Media & technology

GDPR – it’s not the whole story
28 June, 2018

By now hopefully the excitement of 25th May 2018 (or “GDPR Day”) has subsided. But the GDPR isn’t the only legislation that came into force then. The Data Protection Act (DPA) 2018, after some last minute wrangling and compromise, was given Royal Assent on 23rd May 2018, and much of it came into force just two days later.


You might wonder why we need another Data Protection Act when we already have GDPR to worry about. Well, despite it’s billing as a “one stop shop” that would make data protection law consistent across Europe, the GDPR does need national law to fill in the gaps in some areas. So each member of the EU needs to pass national implementing law to deal with those areas. At the date of writing, the majority of member states’ are still at the draft stage when it comes to their local implementing law. The UK managed to squeeze theirs in just before GDPR Day.

So What?

So what does the DPA 2018 do? Well, lots of things. It’s a hefty 353 pages (compared to the GDPR’s paltry 88) but many of the changes will only be relevant to public authorities, or activities like law enforcement or anti-terrorism measures. Much has been made about the minimum age of giving consent for data processing being lowered to 13 (from 16), but this only applies in relation to online services directed at children.

The key provisions of the DPA 2018, which will affect almost every business, relate to the use of “special categories of data”, i.e. particularly sensitive data. This includes information concerning an individual’s health. While many organisations won’t use any information relating to outside individual’s health, they almost certainly will in relation to any employees, when dealing with sickness absence, or accommodating any health-related requirements. The GDPR allows organisations to use this data as necessary to comply with employment law obligations, or exercise employment law rights, but only if local law authorises this use and provides appropriate safeguards.

Without the DPA 2018 then, it’s likely most organisations wouldn’t be able to use data about their employees’ health. The DPA 2018 sets out that organisations can use health data as necessary to carry out obligations or exercise rights in connection employment law, but requires them to have an “appropriate policy document” in place.

The appropriate policy document needs to explain the employer’s procedures for complying with the data protection principles in relation to that use of health data. It also needs to explain the employer’s policies around retention and erasure of that data, and indicate how long it is likely to be retained.

Without that policy document, any use of employee health data is likely to be in breach of the GDPR and DPA 2018. Any organisation which engages employees and uses any health data should review its policy documents to ensure they comply with the DPA 2018 requirements.

What next?

At Cripps we have prepared a Data Protection Toolkit which contains questionnaires, customisable template documents and related guidance (including a template “appropriate policy document” as part of an internal privacy notice) and we are offering half day and full day workshops to help our clients get up to speed with the data protection law – if you’d like more information on the toolkit or workshops you can contact us using the details on the right. You can see a list of the documents (and a description of some “GDPR Essentials”) here.

For more information on data protection, please contact Elliot Fry at or on +44 (0)1732 224 034

For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw

Lose Your Domain Name? It’s easier than you think…
19 June, 2018

You don’t ever ‘own’ your domain name; your registration is only a lease, subject to the payment of an annual fee. If you don’t pay that fee (you miss the renewal), you lose the domain and it’s then publicly available for anyone to register. 

As a business, your size or notoriety will not eliminate the potential risk of loss.

What’s the potential damage?

A domain name is the location at which your website is hosted: lose your domain and any website that was hosted at that address will go down, eliminating your online presence.

If a third party then quickly registers the domain name, they can take its goodwill and web traffic. Cybersquatting (registration of domain name in which there is no legitimate interest in order to ransom its return, or unfairly commercially exploit its popularity) is a risk for companies of all sizes.

Damage is not only the direct financial loss of losing online trade, but brand damage can also result if cybersquatters use the domain name to divert traffic to a website hosting indecent, counterfeit or malicious content.

Can it happen to anyone?

The BBC has reported that John Lewis recently allowed its wedding gift list domain name to lapse, resulting in the corresponding website going down. Rather than seeing the John Lewis gift list webpage, users were instead met with a domain name registry page, offering to sell them the John Lewis domain name.

John Lewis had apologised for the error, however it could have been a more complex and costly mistake if, for example, the domain had fallen into the hands of cybersquatters.

Can you recover a lost domain name?

If a domain name is lost, it is possible to seek its recovery at the relevant domain name registry (outside of the courts) using the ‘UDRP’.

We explain the UDRP process, and how Cripps can help if a domain name has been lost, in our UDRP Guidance Note

Can you reduce the risk of losing a domain name in the first place?

An auto-renewal can often be set up to minimise the risk of a domain name being lost, however nothing is risk-free: it’s worth also manually checking at renewal time to confirm a successful renewal, minimising the opportunities for cybersquatters.

However, if your renewal is missed, and your domain name is lost, we are on hand to advise in respect of its recovery.


For more information on domain names, cybersquatting issues, or intellectual property law in general, contact Will Charlesworth – / 01892 224 059.

A legal Battle Royale: World’s most popular video game sued for copyright infringement
7 June, 2018

The developer of the smash hit video game Fortnite: Battle Royale is being sued by developers of rival game PlayerUnknown’s Battlegrounds (PUBG) for copyright infringement.

The claim is being brought in South Korea where the developers of Fortnite – Epic Games – have a local office. The creator of PUBG is seeking an injunction on the grounds that Fortnite bears many similarities to its own game. Fortnite was originally launched in July 2017 as a team zombie-shooting game, but a new version of the game launched in September 2017 saw 100 players fighting each other across a shrinking environment to be the last person standing. This shrinking environment concept first appeared in PUBG and is the subject of the infringement claim, with PUBG claiming Fortnite is “replicating the experience” for its users.

The Fortnite game is entirely free to download and play. It makes its money from in-game purchases of different costumes and tools and it is estimated that the game made £226 million in April 2018 from these purchases alone. What is perhaps most interesting about this method of generating revenue is that these in-game purchases provide no tactical advantage when actually playing the game. Since its release, Fortnite has taken the gaming world by storm whilst the popularity of PUBG has waned.

Despite the copyright claim there are marked differences between the two games. PUBG has a realistic, military-style theme and includes the use of vehicles to traverse its large map. Fortnite, on the other hand, is of a cartoon style, does not use vehicles and – perhaps most importantly for this copyright case – includes a fort building aspect to the gameplay. This means that, in a shootout, the winner is often the player who is better at out-building their enemy rather than simply out-gunning them. This aspect is not present in PUBG.

These distinctions are important in copyright claims. Copyright does not protect the idea itself (e.g. a 100 player shooter with a shrinking map) but how that idea is expressed.

An injunction, if granted, may prevent Fortnite from distributing the game in South Korea. South Korea is the sixth-largest market by video game revenue, responsible for $4.2 billion in 2017, and would therefore cause huge financial consequences for the company. It could spur PUBG on to additional claims in different territories which, if successful, may see Fortnite players turning to PUBG if Fortnite is no longer available.

The case serves as a prime example of the potential value of intellectual property rights.

Under English law, copyright arises automatically for original literary, dramatic, artistic, and musical works, sound recordings, broadcasts, films, and the design of pages of published work. Broadly speaking, the owner of copyright has the right to prevent others from copying or making an adaptation of their original work. Injunctions preventing the infringing acts, damages, or an account of profits are amongst the available remedies.

For more information on intellectual property claims, please contact George Fahey at or +44 (0)1732 224 059.

GDPR: What now?
25 May, 2018



GDPR implementation day is here. The sky has not fallen in, but the true impact of GDPR is yet to be felt. For many of us who have been involved in GDPR compliance projects over the past months, the question remains, what now? We’ve set out some key areas of uncertainty, and a few predictions, below.


The new maximum fine limits of £17m (or 4 per cent of group turnover) for non-compliance might look terrifying, but how likely is it that current fines will be scaled up to these levels? The highest pre-GDPR fine that the Information Commissioner’s Office (ICO) has imposed is £400,000 (80% of a maximum limit of £500,000) and the ICO confirmed that enforcement “will be proportionate and, as it is now, a last resort” and it’s clear that only the worst infringers should be concerned about the new maximum fines. In any event, it is likely that any fines issued under GDPR will not be handed down until 2020 (given previous time-scales for enforcement), so it will take some time assess the impact of the new limits.

Individual rights and awareness

 Individuals have more rights under the GDPR in relation to their personal data, and recent media coverage alongside GDPR’s implementation date has certainly made people more conscious of data protection issues. Increasing press coverage concerning rights under GDPR, reports of high-profile breaches, and endless privacy notices that flood individuals’ inboxes are all increasing awareness. ICO investigations (even without fines) will often be reported in the press. Businesses that can’t show they practice good data security, or don’t have the necessary understanding of their responsibilities, will struggle to build trust and maintain their reputations. That reputational damage may be the most significant impact for any business that doesn’t treat GDPR seriously.

As a result of greater transparency, organisations will receive more requests from individuals (“subject access requests”) about how, why and where their data is held. This will inevitably result in more complaints being made to the ICO. We also expect to see increasing numbers of group litigation cases in relation to large-scale data breaches, since a data breach is likely to involve more than one individual’s personal data.

Service providers: comply to thrive

 Service providers who process personal data as part of their service must establish if they process data on behalf of their customers (as a “processor”) or not. Many processors have already updated their terms and conditions to include the provisions required by GDPR, some will do so soon as their compliance projects continue, others may not. But despite all these contractual changes, it’s not clear if customer-provider relationships will actually change, or how any liability issues will be dealt with in practice.

Changes in the office

 We don’t just mean more GDPR-related chat (thrilling as it is). Just as new health and safety regulations changed the way offices operated, the GDPR will affect business processes as organisations become more aware of data security and the risks of a breach. Individuals will begin to have a better idea of personal data flows within a business and are likely to face various measures, including clean desk policies, role based access, and restrictions on remote working.

Consent, consent, consent

 Despite being the buzzword for GDPR, the consent rules have misled many. The standard of what is acceptable as consent is changing. Consent forms will become more prevalent, and websites will evolve to provide more choice about how your data is used (although further changes around the law on cookies are still being debated at an EU level).


 The number of marketing emails to your work or personal accounts is likely to reduce, despite not all email marketing requiring “opt in” consent. Given the rules on electronic marketing are stricter, you may also receive more postal marketing.

It’s here to stay

 GDPR isn’t the whole story. The Data Protection Act 2018 (the UK legislation that supplements GDPR and will apply post-Brexit) was given royal assent on 23rd May. More guidance from the ICO and European authorities is still to come, and different sectors should settle into a broad consensus on the boundaries of compliance.

Even if GDPR requirements are crystal clear, once you have your organisation in order, your obligations under GDPR will not disappear. Businesses must continue to monitor compliance, and as your business develops, your obligations under GDPR will develop too.

For more information on data protection, please contact Elliot Fry at or on +44 (0)1732 224 034

For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw


Tech product recalls: How good is your Product Safety Incident Plan?
18 April, 2018

Whist it may seem, thankfully, a relatively rare thing for tech products to be recalled, those incidents that have hit the headlines in recent years (remember the Samsung Note?) cause a lot of brand damage, in addition to hitting manufacturers and retailers in the pocket.  Managed well, however, the result can underline a company’s commitment to its customers and their safety and in some cases even strengthen a brand.  So it is important to get the process right.  

The Government’s new Office for Safety and Standards teamed up with the British Standards Institute to launch, last month (March 2018), a new code of practice on product recalls (“the Code”).  This may be a good starting point for your business if you haven’t got a detailed plan in place for product recalls, or if you have a plan but haven’t reviewed it in a while.

The guidance is aimed at all sizes of businesses, and deals with issues affecting manufacturers, retailers and distributors (B2B and B2C).  Issues covered are:

  • how a business can plan for a recall, including establishing mechanisms to deal with any product safety issue identified;
  • managing a possible safety related product recall or other corrective action;
  • establishing mechanisms to monitor the safety of products;
  • investigating any potential product safety issue; and
  • reviewing corrective action programmes to ensure that product safety responsibilities continue to be met

The guidance also covers what should go into a product safety incident plan (“PSIP”), focusing on:

  • understanding where all component parts come from and ensuring that traceability records up and down the supply chain are clear and up to date; and
  • having in place detailed plans to cover:
  • monitoring to enable the swift identification of product safety-related trends;
  • risk assessment and root cause analysis processes;
  • legal notification requirements
  • internal and external communications; and
  • corrective action decision-making.

It’s also key not to under-estimate the importance of co-operation with regulators.   Make sure you understand the regulatory framework surrounding your product and any recalls and what regulators’ likely approach may be if possible.  It has been suggested that the Government intends the Code to be seen as mandatory, and so will be expecting businesses to follow it, but in any case the Code may also provide useful insight into what guidance regulators will be expected to follow in this context and therefore what you can expect from your interaction with them.

Having an up to date plan in place which you can implement quickly will help you take the right action to protect consumers, and therefore you and your business.

1 2 3 23