8 Common Myths Surrounding IP in relation to Small Businesses


Intellectual Property or IP is the general term for a group of rights used to protect intangible property, such as copyright, designs, patents and trade marks.

As we move more and more towards online and technology businesses, the main way to protect assets is via intellectual property rights.

Each of these is worthy of a blog in its own right and there is some useful information explaining the different rights on the IPO website: https://www.gov.uk/government/organisations/intellectual-property-office and the British Library: https://www.bl.uk/business-and-ip-centre/industry-guides

On this World Intellectual Property Day I thought it would be useful to go through 8 common myths around IP in relation to small businesses.


Myth 1

There is an image of my favourite TV character on social media so surely I can use it

Film and TV characters belong to the company that created them, so although there may be a photo or clip of a character (e.g. Homer Simpson) that demonstrates exactly how you want your business to look and feel, and you would like to use it on your social media post to demonstrate this, you don’t have the right to do so (even if everyone else has used it). This is known as copyright infringement.

Myth 2

I can use a name similar to a well known brand name, especially if I am a small business

In a recent case a convenience store in North Tyneside that called itself “Singhsbury’s” had to change its name. This is because the sign had an orange and yellow background with white writing (in other words it looked like Sainsbury’s). Even though Singhsbury’s was a small business, Sainsbury’s threatened legal action. Using the same or a similar name to a well known brand can be a trade mark infringement or ‘passing off’ (i.e. pretending to be another business and gaining the benefit of their reputation).

Myth 3

I have a brilliant idea, that is totally unique, so nobody can copy it

Unfortunately there aren’t any IP rights that protect an idea (only how it is expressed). This can be easily seen on Saturday night television by the number of different singing/talent shows. They all have the same idea; however, each one is technically different, e.g. one has a judging panel and another has swivelling chairs. If you have a great idea then the best way to protect it is to keep it confidential until you are in a position to express and exploit it in your own way. If you watch Dragons’ Den this is one of the reasons why they always ask people if they have IP protection.

Myth 4

If I ask someone to design or create something for me I own the IP rights in it

If you are asking someone to design or create something for you then they automatically own the rights, so you need to make sure that the contract ‘assigns’ the IP rights to you.  This applies to a range of things such as product design; website build & creation; app design; and branding & logos.

Myth 5

I created a great product for my old company so I can use it (either for myself or by selling it to others)

If you create something whilst you are an employee the company automatically owns the rights to whatever you created when you were employed by them.  This was recently demonstrated in the case of an employee from a company called Waymo (that is owned by Google) who set up his own company based on the self-driving technology he created whilst at Waymo.  Uber then bought the company that the employee set up.  Waymo brought legal proceedings against Uber for breach of confidentiality and theft of trade secrets.  This was settled out of court (presumably to keep the details of the technology confidential) and cost Uber hundreds of millions of dollars.

Myth 6

I have lots of contacts in my current job that I can use in my new business

Your current employer will own the IP in its customer lists and databases so you cannot just take this information with you.  This is because they are usually considered to be a trade secret so you cannot assume that you can just contact people.  Most employers will also have a clause in their employment contracts stating that you cannot take this information in order to compete with them (even if you don’t consider your new business to be in competition with your old employer).

Also, individuals now have greater protection over their personal data so you cannot use it without their permission under the new General Data Protection Regulations (GDPR).

Myth 7

That I can use a brand name in my SEO to improve my rankings

Although it is easy to use brand names, especially when you are limited to key words when doing SEO, you cannot do so.  This can be trade mark infringement as you don’t have the right to use the name and you are taking advantage of the reputation and ranking of the brand name to improve your own business.  For example, if you are an app developer you cannot necessarily use iOS or Android in your SEO.

Myth 8

If I buy luxury goods at a low price I can re-sell them online 

If you buy goods that are branded, particularly luxury goods (including cosmetics and perfumes), you cannot assume that you can sell them online in a commercial capacity. Luxury goods makers can ban the sale of goods online to protect their “aura of luxury” based on the value of their trade mark and branding.

If you would like any more information about how Intellectual Property rights issues may affect your business please contact me: samantha@so-law.co.uk

This blog is a general summary of the law.  It should not replace legal advice tailored to your specific circumstances.

© SO Law 2018

Be a Star @GDPR

Why be a Star @ GDPR?

Because if you don’t you could face fines of up to 20,000,000 Euro and/or suffer damage to your reputation/brand that could lead to the loss of customer confidence in your products/services.

Data protection laws don’t just apply to marketing and big data businesses; GDPR actually specifies that it applies to micro, small and medium-sized enterprises.

What is GDPR?

GDPR are the new data protection regulations that are being brought in to tighten up on the protection of personal data and come into force on the 25th May 2018.

They state that GDPR/data protection now needs to be implemented by design and default.  This means that it needs to be at the heart of decision making processes that involve any personal data (and not an afterthought) and that such decisions need to be documented.

GDPR states that you need to implement appropriate technical and organisational measures such as pseudonymisation (i.e. information for attributing personal data to an individual is kept separate).

It is also necessary to have sufficient cybersecurity to protect an individual’s personal data.

Under GDPR, personal data now includes anything that makes an individual identifiable, so as well as the obvious things such as name and address it also includes things such as location data, IP address, cookie identifiers, photos, genetic material or cultural and social identifiers.

This means that it covers everything from email lists and CRM (Customer Relationship Management) databases to images and videos you post on social media.  It also includes the systematic monitoring of a publicly accessible area such as CCTV.

What Do I need to Know about GDPR?

Personal data has to be processed lawfully, fairly and in a transparent manner.

There are 6 legal bases on which personal data can be processed:


•Consent;

•Necessary for the performance of a contract;

•Compliance with a legal obligation;

•Protect the vital interests of the individual;

•Performance of a task carried out in the public interest; or

•Legitimate interests.

GDPR emphasises protecting an individual’s rights and freedoms in relation to their personal data, so in order to process personal data you must first choose one of these bases.

In addition, personal data can only be collected for specified, explicit and legitimate purposes, limited to data that is adequate and necessary for the specified purpose, and kept for no longer than is necessary (i.e. you can no longer just collect individuals’ personal data for the sake of it).

One of the most common bases for processing personal data is consent; however, GDPR makes it clear that consent must be via an affirmative action (e.g. ticking an opt-in button) and it must be (i) freely given; (ii) specific; (iii) informed; and (iv) unambiguous. In other words you need to tell individuals exactly what data you will be collecting and what you will do with that data (including informing individuals of the other people or companies that you will give the data to).

If you are processing data of a child (an individual that is under 16 years of age) then you need to get parental consent.

If you are processing personal data of employees then the UK government could bring in additional requirements, so you may need to seek advice with regard to this.

What Rights Do Individuals Have Over the Processing of Their Personal Data?

As already mentioned, individuals have enhanced rights with regard to the processing of their data, i.e.:

•Access their data in an easily accessible form;

•Request confirmation as to whether or not their personal data is being processed; 

•Rectify any inaccurate data;

•Erasure of any of their personal data (aka the Right to be Forgotten);

•Restrict the processing of their personal data;

•Object to the processing of their data;

•Withdraw their consent to you processing their data at any time;

•Portability of their data; and

•Not have a decision made about them based solely on automated processing (aka profiling).

An individual can exercise these rights by submitting a request in writing (aka a Subject Access Request or SAR).

You have to respond to such SARs using clear and plain language without undue delay (and in any event within one month) and this now has to be done free of charge.

If you don’t comply with any of these requests an individual has the right to lodge a complaint with the Information Commissioner’s Office (ICO).

An individual also has the right to seek a judicial remedy (i.e. sue you/your company) separate to making a complaint to the ICO.  This means that an individual can get damages (monetary compensation) from you, as well as you receiving a fine from the ICO.

What Do I Have to Do?

You need to implement appropriate technical and organisational measures in order to show compliance with GDPR and be able to demonstrate that the processing of personal data is done in accordance with GDPR.

You need to make sure that you have appropriate data protection policies in place.

You need to ensure that any third parties that process personal data on your behalf also comply with GDPR; this includes any software service provider that carries out certain functions on your behalf (e.g. payroll).

You need to notify the ICO asap in the event of a personal data breach and not later than 72 hours after becoming aware of it. If the breach is likely to result in high risk to the rights and freedoms of an individual then you also have to notify them asap.

You need to carry out a Data Protection Impact Assessment if the processing is likely to result in high risk to the rights and freedoms of individuals (e.g. large scale processing, profiling, processing sensitive personal data).  This must be done before the processing takes place.

You need to appoint a Data Protection Officer if you carry out regular and systematic monitoring of data subjects on a large scale or large scale processing of special categories of data.

You need to comply with additional provisions if you are going to transfer data outside of the EU/EEA.  It is not clear how this will apply to the UK post Brexit.

What Next?

If you have any concerns please contact me at: samantha@so-law.co.uk.
