Intellectual Property, Non-UK Virtual Assistants, and GDPR Compliance: Three Legal Insights

Hello, and welcome to our weekly LinkedIn newsletter!

Every Thursday, we share three valuable insights based on discussions during our Savvy Shay Business Club. This week, we cover important topics like intellectual property ownership, working with non-UK virtual assistants, and GDPR compliance. Keep reading to learn more!

And if you want to join our thriving membership and get answers to your burning business questions,?apply here?where you can try it out for just ￡1 for your first month. Let's get started!

I am providing courses to an organisation that wants to employ me but I am concerned about owning the IP in materials that I create. I know that employers typically own the IP in works created by employees, so is there anything that I can do about this??

To safeguard your copyright for future courses developed by you while employed, consider the following:

1. Is it actually an employment relationship? It may be that the relationship is actually one of self employed contractor, in which case you would own the copyright in your courses unless you assign the copyright to the employer or any other third party. You can check using our employment status checklist and also use the HMRC’s status indicator tool - https://www.tax.service.gov.uk/check-employment-status-for-tax/disclaimer
2. Understand copyright fundamentals: In the UK, creators of original work automatically own the copyright in that work (without the need for registration). However, employers generally own the copyright for work created during employment unless otherwise agreed upon.
3. Discuss employment terms: When negotiating your employment contract, address your concerns about preserving copyright ownership for your course materials. Attempt to agree on terms related to intellectual property ownership, ideally with an express provision that all courses and materials created by you are owned by you (and that the company will make any necessary assignments to effect this) or if that is not possible, you could discuss co-ownership, licensing rights, or revenue-sharing for courses developed during employment.
4. Document agreements: Ensure that any agreements related to intellectual property ownership and protection are in writing, either as part of your employment contract or a separate document. Written agreements offer legal evidence to support your claims if needed.
5. Record your work: Keep thorough records of the course materials you create, including drafts, creation dates, and relevant communications. This documentation can help in proving your contributions and supporting any copyright claims.

2. If I use a VA from Fiverr, and they are not based in the UK, how does it work in terms of letting them have access to my systems/patients’ data from a legal/GDPR perspective? Is there anything else I should be aware of??

When working with a non-UK VA, make sure you follow UK data protection laws, including the GDPR and the UK Data Protection Act 2018. Here's what you should be thinking about:

1. Get a written Data Processing Agreement with your VA that covers all of the things prescribed by the GDPR. There is a template for this in the GDPR module of the Small Business Legal Academy.
2. Check if the country in which the VA resides has adequate data protection according to the UK government.? The countries that have currently (as of March 2023) have had adequacy granted are:

• Countries within the EU
• Countries within EFTA (Iceland, Norway and Liechtenstein)
• Andorra
• Argentina
• Canada (for commercial organisations)
• Faroe Islands
• Gibraltar
• Guernsey
• Israel
• Isle of Man
• Japan (private sector organisations only)
• Jersey
• New Zealand
• Switzerland
• Uruguay
• South Korea?

If the country in which your VA resides isn't on the list, you will need to use other safeguards such as the International Data Transfer Agreement (IDTA) - otherwise you will be processing personal data illegally - there is a template for this in the GDPR module of the Small Business Legal Academy.

3. Only give your VA the minimum amount of personal data needed to do their job, as per the GDPR's data minimisation principle.

4. Make sure there are solid technical and organisational security measures in place to protect the personal data your VA works with. This could involve secure communication, encryption, access controls, and regular security checks.

5. Ensure your VA knows they must keep the personal data they work with confidential.?

6. Inform your VA about GDPR's data subject rights and how to handle requests from individuals about their data.

7. If your VA suffers a data breach (eg a hacking, or loss of files or devices that aren’t properly password protected etc), your VA should let you know as soon as possible, and you should have a plan in place to deal with such situations. There is data breach training within the GDPR module of the Small Business Legal Academy.

8. Keep records of your data processing activities, including the use of a VA, as required by GDPR. There is a data inventory and record of processing within the GDPR module of the Small Business Legal Academy.

9. You might need to update your privacy policy to let data subjects know about your VA and how their data will be processed by your VA.

10. Be aware that, as a data controller, you could be held responsible if your VA doesn't comply with the GDPR.

3. If someone unsubscribes from marketing emails then at a later date buys a product or service, is the soft opt-in relevant, or should they stay unsubscribed because they clicked the unsubscribe link on a previous marketing email?

In the UK, the Privacy and Electronic Communications Regulations (PECR) allow organisations to send marketing emails to customers who've made a purchase, as long as those emails are about similar products or services and customers had a chance to opt-out when providing their contact information and on each subsequent email. This is known as the ‘soft opt-in’.

However, if someone has already unsubscribed from marketing emails, it's a good idea to respect that decision and not send them more marketing emails, even if they buy something later on. Once a person unsubscribes, they're essentially saying they don't want marketing emails. If you ignore an unsubscribe request and keep sending marketing emails, you could face complaints and penalties.

That’s your Three Things Thursday!?

Hope it’s helpful - and remember that if you need more support - with templates, asking me individual questions or our extensive trainings on all areas of business law that are important to small business owners, you know where I am!?

Join our Savvy Shay Business Club for just ￡1 for your first month,?apply here!?

Don't miss this opportunity to get the legal support you need to grow your business.

Suzanne Dibble