Data Protection Impact Assessments or DPIAs

Data Protection Impact Assessments or DPIAs
Recently, the European Union, under the General Data Protection Regulations, require Data Protection Impact Assessments in order to be compliant leaders in the technology world. Translation: We need to make sure we have our finger on the pulse of any application or system integration involved with IllumiDesk.
While the legal requirements may seem cumbersome, the need is quite apparent. A DPIA ensures all the necessary controls are in place to cover your most important assets - personal information.
For more information, check out: DPIA Policy DPIA Procedure DPIA Form
DPIA General FAQ
What is a Data Protection Impact Assessment (DPIA)? A DPIA is a tool that is utilized to identify and analyze risks for individuals, which exist due to the use of a certain technology or system by an organization in their various roles (as citizens, customers, patients, etc.). On the basis of the outcome of the analysis, the appropriate measures to remedy the risks should be chosen and implemented. A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation is required.
DPIAs are addressed in Article 35 of the GDPR.
When is a DPIA required? A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 35(1)), but processors must continuously assess the risks created by their processing activities to identify when a type of processing requires them to conduct a DPIA. The questions in pay to procure process are to assist you in assessing whether a DPIA is required and should be re-evaluated periodically in light of the list of processing operations that the Supervising authority deems subject to the requirement of a DPIA.
The assessment of whether there is a need for a DPIA, as well as any required DPIA should be carried out prior to processing.
Why is a DPIA Conducted? A DPIA aims to accomplish two outcomes:
1.Identify the risks associated with processing the collected personal data
2.Establish mitigation strategies and tactics to lessen the identified risks
Who is involved in the DPIA process? The GDPR establishes that data controllers are responsible to carry out the assessments. Controllers also seek the advice of the data protection officer and "where appropriate" seek the view of data subjects themselves. (Article 35(2) and (9).)
At IllumiDesk, the DPIA process is initiated by a tool's Business Owner during the Procure to Pay Process, during which the Business Owner must complete a Data Protection Impact Assessment issue template.
IllumiDesk's DPIA Process FAQs
Who is responsible for the DPIA? Ultimately, the Business Owner of a tool is the DRI for completing the DPIA. However, there are steps that require input from others at IllumiDesk, including the Privacy Officer and the Data Protection Officer (DPO). The DPIA issue template will walk you through the steps and instruct you on who to consult with for each step. It is important to understand that while the Business Owner is responsible for moving the process forward through the steps, there may be steps during which someone else becomes the DRI for making decisions to address concerns in that step.
What is considered "personal data"? Article 4 of the GDPR sets out the definitions for the law. The first definition is that of "personal data."
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Article 4(1).)
What is considered a "high risk" to rights and freedoms? The GDPR does not define "high risk," but The European Commission has issued Guidelines on Data Protection Impact Assessment [DPIA] and Determining Whether Processing is "Likely to Result in a High Risk" for the Purposes of Regulation 2016/679. Please review pages 9-12 of this guidance to see included categories, as well as more tangible examples of "high risk."
CAN-SPAM
Since I live in Minnesota, it seems appropriate that I alert people to the nuances of canned spam; but as a lawyer, it is probably more important that I let you know about CAN-SPAM. One of these items is very salty; the other is meat in a tin. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) came into effect in 2003 and impacts all mass electronic marketing communications (among other things).
CAN-SPAM sets forth certain requirements that must be honored when sending out mass emails and other marketing materials. They may seem simple but, much like canned spam, there is more than meets (meats?) the eye.
Keep the header honest. The reader needs to be able to identify who is sending them messages. The email address of the sender should properly denote IllumiDesk as the sender of the company material.
Keep the subject line honest. Don’t mislead the reader or otherwise use deceitful or inaccurate subject lines to compel someone to open the email. Be honest, impactful and short. You can create urgency but, most importantly, create value. In fact, the more authentic and clear the email, the less likely it is to be marked as spam or junk mail.
Admit that it is an ad. This doesn’t mean that you have to go over the top and begin each Subject Line with “Hello, I am an advertisement.” It just means that the sender has to know it is marketing material sent by IllumiDesk. Put it in the subject line or put it in the body - just put it somewhere.
Location, location, location. Primary rule in real estate and an important rule in spam laws. There needs to be a valid business address listed in the emails. This helps ensure that if that Nigerian Prince were to send out an email on IllumiDesk’s behalf - the recipient has a clear and legal point of reference to double check the authenticity of the sender.
Opt-out options are not oppressive. When people receive mail that they don’t want, there must be an easy way to unsubscribe from the lists. And “easy” means my grandmother should be able to figure it out as quickly as my 15-year old nephew. In some jurisdictions, every email sent after an opt-out is selected is subject to a fine.
Opt-outs need to be quick. Ideally, an opt-out will occur automatically or within a business day or two. If you take more than ten (10) business days to remove an email from a mailing list, things will get messy quickly.
Stay Diligent. If you use a third party to manage business emails, be aware that IllumiDesk could still be on the hook for any wrongdoing. Make sure that any mass communications are reviewed by someone knowledgeable in the spam laws.
We care about our customers and their protection is our focus. But, if creating transparent and open relationships with our customers isn't your concern, then be aware that failing to comply can cost a lot of money on a per email basis - up to $41,000 per violation. That adds up quickly.
The rules are simple and something each one of us would appreciate in our own inbox.
Cookies and Consent
I was happy to learn that if someone tries to give you a cookie, they have to get your consent. I was a crazy diet and, despite my attempts to eat healthy, offers of Oreos kept surfacing. Cookies can be detrimental if not kept under control.
Electronic cookies are the same.
Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications. PECR sets specific rules around marketing, secure communication services and customer privacy (as regards traffic and location data, itemised billing, line identification, directory listings) and - you guessed it - cookies (which is broadly defined).
There are important factors to consider with cookies in general. If you use cookies you must: •say what cookies will be sent; •explain what the cookies will do; and •obtain consent to store cookies on devices.
PECR expands the definition of cookies to include “similar technologies” like fingerprinting techniques. Therefore, unless an exemption applies, any use of device fingerprinting requires the provision of clear and comprehensive information as well as the consent of the user or subscriber.
Consent is not required if the cookie is used: “(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.”
Please note that cookies for analytics purposes are not “strictly necessary”.
PECR applies to any technology that stores or accesses information on the user’s device. This could include, for example, HTML5 local storage, Local Shared Objects and fingerprinting techniques.
Device fingerprinting is a technique that involves combining a set of information elements in order to uniquely identify a particular device. Examples of the information elements that device fingerprinting can single out, link, or infer include (but are not limited to): •data derived from the configuration of a device; •data exposed by the use of particular network protocols; •CSS information; •JavaScript objects; •HTTP header information, •clock information; •TCP stack variation; •installed fonts; •installed plugins within the browser; and •use of any APIs (internal and/or external).
It is also possible to combine these elements with other information, such as IP addresses or unique identifiers, etc.
PECR also applies to technologies like scripts, tracking pixels and plugins, wherever these are used.
If you provide cookies that fall in these categories, consent is required. You never who is on a technological diet. Ask before you give them a cookie.
Contract Details
I went to eat at a restaurant last week and the menu didn’t have any prices on it. I was so excited to find a luxurious place that didn’t care about money! I thought “Wow! Great food and all in my price range!” Man, was I surprised. I was informed by my dinner guests that the lack of prices wasn’t a sign of gratuity.
I then had to ping the waiter to get the going rate for chicken, a ballpark estimate on soup and the blue book value on beef. After interrogating the poor waiter for a great deal of time, I finally settled on a nice side salad for my meal along with the restaurant’s finest l’eau de la tap. I pretended to thoroughly enjoy the evening even when the bill came. Who needs new tires or brakes, anyways? They’re overrated. As I slid home with my doggie-bag of croutons rolling on my floorboard, I realized that the restaurant wasn’t the best fit for my needs.
What does this mean to you? Expectations. The number one cause of corporate litigation isn’t bad sales people (as many lawyers might argue) or bad lawyers (as everyone may argue) – it is the misunderstanding of expectations. The contract is just the sword and shield wielded when the misunderstanding escalates.
So let’s talk about some fundamentals of contract terms and why those horrible lawyers wield them.
Price - If a contract lacks a price (or a mechanism for objectively ascertaining price) then the contract isn’t valid. If I agree to sell you my Defibrillator Toaster, the primary thing you want to know (aside from what is a Defibrillator Toaster) is how much does it cost? If I get so crazy or convoluted with a pricing structure that a reasonable person cannot understand the cost, I could lose the validity of the contract. No price, no deal.
Delivery – Just when is that toaster going to arrive? If it is not in the contract, I can hold the toaster until I’m 100. “Yeah. I said I would sell it to you but not this year.” Sounds crazy. It is. But it’s there because it happened frequently enough that courts just eventually wound up requiring some objective form of delivery to stop people from getting money right away for something they don’t plan to deliver until ten years later. Accounting rules also require clarity here, so have mercy on accountants.
LOUD NOISES – THESE ARE ALL THOSE CONTRACT TERMS IN THE AGREEMENT THAT ARE ALWAYS PUT IN CAPITAL LETTERS. DO YOU KNOW WHY? BECAUSE APPARENTLY LOTS OF PEOPLE SAID THAT UNLESS YOU ARE SCREAMING AT THEM, THEY DIDN’T REALIZE THE TERMS WERE THERE. WELL, THE YELLING IS RESERVED FOR THE BIGGEST OF THE BIG. [SO IF YOU ARE EVER TOO TIRED TO READ AN ENTIRE CONTRACT, FOCUS ON THE SCREAMS.] WE DON’T PAY FOR EVERY SINGLE THING THAT COULD POSSIBLY GO WRONG BECAUSE OUR PSYCHIC APP EXTENSION IS STILL IN DEVELOPMENT. WE AREN’T GOING TO FUND A CORPORATE RETREAT IN FIJI FOR SOME OTHER PARTY FOR SOMETHING WE NEVER SAW COMING OR WAS UNRELATED TO OUR PRODUCT. UNLESS YOU CLARIFY THIS, UP FRONT, SOMEONE WILL ALWAYS EXPECT YOU TO BANKROLL A PROBLEM. WE HAVE TO BE CLEAR HERE.
MORE LOUD NOISES – WE DON’T PROMISE OUR PRODUCTS WILL MAKE ANYONE LOOK YOUNGER, RUN FASTER OR CAUSE PATIENTS TO ACT LIKE THE SIX MILLION DOLLAR MAN OR BIONIC WOMAN. OUR PRODUCTS DO WHAT THE DOCUMENTATION SAYS THEY WILL DO. NOTHING MORE.
UNDER WARRANTY, CUSTOMERS GENERALLY ASK FOR TWO THINGS: WARRANTY OF MERCHANTABILITY AND WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. MERCHANTABILITY MEANS THAT WE ARE PINKY-SWEARING (AT THE RISK OF LOTS OF MONEY) THAT THE PRODUCT WE PROVIDE WILL PERFORM EXACTLY THE SAME WAY IT PERFORMS IN EVERY OTHER ENVIRONMENT. THAT’S A SUPER TRICKY PROMISE TO MAKE SINCE NO TWO CUSTOMERS ARE IDENTICAL.
FITNESS FOR A PARTICULAR PURPOSE MEANS THAT WE ARE CROSSING OUR HEART (AT THE RISK OF LOTS OF MONEY) THAT THE PRODUCT WILL DO EVERYTHING THAT THE CUSTOMER EXPECTS IT TO DO - EVEN IF THEY HAVEN’T TOLD US THOSE EXPECTATIONS. SO, UNTIL THE IllumiDesk PSYCHIC APP IS RELEASED, WE HAVE TO AVOID THIS ONE, TOO (OR OTHERWISE DO A MAGIC 8 BALL INSTALL).
HERE’S ANOTHER JEDI-CONTRACT TRICK: IF YOU DON’T EXPRESSLY STATE THAT NO OTHER WARRANTIES APPLY THEN OTHER WARRANTIES WILL APPLY (EVEN THOSE NOT WRITTEN OUT). CONFUSING, LAWYERS MAKE IT.
Governing Law – We like to be certain of where any lawsuit may take place. Think of it as wanting home court advantage. Even without the advantage, could you imagine having to travel to all fifty states or to dozens of different countries to deal with lawyers? Scary, right? Not only is it expensive, it is completely unpredictable. We might as well just try our odds at Vegas versus securing consistent verdicts in California, Louisiana and Delaware [For OUS, it would be like trying to get consistent verdicts in France, Russia, Germany and Zimbabwe.] It’s not a reflection on any particular system other than that they are all very different. You may win big but you may also lose big for the exact same issues.
Zombie Clause – this is to make sure that some things still haunt you long after the contract is dead. We don’t want our customers buying our stuff, promising not to reverse engineer it, cancel the contract and then yell “Psych! It’s our IP now!” Canceling a contract doesn’t cancel the obligation to protect our IP or maintain confidentiality. These things survive after the death of the contract – like Jason or Freddy or most other horror movie characters.
STOP YELLING AT ME – I FORGOT ABOUT INDEMNIFICATION. THIS IS WHERE WE PROMISE TO PAY FOR LAWSUITS THAT A CUSTOMER MAY HAVE. IF WE DON’T CLARIFY HERE, WE COULD BE PAYING FOR THINGS UNRELATED TO OUR PRODUCTS. YEAH. IT’S A REAL BIG DEAL; EXPENSIVE, TOO. IN FACT, THIS IS ONE OF THE MOST EXPENSIVE PROVISIONS IN A CONTRACT.
Intellectual Property – By Intellectual Property, I mean patents, copyrights, trademarks, trade secrets, pictures, videos, sounds (ummm, not sure what kind of sounds we’ll make…but they're ours!!) I had to deal with a great many patent lawyers to make sure that we have a competitive advantage. Dealing with all these lawyers has aged me considerably. Did you know that I am only 21? So, we need to protect our IP out of respect for our work, oh, and because it gives market differentiation. Any attempt to sell or give away IP ownership has to have to permission of the highest levels of management. (By highest, I mean by rank, not altitude.)
Confidentiality – I can’t talk about this. I am pretty sure most all of you know why we have this. If not, send me a coded message and we can meet in an undisclosed Caribbean island, at your expense, to make sure you understand this need.
Subtext – Many people are unaware of the legal baggage that accompanies many phrases. For instance:
When you see “Time is of the essence”, you may think. I guess they are in an eloquent hurry. Nope. When you see that phrase, it means a late delivery is a material breach of contract and, DEPENDING ON HOW MUCH YOU SCREAMED EARLIER, you could be on the hook for damages. So, Herbal Essence, okay; Time is of the essence, ugh.
When you see “best efforts”, you may think that you should try real hard. Nope. This phrase means that you will go as far as bankrupting the company before you fail on that effort. It’s not logical but it keeps lawyers employed; so we like it. In fact, it’s like a legal booby-trap. Those without lawyers may get caught in the snare.
When you see “I’m fine. Forget about it.” You had best be buying flowers and chocolate because you’re in trouble.
*While these are just some high level things to consider when reading a contract, some restrictions may apply. Not available in all countries. Quantum materiae materietur marmota monax si marmota monax materiam possit materiari? Si Hoc Legere Scis Nimium Eruditionis Habes
Trademarks
A trademark is a word, symbol, device, or any combination used to identify and distinguish one's goods or services from others. It is a form of Intellectual Property and it has value; so much value that using someone else’s trademarks improperly or failing to protect your own can cost companies large amounts of money.
I bring this up because I am thinking about selling soda out of my garage to offset my wages. For fifty cents (the money, not the rapper), you can get my Yummy Upper Cola. Now, the adventurers out there may feel compelled to imbibe my crazy new concoction but I recognize that the majority will most likely default to the more well-known and established brands. The certainty of the name ensures certainty of the product; and therefore, the certainty of the sale.
That said, I am still confident that my soda with its secret sauce handed down from a guy I met at the airport will astound you. I just need to finalize the name and build the brand.
There are important things to consider when settling on a name and ensuring I get the most value from my mark as possible.
Strength: The ideal trademarks are fanciful or arbitrary. Fanciful is just a nice way of saying “made up”. This category includes marks like Kodak, Xerox, iPod, Lego, etc.; you know, those words that had absolutely no meaning before they were trademarked. Arbitrary just means that the name and the product are not generally found together or otherwise related. For instance, computers and apples generally don’t go together (unless you happen to be a tech-savvy Adam and Eve); therefore, Apple has a very strong mark. When trying to decide is a mark is arbitrary, consider this: if the company name and the product were SAT or ACT questions, they would be tough (if not impossible) to answer. To demonstrate: Shell is to gasoline as Dolphins are to __; Hertz is to cars as Digestion is to ____; Amazon is to Shopping as Urology is to ______. The mere arbitrariness of the marks makes them difficult to penetrate (and to word associate).
Use: Unlike patents, in order to protect a trademark – you must use it. You can’t register it and then let it sit on the shelf until you decide what to do with it. It must be used AND it must be used in the manner with which you said you would use it. I can’t name my soft drink Yummy Upper Cola and then label the bottle “YUC”. I need to use the words I trademark and I need to trademark the words I use. When actually using the mark, the best protection for the mark is to use it as an adjective. Once you start using the mark as a verb or a noun – you make it generic. You can’t enforce generic. Even fanciful words can become generic if used improperly as a verb or noun. Think about it, how often have you used a Q-Tip to clean your ears while Rollerblading? The resulting fall required you to apply a Band-aid, wipe your tears with a Kleenex while Tasering those who laughed at your misfortune. If you doubt that these words are trademarked, Google them. Misusing even a great trademark can make it so common that it can get difficult and expensive to protect.
Market: Don’t think that just because you got a trademark that no one else in the world, country, state or neighborhood can use that same word. There is Delta Airline, Delta Dental and Delta faucets. The key distinction here is likelihood of confusion. If you see “Delta” on a plane – you know that it is the airline company. If you see “Delta” on a sink faucet, is there a real likelihood that you would expect frequent flier miles from it? Probably not. So two very different companies can use the same name because most people are smart enough to realize that these are very different companies.
While you can have the same word for different markets, you can’t have different words for similar markets if those different words are similar to a trademarked word (back to that likelihood of confusion standard). If I decided to take my soda sales global – I would not be able to trademark Boca-Bola, 6Up, 7Down or Spite. While none of these names are currently trademarked - and they are quite fanciful or arbitrary – they present a risk of confusion. The names are close - and close counts in horseshoes, hand grenades and trademarks.
I should note that trademarks aren’t just words. Owens Corning trademarked the color pink for insulation. No other company can make insulation that color. If you ever see insulation that is pink – you know who made it. But if you see the singer Pink, there is no of confusion, she doesn’t sell insulation. John Deere trademarked a specific color of green for farm equipment. McDonald’s has the Golden Arches. Sounds can be trademarked. NBC trademarked the chimes that you hear during intermissions, Intel has a trademarked sound. Shapes can be trademarked! One of the most famous non-word trademarks is the shape of a Coke bottle. Once you start getting into how something looks – it is called trade dress. Trade dress is just a fancy term for trademarked product presentation. If my sodas were sold in curvy bottles, I would be poking the seltzer giant. I would be infringing.
Registration: Another thing to consider is if I should register the mark. In some common law countries (such as US, UK, South Africa, Australia, et al), those who use the mark first get protection. (These trademarks are denoted by a “TM”.) Admittedly, it can get difficult to determine when that first use occurred; so registration in common law countries helps to clear that date issue up. In any non-common law country, the first to file owns the mark. To set a date certain and own the mark, marks get registered. If a mark is registered, it gets an “®”. [That is a R with a circle around it for those with struggling eyes.] The catch here is that when you put that R on your mark, you are in essence screaming “Mine, mine! I own it here!” The problem with this attestation is that if I registered my soft drink in Canada but I send the bottle marked Yummy Upper Cola® to Germany, the Germans could easily yell at me “Das ist nicht richtig!” They would be right, I wouldn’t be right. The mark isn’t registered in Germany, so the R suggests a sort of untruth. To combat this confusion, whenever you use an R for a mark, you should also state where the mark is registered. ”Yummy Upper Cola is registered in Canada and may have protection in other countries.” That way, the Germans know that I am not trying to con them. I can either use the R for my sales in registered countries and no mark everywhere else or just use the caveat.
Cultural Significance: Last but not least, cultural sensitivity is critical. Any attempt to market globally and/or translate trademarks must be met with heightened attention. As my “YUC” moniker is unlikely to draw a positive response, many other companies have attempted to trademark words and failed miserably.
Coors put its slogan, "Turn it loose," into Spanish, where it was read as "Suffer from diarrhea".
Clairol introduced the "Mist Stick", a curling iron, into Germany only to find out that "mist" is slang for manure. Not too many people found a use for the "manure stick".
In Chinese, the Kentucky Fried Chicken slogan "finger-lickin' good" came out as "eat your fingers off".
An American T-shirt maker in Miami printed shirts for the Spanish market which promoted the Pope's visit. Instead of "I saw the Pope" (el Papa), the shirts read "I saw the potato" (la papa).
In Italy, a campaign for Schweppes Tonic Water translated the name into "Schweppes Toilet Water".
Pepsi's "Come alive with the Pepsi Generation" translated into "Pepsi brings your ancestors back from the grave", in Chinese.
When Parker Pen marketed a ball-point pen in Mexico, its ads were supposed to have read, "it won't leak in your pocket and embarrass you". Instead, the company thought that the word "embarazar" (to impregnate) meant to embarrass, so the ad read: "It won't leak in your pocket and make you pregnant".
The Coca-Cola name in China was first read as "Ke-kou-ke- la", meaning "Bite the wax tadpole" or "female horse stuffed with wax", depending on the dialect. Coke then researched 40,000 characters to find a phonetic equivalent "ko-kou-ko- le", translating into "happiness in the mouth".
Like with any conversation, it is critical to be aware of how your words are received in different cultures. Enjoy the education! TM
Secret Reseller Man
“Secret Reseller Man, they've given him a number and taken away his name.” Hmm. Something doesn’t sound quite right there. Oh, yes! It’s Secret Agent Man! Clearly Agents and Resellers are NOT synonymous. It totally screws up song lyrics. But what are the distinctions? I am so glad you asked because I currently need to sell my stash of glow in the dark toilet paper and this is the perfect opportunity. I am selling it for $5 a roll and I have a hundred rolls.
So, you know about my inventory. You know people that would love this toilet paper. You have contacts. You tell me that you want to be my reseller. Resellers buy from the Manufacturer and, you guessed it, resell the product. As my reseller, I would sell you my toilet paper at $4 roll. I’m giving you a reduction in price because you are saving me time and money in chasing down buyers. Once you buy my toilet paper, it’s yours. I can have no control over what you decide to do with it - except, if you do something illegal with it. If you do something illegal with it, I just might have full liability. This is why the most critical part of our arrangement is my demand that you not do anything illegal with the toilet paper I sell you.
Aside from requiring you to not break any laws, once you buy my toilet paper, I can have no more control with what you do with it. I can’t tell you how much to sell it to others, I can’t tell you to combine it with other products, I can’t tell you where to sell (or not to sell). For all intents and purposes, it is yours. If you want to use the toilet paper as decoration at a party - Mazel Tov. If you want to wear it as headwear - Oo La La. I don’t want to know who your customers are or what they paid. They are your problem! Your agreements are your to manage. The customers will transact directly with you. And, if the customers get mad, it is you they will sue. If I were to try to start dictating what a reseller can and can’t do, I could trigger antitrust laws. Antitrust laws would get us both in hot water.
Think of all the things you have bought in your life. Can you imagine how horrible and controlling it would be if anything you tried to resell was subject to the manufacturer’s control? Garage sales would be a legal nightmare. “Yes, Pierre, I would love to sell you this used monitor of mine but the manufacturer insists that I charge you $300.” Wills and trusts would be bureaucratic due to the minimum exchange amounts and new terms..it would be silly.
An important fact to note is that because I am selling to you, you are major customer of mine. Why does that title matter? Because I cannot PAY customers to buy from me; no one can. This is called a kickback. If you pay a reseller, you could run afoul of anti-bribery laws.
Resellers make money by buying low and selling high. (You can choose to buy high and sell low and I can’t stop you. Not the greatest idea but, hey, it’s your problem once I’ve sold to you.) Resellers control their own sales, revenues, losses and markets. A good reseller makes a profit running their business.
Now, you could decide to be a representative or agent for me. This is different than a reseller. As my agent, you would have all your friends call me to buy my toilet paper at $5 a roll directly from me. For every roll that I sell, I will pay you $1 commission. The difference here is that the agreement is between me and the customer. You wear my hat and hold yourself out as an extension of me. I pay you a percentage of the sales; but those sales are at full price.
If you were my agent and did something pretty bad, the customers would sue me directly. Sure, I would probably make sure that I had a strong indemnification clause in my agreement with you to make sure you cover me but I am 100% on the hook with the customer issues.
What about distributors? Can you be, won’t you be - my distributor? The nuance here is that a distributor is a glorified reseller. Where a reseller sells to the end user, distributors sell to resellers.
Why would anyone care about these nuances? Because the relationship will govern the contract terms. The relationship also governs which laws apply.
If you are reselling or distributing, it is critical that I give you the right to resell. It is critical that I demand you comply with anti-corruption, anti-bribery, anti- slavery/human trafficking and export laws because I have no insight into what you are doing but I could face civil and criminal if you do something illegal. I want to make sure that you know that I am not paying you, I will not control you and my toilet paper is $4 a roll for you. I also need to clarify certain responsibilities. Since the reseller has the relationship with the customer, any rights that go with the product also need transfer rights. For instance, while the customer may only know the reseller, the right to customer support from me may need to be flowed down to the end user; or do I want the reseller to be first line support? So many questions.
The distribution agreement has a bit more complexity because there is one more party between me and the end wiper. The rights need to be transferred more than once.
If you are my agent, I need to set very clear expectations. If you are holding yourself out as an extension of me, I have standards that must be met. You need to understand and agree to those standards. I can control where you sell, to whom you sell and for how much you offer the product. Since my contract is directly with the customer, you don’t need any specific rights as it relates to the product.
Ultimately, the key to remember is that a reseller is a customer who is going to resell the product. They buy at a lower (transfer) price and run free (within the bounds of the law). Resellers negotiate directly with the customer and they bear most of the risk.
Distributors resell to resellers. The distributor and reseller (in their own agreements) allocate risk between and among themselves. The ultimate sale to the end user is under a reseller agreement.
The manufacturer is liable for the bad acts of its resellers and distributors, its own actions and product liability. The distributor and reseller are on the hook for most everything else.
Representatives or agents facilitate sales between the manufacturer and end user and they are paid a commission. Agents don’t absorb much risk as this acts like a direct sale. The manufacturer is on the hook for everything. This sounds scary but since a manufacturer can exercise control over an agent, it is a risk that is easier to mitigate.
In the time it has taken me to write this, I have already blown through most of my inventory. Hopefully, I can still sign you up as a reseller for my remaining rolls.
For more information, see the Partner Code of Ethics
Export
I grew up in a time where the only social media we had were comments written in yearbooks and on bleachers. Thank goodness those embarrassing pictures of me never made it to the eternal technological world. You know those pictures - the ones taken right after you made a profound statement such as “Here, hold my beer…” or “That’s nothing, watch this…” Inevitably, what followed was always incriminating.
Don’t get me wrong, those pictures still exist. They remain hidden in a photobox in the depths of my personal archives. There are a few, select people with whom I share these most embarrassing moments. That said, there are some people who I will never share those photos; specifically, my ex, those who live in my ex’s house and Sid.
You could say that I have imposed export restrictions on the pictures for those people and areas. My photos can be shared with anyone EXCEPT those I have specifically embargoed or denied.
Governments throughout the world pose similar restrictions (not on my pictures, on their technology). Various countries state that if the technology is of their origin, it falls under the laws of their country.) It isn’t just a United States thing, most countries have restrictions. Even Canada has rules about their technology and Canada has to be one of the nicest countries in the world. Who doesn’t like Canada?
Well, IllumiDesk US technology is subject to US law. Much like I say that you can’t send my pictures to anyone at my ex’s house, US law states you can’t send their technology to Iran, Sudan, Syria, Cuba, North Korea or the Crimean Region of the Ukraine. Much like I say that you can’t show my pictures to my ex or to Sid, US law has a list of entities to whom they prohibit passing the technology.
A prohibition is a prohibition. You can’t find loopholes. For instance, if I say you can’t send those pictures to my ex, you can’t try to get all creative by giving him a tour of my house and just showing him the pictures while he is here. You can’t take pictures of my pictures and forward those. You can’t have a sketch artist recreate renderings of the photos. Same with export. If you can’t send the technology to a country or a person, you can’t let them see the guts of the technology through other mechanisms. There simply aren’t loopholes in export law. The only way you can get around the restrictions is to get permission from the government directly. This permission is provided in the form of a license.
Violating my picture restrictions will definitely get you in trouble. There will be stern lectures, cold stares followed by serious silence. Violating export laws can result in civil and criminal penalties for the officers of the company and (in case you really don’t care what happens to the officers) the individuals involved.
Let’s keep things on the up and up - don’t violate either.
For more information, check out: Export Policy Export Procedure
Data Protection Impact Assessment (DPIA) Policy
UX Department
Last modified 2yr ago
Copy link
Contents
Data Protection Impact Assessments or DPIAs
DPIA General FAQ
IllumiDesk's DPIA Process FAQs