Not literally, of course. A close contact of mine works for a tech company that recently purchased my contact’s internal department and took all the employees across under TUPE to provide the same services under a commercial contract. Unfortunately, they did too little planning and are now paying the price.
The tale so far
I’m not going to name names, not because I think anyone should be protected but because I have a pathological fear of lawyers! There is far too much blame being bandied around right now and I’d hate to find more of it attaching to me...
In short, my contact is a programming specialist and was providing data analytics services internally within a large organisation. His work was valued and he delivered what they needed, on time and in an easy-to-grasp format. Then a large private concern decided to bid for the contract to do the same work with their product and they absorbed my contact’s department into their organisation. Since then they appear to have lurched from disaster to disaster and the end client has become increasingly exasperated.
For my contact the nightmare now is that he keeps being asked to make his employer’s product deliver the service when it is incapable of doing so. The developers are having to change it on a regular basis; his bosses keep changing their instructions to him to try to accommodate what can be done rather than what really needs to be done; and everyone is threatening everyone else in the mad scramble to deliver something – anything! – in approximate compliance with the contract. It’s painful to watch.
The lessons I draw from this
Salesmen love to say, “yes”, but that isn’t always the whole truth and nothing but the truth. In complex sales, such as technical services, thorough planning, detailed understanding of client needs and a ruthless assessment of one’s own capacity and capabilities are vital before allowing anyone to answer in the affirmative. If your product should be able to deliver what the client requires but you know it cannot yet achieve that, then be harsh in your analysis of what needs to happen to make it possible – the time, the resources, the costs.
Fire-fighting in business is an enormously inefficient way to work. Good planning helps avoid this notorious pitfall and would, in this instance, have saved my contact a lot of heartache and needless pressure.
Many might say we are not heading for a downturn just yet and they could be right but we would suggest you do not ignore the vulnerabilities:
CFO survey points to defensive outlook
The Q2 CFO survey by Deloitte highlights a marked shift in the attitude of UK Chief Financial Officers towards a more defensive stance – conserving cash, reducing cost and asset disposals:
As larger corporates tighten their belts so their suppliers and partners feel the pinch – that’s you, your customers and maybe even your suppliers. Cash circulation slows down, payment terms are extended and life gets tougher for SMEs.
Action to take now
If you do not yet have robust credit management policies and procedures then now is the time to introduce some. If you already have policies in place then take the time to review them thoroughly. Pay attention to:
Plan for the downturn, enjoy the upturn
It may, of course, never happen. The economy may ride out all the vulnerabilities and shocks we have seen. Life may flow smoothly on...
However, when has a little housekeeping or spring cleaning ever been bad? If you’re prepared for the worst then you won’t be one of those struggling to catch up if things do take a dip.
If you would like to speak to us about getting prepared and what changes your business may need to ride out any economic problems then do email us at email@example.com.
We have all heard about the much greater fines that can be levied against organisations that fail to protect their customers’ data or that inadvertently disclose that data. GDPR is now here and the fines can be eye-watering. What perhaps fewer companies realise is that these fines are just the tip of the iceberg in terms of the true costs of a data breach.
I don’t plan to devote much space to the reputational risk associated with poor data security but I’m sure I would get plenty of comments if I left this off the list. You don’t need me to fill in the blanks though...
Data subjects and class actions
Messrs. Stalkem & Pounce, your eager data protection lawyers, are gearing up for the class actions that are likely to follow some of the more serious and high profile data breaches. The fines you may get from the regulator – the Information Commissioner’s Office in the UK – do not provide any immunity from legal action by data subjects who can prove loss, distress or heightened risk to themselves emanating from the disclosure of their data.
I have no real idea how substantial these damages could be in practice but there are some precedents which give an indication of what may be decided by courts:
"Awards of between £2,500 and £12,500 were awarded to six asylum seekers when their personal data was inadvertently published on the Home Office website (TLT v Secretary of State for the Home Department. Reference )". Source: Ashfords LLP.
Supplier or customer contracts
In many businesses there will be little in the way of threat from suppliers or customers taking action because of a data breach unless the data concerned was theirs. However, it is worth checking your contracts to ensure there is no 3rd party action that can be taken resulting from a data loss. It may also be worth considering whether your contracts with others should incorporate such a clause.
Could your business suffer financially, reputationally or otherwise were one of your suppliers or customers to lose data, even if that were not data you had provided them? GDPR has heightened the focus on data security but many businesses are only just beginning to appreciate the reach of this new regulation so don’t get caught out.
Credit card fines
If you take credit card payments you need to look very carefully at how you are doing this and whether you are storing such highly sensitive data. If you don’t need to keep the customers’ card details then don’t keep them – the requirement for far greater security measures will involve you in layers of cost most businesses can do without. If there is a breach and data is lost then the fines from Card Schemes – Visa, Mastercard or others – will be passed down the chain to you.
There are considerable Card Scheme fines associated with non-compliance following a data compromise; these can range from tens to hundreds of thousands or even millions of pounds. Many non-compliant merchants have ceased trading because the fines could not be accommodated. The fines are passed from the Card Scheme to the acquirer and then onto the merchant.
It is too early to tell how many businesses will be damaged beyond repair by the fallout from data leaks and breaches but there are plenty of layers to the costs that may be involved. It’s worth taking some time to ensure you understand where your organisation’s vulnerabilities lie so that these costs are, at least, well understood.
A client of ours, Calibre Facility Services Ltd, has just sponsored a choir of around 30 hearing-impaired children to defend their national title at a signing choir competition next May. We have attached the press release so please pass this on to any journalists you may know as it's a great story.
It's so lovely to see businesses supporting such worthy ventures and bringing real joy to these children.
I have copied below an email I recently sent to a debtor company that owed my client around £6,500. I am removing any names to protect the innocent and the not so innocent and I shall refer to the two businesses as Debtor Ltd and Creditor Ltd, the latter being my client (I don’t believe either of these names is taken by a real business but please accept my apologies if my searches have falsely indicated this).
Firstly, the email I sent to Debtor Ltd:
Please stop trying to dictate what we do and by when. You are no longer in a position to demand this.
We offered on more than one occasion to stop proceedings if you paid the lesser sum by a certain date. You did nothing.
You then received court papers which required a response within 14 days. You did nothing.
The upshot is that now:
• Your company has a CCJ against it;
• Experian (and, no doubt, the other credit reference bureaux) have picked this up and your credit rating has been damaged;
• There will doubtless be further deleterious effects of this CCJ as your customers, suppliers, financiers and others get to learn of it;
• Probably your staff will find themselves fielding calls from the above asking what is happening.
Our records indicate that you owe Creditor £6,xxx not the £5,xxx you have stated. I can commit the staff at Creditor to working with you to resolve this difference and to repaying any amounts determined not to be owed by you but I suggest you now clear the full amount of the judgment (£6,yyy with the costs) so that the CCJ can be fully removed and any further damage limited.
If you are unsure what to do I recommend you seek legal advice but exhorting us to action is inappropriate now.
Debtor Ltd had run up credit with my client, Creditor Ltd, whose terms of business are 30 days net. They had requested and received an extension to 5 weeks’ credit but still were not paying on time. When challenged and asked to bring the account within terms their response was that they would pay us on their terms only, notwithstanding the agreement they had reached with Creditor Ltd:
Our invoices are paid on a weekly basis, and a payment is made every Friday. These are our payment terms and this is how we will continue to pay the outstanding invoices.
They then proceeded to pay irregularly, in amounts determined by them and not agreed with Creditor.
So, we threatened legal action if they did not clear the balance. They disputed the total amount owed but acknowledged a debt of around 80% of the total but steadfastly refused to clear even this amount within an acceptable timeframe. We proceeded to issue a claim in court and, as the email points out, for some inexplicable reason they failed to respond at all. We obtained summary judgment thereby creating a County Court Judgment against them for the full amount we claimed they owe plus costs, expenses and interest.
Debtor Ltd has now paid the full amount of the judgment and will need to prove to Creditor Ltd any differences. In addition, they have suffered potentially serious damage to their reputation with customers, suppliers, staff and others which will take them some time and management effort to recover.
Despite my many years working in debt collection I can still be surprised by the naivety of many companies. Do not fall into the trap of believing that because a customer is paying you something this robs you of your right to enforce your terms of business.
If you are trying to recover money owed to you or you owe money and may be struggling to pay on time then speak to us – we cannot make all your woes disappear but we can often take one load off your mind.
Well, we’ve had GDPR for a few months now (July 2018) and gradually we’re all getting used to it albeit some of us still have a long way to go even to understand it properly. Now seems a good time to start a conversation about why GDPR is going to be good for business, good for consumers and not the ogre it has often been portrayed.
Away with the hyperbole
Data protection regulators around the EU now certainly have more teeth than was the case before May 25th but let’s not get carried away by talk of the maximum fines for data breaches under GDPR. It seems to me that the ICO (Information Commissioner’s Office) here in the UK has been at some pains to help businesses understand and implement the new data protection regulations and I suspect this approach will continue for some while. Where fines are to be levied I would expect them to be reserved for cases involving wilful and blatant flouting or disregard of the regulation. If you are planning to be in this category then open a savings account soon – you’re going to need every penny.
Most businesses will find they are sanctioned lightly in the first instance unless the breach is serious (large volumes of unencrypted data and/or data of a highly sensitive nature lost). But woe betide if you then fail to act as the GDPR is clear on the severity of any sanctions being linked to any past “form” on the part of the miscreant as well as their attitude to working with the regulator and rectifying the problem.
So wherein lies the risk?
Frankly, the biggest risks to most businesses lie in the need to respond to data subjects (the fancy GDPR term for consumers) when they ask to have copies of their data, in an electronic and portable format. For businesses that are collecting data at several different points, locations or through a variety of systems this will prove a nightmare if they have not established systems to collate all of this. And the GDPR only gives you a brief time in which to provide the data.
GDPR will be properly tested when organisations find they have to respond to requests for data held and they struggle to compile it accurately and completely within the designated time allowed.
And wherein the opportunity?
I think the best practitioners of data security and management will definitely steal a march on their less prepared competitors. As consumers become more aware of which businesses respect their data and treat it as something on loan rather than an owned asset so they will vote with their feet, as the expression goes. Trust will be built between customers and those businesses that embed respect for data throughout their organisation. Consumers will engage more openly with your content and your personnel and they will distinguish between the good, the bad and the ugly.
So let’s embrace GDPR as a good thing and learn to use it to our advantage. Let’s treat customers’ data respectfully and teach colleagues how to make the data for which we are custodians more valuable to us whilst in our hands.
Let’s stop scaremongering and start focusing on the plus side of the equation.
Many of you have probably had your fill of the General Data Protection Regulation (“GDPR”) and people telling you what you need to change in your organisations to become GDPR compliant. Sadly, I’m afraid, you have a lot more coming your way. This is because the GDPR is not an isolated piece of regulation but part of a trend, a movement if you will, towards greater data protection, data privacy and data accountability.
Technology and data
Because technology continues to develop apace – AI, Fintech, etc. – and because technology relies upon data for its basic functionality to have any use, we must expect data privacy regulations to increase in quantum, scope and power. True, not all data is personal data that can be used to identify us as individuals but a growing amount is and it is the potential for abuse of this data that concerns the authorities. To be honest, government is playing catch-up and will continue to do so as technological advancements happen. The Internet of Things (“IoT”) is just one more example of a field that few of us could have imagined a decade ago.
The movement we are witnessing as the authorities tackle data privacy issues is towards giving us as individuals (data subjects, as the GDPR calls us) greater control over who has our data, where and how it is held and used (or processed) and what we can do to prevent others from having or using our data. In effect, we are moving from an environment in which businesses could view the data they held on us as an asset with value (sometimes even as a tradable asset) to one in which they have to realise this data is loaned and not owned (I think I should copyright that!).
The GDPR II, ePrivacy Regulation and more
Preparations for GDPR compliance need to take into account the ongoing nature of this trend towards greater consumer power and the known and unknown regulations coming in the field of data protection. The best practice will be evidenced by those organisations that achieve a true culture shift within their people, away from data as simply a business tool towards one of respect for the individuals behind the data. Only by achieving this cultural revolution in data protection will an organisation be fit and ready for the oncoming waves of data protection regulation.
The EU ePrivacy regulation – or “Regulation on Privacy and Electronic Communications” – is coming soon. We don’t yet know precisely when this will become EU law but 2019-2020 seems the likely timeframe and it will expand and extend on the reach of the GDPR. Those organisations that have kept one eye on this whilst preparing for GDPR compliance will have a head start. Those that have focused solely on doing what is necessary to become compliant will constantly be playing catch-up with the authorities.
If you want to know more about GDPR, data security and privacy and how you can adapt to this changing environment then drop us a line at firstname.lastname@example.org. It doesn’t need to be painful!