We’ve had a data breach – what do we do and who’s going to do it?

Having in place a policy and procedures will make it absolutely clear who is responsible for sorting things out when they go wrong.

We’ve recently provided advice to an organisation that’s had a data breach. They hadn’t done anything wrong but they were the target of a web hack.

A number of people – including us – were involved in rapidly sorting out the response, but as the dust began to settle it was clear that there was (and is) a gap at the top of the organisation where responsibility for data protection and information security should sit.

Policies aren’t necessary in every organisation or in every case but if there are more than a handful of people in your company then the chances are that it will benefit from documentation that makes it clear to everybody (no matter the topic):

  • What is to be done (the required outcome)
  • How the required outcome will be achieved
  • Who is responsible for achieving the required outcome (hint – responsibility should be very closely matched to the authority to make things happen)
  • The roles that others in the organisation must play to help it achieve its required outcomes

Policies bring structure to an organisation and can be very brief, high-level documents. They should, however, usually be supplemented by procedures which set out the specific actions to be taken in any given circumstance. In the case of the data breach, there was no policy in place setting the required outcomes for the handling of personal data, nor was there a procedure for the action to be taken in the event of a data breach. Had they been in place, it would have been clearly understood who was to be doing what and to what end. The breach might even have been avoided in the first place.

It’s not quite the Story of Everybody, Somebody, Nobody and Everybody but a policy framework can help bring calm when things go wrong.

If you need to find out more about how we can help develop policies for your organisation, not only for keeping data secure, book a free 15-minute initial consultation.

Book a free consultation

Why should I bother with Terms and Conditions for my business?

It’s fair to say that most consumers would be wrong to claim that they always read the Terms and Conditions before agreeing to use a product or service.

Millions of people across the UK are guilty of failing to read the Terms and Conditions, otherwise known as the boring bits or the small print, and that’s a pretty big deal. But why?

Terms and Conditions act as a legally binding contract between a company and its clients.

The agreement doesn’t only set out the rules and guidelines that must be followed; it clearly sets out the expectations of all parties too.

There can be serious ramifications for companies who trade without Terms and Conditions. This can lead to unwelcome headaches for customers too.

Within this blog, our spotlight is on some of the top issues Crimson Crab have encountered as a result of companies not having clear Terms and Conditions.

  1. Lack of ability to limit liability. As a business, if you don’t bother having Terms and Conditions, there are all sorts of liability that you may have to accept when you don’t need to.

  2. Difficulties if your client fails to make payment. Without Terms and Conditions, you may find yourself in a costly situation if court action needs to be taken because a client has failed to pay for the work you have completed. By ensuring they agree to your payment terms within your Terms and Conditions, you’re protecting yourself from unwanted surprises and difficulties in Court.

  3. Unrealistic expectations. Without Terms and Conditions, clients may claim the work you are doing isn’t sufficient and fails to meet their expectations. By drawing up clear and easy-to-understand Terms and Conditions, you’re making it clear what work you will complete for the price agreed.

  4. Misunderstanding about compliance with legislation. Many businesses struggle to understand that Terms and Conditions play an important role in ensuring you are complying with the law, including for example Trading Standards legislation. Having a set of Terms and Conditions allows companies to publish essential details, such as their name and address or consumer cancellation rights, as required.

  5. Limited ability to protect intellectual property. This is all about protecting the creations of the mind, like inventions, literary and artistic work. Without highlighting in your Terms and Conditions the use to which your client may put your intellectual property, people may steal your ideas which could otherwise have been making you money. Setting out your stance on Intellectual Property will reduce the likelihood of this happening and will make it easier to deal with if it does.


There is so much to think about when you are trying to manage your own business, so it’s easy to prioritise another matter over Terms and Conditions.

But by having these you will establish an essential legally binding contract, on your terms as long as they are fair, which can protect you and your clients for years to come.

It’s good practice to regularly review your Terms and Conditions, as circumstances can change, as can the law, and how your business operates may also change over time.

Whether you are a start-up or an established business, Terms and Conditions are crucially important today more than ever.

At Crimson Crab, we can help with anything related to your business’s Terms and Conditions. From reviewing to drafting your Terms and Conditions, a great starting point is our Business MOT; get in touch to take it today.

How are you following the rules and regulations that affect your business?

The rules and regulations your business is required to follow may differ from one industry to the next.

It’s your responsibility to ensure you are following what’s right for your type of business and that your team are copying your good example too.

Certain organisations are regulated differently. For example, financial services providers, investment firms and consumer credit firms alike are regulated by the Financial Conduct Authority, while care homes and hospitals are monitored by the Care Quality Commission. Food businesses are regulated by the Food Standards Agency and have to be registered with the local authority.

Even though these are three different sectors, each is accountable to a regulatory body that will ensure everything the business does is ethical, responsible and aligned with the law.

So, who are you regulated by and why is this important? Well, it depends. Ultimately, most businesses are regulated by an industry-specific regulator – but other sectors have less regulation.

The industries which aren’t heavily regulated in the UK include cleaning services, plumbing and recruitment.

That doesn’t mean there is a free-for-all: everyone must follow the various and continually changing UK rules and regulations set by Parliament, regardless of whether they have an industry-specific regulator or not.

Rules and regulations can be complicated and may be a challenge to follow, especially if you’re not an expert on this matter.

But there’s a simple way to build on your understanding of how it works – and we call it the Onion Analogy.

There are several layers to rules and regulations and, aligning our explanation to the Onion Analogy, we’re going to uncover three layers.

Layer one of the onion – The regulatory bodies you must follow

These include, but aren’t limited to the Information Commissioner’s Office (ICO), the Advertising Standards Authority (ASA), the Competition and Markets Authority (CMA), the Health and Safety Executive (HSE) and more.

Generally, these bodies give guidance on the area they cover but they also have enforcement powers when it comes to breaches of the law.

Every company – including yours – must follow various authorities if it is to adhere to UK law.

Layer two of the onion – The industry-specific regulatory bodies you are accountable to

Similar to the earlier examples from the financial, health and food sectors, industry-specific regulatory bodies are the organisations that specialise in the area your business works in.

Other examples include the Environment Agency (EA), the Solicitors Regulation Authority (SRA), Ofcom, the Gambling Commission and more.

Layer three of the onion – The industry norms. What are others doing which is right?

The final layer within the Onion Analogy is your industry norms – what are others within your sector doing which is right for your consumers.

It’s impossible for us to give you a definitive answer on whether you are following the rules and regulations for your sector. However, if you’re looking for some expert insight and guidance into whether what you are doing is right or requires improvement, our Business MOT is a great place to start.

Business MOT

Secure your cash flow: Disclose your legal trading entity

Your clients have the legal right to understand exactly who they are dealing with. If they don’t, you could find yourself with agreements being void and not getting paid for the work you do…

Imagine it – business is booming and you have just had one of the strongest quarters to date.

Then suddenly, your customers stop paying and you have no legal way to get your money as a result of not abiding by trading laws and disclosing your legal trading entity.

But what is the legal trading entity?

In a nutshell, it’s the name of the business used for tax purposes. It’s the ‘legal’ name of the person or entity that owns it.

If you’re a sole trader, a plasterer for example, then the legal trading entity of your business is your name with or without your initials or forenames.

So, if your name is Richard James Smith, the legal name for your business could be Richard James Smith, Richard J Smith, Richard Smith, R. J. Smith, R Smith or simply Smith.

If you trade under a name which does not include your surname, for example Phoenix Plastering Services, you would have to give your surname to every current or potential client.

For example, Smith’s Phoenix Plastering Services or Richard Smith trading as Phoenix Plastering Services, together with an address at which you can be contacted: in legal parlance, an address at which you will accept the service of documents.

For an unincorporated partnership it gets a little more complicated, as the legal trading name is the last names (with or without initials or forenames) of all of the partners.

For limited liability companies, partnerships and corporations, the business’ legal name is the one that was registered with Companies House including Ltd, LLP, PLC etc. In addition, there are specific disclosure requirements for these types of business including full corporate name, registered office address, registered number and place of registration.

The trade or business name is the name a company uses for advertising and sales purposes. It’s imperative you understand that this is different from the legal trading names previously described.

It’s a legal requirement that your legal trading entity is included on all business documents and their electronic equivalents which include invoices, letters, emails and websites.

If you’re a business that may trade under a different name to your legal trading entity and may be unsure of the rules, get in touch with the Crimson Crab team today.

Crab Insight January 2021

Red Tape Busters Volume 8, Issue 04, COLLABORATION


Welcome to the January edition of Crab Insight

This is the first edition of Crab Insight for 2021 (Crimson Crab’s tenth anniversary year), so a very happy new year from us all at Crimson Crab, and may 2021 be infinitely better than 2020 for us all.

As we enter lockdown three we have been thinking a lot about collaborative working. Essentially there is a golden thread of collaboration running through Crimson Crab.

We collaborate on things like

Mainly because it’s a great opportunity to add extra value. It’s also a hugely beneficial way of working on many levels, especially during lockdown.

If you would like to discuss a potential collaboration with us please don’t hesitate to get in touch.

Claudia Crab’s January Focus

Trading Disclosure

“Your customers and clients have a legal right to know who they are dealing with.” Robert Briggs – Compliance Director Crimson Crab Ltd

This means that they are entitled to know your legal trading entity’s name, be it yourself as a sole trader, the names of all the partners for a partnership or the corporate name of a registered body.

If you trade under a name other than that of the legal trading entity then you should disclose the full details of the legal trading entity including an address where you will accept service of documents.

For corporate bodies, there are specific requirements to give the full registered name, registered office address, registration number and place of registration.

All of this information needs to go on business documents including letters and emails and websites.

We can provide a “letterhead” check to make sure you have it right.

Top tip – A great starting point for any business review is our Business MOT

F2 Business Huddle Online

Friday 12 February 2021

12 noon to 2 pm

Get your ticket on Eventbrite


Reputation Advocates

When you need a reliable and dependable expert, click on the crab.

Feedback

We love to receive feedback and it really helps us to improve our services for everyone.

Until next month look after your reputation!!

Ethical, legal, responsible trading
T:023 9263 7190 | E: enquiries@crimsoncrab.net | W: www.crimsoncrab.co.uk 

Copyright (c) 2021 Crimson Crab Ltd, all rights reserved.


Three don’ts to protect your customer relationships

The relationships any organisation has with its customers are important if it is to succeed. Also, the retention of clients is a pretty big deal.

But, at times, we understand our working lives can be testing and offering excellent customer service may be a challenge.

However, in any context, business owners and their teams must strive to deliver a strong service to their clients if they wish to achieve a positive reputation… while protecting it too!

That’s why our top three don’ts are here to help you protect the relationships you have with your customers.

  1. When things go wrong, don’t ignore them!

Most businesses treat their consumers well. How do we know this? Because, if they didn’t, there would be no business.

But what happens when things do go wrong? Firstly, it’s important you don’t bury your head in the sand if something, such as a complaint, takes place. Be prepared for any negative response from your clients; have a clear complaints process and be genuinely ready to help people when they’re not happy.

  2. Breathe! Don’t respond on the hoof…

Your focus must always be on protecting the relationships you have with your customers.

To have someone walk away after using your service or product with a negative opinion can be detrimental to how other people perceive your offering.

We’re only human, so it’s understandable if you’re upset as a result of some negative feedback.

Nonetheless, take a moment to consider how you are going to approach your response, as well as how what you say will have the ability to preserve an existing relationship.

  3. Understand the law behind consumer complaints, and don’t neglect it!

There is law around dispute resolution, complaints and mediation, so it’s important you understand what is appropriate and what isn’t if you’re to address a consumer’s negative experience correctly.

Let’s use a complaint from a customer as an example. Businesses have to comply with rules and regulations when dealing with an issue.

These rules don’t necessarily change from one industry to the next, but some sectors do offer an alternative dispute resolution.

Fancy some bedtime reading? The Consumer Rights Act 2015 is a good place to start.

The Act consolidates consumer protection law and legislation while also providing consumers with their rights and remedies, so it’s an essential read for any business that deals with consumers.

For further details on how to protect your consumer relationships, and the best tips on what to do if something does go wrong, get in touch with Crimson Crab today.


Is my company’s website legal?

Building a website is easy, right? With the click of a few buttons and some vibrant graphics, you’re ready to go. Yes, perhaps, but is it compliant?

Your website is your organisation’s shop window, so it’s important for it to look good and entice your target audience, but it’s also crucial for it to be legally compliant.

But – what does that mean and how can you ensure it is compliant?

All websites must conform to the Data Protection Act (and GDPR Regulations).

“If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.”

“Three-quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking.”

Elizabeth Denham UK Information Commissioner

Your website is a powerful tool to grow your business – but can also be detrimental to the business if it isn’t compliant.

That’s why our tips cover some of the top things to consider when it comes to your company’s website.

Always have a valid reason: Personal information from individuals and organisations can be useful for many reasons – but do you have a valid reason to use it for your intentions? Be clear about WHY you’re collecting people’s details – and what it’ll be used for. Always give them the opportunity to give you permission in the correct way if you need to.

Security is key: If your website isn’t secure, you’re leaving yourself and your visitors susceptible to hackers and cyber-attacks. Don’t be responsible for this!

Is your privacy information in check? One of the most important documents on your website – above any information about what you sell – should be your privacy notice. Many businesses call it a privacy policy; whatever you call it, it must contain specific information about your use and processing of personal data, and if it’s not there you are not covered. Feel free to get in touch for more details.

Data Protection Essential Questions

Data protection essentials: 23 questions. Do you know all the answers?

  1. Do you understand what data flows through your business and have you recorded:
    • what personal data you hold;
    • where it came from;
    • who you share it with; and
    • what you do with it?

  2. Have you recorded at least one of the six legal reasons for processing the data?
    • If you use consent:
      • it is good consent;
      • you record how it has been given; and
      • you record and manage ongoing consent.
    • If you are relying on legitimate interests:
      • you have done the three-part test; and
      • you can demonstrate that you have fully considered and protected individuals’ rights and interests.

  3. Are you currently registered with the Information Commissioner’s Office?

  4. Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?

  5. Can you deal with a Subject Access Request, i.e. a request from a person to access their personal data, within one month?

  6. Do you make sure that the personal data you hold remains accurate and up to date?

  7. Do you securely dispose of personal data that is no longer required or where an individual has asked you to erase it?

  8. Do you know what to do when someone asks you to restrict the processing of their personal data?

  9. Can someone move, copy or transfer their personal data from your system to another safely?

  10. Can you deal with an individual’s objection to the processing of their personal data?

  11. Do you know if you carry out automated decision making and, if so, do you have procedures in place to deal with the requirements?

  12. Do you have a data protection policy, and can you demonstrate your compliance with it?

  13. Do you regularly review the effectiveness of your data handling and security controls?

  14. Do you provide data protection awareness training for all staff?

  15. If you engage third parties to process your business’s personal data on your behalf (e.g. email marketing companies, database providers, cloud-based service providers), do you have a written contract with them which meets the legal requirements, and do you carry out suitable and sufficient due diligence?

  16. Do you know the information risks you have and their business impact, so that you can manage them in a structured way?

  17. Have you implemented technical measures and policy to integrate data protection into your data processing?

  18. Do you understand when you must conduct a Data Protection Impact Assessment?

  19. Have you nominated a data protection lead, or a Data Protection Officer (DPO) if required or preferred (note this role can be outsourced)?
    • If you have a DPO, have you notified the ICO?

  20. Do you champion a positive culture of data protection compliance in your business?

  21. Do you have an information security policy supported by suitable security measures?

  22. Do you record all personal data breaches, no matter how trivial?
    • Can you manage and resolve them?
    • Do you know which must be reported to the ICO?
    • Do you know which must be reported to the data subject?

  23. Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?

If you don’t know an answer you had better find out fast!

Remain resilient during the COVID-19 outbreak, yes, but keep compliant too

It will be some time before life returns to “normal” in the UK and even then, things will no doubt be different.

Teams up and down the country have responded to what’s happening and stayed resilient by working from home.

But, how is remote working supporting many companies in their attempt to be resilient through these strange economic times? And, how are they remaining compliant every step of the way?

Working from Home

Thousands, if not millions, of employees are working from home as a result of this pandemic.

From Microsoft Teams calls to Zoom, progress in using technology has proven to be an excellent benefit for businesses across the country.

Technology (and a reliable Internet line) has never been relied on as much as it has in these unprecedented times.

While working away from the office is allowing businesses to continue efficiently, it does come with risk:

Data Protection

With an increase in the number of employees working from home, your people must understand the importance of protecting personal data on the IT they are using.

It’s all well and good if your company follows Data Protection legislation within an office environment, but you must still ensure this doesn’t get thrown out of the window with your remote workers, especially if they are new to working at home or remotely.

If you need any help check out our Data Protection Solutions here: https://www.crimsoncrab.co.uk/our-solutions/data-protection-information-risks

Cyber Security

Producing an effective Cyber Security Policy comes with an understanding of where your own security is currently at.

If your business is susceptible to a cyber-attack then you must be ready to deal with this unfortunate risk, both for those working in an office and for those working from their own home. Any system is only as good as its weakest link and, regrettably, this is most likely to be an individual away from the discipline of the office environment.

Similar to protecting data, think about how you can remain compliant while keeping resilient throughout the lockdown.

Understand more about Cyber Security at the NCSC website here: https://www.ncsc.gov.uk/section/about-ncsc/what-is-cyber-security

Scams

Stay safe from online scams by taking simple steps while working from home.

Check your privacy settings and be aware of unsolicited emails. In addition:

  • always use unique, strong passwords (use a trusted password manager – not the browser);
  • update your software regularly;
  • make sure your network is set up correctly;
  • change all the default passwords on devices to a secure one; and
  • avoid using public Wi-Fi connections.

There is more information about Fraud and Cyber Crime on the Action Fraud website here: https://www.actionfraud.police.uk

Remember – your business must trade legally and it is your responsibility to do so ethically – no matter where your staff are based. Take full responsibility and get in touch with us on how you can remain compliant while focused on being resilient.

Operating Ethically – Do you have an anti-bribery policy?

“Desperate Times Call for Desperate Measures” is the phrase that comes to mind when someone bribes another for their gain in a business context.

Crimson Crab explores bribery and the means to protect your company from this illegal action which can have serious consequences.

So, what is bribery?

The dictionary definition: to bribe a person is to “dishonestly persuade someone to act in one’s favour by a gift of money or other inducement: they attempted to bribe opponents into losing.”

Bribery is unethical. It’s bad for business and can lead to a hefty jail sentence and other unpleasant sanctions.

It is illegal to offer, promise, give, request, agree, receive or accept bribes – an anti-bribery policy can help protect your business.

We hear you, business is important. Whether it’s your own company or one you work for, having a stable model offers an element of security for everyone. Therefore, it’s pretty important you invest in protecting it.

As regards the risk of being affected by bribery, you can safeguard your business with an anti-bribery policy.

Your anti-bribery policy needs to be written with the level of risk your company faces in mind, and should give reassurance to your people about what to do in potentially difficult situations.

It should include:

  • Your approach to reducing and controlling the risks of bribery
  • Rules about accepting gifts, hospitality or donations
  • Guidance on how to conduct your business, e.g. negotiating contracts
  • Rules on avoiding or stopping conflicts of interest

Even though it is not a legal requirement to have an anti-bribery policy, you are obliged by law to manage the business risks effectively. That’s why we’d suggest having the policy.

For more information on how to manage business risks – and to discuss anti-bribery policies in detail – please get in touch!