Website-related Risks
Almost every business has a website, which provides businesses with immense access to individuals and markets across the world. A website is nearly indispensable to the operations of a business. Yet, operating a website is not without its own legal risks as well. In fact, the risks that accrue to operating a website could well be more than what you would expect.
In this article, we examine the legal risks behind operating a website, and how these risks may be managed.
Data Transfer Agreement
Many businesses are heavily reliant on personal data to fuel their operations and revenue streams. For example, technology companies such as Facebook rely on personal data to generate advertisement revenue. Even where your business model is not personal data-intensive, you are likely to collect and process more personal data than you would expect.
It’s not uncommon to procure the services of third parties, for the purposes of storing and processing personal data. A data transfer agreement sets out the obligations of this third-party service provider and is crucial in ensuring that you do not fall foul of data privacy laws.
Personal Data Risks
Businesses often collect and process individuals’ personal data for the purposes of their operations, and businesses often use websites to collect personal data. Indeed, personal data may be crucial to the operations of a business.
Yet, the emergence of high-profile data breaches in recent years has resulted in increasing clamours for a greater emphasis on the individual’s right to privacy. This has resulted in an increasingly strict data privacy enforcement climate across the world.
This means that businesses that rely on websites to collect and process personal data may face hefty sanctions if they fail to comply with data privacy laws and regulations.
One key measure that businesses can adopt to mitigate the risks arising from data breaches is to publish a legal notice on their websites requesting for users to provide their consent to the business collecting and/or processing their personal data for specified purposes.
This is on the basis that as jurisdictions seek to adopt a coordinated approach towards data privacy enforcement, one concept holds true across data privacy regimes worldwide – the requirement for consent.
Third-Party Content
While it may be necessary to publish third-party content or links to external sites to facilitate business activities, there is a risk that such content or external sites may contain information that is false, offensive or even malicious in nature.
Under such circumstances, the business that operates the website may run the risk of being liable for making false/offensive statements or even perpetuating the transmission of malware. This could lead to heavy penalties and even a damaged reputation.
To exacerbate the situation, the business that operates the website may not have the ability to control the nature of the content being posted by users on its website, or the content of external sites. This means that the business may expose itself to massive risks that it is in no position to eliminate.
One measure that businesses may wish to adopt to mitigate such risks is to set out various disclaimers of liability with respect to their third-party content and/or external sites linked to their website. These disclaimers may be reflected on the website’s terms of use.
Privacy Laws
What is personal data?
Described as “one of the hottest commodities in 21st-century commerce” on TodayOnline (a Singapore newspaper), personal data is defined widely under the laws of many jurisdictions to encompass data that can be used to identify an individual.
Accordingly, personal data potentially covers an extensive range of information – not just information such as names and contact details. The ambit of personal data could even include information such as a person’s bank account number.
Understanding what personal data constitutes will then equip you as a founder, to note the depth of privacy law obligations that your Startup is subjected to.
Know your privacy obligations
There has been a general proliferation of increasingly stringent privacy obligations amongst jurisdictions across the world. One pertinent example that has resulted in companies all over the world scrambling to update their privacy policies is the infamous General Data Protection Regime (GDPR).
This proliferation has followed hot off the heels of the growing pervasiveness of the internet in every aspect of our lives (think social media, e-commerce, internet banking etc).
In this regard, it is imperative for every business to understand its privacy obligations. Indeed, the privacy laws of certain jurisdictions may apply across borders and may even apply to businesses that do not operate in such jurisdictions.
Please do engage a lawyer to advise you on your privacy obligations – money spent to prevent liabilities that may arise from your failure to comply with your privacy obligations is money well spent.
Data collection
As a general rule of thumb, your company should collect no more personal data than is absolutely necessary, to operate your business.
In ensuring that your company’s actions are in line with the above, make sure you take some time to consider what data is essential to your organisation before taking steps to collect it.
Data disclosure and usage – informing and obtaining consent
For some companies, data disclosure and usage are part and parcel of their business. Some examples include omnipresent social media sites like Facebook and LinkedIn.
While your Startup may not necessarily fall within the ambit of the above-mentioned, data disclosure and usage can still happen. In fact, data disclosure and usage happen more often than you would expect.
In doing so, it is vital that you take note of the following (some might say, stringent) obligations:
● Informing the individual of the company’s intended purpose for disclosing and/or using his/her personal data;
● Obtaining the individual’s express consent to disclose and/or use his/her personal data for such purposes; and
● Where the company intends to disclose and/or use the individual’s personal data, the company may do so solely for the purposes for which the individual has been informed and where the individual has provided his/her express consent.
Implement security measures
Even if you have been religiously compliant with the applicable privacy laws, a data security breach can still be a problem. A company is typically required to implement adequate measures to ensure the security of personal data in its possession. What constitutes as “adequate” would depend on a multitude of factors, such as:
● The nature of the personal data (e.g. how sensitive it is);
● Whether the personal data is contained on your IT systems; and
● The volume of personal data in your possession.
Basic measures to protect personal data may include:
● Ensuring that all virtual databases that contain personal data are password protected; and
● Limiting access to databases that contain personal data to only a select group of people within your organisation.
If you are not a whiz at IT and prefer not to deal with technical jargon like “databases” and the like, it may be prudent to enlist the services of a privacy consultant to ascertain the measures that your company should implement, and how such measures should be implemented.
Responding to data breaches
Whilst prevention is certainly better than cure, the possibility of data breaches can never be completely eradicated.
In this regard, it is important to implement adequate measures to ensure that any data breaches are swiftly and adequately dealt with so that any damage is limited as much as possible.
Basic measures that a company may adopt to facilitate swift response to data breaches include:
● Requiring all employees to make a report to a designated person immediately upon discovering a data breach; and
● Implement measures to communicate the occurrence of any data breaches to all your personnel as quickly as possible.
Have a privacy policy in place
To ensure that you and your company’s personnel adopt a uniform approach towards the handling of personal data, it is crucial to formulate an organisation-wide privacy policy.
Such privacy policy serves various important functions, including:
● Setting the tone across your company with respect to how seriously privacy obligations are taken; and
● Communicating your company’s protocols with respect to dealing with personal data and handling personal data breaches.
The provisions of such privacy policy may be made legally binding if they are incorporated into the terms of your personnel’s employment contract/service agreement.
Have robust data protection clauses in your contracts
With the prominent international hotel group Marriott being fined nearly US$123 million following a data breach where the personal data of 399 million guests was breached, it is clear that the liability arising from personal data breaches could potentially be very high. With that in mind, your company’s contracts should contain robust data protection clauses to ensure adequate protection.
At the barest minimum, these clauses should set out clearly:
● Each party’s rights and obligations with respect to personal data
● The consequences of each party’s failure to comply with its privacy obligations.
Train your personnel
One of the biggest causes of data breaches is human error. Your company can have the most innovative policies and the most advanced computer programmes with respect to data protection. Yet, a chain is only as strong as its weakest link, and the weakest link in the chain of personal data protection is often the humans behind the system.
In this regard, it is vital that you keep your personnel updated, reminded and adequately trained on your company’s data protection practices and platforms.
Organise personal data
In certain jurisdictions, companies are required, upon request, to provide each individual with his/her personal data in an accurate manner.
It is good practice for your company to keep organised records of all personal data that has been collected so that personal data can be easily accessed and accurately disseminated.
Risks Associated with Collecting Personal Data
Risk 1: High costs of compliance
Companies that collect personal data are required to comply with a wide range of data privacy regimes across the world. This is due not only to the cross border nature of personal data transactions but also due to the extra-territorial nature of various data privacy regimes.
In this regard, it would be prudent for companies to make reference to the high watermark of data privacy standards across jurisdictions, in order to ensure compliance with all regimes. This means that the costs that companies would need to expend to comply with such standards could potentially be high. In particular, data privacy regimes across the globe generally require companies to adopt measures to safeguard personal data in their possession.
Depending on the amount of personal data in the company’s possession, the potential costs that a company may incur in drawing up such security measures (e.g. state of the art technology) could be very high and could prove to be a drain on the financial resources of a company.
Risk 2: Greater accountability to individuals
Collecting the personal data of a large number of individuals also means the companies will need to be accountable towards more individuals over how their personal data is used.
Data subjects may even have the right to request for companies to provide information on how their personal data is used, and companies are required to provide such individuals with accurate information on this – this may depend on the jurisdiction as well as the nature of the personal data in question (i.e. whether the personal data is particularly sensitive, such as where it relates to matters such as the individual’s religion, sexual orientation etc).
A failure to provide accurate responses within a stipulated timeframe may expose companies to severe liabilities.
Risk 3: Data breaches
Companies that suffer a data breach and are found to have failed to implement adequate security measures could be subject to very stiff penalties from regulators.
Even if a company is not found to have been liable for such breaches, the negative publicity surrounding such data breaches could have a huge impact on the company’s reputation in the marketplace.
Such negative effects on the company’s reputation could result in individuals refraining from furnishing their personal data to the company moving forward, and this may hurt the company’s operations and revenue streams.
Risk 4: Wide definition of personal data
The risks that we have highlighted above are exacerbated by the fact that personal data is generally widely across many jurisdictions. The general definition of personal data is “data that can be used to identify an individual”.
Accordingly, personal data potentially covers an extensive range of information – not just information such as names and contact details. The ambit of personal data could even include information such as a person’s bank account number.
What this means then, is that companies remain susceptible to the risks that we had highlighted above in relation to a wide range of data. Companies should thus be extremely careful to ensure that their data collection and processing practices as a whole remain stringent and top-notch.
Conclusion
Being on the right side of website security and compliance can go a long way. Make sure your businesses website is 100% foolproof when it comes to all website-related risks.
Needless to say, our solution comes with a 24/7/365 helpline whereby one of our legal professionals can assist you with any queries that you may have.
Check out our Website terms checklist.
WHAT’S NEXT?
When it comes to legal basics, it can seem overwhelming at first. But, it doesn’t have to be. GLS offers a host of free Startup resources to help set you on your way. You can also browse our list of over 200 Legal Templates and Tools, to choose the products your Startup needs at each critical stage of business.
We also offer a wide range of subscription based Legal Support Plans created specifically for Startups who want a 360 degree service in creating their own virtual legal dept.
*The above content does not constitute, nor is it offered as, legal advice of any kind. GLS Solutions Pte Ltd is not a law firm and any support provided pursuant to this entity is not regulated legal advice or legal opinion.