What information do I have to publish on my website?

As you might imagine, I spend quite a lot of time looking at websites. I look at client sites to see what can be improved, I look at potential client sites to put bids and proposals together and I look for sites that I can prospect to. I also look at other sites to keep my knowledge up to date – and that’s just during the working day.

I see good sites, OK sites, indifferent sites and some real shockers, but no matter how good (or how poor) the site, and whether pennies, pounds or thousands were spent on its development, loads of them miss out basic information. A lot of that information is a legal requirement when a business uses a website to promote itself.

As an example, a lot of businesses provide a web form as their means of communication, despite the fact that a lot of people don’t like forms – especially ones that ask for too much information. Part of the dislike is that sending a form leaves the sender with no record of what was sent, or when, unless the form automatically forwards a copy to the sender’s email address. There’s no way to know whether it does that until you’ve sent the form (unless the form actually tells you).

There was a piece of legislation passed in 2002 called the eCommerce Regulations that applied to ALL companies using the internet, not just those selling online, and perhaps that’s why a lot of businesses don’t comply. Either that or it’s simply a lack of knowledge, either within the organisation or on the part of the web developer. Either way, ignorance of the law is no excuse – as the law says.

So, what does the law require you to publish in an “easily, permanently and directly available location” on your website?

Minimum information to be provided on your website

  • The name of your business, which might be different from the trading name, and any difference MUST be explained. For example, ABC.co is the trading name of ABC Enterprises Ltd.
  • The geographic address of the business must be provided
  • Your email address. A “Contact us” form without providing an email address is not sufficient
  • Your Company Registration Number, if yours is a Registered business, together with the place of registration
  • Your VAT Registration Number, if you are VAT registered
  • If you are subject to an overseeing body, such as the FCA, then you need to provide the governing agency AND your registration number.
  • Prices – if you are quoting prices (or selling) online your pricing should be clear, unambiguous and state whether prices are inclusive of tax and delivery costs, or not.

If you need help with compliance, or with anything else relating to your website or marketing activities then give me a call for an initial, free and zero obligation chat on 01793 238020 or email andy@enterprise-oms.co.uk

How much should you budget for SEO services?

How much does SEO cost?

The real answer is “how long is a piece of string”, but you don’t want to hear that. You want to nail down your costs so that you can shop around and get the best deal for your business – note that I did not say “cheapest”.

The first problem is that every SEO requirement is different: there are many variables that affect the amount of work required. Here’s a small selection:

  • How up to date is your website?
  • How SEO “friendly” is your web design?
  • How fast do you need SEO to take effect?
  • How does your site compare to the competition?
  • How many competitors do you have?
  • How well optimised are their sites?
  • What’s their likely budget?

The last of these is not about knowing their absolute spend; it’s more of an overview based on the simple fact that the larger the competitor, the more likely they are to have a greater budget than you.

Looking at the Good, Fast, Cheap Venn diagram, you’ll see that you can have

  • Cheap & Fast
  • Fast & Good
  • Cheap & Good

but you can’t have Cheap, Fast AND Good; it’s just not possible.

In reality, it’s not about how “good” your SEO is, it just has to be better than the competition. I’ve worked with a couple of businesses where the competition was clueless about SEO so it was a relatively simple task to push them higher in the rankings but most businesses these days are aware of SEO so the task is tougher.

Expectations & Reality

A recent survey reported that less than half of all small businesses have an SEO budget. Of those with one the majority (71 percent) spent less than £100/month. That’s right – 71 percent of small businesses budget £0 – £99/month for SEO.

This is further supported by the enquiries I receive from prospective clients. Here’s the breakdown for a pretty typical quarter in 2017:

Monthly SEO enquiries/budget

This is why your inbox is spammed with promises of “guaranteed first-page results” for £99. SEO spammers know the market. Their promise of first page results is hard to resist and, in my experience, most business owners have no idea how SEO works, they are far too busy running their businesses to spend time learning SEO and so may very well opt for the least expensive quote.

Most businesses are process driven: to get from A to B you follow a certain process. A lot of people assume SEO works in a similar way; they tend to treat it as a commodity and, as a consequence, select their SEO on price, frequently choosing the least expensive (cheapest) option.

The Cost of Cheap SEO

I’ve been doing SEO since 2001 and over the years I have been a member of many internet marketing groups on LinkedIn. I never cease to be amazed by the number of people with a little knowledge who pose as SEO professionals and take on clients. How do I know they lack experience? It’s questions like “I have just taken on a client that wants to rank for ‘keyword x’ – how do I do it?” that tend to give the game away.

A close second to asking “how” is the use of link schemes, specifically private blog networks (PBNs), without ever explaining the risk to clients. If you were simply throwing your money away by hiring an incompetent to carry out your SEO, that would be bad enough. The problem is that the damage does not stop at the waste of money – it’s far more serious than that. The damage that someone who does not know what they are doing can cause goes much deeper. It could attract a Google penalty and virtually wipe out a website’s visibility on the web.

As a consequence, even if you don’t choose EOMS to conduct your SEO I would encourage you to insist on using tactics that comply with Google Webmaster Guidelines, as I do.

Managing Your Resources

With Google using more than 200 ranking factors it’s easy to become intimidated and paralysed. However, there are some key areas that, if properly managed, will go a long way towards great SEO results. Your site should

  • be easily accessible to search engines.
  • follow Google Webmaster Guidelines for SEO best practices.
  • perform quickly (pages opening in 3 seconds or faster).
  • work well on all devices, mobile, tablet, and desktop.
  • feature content that is unique, interesting and of value.
  • have fresh content added regularly.

Set Goals

As with everything in business, Goals are good. They help focus the mind and ensure that everybody knows what’s expected.

When setting goals, it’s important to keep a few things in mind.

  • Your goals need to be SMART
    • Specific
    • Measurable
    • Achievable
    • Realistic – Stretch goals are fine, but pie in the sky benchmarks can actually work as a disincentive.
    • Timed – You need to give the campaign time to work. According to Google, “in most cases, SEOs need four months to a year to help your business first implement improvements and then see potential benefit.”

At one time, success was measured solely by where your website would be featured on the Search Results Pages. While this remains an important metric, it’s no longer the most important metric. The most important are those that deliver real value, such as:

  • Improving organic sessions by x percent.
  • Increasing conversions by y per month.
  • Increasing revenues by z percent.

Developing a Budget

And here we get to the nub of the matter. Your goals define the strategy needed to succeed. That in turn provides the information required to develop an action/implementation plan, which defines the work required and, consequently, the budget necessary to achieve the desired goals.

Remember though, that the budget needs to take account of the time to properly plan, implement and tweak a campaign in order to evaluate its success.

That said, the right budget is one you can afford, without losing sleep, for a minimum of four (and ideally 12) months. The lower the budget, the longer the journey.

How much should you spend on your SEO?

Well, £99/month just isn’t enough to do it properly. If you are hiring an SEO company expect to pay from £200-300 per month.

If you can’t afford to retain a top level SEO, there are some options. The most common being a one-time website SEO audit with actionable recommendations that you could implement yourself.

Just fixing your website will often lead to a meaningful boost in organic traffic. Content development and keyword analysis are other areas where you can get help from a pro for a one time fixed rate. Another option is to become an expert and do it yourself.

SEO Cost Calculator: Measuring Organic Search (SEO) ROI

Following is a calculator commonly used (incorrectly) for measuring return on investment for SEO.

[Figure: Best Widget Ever - ROI calculator]

Of course, the above calculation has a major flaw: it fails to take into consideration the lifetime value of a new customer.

Online businesses need repeat orders/sales in order to grow. By not calculating the lifetime value of a new customer the true ROI is grossly understated.

The right way to calculate ROI is to build lifetime value into the calculator, as seen here:

[Figure: Best Widget Ever - ROI over a customer lifetime]

The Takeaway

Unlike Pay Per Click – (Google/Bing Ads etc) an organic search campaign won’t yield immediate results and, even when executed to perfection, it takes time for Google to recognise and reward these efforts.

That said, the traffic earned from these efforts is often the most consistent and best converting among all channels.


To Carousel or not to Carousel, that is the question.

Carousels (aka image sliders) is the name given to those annoying sliding images that seem to feature on most websites these days. As you might have gathered, I’m not a fan, but is my dislike subjective (taste) or objective (they don’t add anything)?

It’s objective, and here’s why:

1/ The human eye doesn’t respond well to movement – or maybe it responds too well.
We may not live in the jungle anymore, but we did once. Our brains are wired to react to sudden movement, and the resulting eye movement is called a saccade. It’s our retina’s uncontrollable response to movement, and the speed of movement during each saccade can’t be controlled. The eyes move as fast as they are able.

This might have been great when hunting prey in prehistoric times whilst trying to make sure the odd sabre-toothed tiger couldn’t creep up on us, but today it’s your slider fighting for your visitors’ attention.

2/ They take control away from the visitor
Visitors like to be in control when they arrive on your website. They don’t want to see something they have no use for, and frankly, the whole point of your website should be to give your visitor what they came for.

When you put an auto-rotating image slider on your homepage you take control out of your user’s hands and give it to the slider. You know what follows? Disaster. Image sliders keep rotating, attention keeps being grabbed and web visitors lose patience. This is not only frustrating, but is terrible for usability according to UX Movement.

3/ They take up space and hardly get clicked
How many times have you watched a slider waiting for something useful to appear? If it’s more than once then you’re in the minority.

You already know image sliders are so fast and distracting that visitors tend to ignore them. Erik Runyon ran a study at Notre Dame University to test and measure the number of clicks made on the sliders in comparison to homepage visits, and you know what?

The study revealed a mere 1% of visitors clicked on a feature on the slider. That’s like the unicorn of bad conversions.

4/ They reduce visibility
The Nielsen Norman Group (founded by Jakob Nielsen, “the guru of website usability” according to the New York Times) ran a usability study in which a user was attempting to search for special deals on Siemens washing machines. The user arrived on the Siemens homepage, which looked like this, with a deal on a washing machine at the top of the page.

  • The user didn’t spot the deal
  • She ignored the offer placed in a small box in the left-hand corner.
  • Then she ignored the big banner splattered on the page, even though it had an image of a washing machine on it.

Because the image slider looked so much like an ad, she left the website without buying the machine, costing Siemens an easy sale.

Jakob Nielsen also pointed out that international users and users with low literacy are easily distracted and frustrated by image sliders, as they are unable to read through one offer before another slides into place.

The bottom line is image sliders are ineffective. And to reinforce this idea, here’s a slider by WebAIM. [If you only follow one link, you should follow this one]

Why you should not use an image carousel

Why you should be sending letters

Willie Sutton is a well known American bank robber (bio on Wiki). Although he always took a pistol or Thompson sub-machine gun, he never killed anyone; in fact he never even fired his weapon. When captured, his gun was always found to be empty and when asked about this he simply replied “I never carry a loaded gun because somebody may get hurt”. In fact, if a woman screamed or a baby cried he stopped the robbery and left.

Why are we talking about Willie?
Simple: he made a statement that has ramifications for your marketing even today. When asked why he robbed banks, Willie replied “Because that’s where the money is”.

So, how does that reflect on marketing? Simple – when you are marketing your business, you should always look where the money (your customers) is.

Where is the money?
According to marketing expert Drayton Bird, Millennials may not be the ideal target, they are buried in debt, apparently 40% of 18-34 year olds live with their parents and struggle to find well paying jobs.

Baby boomers, on the other hand are less stressed about money having enjoyed decades of cheap housing, safe jobs (some guaranteed for life), solid pensions and huge stock market gains. So, perhaps that’s who your marketing should be focussing on.

A recent survey has also turned up some very interesting statistics about Baby Boomers. Apparently they respond better to offline advertising:

  • Less than 10% prefer hearing from a new company through email
  • 73% prefer getting new product/service offers by mail
  • Only 31% say they discard unopened commercial mail

So, what’s the message?
Don’t ignore “snail mail” – take a look at what arrives in your letterbox. Mine’s almost empty for most of the week, so a well targeted piece of direct mail is likely to be opened, and that’s half the battle. After that, it’s down to the quality of your letter: the words, the pictures AND ensuring that there’s a positive call to action (CTA). Whilst on the topic of CTAs, every page of your website should have one, and so should every email you send.

What’s next?
If you need help with any aspect of your marketing, get in touch. Give me a call on 01793 238020, drop me an email to andy@enterprise-oms.co.uk or link up on LinkedIn or Twitter.


That’s my CTA, btw.

Do you use a .EU domain?

Brexit was always going to bring problems and issues for businesses, but nobody expected it to have an impact on business domain names.

Well, until Easter 2018 anyway, which was when a major problem for businesses was announced on the well known and respected technology news site The Register.

You probably chose your .EU domain for a really good reason, you want the world to know that either you are an EU-based business or your market is the EU, for example.

However, as a result of Brexit, the EU has announced that all .EU domains registered by UK businesses (and individuals) will be revoked on B-Day (Brexit Day) 31st March 2018

What this means is that if you are one of the 300,000 UK organisations or individuals who have registered a .EU domain, you might well see your website disappear overnight.

Obviously, continental domain registrars may well take advantage of this, offering to take on your domain and “fix” the problem for a (presumably large) fee, but that also has issues. The European Commission has hinted it is unhappy with that arrangement too; they will no longer allow you to own an .eu domain (that’s their whole point), so you are putting yourself at some commercial risk (similar to not owning IP in any products you make), and the EU is legally bound to prefer “the good of the EU” in any contractual dispute. Thankfully though, there are alternatives:

What’s in a (domain) name?

It’s not just your web site that could be affected, your email system, security certificates for encryption and e-commerce, and possibly even remote access to company assets for sales staff might be impacted too.

It will vary, obviously, depending on how you are set up, but checking this now is very sensible.

Perhaps the best approach is to do two things:

  1. Immediately register a suitable .UK domain, and
  2. Point your .EU web traffic to it as soon as possible.

You have a choice of .uk domain name, and you can still represent your EU connection in it, if that’s crucial. For example,

bloggs-transport.eu

might change to,

bloggs-transport-eu.uk

We realise this isn’t ideal, but the second name is safe as it can’t be affected by any disruption the EU Commission might cause. You would have normal rights to the name, under English law, and, if it’s done right, there’s almost a whole year for your clients to get used to your new URL. Thus the risk is minimised, and it becomes one aspect of Brexit that can’t hurt you further commercially.
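Step 2 above (pointing the .EU web traffic at the new .UK name), as an added example that is not from the original post: an nginx server block for the post’s own example domain names, showing a redirect that loses the visitor’s page beside one that preserves it. The certificate file paths are assumptions.

```nginx
# Added example, not part of the original post. Domain names are the post's
# own examples (bloggs-transport.eu -> bloggs-transport-eu.uk).

# Weak form: every old URL lands on the new home page, so deep links,
# bookmarks and search results for individual pages all go to the wrong place.
#
# server {
#     server_name bloggs-transport.eu www.bloggs-transport.eu;
#     return 301 https://bloggs-transport-eu.uk;
# }

# Corrected form: a permanent (301) redirect that keeps the path and query
# string, answered on both http and https for the old name.
server {
    listen 80;
    listen 443 ssl;
    server_name bloggs-transport.eu www.bloggs-transport.eu;

    # The old name still needs a valid certificate until the cut-off date;
    # otherwise https visitors get a browser warning instead of a redirect.
    ssl_certificate     /etc/ssl/certs/bloggs-transport.eu.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/bloggs-transport.eu.key;  # assumed path

    # $request_uri carries "/page?x=1" across unchanged, so /about on the old
    # name becomes https://bloggs-transport-eu.uk/about on the new one.
    return 301 https://bloggs-transport-eu.uk$request_uri;
}
```

Once the .EU name is revoked it no longer resolves, so this redirect only works while the old name is still yours; it buys time for clients, links and search engines to move to the new name.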

If this change goes ahead—and this is much more likely than unlikely in our opinion—you have less than a year for clients to become used to the change. This isn’t something to hesitate over: the implication is that no redirection will be possible after 31st March 2019, so at that point your site will simply vanish off the internet. People may even think you’ve gone bust!

Right now, you have enough time for this NOT to become an expensive issue. The longer you leave this one, the more electronic business disruption is likely to cost you come Brexit day.

If you have a .eu domain and you are worried, please get in touch: the fixes are mostly straightforward and inexpensive to implement (without disruption, if you act quickly enough).

Digital Leadership

Digital Leaders

What do these three people have in common?

  • Alan Turing
  • Tommy Flowers
  • Dorothy Vaughan

All three were very early digital leaders: Turing for his “Turing Machine”, an early general purpose computer; Flowers for Colossus, the first programmable computer, used to decrypt German military messages at Bletchley Park; and Vaughan for spotting the potential of NASA’s first IBM mainframe and leading the way in programming it to compute spaceship trajectories.

Closer to today

  • Pierre Morad Omidyar
  • Elon Musk
  • Martha Lane Fox

All of the above are Digital Leaders who founded exciting, new and very disruptive tech companies in the early noughties. Omidyar founded eBay, Musk founded PayPal and Lane Fox founded LastMinute.com.

But what is Digital Leadership?

Digital Leadership is the strategic use of digital to achieve business goals and uses technology to gain competitive advantage in both internal and external operations.

Companies and individuals can be Digital Leaders.

Benefits of Digital Leadership

Although the people mentioned above were disruptive, introducing new concepts, thoughts and technology, a business doesn’t have to be disruptive to be a digital leader.

When a company looks to make maximum use of technology and IT solutions across their business – striving for Digital Leadership – they stand to make gains across many areas, including:

  • Process Simplification
  • Automation
    • Reducing costs
    • Minimising errors
  • Increased Speed to Market
  • Improved Competitiveness
  • Market Advantage
  • Increased Profit

Just look at the evolution in milking technology to see evolution in action. Think back to a time when cows were milked by hand and the revolution that an automated milking machine brought to the market, enabling a herd of cows to be milked at the same time, requiring far fewer people.

Now, the introduction of fully roboticized milking parlours means that the cows can get themselves milked at a time that suits them, rather than just at dawn and dusk. Apparently, cows are happiest when they are milked between 3 and 4 times a day, alleviating the discomfort of full udders as required. Happier cows lead to improved milk yield, and the roboticized process significantly reduces workforce costs.

Transforming your business

If you want to take advantage of the opportunities presented by the digital and technological revolution, take a step back from the day-to-day running of your business and analyse EVERYTHING. Look at everything you do, ask who does what, why, when, how and invite others to contribute to your research. In other words, stop working IN and start working ON your business.

[Image: Process Mapping]

You could use Post-It notes on a wall and capture the completed research using your phone.

Next, look at ways of making everything “better”. The goal is to work Smarter not Harder, so you’ll be looking to:

  • Simplify
  • Automate
  • Improve

You can investigate off-the-shelf solutions or have bespoke solutions developed. The former will normally deliver a quicker fix, but with compromises which mean you may not gain maximum advantage. A bespoke solution will take longer to develop and implement and will probably cost more in the short term. However, the benefits will be far greater in the medium to long term because the solution will be precisely tailored to meet your exact requirements.

When to start Digital Transformation

There’s no time like the present, you might already be lagging behind your competition!

How much is a Page 1 result in Google actually worth?

Almost every week I am approached by clients who need their site to be found higher up in the Google Search Engine Results Pages (SERPs). Quite often they have been approached by (or have approached) consultants offering to do this but have balked at the fees.

Now, I know that the fundamentals are pretty easy to achieve if you have the knowledge, experience, inclination and time but many small businesses rarely have any of these and yet many still believe that good search engine optimisation [SEO] can be delivered quickly and cheaply.

If you’re confused by the SEO jargon, have a look at my SEO Glossary of Terms for clarification.

Is this possible and what’s the real value of good SEO?

Let’s take a look at the numbers. In the UK about 85% of the population use the internet. With a population of 65.64m (Worldometers), this equates to around 56m individuals who are online. Of these, 80% use search engines to find what they are looking for, that’s about 45m people, and at least 95% of them use Google as their search engine of choice: 42.75m people.

Now, let me ask the question “how much is it worth to expose your brand to a potential audience of this size?”

TV Advertising

Let’s look at TV first. There is the cost associated with the production of the advert: script writing, casting, production, filming and editing.

According to the Televisual magazine, the average cost of producing a 30 second advert for TV is around £201,000.

Then there is the cost of your slot. This will vary based on a number of factors:

  • your target channel
  • whether you want a regional or national ad
  • the time of day
  • the product to be advertised
  • the show(s) on either side of the targeted ad break
  • etc.

So, putting your ad on screen at peak viewing time, 9pm, is going to cost much, much more than a slot at 2am when the audience will be far smaller.

As a very rough guide, an evening slot on ITV will cost between £60,000 and £75,000 and is likely to reach between 5m and 9m viewers depending on the popularity of the show.

However, if you want your ad to go out during something like the X-Factor, then a 30 second slot will set you back a cool £200,000.

Radio and Print Advertising

So, you may look at radio or the print media, both of which have lower costs (production and media costs) but also have significantly lower audience figures.

In all of these cases, the costs will be for a one-off and most people with any experience of advertising know that one-off adverts simply do not work, so you have to pay for a campaign.

All of a sudden the fees quoted by Search Engine Optimisers begin to look like pretty good value for money, bearing in mind that if they succeed your site will be in front of the largest possible audience 24 hours a day, 7 days a week.

What’s next and a Shameless Plug

Are you happy with the place your site has reached in Google? If not, get in touch today – call me on 01793 238020 or drop me an email to andy@enterprise-oms.co.uk

My SEO rates start at £150.00 + VAT per month, peanuts compared to TV, radio and most forms of print advertising.

007 in ‘For your GDPR Only’

When “M” has finished spymastering for the day, or pops out for a cheeky Nandos, we always see M locking the “Top Secret” files away in the office safe. We know that’s so that no secrets will be discovered, even if an enemy spy (or the tea person) manages to gain access to the empty office.

In business, we need to be like “M”.

In a previous post I looked at Data Protection and the forthcoming General Data Protection Regulations (GDPR). However, I didn’t make it clear that the regulations don’t just apply to digital data stored on your IT systems and network but also apply to paper records too.

Anything that contains personal data, whether paper or digital, falls under the auspices of the Act, including the recordings from your CCTV cameras, phone systems (think “this call may be recorded for training purposes”) and biometric data – such as fingerprint or iris recognition systems used to unlock systems or grant access.


This means the files on your desk, the files in your filing cabinet, your paper archives as well as your electronic records, anything that includes personal data.

To start with, you need to ask yourself

  • Who has overall responsibility for the data you have and/or use?
  • What data are you holding, why are you holding it and where is it held?
  • Are your Privacy and Data Use Policies as good as they need to be?
  • How long do you need to keep data & how will you securely destroy it when you no longer need to keep it?
  • Who has legitimate access to it and who else can access it?
  • How secure is your building, your paper records and IT systems?
  • What happens out of normal business hours?
  • Can data be exported and removed without authorisation (to a USB key for example)?
  • Is your network connected to the internet and how secure is your connection?
  • Can your network be accessed remotely – is this secure?
  • Is your electronic data encrypted so, in the event of a breach, data cannot be accessed and used?
  • Can your network prevent unauthorised intrusion (hacking)?
  • How do you manage Subject Access Requests, (when someone requests to see the data you hold about them)?
  • How will you manage a data breach, whether it’s a hack, unauthorised file copy or unauthorised removal of paper records?

So, how can I help?

I can put you in touch with reliable IT companies and trusted partners

  • who will be able to inventory all of your IT and data assets.
  • who’ll test your network to see how secure it is and whether hackers are likely to be able to gain access
  • who will secure your network from external threats (hacking) and ensure that your remote access requirements are reliable, easy to use and secure.
  • who will help you secure your data inside the organisation and set things up so that only appropriately authorised employees can access the data they need to do their job and no more.
  • who will secure your network so that it’s almost impossible for data to be copied onto a USB key or external hard drive and removed from the organisation
  • who will put transparent encryption in place which means that it doesn’t slow anything down but is so strong that only GCHQ or the NSA would be likely to crack it.

Take the first step now, by giving me a call on 01793 238020 or emailing andy@enterprise-oms.co.uk to find out how I can help mitigate data security risks and start preparing for GDPR guidelines.

General Data Protection Regulation (GDPR)

What is the GDPR?

The General Data Protection Regulation (GDPR) is the name given to the new law that will come into effect on 25 May 2018 to provide added protection and security to the data that businesses hold on, and about, individuals. It will replace the UK’s Data Protection Act (DPA).

At the end of this post you’ll find a simple glossary of terms for reference.

Why do we need the GDPR?

There has been a huge change in the amount of data, and the way we use it, since the Data Protection Act came into effect 20 years ago.

Back then, a home PC was a rarity, now it’s pretty much the norm and households typically have multiple devices (PCs/laptops, phones, tablets, smart TVs and other internet connected devices) whilst the majority of businesses are totally reliant on IT and data.

As a consequence of these changes the laws relating to data needed updating, and there was a strong drive to have common data protection laws across the EU due to the increased globalisation of business. Brexit will have no impact on the new regulations.

What impact will the GDPR have on my business?

There will be a need to ensure that the way you collect, store, manage, use and destroy data is in compliance with the new regulations and there may be a requirement to employ new staff, outsource services or allocate new responsibilities to existing employees.

People & Accountability

Data Protection Officer

To comply with the new regulations you may need to allocate data protection responsibilities to employees or employ a new member of staff, depending on the size of your business and the data protection requirements placed on it. The following businesses MUST appoint a Data Protection Officer (DPO):

  • Public Authorities
  • Businesses whose core activities involve large scale systematic monitoring and profiling activities
  • Businesses whose core activities involve large scale processing of special categories of data such as ethnic origin, political opinions or religious beliefs

DPOs can be employed or outsourced but must report to the highest level of management.

Data Processors

Current law applies only to data controllers; it does not apply to pure data processors, i.e. service providers who only deal with data as directed by their customer. A mailing house which accepts data from a client to produce mail shots (land mail or email) is one example.

GDPR introduces direct rules and accountabilities for data processors, including:

  • Keeping records of data processed
  • Designating a Data Protection Officer (where required)
  • Notifying the Data Controller where there has been a breach

Under GDPR, data controllers can only use data processors “providing sufficient guarantees to implement the appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects”.

Accountability and the GDPR

Accountability is all about considering risks and demonstrating that you have considered, and managed, data protection risks. You will need to have clear policies in place to show that you meet the required standards, and you should establish a culture of monitoring, reviewing and assessing your data processing procedures.

Privacy Impact Assessments

Businesses will be required to carry out a data protection impact assessment before carrying out any processing that uses new technology and is likely to result in a high risk to data subjects. This is required in particular where there will be automated processing (including profiling) on which decisions affecting the data subject are based, and for large scale processing of personal data.

Privacy By Design

Businesses must take data protection requirements into account from the inception of any new technology, product, or service, that involves the processing of personal data, with an ongoing requirement to keep those measures up to date.

Notification of Breach

The existing DPA requires an organisation to notify (register and pay a fee) the ICO that they will be processing personal data. This will no longer be a requirement under the GDPR; it is replaced by an obligation on the Data Controller and Data Processor to maintain detailed documentation, recording:

  • Processing records
  • Data location
  • Purpose of processing
  • Lists of data subjects
  • Categories of data
  • Security procedures

However, if you have fewer than 250 employees, the requirements are less onerous and you’ll only need to comply if your processing is “likely to result in high risk to individuals, the processing is not occasional, or includes sensitive personal data”. However, because the processing of employee data is likely to involve sensitive personal data, there will be an obligation on all organisations to maintain documentation, no matter what their size.

With the removal of registration and fee payment, the ICO loses its main source of income, and this could make it keener to catch organisations in breach and fine them.

Under current legislation there is no requirement to notify the ICO should you suffer a data security breach. This changes under the GDPR with the introduction of a requirement to report data security breaches to:

  • Data Controllers (if a Data Processor breaches)
  • Regulators – if a Data Controller breaches and the result is a risk to the rights and freedoms of individuals – without undue delay (within 72 hours of discovery if feasible)
  • Affected Data Subjects – where the breach could leave them open to financial loss, for example. If the risk is high, this notification must be without undue delay.

When does the GDPR come in to law?

25 May 2018

Where will the GDPR apply?

Current data protection laws apply if you are located in the EU, or make use of equipment located in the EU, such as servers. The GDPR applies whether or not you are located in an EU country – it applies if you offer goods or services to EU residents or if you monitor their behaviour.

If you want to transfer data beyond the EU (if you use a server based in the US to do your email marketing, for example) you need to ensure that the destination country has been recognised as having “adequate or equivalent” data protection regulations and you will have to ensure that suitable safeguards are in place to ensure the protection and security of the data you are transferring.

What happens if I don’t comply with the GDPR?

Currently, fines across the EU for a Data Protection Breach vary greatly with the UK having a maximum fine of £500,000 for a breach of the DPA.

One of the goals of the GDPR is to ensure that fines are consistent across national borders and to impose a significant increase in fines to emphasize the importance of good data management and security.

The new fines are to be split across two tiers:

  • Up to 2% of annual, worldwide, turnover of the preceding financial year or €10m (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers and data protection by design and default
  • Up to 4% of annual, worldwide, turnover of the preceding financial year or €20m (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights and international data transfers

The Information Commissioner’s Office (ICO) will also have increased enforcement powers and grounds for seeking judicial remedies under the GDPR, including a power to carry out audits, to require (demand) that information be provided and to obtain access to premises.

Practical Steps to prepare for the GDPR

  • Ensure that you have the resources to plan and implement GDPR requirements
  • Identify all existing data systems and the personal data processed
  • Review existing compliance programs and update/expand as required to meet the requirements of GDPR
  • Ensure you have clear records of all data processing activities and that the records are available
  • When using Data Processors, ensure you include terms in your agreement relating to immediate notification of any data breach.
  • Develop and implement a data breach response plan and have templated notifications so that staff can act promptly
  • Put internal reporting procedures in place, have an internal breach register and train staff on notification and use
  • Ensure that you have sufficient resources to implement required changes
  • Consider appointing a DPO
  • Assess whether the organisation uses consent to justify processing
  • Develop, and implement, a policy on data storage and retention
  • Review contractual arrangements with Data Processors
  • Consider Data Protection when developing new technologies, services and goods and keep clear records
  • Ensure all policies and procedures are available and written in clear, concise and easily understood language
  • Consider how you will gain consent for the use of the data you hold, and use, for advertising, marketing and/or social media
  • Examine your Privacy notices now and start updating them
  • Review privacy notices and other “fair processing” information given to employees
  • Review employment contracts, handbooks and policies. Is contractual “consent” sought?
  • Ensure that you can respond to Subject Access Requests within 1 month (no admin fee will apply under GDPR)
  • Train staff on data protection responsibilities

Summary

The GDPR will have a wide reaching impact on most businesses, both large and small, which make use of data within the organisation.

Within the GDPR there are many undefined phrases, such as what counts as “large scale” and what is “new technology” and it is likely that these will only be determined as part of case law i.e. when a company is prosecuted for a suspected breach and their defence (or prosecution) need an accurate description of such terms.

It is likely that things will change as we get closer to implementation. However, you should start your preparation as soon as possible and the ICO has published a useful leaflet called “12 Steps to Take Now” which provides more helpful advice.

Disclaimer

I’m a digital marketing and SEO professional, not a legal practice. As a consequence, this should be used as a guide to the GDPR and legal support sought to ensure that your business is in compliance.

Glossary of Data Protection and GDPR Terms

  • Consent – Permission to collect, store and use personal data
  • Data Controller – A person, or persons, who determine the purposes for which, and the manner in which, any personal data are, or are to be, processed
  • Data Portability – The ability to move data from organisation to organisation, or across nation states
  • DPA – Data Protection Act, the regulations that the GDPR replaces
  • Data Processor – Any person who processes data on behalf of the data controller
  • Data Protection Officer – Person responsible for the oversight of organisational data protection strategy and implementation to ensure compliance with the GDPR
  • Data subject – The person to whom a data set relates (you and I)
  • GDPR – General Data Protection Regulation. The name given to the new regulations relating to the way we collect, store, use and destroy data
  • ICO – Information Commissioner’s Office – body responsible for upholding GDPR
  • Personal Data – anything clearly seen as personal, including name, address and phone number, but also including IP addresses, cookie identifiers and UDIDs (Unique Device Identifiers). Expressions of opinion about an individual also count as personal data, so you need to be careful what you say about colleagues or clients in emails
  • Right to be Forgotten – The right to request the complete deletion of all personal data.
  • Subject Access Request – A request that an individual can make to find out the data that an organisation has relating to them.

WannaCry, Ransomware and Bitcoin

The recent “WannaCry” Ransomware attack that hit the NHS (and more than 200,000 other victims across 150 countries) has focused attention on the CryptoCurrency called Bitcoin.

There have been numerous calls to outlaw Bitcoin and other CryptoCurrencies, but there’s a lot of misunderstanding and a belief that they are only used to fund criminal activities.

In fact, over the last couple of years there have been numerous articles in the mainstream media about Bitcoin. Most have focused on their use by the criminal fraternity, whether for the payment of Ransomware ransoms to decrypt company data through to the purchasing of illegal weapons and drugs on the Dark Web, including The Silk Road, a dark web site where drugs, weapons and illegal services were traded online – before the site was taken down by the FBI in 2014.

However, Bitcoin, and other digital currencies, are now experiencing a significant uplift in their use for legitimate purposes and we thought that this is an ideal time to send out an explanatory email so that you can be better informed.

We’ll be looking at:

  • What is a digital/virtual currency?
  • What is a Bitcoin?
  • What is Distributed Ledger Technology / Blockchain?
  • How do I get digital money?
  • How can I spend digital money?
  • Where do I keep my Bitcoin?
  • How safe/secure is my digital money bank?

What is a digital/virtual currency?

A virtual currency is simply a digital form of money for online transactions. Virtual currencies only exist electronically; there are no bank notes or coins and no bank deposits, hence their description as a Virtual Currency.

Virtual Currencies bring innovation and benefits to more traditional forms of banking and financial systems. Transactions are much cheaper and faster with international payments being much simplified due to freedom from exchange rate worries and bank transfer fees.

This means there are no currency exchange barriers: digital currencies are genuinely international, unaffected by national boundaries, traditional currency issues and the associated exchange rate issues – until you want to exchange them for traditional cash.

The most well known Virtual Currency is Bitcoin although other examples include Dogecoin, Ether, Dash, Litecoin and Stellar.

In the early days, Virtual Currencies were seen as a way to pay for online transactions, but these days you can use them as a form of payment in physical stores. There are even Bitcoin ATMs where you can buy and sell Bitcoins from your account – there are 20 in London alone and a total of 60 across the UK.

What is a Bitcoin

All digital currencies only exist in virtual form, being recorded in a public Distributed Ledger, which is basically a secure database of digital currencies and which holds a record of every Bitcoin transaction.

Bitcoin was one of the earliest forms of virtual currency, first introduced in 2008, and is the most well known form of Digital Currency. In 2013 Bloomberg effectively endorsed the legitimacy of Bitcoin by testing Bitcoin on its trading terminals, and later that year the US Federal Reserve gave its apparent blessing, stating that Bitcoin “may hold long-term promise, particularly if the innovations promote a faster, more secure and more efficient payment system”. In 2014 our own HMRC classified Bitcoin as assets or private money, which means that no VAT will be charged on the mining of, or exchange of, Bitcoin. Later that year, Microsoft started accepting payment made by Bitcoin, and a 2015 HMRC report on digital currencies further marked the acceptance of Virtual Currencies by mainstream financial services.

What is the Blockchain

The Blockchain is a database that records all Bitcoin transactions. It’s basically a distributed database, totally separate from the banking industry and free from central interference.

Transactions are recorded in the form “payer x sends y bitcoins to payee z”, and payments are verified, validated and added to the Blockchain.

How do I get digital money

Believe it or not, it’s possible to make your own, legitimate, Bitcoin through a technique called “mining”, which uses high performance computers to carry out sophisticated cryptographic processing to effectively make new currency that’s then added to the Blockchain.

However, it’s not as easy as it sounds, and most people simply buy their Bitcoins, and other virtual currencies, through more traditional routes – including the Bitcoin ATMs mentioned earlier in this article.
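As an added illustration of the ledger and mining described above (example code written for this article, not Bitcoin’s real protocol or software), the toy Python ledger below records transactions in the “payer x sends y bitcoins to payee z” form, links each block to the hash of the previous one, “mines” a block by searching for a nonce that meets a difficulty target, and shows that altering an already recorded transaction is detected when the chain is re-verified. The difficulty target, genesis link and sample transactions are constructed for the example.

```python
import hashlib
import json

# Constructed toy ledger for illustration only; the difficulty is tiny so it runs in
# well under a second. Real mining uses a far harder target and many more rules.
DIFFICULTY = 3  # number of leading hex zeros the block hash must start with

def block_hash(block: dict) -> str:
    """SHA-256 over the block's fields (excluding its own hash), serialised deterministically."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def mine_block(prev_hash: str, transactions: list) -> dict:
    """'Mining': try successive nonces until the block hash meets the difficulty target."""
    block = {"prev_hash": prev_hash, "transactions": transactions, "nonce": 0}
    while True:
        h = block_hash(block)
        if h.startswith("0" * DIFFICULTY):
            block["hash"] = h
            return block
        block["nonce"] += 1

def build_chain(tx_batches: list) -> list:
    """Build a chain from batches of transactions; each block links to the previous hash."""
    chain = []
    prev = "0" * 64  # constructed genesis link
    for batch in tx_batches:
        block = mine_block(prev, batch)
        chain.append(block)
        prev = block["hash"]
    return chain

def verify_chain(chain: list) -> bool:
    """Check every block: stored hash matches contents, meets the target, links to predecessor."""
    prev = "0" * 64
    for block in chain:
        if block["prev_hash"] != prev:
            return False
        h = block_hash(block)
        if h != block["hash"] or not h.startswith("0" * DIFFICULTY):
            return False
        prev = h
    return True

def tamper_and_check(chain: list) -> bool:
    """Change an early transaction in a copy of the chain and report whether it still verifies."""
    forged = json.loads(json.dumps(chain))  # deep copy so the original ledger is untouched
    forged[0]["transactions"][0]["amount"] = 500
    return verify_chain(forged)

if __name__ == "__main__":
    ledger = build_chain([
        [{"payer": "x", "amount": 5, "payee": "z"}],  # constructed sample transactions
        [{"payer": "z", "amount": 2, "payee": "x"}],
    ])
    print("valid:", verify_chain(ledger), "after tamper:", tamper_and_check(ledger))
```

Re-mining the forged block would produce a new hash, but then every later block’s stored link would no longer match, which is why altering history requires redoing the work for the rest of the chain.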

How can I spend digital money

You can use Bitcoins to purchase traditional currencies, products and services and you can acquire Bitcoins in a similar manner.

Bitcoin can be traded in small fractions. These are the millibitcoin (0.001 bitcoin), the microbitcoin (0.0000001 bitcoin) and the satoshi, which is the smallest unit and is named after the inventor (0.00000001 bitcoin).

As noted earlier, transactions follow payer x sends y bitcoins to payee z format. Although transactions on the Blockchain are open to inspection, the reason why Bitcoin is so attractive to criminals is that transactions are pseudonymous. This means that “payer x” is only identified by his or her Bitcoin address.

In 2014, a Bitcoin Payment Service Provider (a PayPal for Bitcoin) started accepting Bitcoin payments for tickets and concession sales at the St. Petersburg Bowl in the USA, and in 2015 Barclays started to accept Bitcoin, the first UK high street bank to do so. Over 100,000 establishments were accepting payment by Bitcoin by the end of 2015.

You can buy technology from Aria and Dell, pre-owned technology, media and games from CeX around the UK, you can sign up for language courses, buy a beer and a meal in a pub, book theatre tickets, accommodation, home and garden furniture, new windows and much more – full list of UK companies accepting Bitcoin here.

In 2013 a Bitcoin was worth $13; at the time of writing a Bitcoin would cost $1,033.43 (£830.81), having peaked in 2017 at $1,216.73.

The downside is the lack of protection: because virtual currencies lie outside the established banking regulations, Bitcoin users are not protected by refund rights or chargebacks, and transactions are non-reversible.

Where do I keep my Bitcoin?

Your Digital Wallet stores all the information required to transact bitcoins. Although they’re frequently described as a place to hold, or store, your Bitcoins, the reality is that Bitcoins ONLY exist in the Blockchain and your Digital Wallet simply stores your credentials to access your Bitcoin holdings. It’s similar to the way your debit card doesn’t store your money but allows you to access your account and arrange for the transfer of funds from your account to that of the seller.

How safe/secure is my digital money bank

Because your Virtual Currency is held centrally, there’s actually nothing to steal, in the conventional sense.

However, your Wallet needs to be secured. You need to use a strong password – and don’t forget it, because there’s no “password recovery” routine. Lose your password and you lose your Bitcoin. You should keep your Wallet backed up, preferably in a number of locations (online, USB etc.), just as you would for your other computer data.

So, is traditional money dead?

Far from it, and it’s probably a long way from dying, simply because each country likes to have its own currency regulations in place and because of the fear associated with the disruption that Virtual Currencies will cause.

As a result, banks are making it easier for customers to spend their traditional money. We saw the introduction of cheques – now on the decline. Credit and payment cards that facilitate the easy transfer of money. Internet banking, making it easier to manage our own funds. Contactless payments speeding up transactions, Apple Pay and Android Pay facilitating payment by simply tapping your phone on a payment terminal, and the migration of these services to Smart Watches. Soon, you’ll have contactless payment capability added to pieces of jewellery (a payment wedding ring, anyone?), followed by the embedding of a suitable chip under the skin of a fingertip.

However, as world governments become more centralised, the benefits of Virtual Currencies may begin to outweigh the pressures (and costs involved) to maintain more traditional Fiat based monetary systems, and all we can suggest is that you “watch this space”.