect here.
  • The UK could actively require all owners of EUTMs and CRDs to apply to convert their registrations to corresponding UK registrations (subject to payment of a fee and within a specific time). There has also been talk that any such EUTMs will be subject to re-examination by the UK Intellectual Property Office for registrability (e.g. to check that they are sufficiently distinctive), but this would be onerous and potentially unfair to those owners, and would put a huge burden on the UK IPO.
  • Another approach might be simply to extend UK protection to existing EUTMs and CRDs, without taking these onto the UK register, and for them only to be registered as UK rights when they fall due for renewal. But this raises its own administrative and regulatory issues, with the UK then outside the EU.

Businesses may want to seek parallel national and EU protection for their key rights. Doing this for all registrations, though, may be going too far until we know more about the future arrangements, and we would suggest taking stock a year into the Article 50 negotiations.

The IPO is alive to the issues and is "exploring various options" to find solutions. Moreover, new issues will arise in relation to those EU rights in relation to protection in the EU, on areas such as trade into the EU and whether such rights remain valid in the EU.

Data protection

International data flows are a feature of modern life. If the UK is to retain its place as an leading innovator in sectors like FinTech and gaming, data protection that meets EU requirements will be vital. For the personal data of EU citizens to be processed, or for services to be targeted at them, the UK will be looking for a formal decision recognising that its law and procedures come up to scratch. And with data protection law becoming tougher in May 2018, compliance with those higher standards will also be necessary.

The UK has said that it intends to implement the General Data Protection Regulation in time for the 2018 deadline, but this implementation will not by itself be enough. The formal recognition required to acknowledge equivalence of the UK regime will have to be in place by the time of Britain's exit from the Union. And if things are getting tricky in the negotiating process, there’s no reason why the EU Commission should feel compelled to play ball. What’s more, activist individuals or groups can use legal proceedings to challenge recognition of a non-EU country’s data laws. As those following the saga of the US Safe Harbor and its successor, the EU-US Privacy Shield will be aware, it can take years to get a settled arrangement in place to permit international data flows.

That said, alternative arrangements are available for many types of data transfer. Individuals can be asked to give their informed consent to transfer, for example, or standard contractual clauses can be inserted into contracts between the sender and recipient of the data. So it should be possible to find a way to continue operating, by following alternative procedures.

Regulated industries - life sciences, transport etc

For the life sciences sector, a major threat remains the upheaval of the regulatory landscape. European approvals processes for pharmaceutical, medical device, veterinary and crop protection products are closely integrated. While it is still possible to use UK procedures for sale on the UK market (with some exceptions), for most products the efficiency of using one of the EU systems is highly desirable. Some commentators are concerned that separating the UK from the EU systems will mean delays to the clinical testing or marketing of novel products in the UK. And the current London home of the EU pharmaceuticals and veterinary products regulator, the European Medicines Agency, seems likely to change. Countries around Europe have expressed interest in taking over the role of host. 

Similar concerns arise in other heavily regulated sectors like automotive and aviation. Recent reports suggest that Britain will aim to retain access to at least some EU regulatory agencies for a transitional period to avoid the need to establish new ones within a two-year period.

Research funding

The UK has offered a short term guarantee for EU funding for research projects agreed while the UK remains a member. While this is aimed to encourage UK research businesses and institutions to continue to apply for competitive funding it offers little comfort for the longer term. In the future, research funding is more likely to come from UK projects and initiatives like those announced in the Industrial Strategy Green Paper.

Steps towards greater certainty

It is difficult at this stage for businesses to plan for the future with the legal outlook so uncertain. We have not touched on some of the wider issues for industry as a whole – immigration restrictions and trade barriers for example. What business needs is certainty, and this can only develop as the "divorce" negotiations begin in earnest, and the UK’s approach to tidying up the legal mess that Brexit involves becomes clearer.

What is certain is that parties entering into, or with existing, long term agreements which relate to activities in the EU must think carefully about the implications for those agreements. Some changes can sensibly be made now to deal with a post-Brexit reality.

Posted by on 28/03/2017 at 11:46 | | Comments (0)

FOIA implications of a “digital workplace in our purses and pockets”

Digital communications (eg, on WhatsApp, Twitter or Facebook) can be disclosable under the Freedom of Information Act 2000 (FOIA).

A recent speech by Elizabeth Denham, the Information Commissioner, is a good reminder that “it’s the message, not the medium that matters” and public authorities need technology to manage their digital information.

Any digital communication sent by someone with a direct, formal connection with a public authority, an employee for example, could be disclosable under FOIA, if it relates to the business of the public authority.

But, as recognised in the Code of Practice on the Management of Records, “access rights are of limited value if information cannot be found when requested”. There is currently no legislated duty to document; what exists currently is a “patchwork of guidance”. Elizabeth Denham intends to investigate the scope of the problem to assess whether we need a legislated duty, with specific oversight and consequences.

In the meantime, organisations do need to make sure they have the appropriate technologies to organise and search existing digitally stored data. In terms of digital communications (such as on instant messenger), in Denham’s view, public authorities should consider whether it is appropriate for decisions to be made by such means, and any such decision should be subsequently recorded elsewhere.

The Information Commissioner is responsible for promoting good practice under this legislation. Watch this space - we could see her using her existing powers to promote better document management and even recommending a legislated duty.

Hannah Shaw

Posted by on 15/03/2017 at 12:44 | | Comments (0)

UK Digital Strategy – will it fill the skills gap?

The UK’s newly released Digital Strategy builds on the wider Industrial Strategy Green Paper published in January. While it outlines a promising series of initiatives to support digital industries, it fails to offer much positive news for those faced with a post-Brexit hiring crisis.

The Digital Strategy covers a lot of ground, with initiatives ranging from mobile and broadband infrastructure, to streamlining and enhancing digital government, funding R&D, improving regulation and promoting scale-up.

A particular focus of the Digital Strategy is improving digital skills, from those who are currently digitally excluded (around 1 in 10 of the adult population have never used the internet) to those studying for more advanced skills at school and university. While the Digital Strategy recognises that Brexit will present a challenge, as the pool of available talent contracts, attention is focused on home-grown skills. The National College for Digital Skills (Ada), for example, opened in 2016 to provide an industry focused alternative at sixth form and apprenticeship level. A new independent institute to improve degree level provision is also planned. And a new Digital Skills Partnership will aim to coordinate and target the range of training opportunities available across the country.

Chapter 3 of the Digital Strategy acknowledges the ongoing need for access to international talent, but offers little immediate comfort other than saying that the Migration Advisory Committee will be asked to consider whether the Tier 1 (Entrepreneur) route is appropriate, and make recommendations. While much of the impetus for Brexit revolved around immigration concerns, many in the digital field will want to see a strategy for skilled worker immigration routes sooner rather than later.  

Posted by on 02/03/2017 at 14:16 | | Comments (0)

Ground-breaking code of practice to tackle pirate websites

A ground-breaking new initiative targeting online piracy brings together the creative industries and leading search engines under a voluntary code of practice to tackle copyright infringing sites. The deal, brokered by the UK Intellectual Property Office, with the support of Ofcom and the Department for Culture, Media and Sport, will involve collaborative work to demote search results that link to illegal sites. There will be ongoing technical consultation and information sharing to improve the process and adapt to change.

While some individuals intend to access illegal sites, the code addresses a concern that many who are looking for legally available content will find themselves presented with copyright infringing material. Accessing infringing files through these sites can expose consumer devices to malware.

Founder signatories to the voluntary code number only four, with Google and Bing the only search engines. Although these are by far the largest, with Google alone amounting to some 87% of the UK search engine market, there are others (notably Yahoo!) and their participation would be welcome.

Geoff Taylor of the British Phonographic Industry welcomed the code:

“This initiative is a world-first. We are grateful for the support from UK Government both for this code and for the “Get It Right” campaign that encourages fans to support the artists they love. We look forward to working with Google, Microsoft and our partners across the creative industries to build a safer, better online environment for creators and fans.”

and UK IP minister Jo Johnson gave the deal his strong backing:

“Search engines play a vital role in helping consumers discover content online. Their relationship with our world leading creative industries needs to be collaborative. Consumers are increasingly heading online for music, films, e-books, and a wide variety of other content. It is essential that they are presented with links to legitimate websites and services, not provided with links to pirate sites.”

The code itself is not included with the announcement and so it is hard to judge how broad its impact will be, for example in influencing search results outside the UK.

Posted by on 21/02/2017 at 11:41 | | Comments (0)

Price promotions – making sure your price is right

New guidance on price promotions has been issued by the UK Chartered Trading Standards Institute to replace the previous Pricing Practices Guide by BIS (now merged into the Department for Business, Energy & Industrial Strategy). The guidance applies to all consumer sales of goods, services and digital content, and includes online transactions as well as those in retail premises. Enforcers are likely to allow traders until April 2017 to bring their practices into line with the guidance.

What is the law on price promotions?

English law doesn’t provide detailed rules about how to present your promotion to ensure that it is fair. Essentially, the trader must ensure, on a case by case basis, that each of its pricing practices is fair and transparent to consumers, enabling consumers to make informed transactional decisions. Traders must not providing unfair pricing information that would cause, or be likely to cause, the average consumer to take a different transactional decision than they otherwise would have made. This includes misleading customers about the price or the existence of a price advantage.

What’s changed?  

The new guidance is framed to encourage traders to make a self-assessment of each promotion on a case by case basis. It sets out advice on what types of pricing practices are more likely, and less likely, to comply with the law but it avoids providing specific criteria. This should discourage the practice of “selective interpretation” of the guidance without regard to legal obligations, a practice previously criticised by the UK Competition and Markets Authority. For example, the new guidance on price comparisons requires a holistic consideration of whether a higher price used for a comparison represents a genuine reference price indicating good value, rather than setting a fixed number of days for which the product must be promoted at the higher price.

What are the consequences of getting it wrong?

Getting it wrong could result in bad publicity, a complaint to the Advertising Standards Authority, claims for compensation and action by Trading Standards.

What steps should traders be taking?

Along with reviewing the guidance to ensure that your pricing practices stack up, you should ensure you keep relevant evidence of your compliance. This includes evidence of how your price promotions are communicated to customers, the terms and conditions of the promotion, evidence of stock and availability of the products concerned and evidence to back up any price comparisons with competitors’ products.

Hannah Shaw

Posted by on 02/02/2017 at 10:26 | | Comments (0)

A technology top ten for 2017

What should we expect in the technology space in 2017?

We take a look at current trends and focus on some of the legal opportunities and pitfalls that they present.

1. Cybersecurity

Hacking and data breach were major concerns in 2016, with a series of high profile incidents hitting the headlines, from the hacking of retail banks to ransomware demands on hospitals. Many predict an even greater impact in 2017. While it affects businesses across all sectors, cybersecurity is brought into sharp focus in those deploying data-rich technologies. The potential for legal and reputational penalties is huge and the issue is increasingly one for the boardroom. 

We expect to see businesses of all sizes looking for greater support with cybersecurity, while a lack of a joined-up market for 360 degree cybersecurity presents a problem. Many areas need to be addressed simultaneously, from technical excellence to staff training. We also expect to see mainstream providers of business insurance giving cyber risk increasing prominence in their product line-up.

2. AI 

The launch of CES 2017 in Las Vegas saw AI at the forefront, with Amazon, Microsoft and Google promoting their voice-controlled virtual assistants to link up with other products – speakers, table lamps and even toasters.

We see AI as key across a range of customer service contexts too. In fintech, for example, analysis of how account holders make financial decisions to offer customised advice, and AI service agents that can learn and improve are becoming available.

Legal issues here revolve around accessing and using customer data in compliance with the requirements of security, consent and control. Also important will be contractual clarity between the different players to ensure that safety is maintained and responsibility for proper functioning is clear.

3. Internet of Things

We expect that 2017 will see the release of more new products that really start to make IoT part of daily life. Connected products in areas like medical applications and home safety, for example in the retail and private rental sectors, will become increasingly familiar.

IoT requires the collection and processing of extensive customer data. While not all of it is especially confidential or sensitive in nature, issues around the collection and use of data are key. And because IoT involves connections between different products and networks, clear responsibility for safe functioning is important.

4. Robotics

CES 2017 highlighted a range of different bot technologies. Emotech’s Olly offers a smart assistant able to recognise and respond to different individuals. Modular robots offering a range of different functions able to be connected to a base station were on show.

As well as customer data, product safety and reliability will be key here. Offering services to elderly or disabled individuals, for example, will place a high degree of responsibility on producers to ensure consistent functioning.

5. Autonomous vehicles 

Google has rebranded its driverless car project and (importantly) its embedded driverless car software systems Waymo. And with Uber trialling autonomous vehicles in California, and several trials across the UK, and Volvo's Drive Me project expected to make available 100 cars to individuals later this year, autonomy is looking a lot less futuristic.

While regulations around the testing and use of autonomous vehicles have been put in place in a number of locations, international consistency is in short supply. United Nations-led efforts to move towards an agreed approach permitting greater autonomy on the roads take time, leaving individual countries and regions to set up their own programmes. This means that developers will have to adapt their approach to accommodate local rules and requirements.

Learn more about our analysis of autonomous vehicles and the law here.

6. UAVs

Drones are still high up on the agenda. Amazon has started making drone deliveries in Cambridge, but to a large, flat garden – will this really take off? The legal issues for drones range from compliance with specific rules and regulations applying in the area where the drone will be used, to wider considerations around data collection and use, insurance and possible liability for damage.

7. Gig economy workers

Growth in online services may leave the real people delivering the goods or providing the services exposed to insecurity and low pay. We expect to see increased activism for workers’ rights and government action to protect the rights of individual workers. Read more on how the UK is responding to these concerns here.

8. Fintech on the move

With mobile internet usage now ahead of desktop reliance on mobile devices for financial transactions is likely to increase. The EU’s Second Payment Services Directive, due to take effect early in 2018 will see fintechs gearing up for change. Our fintech specialist, Simon Warburton, analyses the legal implications and offers practical tips here.

9. Blockchain

Innovation foundation Nesta predicts that blockchain will find more mainstream applications, away from the techie world of Bitcoin, allowing individuals to cut out the middle man and take greater control over their own data. But many feel that some of the more extreme claims for blockchain are just hype. Specific use cases where the technology will offer real benefits will become apparent. In finance, for example, this is expected to be trade finance and capital markets.

10. Medtech - medical records hosting

Medical data presents its own set of problems. Ready availability and accurate processing of patient records are essential, but public concerns around the data sharing deal agreed between Google's DeepMind and the UK National Health Service highlight the difficulties.

We envisage an increasing trend of patient records increasingly being hosted on purpose-built systems hosted by private sector providers, facilitating increased availability, accuracy and sharing of medical records. The requirements for control, data security and patient consent are especially important in this context.

A new privacy framework - the GDPR

A common issue across these cutting-edge technologies is the collection, storage and use of customer data. Any business that collects and processes customer data having any connection with or presence in Europe will need to review their products and services to ensure they comply with the EU’s GDPR (General Data Protection Regulation).

This will take effect in May 2018 and will require data controllers to ensure “privacy by default”.  And products and services that store personal data will need to provide improved controls (including data portability facilities) for users. You can see an introductory guide to the GDPR here.

Posted by on 06/01/2017 at 12:11 | | Comments (0)

UK National Cybersecurity Strategy, and trying to predict the future

The UK government has released a National Cybersecurity Strategy for the next five years. It will always be a difficult enterprise to try to predict changes to the threat landscape for the digital economy, even over as short a time span as five years. But there is clearly a pressing need here with cyberattacks regularly in the news. A recent example was an attack on a group of hospitals that put patients at risk for several days.

A great illustration of the rapid changes in technology came earlier this year: on the atomic scale, 5 is an impossibly small number – but the first "5-atom quantum computer" developed out of MIT has the potential to break most traditional encryption systems. Such developments will revise how we look at cybersecurity in the future, and being adaptive to changes will be extremely important.

Whilst quantum computing doesn’t get an explicit mention in the UK cybersecurity strategy, the strategy covers a great deal of emerging threats as well as more traditional security issues.

So what’s the basis of the UK’s strategy?

The report opens with a frank statement that “we are critically dependent on the Internet” and recognises that in general such a system is “inherently insecure”. The resulting strategy is principally about reducing security risks whilst highlighting the benefits of digital technologies. The tagline is laudable: to make the UK “secure and resilient to cyber threats, prosperous and confident in the digital world”.

What role are businesses to play in this strategy?

Some key points:

  • The report places businesses at the forefront of the UK’s national response for the protection of personal data of individuals, and organisations’ general responsibility to “the citizen and consumer, and society at large”.
  • The link between cybersecurity and privacy concerns is enhanced by the government’s proposal to “make use of all available levers, including the forthcoming General Data Protection Regulation, to drive up standards of cybersecurity across the economy.”
  • "Security by default" is emphasised, going hand-in-hand with the GDPR’s focus on "privacy by design".
  • It is clear that the UK government expects big improvements in the resilience of organisations’ systems and is prepared to hold to account those who do not comply. The message is explicit: “Businesses and organisations must understand that, if they are the victim of a cyber-attack, they are liable for the consequences”.
  • The government also plans to support the creation of a UK cybersecurity sector through addressing funding gaps for SMEs to grow and expand, collaborating with the private sector to drive innovation, and working alongside academia to commercialise its science and technology innovations.

This is going to be an area of large-scale development, investment and opportunity. The UK government is taking an active approach to cybersecurity with the potential for new regulation and a commitment of £1.9bn to deliver on this strategy. The establishment of a new National Cyber Security Centre in October this year underscores the importance of this area.

Organisations wisely looking to enhance their cybersecurity measures will find the report a useful document to outline the UK’s cybersecurity "playbook".

Edward Hadcock

Posted by on 18/11/2016 at 09:43 | | Comments (0)

Next »