• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

ICO releases new privacy code to improve transparency and control

The Information Commissioner’s Office (the “ICO”) released a new code of practice (the “Code”) on the 7 October, stemming in part from the results of a survey that they conducted.

These results highlight that consumers have lost confidence in how their data is protected; only one in four adults trust businesses with their personal data. Individuals are taking enhanced measures to verify the use, and increase the protection, of their data. This comes as no surprise following the constant stream of high profile cyber-attacks on individuals’ personal data, which has been regularly reported in the news.[2]

Click here for a quick 5 point summary of key areas of emphasis emerging from the Code, otherwise we set out below a comprehensive explanation of what the Code will mean for organisations operating in the UK.

Who should take note of the Code?

  • Any organisation that collects personal data whether directly or indirectly, and the Code highlights specifically that it applies to situations where data is collected via smart devices or by an individual’s online behaviour.
  • Organisations collecting purely anonymised or statistical data do not need to be so concerned, however the ICO encourages notifying individuals when personal data is collected even for the purposes of using it in an anonymised form afterwards.

Notifying individuals when collecting personal data: what should be in your privacy policy?

An ‘off-the-shelf’/‘one-size fits all’ privacy policy is not endorsed, and the ICO advocates that organisations should map out information flows within the organisation to indicate what should be included within the privacy policy. 

Ideally, organisations should draft bespoke privacy policy notices that communicate clearly to individuals:

  • who the organisation is that will be collecting and processing the data;
  • how the individual’s personal data will be used (including if it is for a range of uses) and also how it will not be used;
  • who it will be shared with (other data controllers and processors);
  • how users can agree to the different types of processing, by providing users with a choice to positively opt-in (see ‘what does the Code say about consents?’ and ‘developing trust with individuals’ below);
  • the impact such collection and processing will have on the individual (or alternatively the consequences of not providing such information); and
  • the rights of access to the individual’s data.

There’s additional guidance that the notices should be written for the intended audience, specifically that notices governing the collection of data from children should be appropriate to their level of understanding.

What does the Code say about consents?

The Code makes it clear that consents should be obtained on an opt-in basis to comply with best practice (aligning with best practice when obtaining direct marketing consents) and, where organisations are using personal data for a range of purposes, there should be a clear and simple way for individuals to agree to each different type of processing.  This combined with the need to provide individuals with sufficient information to enable them to make a choice (note that the Code states that if organisations use solely an “I agree” box without further details, the consent obtained cannot be considered valid) is likely to be a challenge for organisations with complex processing operations to implement in a user-friendly way, particularly on mobile devices/smaller screens.  Appropriate use of just-in-time notices to provide relevant information to individuals at a suitable time may be a solution to this challenge.  We have used a number of different mechanisms and formats to build privacy notices into data collection/customer interaction points so that relevant information is communicated in a user-friendly way and in line with best practice.

Businesses also need to comply with the Privacy and Electronic Communications Regulations (PECR) when asking people for consent to receive direct marketing (in addition to the data protection requirements), which the Code says should involve a separate, prominently displayed, unticked opt-in box.  The Code contains standard wording that businesses can use when seeking consent for direct marketing to ensure that direct marketing consents are being sought in line with good practice.  This may not be the right language for every business, but it is helpful as a reference point.

How should you communicate privacy policies to individuals?

Organisations are encouraged to use the same method by which the data will be collected, for example, just-in-time notices next to the cells in forms filled in online.  Where notices are provided on mobile phones, the guidance is that these should be clear and readable.  In all mediums of communication, the Code recommends a layered approach to draw individuals’ attention to the key parts of the policy with links to where they can find further information/details.

When to actively communicate your privacy policy

There are instances when collecting personal data may require organisations to take a more pro-active approach to notifying individuals that their data is being collected.  The Code points to situations when:

  • collecting sensitive information;
  • the individual may object to the intended use of the information, or may not expect the intended use;
  • failing to provide personal information may have a significant effect on the individual; and
  • sharing the individual’s data with another organisation that would not be expected by the individual.

Developing trust with individuals

The Code encourages companies to develop the trust of their customers by including them in the management of their personal data and how it will be used, perhaps via a privacy dashboard.  This goes towards satisfying the legal requirement to ensure informed consent and will assist organisations to demonstrate fair collection of data. 

The Code highlights that individuals can struggle with privacy policies, therefore it’s vital to choose the right method and tone when communicating privacy policies to individuals.

The ICO recommends testing the policy on individuals and adapting the policy based on the feedback received to ensure the effectiveness of the privacy policy.  The advice is to test: (i) whether individuals understand the policy; (ii) if it is clear and appropriate to the audience; and (iii) whether it contains any errors.

Complying with the General Data Protection Regulations and the impact of Brexit

Compliance with the approach and good practice recommendations in the Code will help organisations to meet the enhanced privacy notice requirements set out in the General Data Protection Regulation (the “GDPR”).  Although organisations will still need to include further information in their privacy notices (listed in the GDPR section of the code/Articles 13 and 14 of the GDPR) to fully comply. 

The Information Commissioner has said it is extremely likely that the GDPR will start to apply before Britain leaves the European Union and, in any event, businesses will need to comply with the GDPR to do business in the EU.

What you should be doing

  • Review your privacy policies/notices to check whether they comply with the best practice recommendations set out in the Code and identify any gaps/improvements.  Note, the Code includes a helpful privacy notice checklist covering key points, which will be a useful tool to use when carrying out a review.
  • Agree updates/changes to fill the gaps or make improvements to your privacy policy (as appropriate), test such improvements on users, and set a timeframe for implementation (any updates required to comply with the GDPR will need to be implemented with time for communication before 25 May 2018).
  • Establish your legal basis for processing each category of personal data you collect and identify where you are relying on consent from individuals.  Review the consent mechanisms that you have in place against the guidance on consents in the Code and the standard of consent required by the GDPR and make any necessary changes to ensure consents are valid (again these updates need to be implemented with time for confirming any consents before 25 May 2018).
  • Consider the other contractual documents (such as terms and conditions) that users/customers agree to and ensure that the privacy policy and those documents work together (e.g. are they consistent? Are you asking individuals to “consent” to your privacy policy when you are not relying on consent as a basis for processing?  Are these appropriate for your audience?) 
  • Ensure that you have the technical functionality to keep: (i) records of the privacy policy individuals have been provided with; and (ii) the consents obtained, and start keeping those records to help you to meet the accountability principle under the GDPR.
  • Consider the changes you have made to your privacy policy and how you should communicate the updated privacy policy (the more significant the changes, the more you should be doing to bring the updated policy to people’s attention and, where appropriate, obtain consent or acknowledgement of the changes from individuals).

Final thoughts

The new Code provides businesses with more clarity on the practical steps they should be taking to comply with best practice and will help organisations to start their journey to compliance with the enhanced privacy notice requirements set out in the GDPR.    

It underlines the importance of transparency and trust and that things have moved on from the generic privacy policy for all.

If you need any further guidance on this or you would like us to help you review and update your privacy notices, please contact Nicola Fulford.

Contact our experts for further advice

Nicola Fulford, Chris Benn, Krysia Oastler