How to Deal with Unfair Contract Terms

Rules Against Unfair Contract Terms Apply to B2B Transactions

As you can see, I’m on the road today visiting some clients and business meetings, and that is a plane I can hear in the background.

One thing I wanted to talk to you about today is we’ve got a client who has been involved in a business-to-business relationship. The relationship started early in 2017, so after the changes to Australian Consumer Law in November 2016, and some of the provisions in the contract that our client has entered into are unfair contract terms.

Under Australian Consumer Law, unfair contract terms are terms that, for example, will give one party the right to do something but not the other party. So for example, only one party being able to end the agreement.

In this particular instance, our client was signed up to do a certain thing for a certain period of time. The other party didn’t deliver, so our client cancelled and exited. But the person they signed up with is still trying to charge them money. That charge is just not going to be enforceable under the unfair contract terms provisions of the Australian Consumer Law, because it matches all the indicators that would enable a court to declare the provision void and unenforceable. As a business owner, you should be aware that the rules against unfair contract terms now apply in business-to-business transactions involving small business.

How can Onyx Legal help you?

Contact us to review your contracts and bring them up to date for ease of understanding and legal compliance. If you are worried that your contracts include unfair terms that affect you, or affect your customers, we can let you know your available options.

What Should I Do When a Client Won’t Pay?

Any business, whether it is online or otherwise, will inevitably run into a situation where a client refuses to pay a debt owed to your business. How you respond may depend on the amount of the debt, type of debtor and specific regulations in the State or Territory in which you are seeking the money.

Some people have great difficulty asking for payment, even though they know the money is owed. If this is you, create a process that you can follow, or delegate to someone else to follow, to avoid the emotional hesitation attached to asking for money.

You might create a fictional admin person in your business with their own alias and email address and use that identity to follow up payment if it is confronting for you to do it by yourself. If you use a system like Xero or MYOB, you should be able to set up automated reminders in that system so you don’t have to do it manually. 

Although the process varies, the general outline for collecting on money owed is as follows:

1. Follow up

A quick, non-judgemental phone call might be your quickest way to get paid. It is possible that someone has simply forgotten to pay your invoice.

Follow up with a polite reminder within seven days of the overdue date. If you get no response, you can either call to ask about when the debt will be paid, or follow up with a slightly less friendly reminder.

Keep a record of all communications, whether via email, post or telephone. If reminders and phone calls don’t get a response, persist with a more personal form of communication, like a phone call. 

2. Letter of Demand

Whether you are seeking to recover a debt from an individual or from a company, start with a Letter of Demand. The Letter of Demand states that the company or individual has until a certain date to pay the debt. It also explains that failure to pay by that date allows you to initiate legal proceedings to collect the debt (usually without any further notice). The Letter of Demand is the customer’s last chance to pay on the debt, and it shows the court that you attempted to collect the debt before going to court.

3. Statutory Demand

If the debtor is a company, a Statutory Demand can be used if the company owes more than $2,000. The Statutory Demand gives the company 21 days to pay. This type of demand is what triggers the process of winding up the company (and the appointment of a liquidator or administrator) if the company fails to respond within the 21 days. A Statutory Demand is a specific legal form, and if there is no response the company is presumed insolvent. You will need legal help to manage the specific legal requirements of this process. You don’t want to start out and get it wrong; there are very specific rules and time frames involved.

Once the time limit on a Statutory Demand expires, that demand stays in place until the debt is paid, and you can use the failure to respond to start court action to wind up the company. The whole process of getting to a hearing of the application costs upwards of $7,000 on average, and there is no guarantee that you will recover the funds owed to you on top of that cost. So think carefully before starting this process.

4. Going to Court

If the customer does not respond to your demand letters, then the next step is to initiate legal proceedings. These proceedings vary a great deal depending on the type of debt and the debtor. Please contact us to discuss your situation.

5. Collecting on a Judgement

If you have won in court, you probably won’t just get paid. You are more likely to need to take steps to enforce your judgement. So, where the Court has made an order that the other party pay you an amount of money within a certain time frame and they don’t, you have to go back to the Court to take further steps to make them pay.

Your customer might be ordered to attend court and explain their financial situation and why they haven’t paid. It is possible to get an order that a sheriff seize your customer’s property and sell it to pay you, although this is uncommon. The court could also issue an order where the customer’s funds (including wages) are garnished and given to you instead; this includes accounts payable if the customer is a company.


How can Onyx Legal help you?

For debt recovery we usually recommend the ‘CollectMore App’, which you can purchase for around $6.99 on iOS or Android. That App includes processes for debt recovery and a series of templates all written by a debt recovery expert whom we know and respect.
We don’t profit from this recommendation, we simply believe it provides you with an inexpensive option that is immediately available.
If you don’t want to do it yourself, we can also review your circumstances and write a specific letter of demand and follow up the debtor on your behalf.

Legal Issues for Startups

The key is to identify the legal issues that put your startup business at risk of irreparable destruction or overwhelming cost, and deal with those issues first.

What impacts your startup business most will depend on where you are, and where you want to get to in the immediate future. Prioritise, don’t try and do everything at once.

Someone with an idea they want to develop will have different concerns to someone with a prototype looking for investors, and those will differ again from the issues facing someone who has an MVP, investors and is looking to build their team.

@OnyxOnlineLaw we’ve put together a curriculum for start-ups covering –

MODULE 1 for Startups – Developing an idea

This is all about protecting and valuing your intellectual property (IP). Too many startups have great ideas and start developing them without understanding how to secure their IP. If you can’t show serious investors that you own the IP, you won’t get investment. Simple as that.

Can you imagine Microsoft paying $26b for LinkedIn if LinkedIn didn’t own the IP behind their systems? Probably not.

Understanding this legal topic can also help you identify the best tools and strategies for developing your business using other people’s IP.

MODULE 2 for Startups – Business structures

Your business structure is either going to give potential lenders and investors confidence, or have them running for the hills. What your accountant might recommend for tax minimisation might not be the best structure for attracting an investor. So consider where you want to take your startup and what makes sense for you.

Understanding this legal topic will help you identify structures for investment, growth and diversification. We aim to give you the confidence to really ask questions of your advisers about what is best for your startup and challenge their recommendations to ensure you don’t waste heaps of time or money.

Trust structures might work well with property investment, but rarely in tech startups.

MODULE 3 for Startups – Building a team

When you are bootstrapping an enterprise you might not have the ability to pay yourself, let alone anyone else. This legal topic will help you identify options for bringing new skills into the team without losing your shirt.

Learn about the legal opportunities and pitfalls of employment, contracting, outsourcing and joint ventures.

MODULE 4 for Startups – Protecting your business

Australia is a great part of the world, but probably not the easiest place in the world to do business. There are loads of rules and you need to have an understanding of what is relevant to your startup or risk having it shut down as soon as you go out and start interacting with customers. There are easy steps you can take to protect your business if you know what questions to ask and where to find the answers.

Risk management is not a scary topic and it isn’t nearly as hard as many risk management systems try to make it. We can help you to work out the key areas of your business that need attention and how to measure and manage that effectively.

Insurance is only one part of risk management and not always the saving grace that some people expect.

MODULE 5 for Startups – Sales and Marketing

What you promise to your customers is no joke, and Apple recently found that out when the ACCC went after them for misleading representations about consumer guarantees. The ACCC can impose fines over $1m on companies that don’t comply with consumer laws. It’s important to know how your startup will deal with customer enquiries and complaints to avoid having to deal with regulators like the ACCC.

Each module can be delivered as a fast, full-on 60 minute information-only session, as a webinar (heads up) or as a 120 minute interactive workshop. Feedback has been that people get more practical understanding from the workshops, but we understand there may be time constraints.

If there was one other thing you’d like to know more about, what would it be? 

Advanced workshops include:

  • A practical guide to copyright, protecting yours and managing cease and desist letters – 90 min
  • What, when, why and how to apply for a trade mark – 60 min
  • Understanding property leases – 60 min

How can Onyx Legal help you?

If you’re starting out on your own, have a team or are even part of an accelerator program and interested in getting some plain English legal training, please use our contact form to make a booking. We like to start by arranging a chat to work out what fits best for your organisation.

How To Use Copyright Images On Your Website And Avoid Legal Claims

Your Company has been Using Unlicensed Copyright Images

I’ve been getting lots of questions lately about what you can and can’t do with copyright images you find online. Loads of people seem to think that just because an image shows up in a Google search it must be available for use for free. It is a common misunderstanding and, now that technology has caught up, it is likely to get a few people in trouble.

You might be one of those businesses who got a web developer to put together a website for you years ago, and relied upon them to sort out your images. Actually, it might not have been that long ago!

Do you know where your images have come from?

Just last year my 74 year old mother wanted a website for her Life Coaching business and briefed a small independent developer to do it for her. The very helpful and inexperienced developer said she’d look after the images and told Mum not to worry about it. When I looked at the website I was immediately really worried: all stock images (some still showing watermarks) and no licences or permissions! My immediate concern was to avoid getting any legal demands for payment for breach of copyright and a take down notice. We’ve since replaced all the images with appropriately licensed copies.

Before digital cameras, photographs weren’t likely to be shared

Copyright is something that is automatic. When a photographer takes an image, they have copyright in that image. Yes, there are exceptions, but let’s stick with the basics for now. So if you take a photo, you own copyright in that image. Would you be OK if other people used your image to promote their business? Or would you send a legal letter of demand?

In the old days before digital cameras and Facebook, you had to get your photographs processed at the local camera shop or pharmacy. Then they moved into supermarkets, and now you can order your prints online and get them delivered in the post, if you get them printed at all.

When photographs were only really shared in hard copy, it was much easier to keep track of copies and how they were used. Today, you might share a photo on Facebook, Pinterest, Instagram or any one of a number of other social networking sites and think that no one will use it. That happened to a family who have a daughter with Down syndrome who is quite ill and undergoing life-saving treatment. They rarely posted photographs and when they did it was meant only for close friends and family. Just one image they posted was taken by an unknown person and uploaded to a stock photo website. The company that used the photo was advertising a prenatal test that often leads to abortions. It is not the first time a photo of a child with a disability has been misused.

Mother horrified after a company used photo of her young daughter for an offensive ad

Can you imagine how you would feel if you were incredibly protective of a member of your family, and suddenly saw their image plastered all over advertising at every bus stop and tube station you went past? All without your knowledge or consent. That is what happened to that family. The company using the image in their promotion was naturally equally distressed. They had followed the rules (about purchasing images, not about being sensible in how they use them) and still ran into trouble!

With digital cameras and social media it’s so easy for images to spread internationally, overnight. That is the problem. Because images are easily accessible, people think they are free. But the same rules that applied when images were hard copy apply today.

See a picture you like – What should you do?

What a lot of people do is use a copyright image without any thought for the consequences. Most people have no idea they are doing anything wrong. The trouble is, that can come back and bite you! You could get a legal letter of demand any day!

People complain that if you put an image out there, you should want to share it. This isn’t limited to images. A company in South Australia recently announced that they have lost $3,000,000 in sales due to the illegal download of just one of their publications. Could you afford to lose that much from your business? Do you still feel that anything you find online should be free to share?

Copyright is meant to protect the livelihood of the author, artist or creator

So, what should you do if you find an image you like online, before you plaster it on your website or social media post?
Firstly, get permission.

Yes, getting permission can be a complete pain in the @rse. Speaking from experience, it is particularly difficult to get permission to use stills from movies. I don’t know why movie houses make it so hard. Maybe the studios that produce those movies don’t recognise the need, don’t care or don’t want people to use stills from their movies. Hey Dreamworks! There is potentially a whole added industry in stills, just saying…

Anyway, sorry, back to the topic at hand –

Getting permission

If you purchase stock images, you get permission in the form of a licence to use that image. You’re not actually buying the image like you would a postcard; you are buying a limited copyright licence attached to the image. All of the images in this post are subject to copyright licence. Examples of licence terms include:

  • …a non-exclusive, royalty-free, perpetual, worldwide, non-transferable sub-license to use, reproduce, modify and/or display the Work, for any purpose other than as prohibited…
  • By way of example, the above license may include the use, modification and/or display of the Work in connection with the following… Business and commercial purposes…
  • …may post and/or upload the Social-Media Enabled Works directly onto Social Media Websites and Applications as long as…
  • For greater clarity, it is noted that reproducing the unmodified Work on mugs, t-shirts, posters, or other similar merchandise for resale is not permitted, as primary value would still lie in the Work itself.

So, check the copyright licence terms of your stock image or clip-art provider. Note that some licences are time limited, rather than perpetual.

What if it is not a stock image?

If you want to use an image from somewhere else, you need the owner’s permission. If the owner is easy to find, then asking directly and keeping a copy of their written consent is the easiest way to prove that you did have permission to use the image at the time you used it.

It is your responsibility to know the origin of your copyright images and to have the right permissions to use those images online.


How can Onyx Legal help you?

GDPR for business outside Europe

If your business is not in Europe, should you be worried about GDPR?

GDPR has the potential to impact any business that might be doing business with a European resident, whether the business is online or not. This article covers some of the most frequently asked questions we have received from clients, to help you decide what level of action you need to take to protect your business, and how soon. For those of you who haven’t heard anything about it yet, GDPR is the General Data Protection Regulation introduced by the European Parliament back in April 2016, and comes into effect on 25 May 2018.

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union law which comes into effect on 25 May 2018 across all European Union nations, including the UK. The GDPR is designed to strengthen privacy rules and requirements around how information relating to individuals can be collected and used, and it updates and unifies data protection laws across Europe.

How does GDPR apply to Australian business?

Australian businesses may need to comply with the GDPR if:
  • they have an office in the EU (regardless of where they actually process personal data); or
  • they offer goods or services to individuals of the EU (these services can be free or for money); or
  • they monitor the behaviour of individuals in the EU.
A business will be considered to offer goods or services if it has actual clients or members who live in the EU, or if its business could be used by, and is intended to be used by, individuals in the EU, eg. you sell goods online and have a shopping cart that displays the purchase amount in Euros as an option.

How is GDPR different from current Australian Privacy Laws?

The good news is that both the Australian Privacy Act 1988 (Cth) and the GDPR have similar requirements. This means many businesses will have already started the process required to be GDPR compliant. The GDPR does however have additional requirements. It introduces higher standards for the manner and basis on which data is collected and gives more rights to an individual to control their data.

We have European customers, does GDPR affect us?

Short answer – yes. The intent of the legislation is to protect the personal data of data subjects in the European Union. If you already have that data, you should comply. On the other hand, if you don’t already have that data, the legislation appears to consider your intent about collecting it. Does your business ‘envisage offering services’ to people in Europe? If you have random purchases from European residents, or surprise inquiries from European residents, then you might not actually have planned to do business in Europe; it could merely be coincidental. The recitals for GDPR (the 173 introductory paragraphs before the Regulation provisions) talk about whether a business ‘envisages offering services’ to people in Europe and imply that there must be an intent to do business in Europe, not merely happenstance. Just because people in Europe can find your website, or contact details, that is not enough to demonstrate that you plan to do business in Europe. On the other hand, if you’ve designed your business so that it can be translated, or has pages in languages most commonly used in Europe, enables people to pay with Euros and is otherwise targeting European customers in some way, you are demonstrating an intent to do business with EU residents and must comply with GDPR. It is all very up in the air at the moment as to what some of the regulations actually mean, and there will be a period of settling in, as well as prosecutions of non-compliant companies, before we have a clear idea about how GDPR will be enforced.

eg. Australian business not affected by GDPR

You have a website that displays pretty pictures about growing fruit in Queensland, Australia. When individuals go onto your site, cookies collect information about them, and Google advertising gets this information and uses it to target advertising about fruit trees to that individual.

In this example it is not clear if goods or services are being offered, as there is no actual connection between individuals viewing the site and the site owner. Potentially there is a service of information being offered, but really it is not clear. You would then use the next part of the article to determine whether the site owner does in fact envisage offering goods or services in the EU: you would look at the text languages on offer and the currency (although nothing is being sold), and would conclude that no, they are not providing goods or services to individuals in the EU.

eg. Non-European business affected by GDPR

An accountant in the United States does tax work for a client in the United Kingdom for money and keeps personal information of the client on file. Does the accountant offer goods or services to an individual in the EU? Yes. We don’t think you then have to look any further at the business’s intentions etc. to decide if GDPR applies.

To avoid GDPR, should I go through my client list and just delete anyone who is in Europe?

GDPR is certainly an opportunity to clear out those old email lists. I know of one person who never deletes their unsubscribed people and then ends up with them back on his list every time he changes auto-responder systems. Really annoying! Not to mention completely disrespectful of the people whose information he holds. This is part of the reason for GDPR: encouraging business to be more aware of the value of the personal data they have collected, and giving individuals greater control over what happens to it. There are lots of businesses that are taking action to delete EU residents from their lists, and block EU access to their websites. If Europe isn’t your target market and you don’t want another regulatory burden, this is certainly an option. If other countries decide to adopt any of the GDPR provisions, however, you may still face greater compliance burdens in future.

How do we let people know we don’t want personal information from people in Europe?

If you really don’t want to deal with European residents, one option is to include a notice in your privacy policy, which could read something like this:
We do not promote our business in the European Union and aim not to collect personal information about EU residents. We have not taken action to comply with the General Data Protection Regulation (GDPR). We have taken reasonable action to block access to our services from EU residents.

Who is GDPR intended to protect?

Although the GDPR will have worldwide impact on business, it is only designed to protect the use of personal information of people in the EU. There is no time limit on how long a person has to be in Europe for their collected data to be protected. The GDPR covers information collected about natural persons in the European Union, or their behaviour in the EU. If you think about travellers to Europe, local businesses that collect their personal data will have to comply with the protection of information about anyone in Europe, however temporarily. The collection must relate to the offer of goods or services to data subjects. So a tour operator who takes your name and passport number for a one day stopover will have to comply with GDPR.

What is a ‘data subject’ under GDPR?

A data subject for GDPR is a natural person whose personal information has been collected. A tourist coming through any European Union airport or seaport who is captured on surveillance video, even if they only transit through Europe, will be a ‘data subject’ because their personal information (image) has been captured on the way through. For business, a data subject is any natural person whose personal information you have collected, however briefly.

What data does GDPR cover? What data does GDPR not cover?

GDPR covers personal data about natural persons. Personal data is any information relating to a natural person that identifies that person, or can be used to identify that person. Some examples are set out under the next question below. You don’t have to worry about the birthday diary you keep (for those who don’t rely on social media reminders), because information collected by a natural person for purely personal or household activity is specifically excluded.

What is Personal Data for GDPR?

Personal data is, in general, any information relating to an individual. It can identify the person either directly (eg their name) or indirectly, in combination with other data (eg a location marker in combination with other information known about the individual may identify them). Personal data includes obvious information such as an individual’s name, address and contact details; however, it also includes things such as online identifiers like IP addresses and location data. There is a special category of Sensitive Personal Data that includes information on racial or ethnic background, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, physical or mental health and sexuality or sexual orientation. The rules regarding Sensitive Personal Data are much stricter.

Should I keep personal data about European Union residents separate from data about my customers in other parts of the world? 

You could put in place systems to separate the information you hold about people in different countries, but consider which is the higher cost and more difficult for your business: one set of policies you comply with across different systems, or multiple policies and systems?

What are the GDPR principles?

There are 6 key principles. Data must be:
  • Processed lawfully, fairly and transparently.
  • Collected for specific and allowable purposes and only used for these purposes.
  • Adequate, relevant and limited to what is necessary.
  • Accurate and kept up to date.
  • Only kept for as long as necessary for the purpose it was obtained.
  • Processed in a manner which ensures appropriate security.

What does processing of personal data mean?

Processing is anything that is done with personal information whether by electronic means or otherwise. The term is very wide and includes everything from collection through to storage, use, manipulation and destruction.

What is the difference between a data controller and a data processor?

Basically, the data controller is the person or entity that determines the purpose and means of the processing, ie they control why the information is collected and what it is used for. The data processor stores or manipulates the data at the request of the controller. Both the controller and the processor have significant obligations under the GDPR, and your business may be a data controller, a data processor or both.

What are some examples of personal data under GDPR?

Some personal information typically collected by businesses includes:
  • name and contact details – phone, email, social media profile link
  • role or title, school, occupation, employer, qualifications
  • age, date of birth, gender, ethnicity
  • residential address, business address, postal address, location
  • photograph, likeness, identification number
  • allergies, health conditions, dietary requirements
  • finger print, facial recognition, DNA scan
  • opinions and beliefs collected via surveys and questionnaires

What is the risk to my business if I don’t apply an EU geo-blocker to my website? It’s not worth me being in breach of the GDPR.

If you have a small business, located outside Europe, that is not intentionally aimed at European residents, your risk of prosecution under GDPR is likely to be very low.

It is likely that the EU regulators have already identified target companies for audit and potential prosecution to test the enforceability of their new provisions. As with all government regulators, they will only have limited funding available and will be looking to make an impact that gets picked up and shared in popular media. As with any new laws, there is usually a settling in period while everyone gets used to the new regime. Lots of regulators look for cooperation rather than prosecution, simply because it is cheaper and less time consuming.

On what basis can I collect personal data under GDPR?

The allowable reasons that data may be collected/processed are:
  • By consent of the individual giving the data
  • Because it is necessary to take steps to enter into a contract with the individual or for the performance of a contract with the individual.
  • It is necessary for compliance with a legal obligation.
  • It is necessary to protect the vital interests of the individual or another person (eg in an emergency you access a database you wouldn’t otherwise have access to, to check for allergies and advise OOO to save the individual’s life)
  • It is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority.
  • It is necessary for the legitimate interest of the controller (so long as this doesn’t harm the interests, rights or freedoms of the individual)
The allowable reasons for Sensitive Personal Data are even narrower and are quite specific.

What do I need to do to get consent from data subjects to be compliant with GDPR?

Consent is the quickest way to gain ‘permission’ for the allowable collection of data. The GDPR has set a high bench mark for obtaining consent. Some of the important elements of consent are:
  • The individual must actively consent, eg. by actively ticking a box. Consent cannot be given by default. For instance, it will no longer be sufficient to say in your terms and conditions “by continuing to use this site you consent to our collection of your personal information”.
  • The consent must be explicit, clear, concise and specific. It should be very clear what the individual is consenting to. A blanket consent approach will not be sufficient.
  • Consent should not be a pre-condition for accessing a service.
  • An individual must be able to withdraw their consent.
  • Records must be kept with details of what individuals have consented to and how this was done. 
This may mean your business needs to change the way in which information is collected. You should also include this information in your privacy policy.

Once I have personal data what do I need to do with it?

The personal data:
  • May only be used for its intended purpose.
  • May only be stored for the period required for the intended purpose.
  • Must be kept safe.
Businesses should make plans for how data is going to be destroyed after it has been used for the intended purpose. Privacy policies should include details of estimated time periods for storage if possible. Plans should also be put in place to protect the security of the data. If you don’t need to keep personal data, then don’t keep it! Put in place systems to securely delete information you don’t need. We have a client that has implemented a 30-day destruction cycle because that is a reasonable window for them to hold personal information for their business.

What rights do individuals have under GDPR?

In relation to their data, individuals have the right to:
  • Be informed – they need to know what you are collecting and why.
  • Have access – you need to tell them what data you hold about them.
  • Request rectification – an individual must be able to correct their data.
  • Request erasure – the ability to have their data removed.
  • Restrict processing – the ability to stop their information being used in a particular way.
  • Request data portability – the ability to have their data transferred.
  • Object – the right to object to how their data is being used.
  • Have a say in the way automated decision making and profiling is carried out.
A business must have a process in place to allow an individual to assert the above rights and should include this information in their privacy policy.

What must I do if I have a security breach of personal data I process that is covered by GDPR?

There are processes under the GDPR that require notification if data security is breached. In some instances, individuals will also need to be notified, particularly if the breach means they may suffer harm due to, for example, identity theft. If you comply with Australian mandatory data breach laws, then you are likely to also be compliant with GDPR requirements.

What are the penalties for non-compliance with GDPR?

The penalties able to be imposed under the GDPR are very high and vary according to the type of breach in question. The higher level of administrative penalties includes fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher). Practically speaking, regulators are most likely to target multinationals like Facebook and Google, or European companies like Volkswagen and Allianz, before they pursue smaller companies that don’t have a European presence.

What should I do next?

With this legislation due to commence on 25 May 2018, now is the time to consider the impact for your business. The above information is general in nature and is not intended to be specific legal advice for your particular business. You should consider:
  • Determine whether the GDPR applies to your business.
  • Assess what information you collect (eg do you run cookies that collect information on location, do you collect email addresses?).
  • Complete a review of how the collected information is used; will you still be able to do this under GDPR?
  • Look at your business structure to determine how the GDPR will impact how you collect information and what you do with it.
  • Update your processes to ensure your business can comply with the new privacy requirements.
  • Update your privacy policy and consider whether your cookie policy and your terms and conditions (if required) are also up to date. We can help you with this.
  • Introduce a security-aware culture into your business, make data protection part of your business, and put procedures in place to review your policies and performance on a regular basis (we recommend every 2 years; however, with the introduction of such large changes under the GDPR, the first review may need to be sooner).

How does GDPR affect Google Analytics?

If you use Google Analytics you should have received an email recently suggesting you check and update your account settings. If you don’t, your historical data will disappear. It is worth reading through the email from Google to better understand the impact on your account.

Do I need to collect consent from my database again for GDPR?

There are competing schools of thought here. There are a bunch of Articles (commentary to the GDPR) that absolve you of liability if you have consent, so for the risk averse, consent is what you want. However, there are also a bunch of Articles that say provisions don’t apply if… One of the ‘ifs’ is if the processing of information is necessary for the performance of a contract the individual is party to, which is what a lot of organisations appear to be relying on to avoid seeking consent. You already have an existing contract for services in place, and to be able to continue to provide those services, you do so under that contract. If you are happy to ‘hang your hat’ on that provision, then you can do what a lot of other organisations are doing and just give notice of an update. The benefit of recording consent again is that you then have a record of it… Some businesses are actually including in their policy update notices that users can change their settings and opt out at any time, rather than asking for renewed consent.

Does GDPR mean websites must first ask for consent before placing cookies?

The GDPR is set out in the Articles (rather than the recitals), which make no mention of cookies. GDPR doesn’t actually address cookie usage; it deals only with personal information. Most cookies don’t collect personal information, although session cookies and those used to remember login details are likely to. GDPR works alongside cookie legislation. What is and is not consent is discussed in the recitals rather than the Articles. For example, recital 42 states: ‘For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.’ That is not necessarily dealing with cookies, but addresses the use of personal information. So, if a person wants to have their login details remembered for next time, they need to be asked if they want them remembered (which is already what usually happens) rather than the details automatically being retained without their knowledge.

Should I appoint a Data Protection Officer?

No! Well, not unless you have to. The GDPR is very specific on the qualifications and experience required of a data protection officer, and you are only required to appoint one if you are a government entity or if you are processing sensitive personal data on a large scale. However, you can opt in, and it is easy to do so. If you call someone in your business a Data Protection Officer, you opt in. The trouble there is that you then have to meet all the obligations around the qualifications and experience that person must have, and you can be in breach of the Regulation if you don’t. You can appoint someone external who is qualified, and these businesses are now popping up. Have a look at Sequoia Services.

How can Onyx Legal help you?