• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

How the General Data Protection Regulation will affect IoT firms

Data protection legislation, as it exists at the moment, dates back to 1995 when only the largest of organisations had the capacity or the desire to collect and store large amounts of data.

Twenty years on, the technological landscape for the collection and manipulation of data is completely different.

Huge numbers of businesses now process personal data extensively, especially in tech sectors such as the Internet of Things (IoT), where many businesses' value lies in their collection, analysis and monetisation of personal data.

The aims of the forthcoming European General Data Protection Regulation (GDPR) include driving better security and privacy in the IoT, directly and indirectly through investors and users.

Breaches of the GDPR will attract much higher financial penalties than the current legislation, potentially up to five percent of annual global turnover, providing a sharp incentive for businesses to pay attention to their compliance strategies.

The GDPR is still in draft form, but it is currently being negotiated and a final version is expected in late 2015 or early 2016. As the drafts stand, some of the key changes which are most relevant to IoT businesses include the following areas.

A broader definition of personal data

This is potentially the most significant change. Current legislation applies only to data which directly identifies an individual (either on its own or in combination with other information to which a data controller has access), so generally excludes ‘alias' data such as pseudonyms and IP addresses.

The new legislation will also apply to data which identifies an individual indirectly, meaning that the legislation has a much wider scope and pseudonymous (data provided under a false name) and IP data will now be ‘caught'.

Many IoT businesses have chosen to process only pseudonymous data to avoid being subject to the existing legislation, but this strategy will cease to be effective once the GDPR comes into force and such businesses will find themselves subject to a dramatically increased regulatory burden.

Greater restrictions on profiling and higher levels of consent from data subjects

Under the GDPR, data subjects' (living individuals to whom personal data relates) consent must be obtained if their data is to be used for profiling (a broad term which can be applied to most data analytics), and such consent should be freely given, specific, informed and, crucially, revocable.

The European Commission's draft also states that consent should be ‘explicit'. It is unclear whether the word ‘explicit' will be adopted, but either way the new consent threshold will make it much more difficult to rely on customers' implied consent.

There will also be further restrictions as to when big data or further processing is compatible with the purposes originally stated, which will limit IoT businesses which perform extensive analytics.

This will give the public much greater control over their personal information, and businesses which rely on complex analytics and/or proprietary data would be advised to consider their customer engagement strategies, user interfaces and terms and conditions to ensure that they have the necessary consents in place.

Data portability

The GDPR will introduce a new right of data portability (the ability to move data among different application programs, computing environments or cloud services), extending the existing right of data subjects to make a subject access request by obliging data controllers to provide subjects' data in a machine-readable format which can be provided to another controller.

Businesses operating in the IoT should consider how this might affect them. The GDPR's aim was to give customers greater control over their data by preventing them from being ‘locked in' to services, so additional customer incentivisation may be necessary.

Conversely, though, to the extent that IoT businesses are based on hardware purchased by a customer, businesses may find that retaining customer loyalty is less of an issue than in other sectors, for example utilities.

Increased obligations on data processors

Whereas the current legislation applies only to data processors (i.e. parties that decide how personal data is used), the GDPR will also impose security obligations on data processors and will make them directly liable to claims by data subjects.

These new measures will make it much more difficult for analytics businesses to allocate risk, and processors may find themselves subject to data protection legislation for the first time.

Privacy impact assessments will be compulsory

Current legislation does not require data controllers to perform privacy impact assessments (PIAs), although the Information Commissioner's Office states that they are ‘best practice', especially for organisations which deal with sensitive personal information.

This is likely to change under the GDPR. The current drafts of the text disagree over the exact circumstances in which PIAs will become compulsory, but PIAs are likely to be mandatory for large companies and for ‘high risk' processing involving biometric or health data.

Businesses which process health data or other sensitive personal data are advised to lay the foundations for this now and to bring their PIA procedures up to date to ease the transition from ‘good to have' to ‘must have'.

As they operate in a data-rich sector, many IoT companies will find that they will need to make significant and systemic changes to their businesses in order to accommodate the new legal framework.

But the good news is that there will be a grace period of two years after the GDPR is agreed before it comes into force, allowing some breathing space to consider the implications of the GDPR and prepare accordingly.

This article originally featured on V3.co.uk. For further information please contact Nicola Fulford.