Legal Talk 14: What is Data Law?
We meet. You say that things are going well. Investors are showing a lot of interest, but you still haven't hired a lawyer. You've just been relying on me up until now. Anyway, the key thing you want to talk about is data law. Nowadays, tonnes of people are doing seminars about data, but you just haven't got the time to turn up or read reams of legal stuff on it.

There's not really that much to it. If you know the basics then you can go a long way without a lawyer's help. Also, you can build upon your knowledge once you have a general framework.

1. Data, particularly big data (i.e. a lot of it), is obviously really important. For example, the more useful data you have (e.g. email addresses, names), the more you can engage with your customer base, which ultimately means the more things you might be able to sell to your followers/customers. This in turn will lead to you making more money, acquiring larger investment and growing your company faster.

2. Most lawyers talking about data law will tell you about the Data Protection Act and European Regulations. Let's call these the Data Regs for short. The majority of what they talk about will be completely irrelevant to what you are doing and will probably never happen to you; these are nice legal technicalities which they like to swim in, but which you haven't got time for. So, key points to note:

(a) Personal data is data that relates to individuals. If personal data is truly anonymised (e.g. for statistical purposes re: web visits etc.) then the Data Regs won't apply.

(b) The Data Regs generally just want to make sure that the data you obtain is obtained fairly and with the user's consent, kept safe, and used for proper purposes which your users are content with. So, you shouldn't be spamming them or using their data for nefarious activities.
Also, there are a few requirements that come up all the time, which are:

(i) If you are processing personal data then you need to register with (or notify, as it is called) the Information Commission (which is the data regulator). Details about this can be found at www.ico.org.uk and it is all pretty straightforward.

(ii) You can't transfer data to a country outside Europe unless it has equivalent data protection laws to Europe. So, for example, transfers to the US have to be looked at carefully, and there are various ways of transferring data to the US, such as via special contracts (model contracts) or safe harbour schemes (which are the subject of much debate).

(iii) You are always on the hook for any breaches of the Data Regs, even if the damage was actually done by one of your sub-contractors. This means you need tough written contracts with your sub-contractors (if you have any) regarding their use and handling of your data, so that if you get in trouble with the Regulator then at least you might have some recourse against your sub-contractor, if it was your sub-contractor's fault.

(iv) To keep your data secure, password-protect it and encrypt it if you can. Encryption isn't as scary as it sounds; check this link for further information: https://digitalguardian.com/blog/what-data-encryption. Also, just make sure your employees don't leave laptops on the bus or train or something like that (and just encrypt data anyway, so even if this does happen no one can get to the data). You might be surprised at the number of times this happens.

Let's call these requirements in (b) Proper Usage.

(c) In the UK the penalties for breaching the Data Regs can go up to £500,000 (worst case), but there are new Data Regs which can make the penalties higher. Anyway, if you are involved in Proper Usage then penalties don't really come into play. In the event that you do have a data breach (e.g. you lose data or are hacked) then you need to think about whether it is serious enough to notify the regulator about it.

So, that's it. End of.

"But", you say. "Surely there is more to it than that. These lawyers are charging thousands to speak at seminars, what else is there?"

Okay, so underlying each Proper Usage is detail about how to gather data (basically have a privacy policy), how to store data (have technology that keeps data safe), how to transfer data (have some written contracts in place) and how to manage staff (have a staff policy so staff know how to keep data secure etc.).

But, dare I say it, some lawyers need to scare the living daylights out of you so that you get them to do some detailed analysis of your systems, and at significant cost. Yes, sometimes this analysis is necessary, but you can really limit the amount of time you need to use these lawyers if you know the basics.

We finish our coffees. You look relieved.

Looking forward to hearing how your tech start-up is growing.

Yours truly
Jimmy Desai
Your Legal Coach

P.S. Don't forget to subscribe and get even more exclusive content and legal insight.

As always, this legal talk and all the legal talks are subject to our disclaimer, which you can find here.

© 2019. Coaching Law Limited. All rights reserved.