Web Analytics World

Analytics, Mobile, Social Media and Digital Marketing Strategy


About Irene Bodle

Irene founded Bodle Law in 2010 after working for 8 years as corporate counsel for a global software company. Irene offers specialist legal advice on IT law, in particular Internet law, website law, cloud issues, international software contracts and SaaS agreements.

Does your BYOD policy comply with Data Protection Law?

June 24, 2014 by Irene Bodle

Companies increasingly allow their employees, agents and subcontractors to access business data and customer data using privately owned devices (e.g. iPads, tablets, mobile phones and laptops). If staff access business data using a “bring your own device” (BYOD), you need to protect your own confidential business information from misuse. Additionally, you should be aware of, and comply with, your legal obligation to protect each customer’s personal data accessed via BYODs.

ICO Guidelines

In 2013 the Information Commissioner’s Office (ICO) published guidelines providing advice on how to protect personal data accessed using a BYOD. The Commissioner underlined that companies are obliged to look after personal data in accordance with the Data Protection Act 1998 (Act) regardless of who owns the device on which the processing is carried out.

Legal requirements when selling SaaS services online – BTB

April 29, 2014 by Irene Bodle

If you sell SaaS services to business customers online in the UK you must have the following legal documents and information available on your website to comply with English law. Simply publishing SaaS agreement terms online will not cover your legal obligations in the UK.

Below is a summary of the documents and information that you should make available on a UK website when selling SaaS services BTB (business to business).

SaaS Agreement

The terms and conditions under which you will be providing SaaS services to customers should be set out in your SaaS agreement. These should as a minimum include:

  • a licence to access the SaaS services only for the term of the agreement;
  • retaining ownership in all intellectual property rights in the software and services;
  • return of customer data on termination;
  • the Customer’s obligations as a data controller under the Data Protection Act 1998.


Email Marketing and Consent

January 14, 2014 by Irene Bodle

Do you send marketing emails to existing or potential clients to advertise your own products and services? If so, you should be aware that the Information Commissioner’s Office (ICO) has issued new guidance on direct marketing with regard to complying with the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), both of which apply to sending direct marketing to consumers (BTC).

Consent

Businesses must obtain “extremely clear and specific” consent from individuals in order to conduct direct marketing via email or any other form of electronic marketing, e.g. text messages or telephone calls. Businesses cannot simply rely upon implied consent unless this is adequate.

Implied consent will not be adequate if:

  • it is obtained via acceptance of a privacy policy which is hard to find, difficult to understand, lengthy, or rarely read;
  • it must be given in order to subscribe to a service;
  • it is not freely given;
  • the individual is not specifically informed about what they are consenting to; and
  • it does not involve a positive action indicating agreement.

Specific Consent

Businesses must obtain specific consent to the type of communication in question. For example, if an individual has consented to receive marketing texts a supplier is not permitted to send marketing emails and vice versa. Also, although a general statement of consent to receive marketing might be valid for email marketing, it will not cover telephone calls or texts as additional rules apply to these forms of marketing under the PECR.

Email Marketing Lists

The ICO guidance specifically refers to the issue of obtaining consent in relation to the use of third party email marketing lists. Often marketing lists are sold to businesses and the seller of the list claims to have obtained relevant consents from individuals. However, such third party consent cannot be relied upon – unless the individual intended their consent to be passed on to the buyer of the list who will be sending the marketing emails.

Businesses should also be aware that other regulatory bodies have rules that apply to social media and digital advertising that must also be complied with. For example the Advertising Standards Agency (ASA), the Digital Marketing Association (DMA) and the Office of Fair Trading (OFT) also have their own rules.

How to Obtain Consent

To avoid the above problems businesses should use opt-in boxes in order to obtain explicit consent to direct marketing from individuals. Clear records should be kept of all consents, showing when and how such consent was obtained. These records can then be used as evidence if a complaint is made.

On-going Marketing

The context in which consent is obtained will determine whether a business can rely on consent to all future direct marketing via electronic messaging. For example, consent for a one-off message, or consent that is clearly only intended to cover a short period of time or a particular context, will not count as on-going consent for all future marketing messages.

Fines for Breach

The ICO can fine businesses up to £500,000 for serious breaches of the DPA or PECR, e.g. for sending unsolicited marketing emails, texts or live and automated marketing phone calls. If you are a business supplier who sends marketing emails to consumers, you need to ensure that you follow the ICO guidance on direct marketing to avoid facing a possible fine.

Cloud Computing and Customer Data

December 3, 2013 by Irene Bodle

If you are collecting, storing, processing or hosting data you must comply with the Data Protection Act 1998 (DPA). If you are collecting personal data or instructing a third party to process data on your behalf, you are a data controller. If you are processing or storing data on behalf of a data controller, you are a data processor.

Appropriate Technical and Organisational Measures

Under the DPA a data controller is required to take “appropriate technical and organisational measures” to prevent the unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data. The data controller is required to include such obligations in a written agreement with the data processor.

Written Obligation

For example, suppose you are providing a client with SaaS software which sends marketing emails to individuals on behalf of your client. You, the SaaS supplier, are a data processor and your client, the SaaS customer, is the data controller.

You must have a written contract with your client which states that:

  • you may only process data in accordance with the client’s instructions; and
  • you undertake to comply with the “technical and organisational measures” requirements of the DPA.

This written obligation can be included in the terms of the SaaS agreement, the service level agreement (SLA) or a separate data processing agreement.

Encryption Requirement

In addition, last year the Information Commissioner’s Office (ICO) issued some guidance on cloud computing. Amongst other issues, this advised data controllers to ensure that personal data in transit is secure and protected from interception by:

  • encrypting data in transit;
  • using encryption that meets recognised industry standards; and
  • obtaining assurances from data processors that data in transit is appropriately secure.

The ICO advised that data “at rest”, i.e. personal data which is stored, should also be encrypted, depending on the nature of the personal data held (e.g. sensitive personal data) and the type of processing taking place.

Data controllers were advised to ensure that encryption keys are:

  • kept up to date, in order to maintain the level of protection; and
  • not lost, as this could render the data useless.

Compliance

In light of this ICO guidance clients are increasingly asking SaaS providers to include data encryption obligations in SaaS agreements.

For example, Google cloud services now:

  • automatically encrypt all data before it is stored;
  • regularly update keys;
  • implement access controls; and
  • permit auditing procedures.

In time this could become standard for all SaaS providers. In any event, where you outsource hosting and storage, you may want to check whether your data centre also offers this service, which is provided to Google cloud service customers at no additional cost.

Dealing with a Subject Access Request

November 19, 2013 by Irene Bodle

SaaS Software suppliers are increasingly having to deal with subject access requests (SARs) in relation to data they store on behalf of customers. Excessive time and costs can be spent dealing with such requests, unless a SaaS supplier’s obligation to comply with or assist a customer with such requests is clearly defined in the terms of the SaaS agreement between the parties.

Subject Access Request (SAR)

Under the Data Protection Act 1998 (DPA), an individual has the right to access personal data held by a supplier by making a SAR. Such requests for data usually relate to customer data held by SaaS suppliers on behalf of SaaS customers. The SAR can be sent directly to the supplier or the customer. This is not the same as a request for information under the Freedom of Information Act (FOIA).

FOIA

Under the FOIA members of the public are entitled to request disclosure of non-personal information held by public authorities.

Requests are made to the customer directly who often passes the request on to their supplier.

SaaS suppliers should not confuse a FOIA request with an individual’s right to request personal information under a SAR: if a SaaS supplier mistakenly discloses personal data in response to an FOIA request, this could breach the DPA and result in a large fine.

SARs

The Information Commissioner’s Office (ICO) has issued a Subject Access Code of Practice which all SaaS suppliers should read. This provides useful advice on how to respond to a SAR.

For example, on receipt of a SAR suppliers should:

  • identify whether a request is actually a SAR;
  • ensure they have enough information to be certain of the requester’s identity;
  • consider whether any of the exemptions apply; and
  • provide a response in a permanent form where appropriate, stating whether a fee is payable.

Contractual Provisions

Suppliers should include specific provisions in their terms and conditions setting out how disclosure requests will be dealt with. These should not be limited to SARs as there are other types of disclosure requests that can be made under English law.

The SaaS agreement should:

  • set out the extent of the assistance to be given by the supplier to customers when dealing with a disclosure request;
  • specify whether the consent of the customer is required prior to any data being disclosed; and
  • include relevant time limits for complying with any requests.

Additionally, suppliers could consider having a data access policy setting out their specific obligations. This can be incorporated into the SaaS agreement by reference to it in the terms and conditions.

Image courtesy of caliorg on Flickr


© 2021 Web Analytics World