Welcome To Simplydocs

What Is The Data Protection Bill 2017?

First mentioned in the Queen’s Speech back in June, the proposed Data Protection Bill was in the news again last week after the Department for Culture, Media & Sport issued a press release outlining the proposed legislation in more detail. The Bill is expected to be published in September and, given its stated purpose, should be ready for the statute book by the time the UK leaves the EU in 2019.
 

What About the GDPR?

The EU General Data Protection Regulation comes into force on 25th May 2018. This will not be affected by the new Data Protection Bill. Indeed, the primary purpose of the Data Protection Bill is to bring the GDPR into UK law so that our legal standards of data protection remain consistent with those throughout the European Union after Brexit. Not only does this mean that businesses already complying with the GDPR will face little or no disruption in transitioning from the GDPR regime to that introduced under the Bill, but it also means that handling personal data across European borders will be undisturbed by Brexit. In short, carry on preparing for the GDPR. That comes into force first, and there shouldn’t be any major differences under the new domestic data protection legislation that follows.
 

What Will the Data Protection Bill Do?

As we’ve already stated above, the main purpose of the Bill is to bring UK domestic data protection legislation into line with the GDPR. The UK’s current data protection statute, the Data Protection Act 1998, is quite literally from a bygone era and is no longer adequate to deal with current methods of data collection and processing, nor with current forms of personal data, for that matter. The Data Protection Bill will bring data protection law up-to-date and, according to the DCMS press release, will include measures to do the following:

  • Make it simpler for data subjects to withdraw their consent for the use of their personal data;
  • Allow data subjects to ask for their personal data to be erased;
  • Enable parents and guardians to give consent to data processing on behalf of their children;
  • Modernise and strengthen data protection law to fit with the digital economy;
  • Make it easier (and free) for data subjects to require organisations to disclose the personal data those organisations hold about them; and
  • Make it easier for consumers to move data between service providers.

 
(Read the press release in full here)

 

Will There Be Any Differences Between the Data Protection Bill and the GDPR?

Yes, it appears that there will be some slight differences, exercising the derogations in the GDPR that the UK government originally negotiated. This will include giving young people the right to require social media websites to delete information held about them when they reach the age of 18. The government has also stated that the derogations will allow for ‘a simpler shift for both businesses and consumers as we retain many of the enablers of processing essential to all sectors of the economy, from financial services to academic research, under the new legislation’.

 

What Should I Be Doing to Prepare?

For now, simply keep preparing for the GDPR (or start, if you haven’t already). There are no indications that the Data Protection Bill will represent a radical shift from the GDPR. As we’ve already pointed out, its main purpose is to bring UK law in line with the GDPR, subject to some minor differences which aren’t likely to make a big difference to most SMEs in any case.

In the meantime, here at Simply-Docs we will be monitoring the progress of the Data Protection Bill, as well as publishing new documents and guidance focused on the GDPR as May 2018 draws nearer. As always, if you have any thoughts or questions about the Data Protection Bill, we would love to hear from you in the comments.

Charity Fundraising and Data Protection

Damage to a charity’s reputation often diminishes the level of trust in the charity on the part of its donors and supporters, leading to a decline in funding. Reputation of a charity is a key influencing factor in a prospective donor’s decision to donate to that charity.


Damage to Reputation

Reputational damage can arise from a number of causes. For example, supporters might become aware of a serious incident which reduces their confidence in the charity. A serious incident at a charity might consist of fraud, theft, significant financial loss, abuse or serious harm of beneficiaries, links to extremism, investment in or support by an organization whose aims or activities are at odds with those of the charity, or loss of personal data (e.g. theft of a charity laptop containing personal details of beneficiaries, staff or donors, or the hacking of IT systems to obtain such details).

Improper Processing of Donor or Supporter Personal Data

Other matters can also adversely affect reputation, and in this post, we are focusing on one in particular: a charity’s failure to deal with donor/supporter data correctly. A number of well-known charities were recently fined by the Information Commissioner’s Office (ICO) for misusing donors’ personal data. Media coverage adversely affected not only the reputation of the particular charities involved, but also that of the charity sector generally.

The ICO found that the charities concerned had been using personal data of individual donors in ways which breached the Data Protection Act 1998 (DPA). The breaches comprised failure to be sufficiently transparent about the charity’s use of donors’ personal data, and failure to obtain their consent to that use of data. The charities had been sharing personal data with other charities, using personal data to estimate donors’ wealth (wealth screening), and using what personal data they had about individuals to discover missing information (data matching), all without being transparent or having consent from those donors to do so.

How Will the GDPR Affect Fundraising?

These issues have come increasingly to the fore because of the impending implementation of the European General Data Protection Regulation (GDPR) which will require all organizations, including charities, to comply with new consent and transparency requirements that will be tougher than those under the DPA. If a charity fails to comply with those GDPR requirements, there will be a consequent decline in its reputation because people will tend not to trust it to deal properly with their personal information. That distrust will have a clear and direct adverse twofold impact on donations. Firstly, potential supporters/donors will be disinclined to donate to the charity (or even make contact with it with a view to supporting it in some other way). Secondly, current or past donors will no longer be inclined to donate, and they might ask the charity to no longer contact them and to delete their personal information. In order to ensure that donations to charities do not fall due to misuse of donor information (and to avoid the risk of substantial fines for breaching the GDPR) it will now be more important than ever that charities review their fundraising practices to ensure that they comply with the transparency and consent requirements of the new GDPR in relation to personal data of donors and others. The ICO has issued draft guidance on data protection and consent under the GDPR, and the Fundraising Regulator has recently issued a best practice guide, “Personal Information and Fundraising; Consent, Purpose and Transparency”, available here, designed to help charity trustees understand their responsibilities under the GDPR.

Even if a charity has met the transparency requirement to tell individual donors that they are processing their data, what it is being processed for, and any other information needed to make it fair to process the data, the charity also needs to establish a clear legal basis for using the data. We will not try to cover that in any detail here, but in general terms this means – depending on the particular circumstances – either having a “legitimate interest” for that use, or consent to that use. Where consent is required by the GDPR (e.g. for direct marketing by electronic means), it will be express consent that will be required. This will be stricter than under the current law, and as a result it is now a hot topic. The existing DPA consent requirements will be tightened up under the GDPR so that from May 2018, the data subject must have the right to withdraw consent at any time and it must be as easy to withdraw as it is to give, and consent mechanisms will need to be genuine and granular (‘catch-all’ consents will likely be invalid), and individuals must take affirmative action to provide their consent such as signing a form or ticking a box.

What Will be the Effect of Complying with the GDPR?

There are two opposing general attitudes to these changes, and we would like to hear your views about them.

One view amongst charities and critics is that those outside the charity sector (including legislators and regulators) do not understand fundraising and have approached it in a legalistic way without taking account of reality, with the result that the GDPR and the manner in which it is interpreted by regulators will lead to fundraising being destroyed in some charities. In particular, they see “opt in” (express) consent as leading to decline in fundraising because it requires a positive act whereas the normal tendency is towards inertia. The argument is that when one looks at the donor experience in practice, donors do not need or want to have to opt in, and they would be just as satisfied with an effective system that allows them to opt out of contact quickly and easily. Those against the new strictures of the GDPR also point out that the burden imposed by the GDPR on fundraising involves charities having to spend a great deal of time and money working on implementing strategies and processes to comply.

The opposite view is that the new requirements of the GDPR actually create an opportunity for charity fundraisers to increase donations and contact with supporters. The argument is that by complying with the GDPR, charities will actually improve and increase engagement with donors, and will build and strengthen trust amongst existing and prospective donors, and that this will outweigh the issues raised by those who take a negative view of the effects of GDPR on fundraising. The proponents of this positive view say that complying with GDPR will entail charities explaining why data is being collected and what it will be used for, that this can be coupled with an explanation of how the funds raised will be used, and that this will encourage individuals to “opt in” to being contacted and to allow use of their data in the way the charity has explained.

On which side of the argument do you stand?

Small Charity Funding: Is The Decline Reversible?

There are five major risks to the wellbeing (or even the existence) of small charities in the UK: decline in funding and donations, damage to reputation, inadequate insurance cover, loss of data, and fraud.

Funding

In this post, we are focusing on funding. Many small charities are in crisis due to lack of adequate income. On average over the past three years, when earned income, voluntary income and statutory income sources are placed together, it appears that small charities have only experienced a total overall growth of 3%. What can be done to improve the situation?

Voluntary Income

The charity sector relies heavily on voluntary income. The National Council for Voluntary Organisations (NCVO) found in 2016 that the overall trend for voluntary income is that it has been flatlining for some time. This has been the experience of small charities in particular. A recent edition of a quarterly report produced by the Foundation for Social Improvement (FSI) found that total voluntary income of small charities since 2013 has only increased by 1%. This is causing increasing difficulties for many small charities trying to bridge the gap between static income and a significant rise in the demand for their services.

Why Has Voluntary Income Not Increased?

A number of factors have affected voluntary income levels. Fundraisers at small charities are having to contend with an increasingly challenging environment. Although public trust in small charities delivering local services is still relatively high, as at mid 2016 there was a fall in public trust of charities’ fundraising methods to the lowest level since 2005 (although there are now some signs that public trust is growing). There is less disposable household income than in the past, and so a lower level of donations. Corporate donations have fallen. Many smaller charities find that their message is being lost due to larger charities presenting a challenge to their fundraising efforts. There is the potential for the economy to perform less well following the Brexit referendum vote with the consequent real threat that there will be a reduction in charitable donations. Regulation of fundraising has also become tougher, and trustees’ responsibilities in relation to fundraising activities are now greater.

What Has Happened to Other Forms of Income?

Over the past three years, charities’ statutory income has dropped by 8%. Since the 2008 financial crisis, small and medium-sized charities have lost substantial income from central and local government in the form of both grants and contracts. With voluntary income of small charities remaining static or falling in some cases, many are struggling. Some small charities who have been reliant on statutory income find that their voluntary income does not sufficiently compensate for falls in their statutory income. An increasing number of small charities are having to dip into reserves in order to continue their day to day work. This trend is worrying, especially in view of the fact that a substantial proportion of small charities do not hold any reserves.

However, in contrast, over the same period the level of charities’ earned income has increased by 9%. Charities’ earned income includes fees for their services and also income from selling goods or services to raise money.

Increasing Small Charities’ Income

So, there is a need to increase income of small charities across the UK. How can they achieve an increase, and which type(s) of income can they realistically increase?

Data seems to indicate that in comparison to larger charities, small and medium-sized charities have proportionally lost more of their government income and gained less income from individuals, and they can expect to see little rise in income from donations or government.

However, small charities have increased their earned income very significantly. Although this has not been enough to cover all lost income from government, it has replaced some of that shortfall. Between 2007/08 and 2014/15, across all of the charity sector earned income from the public grew 35% while donations from the public grew only 6%. According to NCVO analysis, earned income is the best prospect for future growth.

Are small charities trying to increase their earned income? Should they try to do so further? Will they be able to do so?

It appears that some charities – especially those which have seen no increase in government funding – have set out to alter their approach to generating income. For example, charities have developed partnerships with other charities or merged with other charities, and some have made use of financial mechanisms such as social impact bonds and creation of social enterprises. Increasing earned income may involve setting up a trading arm of a charity, market research, upskilling finance and other staff, and taking greater commercial risks. It might be a new type of activity or service or it might be selling services to the public using existing expertise already used or developed within the charity.

For some charities, “earned income” is now a major part of their total income, but for smaller charities, i.e. those more likely to have lost voluntary or statutory income, it may be difficult to establish and maintain an earned income stream especially where they lack the necessary skills and resources.

What has been your experience?

Personal Liability of Charity Trustees

The House of Lords Select Committee noted in its recent Report “Stronger Charities for a Stronger Society” (March 2017, available here) that registered charities in England and Wales with an annual income of less than £100,000 make up almost three quarters of the sector.

These smaller charities contribute significantly to the wellbeing of the nation, but, given the voluntary nature of trusteeship, charities have for some time found it difficult to recruit suitable trustees. It is worth noting that the average age of trustees is 57 and rising, half of all charities have vacancies on their boards (with many struggling to fill those vacancies), the age and gender profiles of trustee boards differ significantly from those of wider society, and the recruitment problem is being exacerbated by trustees being overburdened with responsibility or regulation.

The Growing Burden of Regulation

As the Report found, being a trustee has become more challenging: the environment for charities has changed substantially (particularly as a result of increased financial pressures and significant shifts in funding models), and there are also additional legal and regulatory requirements to comply with, such as new data protection regulations and fundraising standards. The Charity Commission noted in evidence to the Select Committee that navigating these challenges required “strong strategic leadership and the ability to take managed risks; we see many boards failing to rise to the occasion”.

Lack of Knowledge of Trustees’ Roles & Responsibilities

Evidence submitted to the Select Committee indicated that many new and existing trustees were not really familiar with the role, its requirements, and responsibilities (although, following the collapse of Kids Company, trustees have become more conscious of their responsibilities). This is a problem for small and medium sized charities (as well as for some larger charities) since, irrespective of the size of a charity, the role of trustee (although an honorary position), carries with it legal duties, responsibilities, and potential liabilities, and crucially, trustee boards need to have both the necessary knowledge of their legal responsibilities and the necessary range of skills between them to enable them to carry out their responsibilities correctly.

Additional Risk of Personal Liability if Your Charity is Unincorporated

Against this background, we are concerned that trustees of small and medium sized charities often bear a potential risk over and above the risks and responsibilities borne by trustees of larger charities. This stems from the fact that rather than being set up in a corporate form (e.g. as a company limited by guarantee or as a CIO), smaller charities are more likely to be set up as “unincorporated associations” or “trusts”. As we explain below, this increased risk arises from the lack of “separate legal personality” that a corporate form provides.

Whether a charity is in corporate form or it is an unincorporated association or trust, failure of a trustee to discharge his/her governance liabilities is a personal liability of each trustee (“breach of duty” or “breach of trust”) and any resulting loss to the charity is the trustees’ personal liability. Where a trustee has acted honestly and reasonably, the Charity Commission is less likely to enforce that personal liability. Trustees will also have personal liability if the charity is insolvent and they have engaged in wrongful or fraudulent trading, or if they fail to file certain documents, or they breach certain health & safety, environmental, discrimination, tax, or other laws.

Where the charity is incorporated, its liability for debts and other liabilities incurred by it (for example, to suppliers or staff) remains its sole liability even if it has insufficient assets to meet the liability – its trustees will not also be personally liable. Establishing a charity in incorporated form will therefore mitigate potential exposure to personal liability of trustees for a charity’s debts and other financial liabilities. There has been a growing trend towards use of incorporated vehicles for charities. The usual form is the company limited by guarantee but charities may also use the CIO form introduced by recent charity legislation.

Compare this to a charity which is an unincorporated association or trust: its trustees might also incur personal liability due to the activities of the charity (i.e. not due to their own conduct as trustees). For example, a charity might provide services to a local authority, or hold a lease on premises, or employ staff. In each case, the charity will have a legal relationship under which it could become liable to another party. The trustees might also become personally liable as a result of that liability of the charity (even though they may personally have acted properly) since they are in effect the organisation and they can be sued as individuals. All liabilities of their organisation will be theirs, but they will normally not be ultimately liable (i.e. the liabilities will be met out of the assets of the charity). However, if the charity does not itself pay a debt or some other liability of the charity, and it has insufficient assets to meet liabilities, the trustees could be personally liable to the extent of the shortfall. Although it is rare, it is not impossible for trustees of an unincorporated charity to be held personally liable in this way for the activities of their charities. This was illustrated in a recent decision of the High Court in the case of Chandra v Mayor (2016) where it was affirmed that each member of an unincorporated charity’s trustee board was personally liable for the charity’s wrongful dismissal of an employee.

Should There Not Be a Level Playing Field for All Charity Trustees?

Trusteeship carries important responsibilities and that message needs to be clear. Against this, there is a need to encourage volunteers to take up trustee roles since, as the Charity Commission points out, volunteer trustees play a vital role in a sector that contributes significantly to the character and wellbeing of the country. So, if many people consider that it is reasonable to remove the potential for personal liability of trustees arising solely from the fact that their charity is unincorporated rather than incorporated, shouldn’t legislation be introduced to protect trustees from that personal risk?

We would like to hear from you on this. Do you feel that, to remove this risk from their trustees, charities should have to go to the trouble and expense of incorporating, and then incur the ongoing additional trouble and expense attached to maintaining a corporate entity, given that most charities have very limited resources? Should there not instead be a simple piece of reforming legislation which has the effect of removing this inequality between incorporated charities on the one hand and unincorporated charities on the other hand? Your thoughts, as ever, are encouraged and welcome.

Is Politics in the Workplace Giving You a Headache?

Just when you thought you’d seen enough emotively divisive politics to last a lifetime, with the election of President Trump following hot on the heels of the Brexit referendum, along comes a general election just to make sure that people’s conversations don’t stray to anything quite so mundane as the weather and the weekend’s football scores. A general election is inevitably contentious at the best of times, and with Brexit front and centre, the 2017 election is shaping up to be even more so.

Now that’s all well and good, and it’s everyone’s prerogative to hold and share their political views or – as some quite understandably choose – to switch off and filter out the noise altogether. When in the company of colleagues, however, this isn’t quite so straightforward. Politics among friends can cause enough problems, and these can become even more acute in the workplace. What, then, can employers do to keep things peaceful and productive?

Outside of the workplace, of course, there isn’t a great deal that an employer can do about their employees’ political activities unless those activities have a direct impact on their employment. An employer could, for example, take action against an employee whose political activities are bringing the employer into disrepute.

Ordinarily, however, politics in the workplace is something that should be handled with care. Even if an employee’s political affiliations may be seen as offensive, employers must take great care when considering disciplinary action or dismissal. If an employee is dismissed because of their political opinions or affiliation, the normal rules regarding unfair dismissal don’t apply: employees do not need to have had two years’ continuous employment.

There is however a line that, if crossed by an employee, entitles an employer to take action. For an employee to hold political opinions and affiliations is one thing (and don’t forget, employers can’t take any action on the basis of an employee’s membership of a particular political party), but if the expression of those opinions and affiliations crosses over into campaigning, employers are in a better position to do something about it.

As to the definition of campaigning, it can take many forms, ranging from heated political discussions between colleagues, to handing out leaflets, putting up posters, and organising political meetings. Imposing a ban on political conversations in the workplace is neither desirable nor practical, but prohibiting the more active types of campaigning is arguably quite reasonable. Politics is by its very nature a polarising subject and seems to be one that is becoming increasingly personal and, at times, hostile. By preventing staff from campaigning at work, employers can help to avoid a lot of disruption, not only to productivity but also to staff relations and morale. In more extreme cases, such behaviour could even be considered to be bullying or harassment and thus a reason for dismissal in itself. Political expression isn’t a defence to allegations of discrimination or harassment either, so be on your guard for the would-be activist on your staff that goes around upsetting everyone under the banner of free speech, and don’t take any nonsense! Action could also be taken against an employee that was found to be spending time on non-work activities like political campaigning during working hours, or perhaps using company equipment for political purposes.

As with many situations like this, it is better to be proactive than reactive, and our Political Activity in the Workplace Policy is on hand to assist, setting out the expectations and code of conduct that apply to all of your employees. Most importantly, the policy removes ambiguity by clearly setting out what is and what is not permitted and sets out the various consequences employees may face for failing to adhere to it.

It would be nice to think that after the 8th June election, politics might quieten down for a while, but with formal Brexit negotiations set to commence shortly thereafter, political temperatures seem set to remain high for the foreseeable future. Political awareness and involvement among the populace is vital, but at work it must have its limits. You can’t, after all, run a successful business if the remainers, re-leavers, and brexiteers on your staff are at each other’s throats all day long! How do you deal with political activity in your business? Is it something you would prefer to keep out? Perhaps you go the opposite way and provide specific forums for your employees to exchange and debate their political views? Your views, as ever, are welcome!

Zeroing in on Zero Hours Contracts?

According to the Office for National Statistics, over 900,000 employees in Britain are currently employed on zero-hours employment contracts. Zero-hours contracts often crop up in the news, and it’s fair to say that they’ve gotten something of a bad name – often not without good reason. Particularly with the rise of the gig economy, zero-hours contracts and other means of securing people’s labour without too much commitment have become very popular with some employers.

None of this is to say that the situation is settled, however, and some are now taking action to offer alternatives to their employees. McDonald’s, for example, recently offered fixed-hours contracts to its 115,000 zero-hours employees. According to the BBC, around 20% of employees at the Golden Arches have chosen to take the fixed-hours option (we certainly hope they’re lovin’ it).

On the political front, with a general election once again on our doorstep, the Labour Party’s 2017 manifesto includes a pledge to ban zero-hours contracts. The Liberal Democrats, while not planning to ban them, have pledged to create a formal right for zero-hours employees to request fixed contracts instead. The Conservative Party manifesto, on the other hand, is silent on zero-hours contracts themselves, but nevertheless emphasises the importance of protecting those working in the gig economy – a broad statement of policy to be sure, but one that arguably wouldn’t rule out future action on zero-hours contracts.

In October 2016, the government appointed Matthew Taylor, former policy chief to Tony Blair and Chief Executive of the Royal Society of the Arts, to lead a review of employment practices. Taylor has previously suggested improvements to zero-hours contracts including the payment of premium wages to zero-hours employees. As for the review, the deadline for the submission of evidence passed earlier this week, meaning that a final report shouldn’t be too far away. While the full results of the review have not yet been published, it is believed that Taylor will recommend a right for zero-hours employees to request fixed-hours contracts instead.

With such an emphasis on the negatives of zero-hours contracts, then, it may at first appear that the benefits are all one-sided, favouring only employers. While it is true that many employees prefer the certainty and security that zero-hours contracts simply can’t offer, there are those who like the flexibility that they provide. Indeed, according to a 2013 study (updated in 2015) by the Chartered Institute of Personnel Development, many zero-hours employees were happy with the arrangement and more content than their permanently-employed counterparts. Among the benefits, zero-hours contracts enable workers to take on a more diverse variety of work instead of being limited to one specialism or department. In other cases, they may facilitate a better work/life balance – ideal for those professionals that want to focus their energies on their families as well as their offices.

There is no question that zero-hours contracts have been used unfairly, and one may even be led to question whether their recent surge in popularity may have been buttressed by a government happy to see unemployment figures drop – even if the reality is that some of those who are “employed” have no work to do; but it is difficult to argue that the solution is simply to get rid of what can – when properly used – be a beneficial employment relationship for both employers and employees alike. What may be the better option for employers, then, is to offer employees a choice.

The future of the zero-hours contract may currently be a little uncertain; but for now at least, when used fairly and in the right circumstances, both employers and employees can benefit from their flexible nature. What’s more, thanks to the Small Business, Enterprise and Employment Act 2015, since 26th May 2015, exclusivity clauses in zero-hours contracts have been unenforceable, making them somewhat fairer than perhaps they once were.

To find out more about zero-hours contracts and to see whether they might have a place in your business, take a look at our Employment templates:

- Zero Hours Contract
- Zero Hours Policy
- Zero Hours Employment Offer Letter
- Casual Workers / Zero Hours Comparison

Does your business use zero-hours contracts? Perhaps you’re a professional that is on a zero-hours contract? We want to hear your thoughts. Not all zero-hours contracts deserve the bad rap, but with the election just around the corner, they’re in the spotlight again. Would you like to see them stick around as they are, reformed with restrictions designed to protect employees, or eliminated altogether?

Data Protection: The GDPR is Coming

In just over a year’s time, on the 25th May 2018, the new EU General Data Protection Regulation, more often known simply as the “GDPR”, comes into force. The GDPR is designed both to harmonise data protection throughout Europe and to modernise it, taking into account significant advances in science and technology that have taken place in recent years. In particular, the growth of the internet and the huge increase in the amount of personal data being transferred, stored and processed online (looking at you, cloud storage and social media), means that data protection legislation is long overdue for a refresh.

The first thing to get out of the way, since the “EU” part will doubtlessly be leading some to question whether or not the GDPR will be around for long, is that the UK government has confirmed that the GDPR will not be affected by Brexit. It is quite likely, then, that the Great Repeal Bill (see our previous post, here) will take care of that. Now we’ve said “Brexit”, we’ll move on.

Who Does The GDPR Affect?

In the most basic terms, if you already have obligations under the Data Protection Act 1998, you still will under the GDPR. The GDPR will apply to organisations operating within the EU and to organisations outside the EU that deal with individuals inside it.

What Does The GDPR Apply To?

As with the Data Protection Act, the GDPR applies to “personal data”. This is where one of the key modernisation points arises, for the GDPR expands its definition of personal data to personal identifiers such as IP addresses. Even personal data that has been anonymised – by using coding or pseudonyms, for example – may still count as personal data if it can be traced to a particular individual. In short, almost any kind of personal data, whether it was previously caught under the Data Protection Act or not, will likely be included under the GDPR.

The good news, however, for many businesses – especially SMEs – is that in the case of things like HR records, customer lists, contact details and so forth, the new definition will make little practical difference. That being said, for those who do a lot with online data behind the scenes, it’s certainly worth brushing up to be on the safe side.

Another key point to note is that the GDPR now applies to “data processors” as well as “data controllers”. Those processing personal data purely in a service provider capacity for a data controller will thus now also need to ensure compliance.

What Does The GDPR Say About Consent?

Organisations will need to be more proactive, and clearer with the language they use, when it comes to obtaining consent to the collection and processing of personal data. Individuals must know how their information will be used, and organisations cannot rely on silence or inactivity on the part of those individuals as consent. Not only that, but if the purpose for which you want to use someone’s data changes after getting their initial consent to use it, you must get fresh consent for the new use.

Again, in some cases, particularly for those who already pay careful attention to privacy and data protection, this will simply mean business as usual; but for others, particularly those who use customer data for marketing purposes, consent mechanisms may need to be re-thought, and clear, detailed information must be made easily accessible to customers, explaining the whats, whys, and hows of the organisation’s personal data collection and use.

How Will This Change The Way I Do Things?

Simply put, organisations need to take a more proactive approach to data protection, maintaining a much sharper awareness of privacy throughout their activities, systems, and projects. One key way in which this should be done is through the use of Privacy Impact Assessments, another new requirement introduced by the GDPR. A Privacy Impact Assessment or “PIA” should be conducted wherever a particular activity presents a risk of privacy being breached so as to minimise the risks to the individuals whose data is involved.

You may also have heard about the so-called “right to be forgotten”, especially in the context of search engines. The GDPR now brings this one to your doorstep too. If an individual requests that you delete the data you hold about them, you must do so.

Will I Need A Data Protection Officer?

If an organisation’s “core activities” involve the “regular and systematic monitoring of data subjects on a large scale” or the “processing on a large scale of special categories of data”, then it will need to appoint a Data Protection Officer.

This will apply regardless of the size of the organisation itself, so small businesses are by no means off the hook. Particularly as a result of the growth in online business, even small businesses with only a few employees may potentially be dealing with the personal details of thousands of individuals.

Among the Data Protection Officer’s responsibilities will be the carrying out of Privacy Impact Assessments, designed to identify and assess privacy risks for a given project which will involve the use of personal data (see above).

What If Something Goes Wrong?

If there is a data breach, the GDPR requires that the local data protection authority (in the UK’s case, the Information Commissioner’s Office) be informed within 72 hours of discovering it. Not only does this mean increased accountability, but for many this will also mean changes to internal systems, policies, and procedures to make it quicker and easier to spot and respond to breaches.

It’s under this heading that it’s also worth mentioning the F word. No, not that one (although you’d probably say it in the circumstances). Fines: that’s the one we mean. The GDPR is serious about increasing data protection, and penalties are no exception. Organisations that fail to comply with their obligations can face fines of up to 4% of their annual global turnover or €20 million, whichever sum is greater.

I’m Going To Be Very Busy, Aren’t I?

That depends. If your organisation is already taking data protection and compliance with the Data Protection Act seriously, the GDPR shouldn’t be anything to be afraid of. What’s more, you have a year to determine what changes need to be made and to make them, and provided you don’t mess about, that should be plenty of time.

Start by getting all relevant staff up to speed, appoint someone to oversee data protection, then evaluate your existing methods of data collection, obtaining consent, holding data, processing it, and handling individuals’ requests to see that data or have it erased. Your next step should be to determine what (if anything) needs to be improved and to get a plan in place for implementing those improvements in the time available. Remember the new responsibilities of data processors too: make sure that your suppliers and service providers are aware of their responsibilities under the GDPR and are taking the necessary steps to comply. Last but not least, don’t panic!

As ever, we want to hear your thoughts. Will the GDPR come as a shock to the system or is your business already hot on data protection? Do you think the modernisation of data protection law is overdue or do you see it as adding unwelcome burdens? Have you already started preparing? What steps would you recommend to other businesses?

Over the coming weeks and months we will be adding a range of new documents to our portfolio to help you get up to speed and up to spec with the GDPR, plus comprehensive new information on the various aspects of the GDPR with best practice guidance on how to comply. Stay tuned!

Residential Landlords: Comply with Housing Law or Face Tough New Penalties!

On 6 April 2017, parts of the Housing and Planning Act 2016 came into force affecting residential landlords in England (but not in Wales). Further parts of the Act are expected to take effect in October 2017.

The recent and forthcoming changes target so-called “rogue landlords”. Landlords who do not comply with their obligations under the Housing Act 2004 and other legislation may have to repay rent to their tenant or repay universal credit to the local housing authority. In addition, local housing authorities have new powers to impose financial penalties for certain offences as an alternative to prosecution.

In October 2017, we expect to see the introduction of banning orders for landlords and agents who have been convicted of certain (yet to be specified) offences.

Responsible, well-advised landlords should have nothing to fear from these new provisions which are designed to catch landlords who deliberately and persistently fail to comply with their legal obligations. But all landlords (and agents) need to make sure they know what their duties are and ensure they comply with them. Here are 10 key areas for compliance:

1. Ensure that any tenancy deposit is protected in an approved Tenancy Deposit Scheme within 30 days and that the Prescribed Information is given to the tenant.

2. An Energy Performance Certificate (EPC) needs to be commissioned before the property is marketed and a copy needs to be given to the tenant.

3. If there are gas appliances at the property, have them checked annually and give the tenant a copy of the gas safety record.

4. The tenant needs to receive a copy of either the Department for Communities and Local Government’s How to Rent: the checklist for renting in England or the Welsh Government’s publication A Home in the Private Rented Sector – A Guide for Tenants.

5. Carry out checks to ensure that each smoke and carbon monoxide alarm at the property is in proper working order on the day the new tenancy begins and confirm this to the tenant in writing.

6. Carry out regular health and safety inspections to identify hazards and deal with problems as soon as they arise.

7. Comply with any notices received from the local authority environmental health department.

8. If the property is a House in Multiple Occupation (HMO), ensure compliance with The Management of Houses in Multiple Occupation (England) Regulations 2006.

9. Ensure the tenant is given up to date information about your address for service. Keep any data you hold about the tenant safe in accordance with the Data Protection Act.

10. Use the correct procedures to terminate the tenancy. A residential tenant cannot be evicted without a court order. Serve a valid Section 21 or Section 8 notice to seek possession.

Local authorities will now find it simpler and cheaper to impose financial penalties than to prosecute landlords. We can expect to see more enforcement action. Now is a good time for landlords and agents to review their systems and ensure that they are compliant with the law.
What do you think about the new penalty regime? Will it be an effective means of dealing with rogue landlords? Are “good” landlords coming under too much pressure from recent government reforms? Please comment below!

The Great Repeal Bill

Last week the Department for Exiting the European Union took the wraps off an historic White Paper entitled Legislating for the United Kingdom’s withdrawal from the European Union. Over the course of its thirty-nine pages, the Department, headed by the Brexit Secretary, David Davis MP, lays out its plans for The Great Repeal Bill, a piece of legislation that will transfer all EU legislation to which the UK is currently subject, onto the UK statute books.

So what does all this mean? The proposed title of the Bill has an almost Victorian grandiosity to it, for sure, but will it do exactly what it says on the tin?

First of all, the Great Repeal Bill will not exactly “repeal” EU legislation in the sense that we will no longer be subject to it; quite the opposite in fact. This may be bad news for those eager to be free of excessive red tape (more on that below), but the alternative would be chaos as nobody would know what they were supposed to be doing and two years is not even close to being long enough to draw up replacement legislation (which would likely end up looking quite similar anyway). The main purpose of the Bill will in fact be to essentially copy and paste existing EU law into UK law. Whatever EU laws we are subject to at 11:59pm on our last day as EU members, we will still be subject to (albeit with some technical alterations to make it function properly in the UK as a standalone nation) at the stroke of midnight.

Sounds simple enough, right? Well, no, because simply running EU legislation through the proverbial photocopier wouldn’t work. Numerous pieces of EU legislation, for example, refer to the involvement of particular EU institutions and others work on the basis of the UK being a member of, or having access to, certain EU systems. This is where one of the proposed Bill’s more controversial aspects comes into play. Using secondary legislation, the Government will be able to make alterations to the law where necessary, using a much quicker and less-scrutinised procedure than that used for ordinary primary legislation.

It is the special powers over the use of secondary legislation that so far seem to have a lot of people hot under the collar. Many see it as a subversive move by the Government to scrap aspects of EU legislation that it simply doesn’t like or that lobby groups would rather see consigned to the waste paper basket. Indeed among the more hysterical of social media posts are those calling out the Government for wanting to use the special powers to eliminate human rights protection and to scrap the NHS. Perhaps there’s another version of the White Paper out there that enunciates these despotic plans, but here at Simply-Docs the version we’ve read hints at nothing of the sort. The stated aim of the Great Repeal Bill is to ensure that the Government has the necessary power “to correct or remove the laws that would otherwise not function properly once we have left the EU”. For anything that goes beyond transposing EU law into UK law, normal primary legislation will be required and, as per the White Paper, “the power will not be available where Government wishes to make a policy change which is not designed to deal with deficiencies in preserved EU-derived law arising out of our exit from the EU”. Furthermore, the White Paper makes it clear that the special powers will be time-limited and will not exist beyond the period needed to ensure the clear and certain legal transition. The proof of the pudding, of course, is yet to be seen and it is to be hoped that the drafting of the Bill will be carefully scrutinised in Parliament to ensure that the powers are tightly controlled in line with the intent stated in the White Paper.

As for the courts, the buck currently stops with the Court of Justice of the European Union when it comes to EU law. To simply remove and forget this status after the date of our departure from the EU would again stand to create a great deal of uncertainty. Judgments of the Court of Justice handed down prior to our departure, therefore, will continue to be referred to in post-Brexit cases and will be given the same status as a judgment from the UK’s Supreme Court. This doesn’t mean that they will be set in stone for all time, but it does mean that any interpretation of an EU-derived law will remain consistent after Brexit and that those decisions may – like any other Supreme Court decision – be departed from in the future by the Supreme Court “when it appears right to do so”.

What Does This Mean for Business?

It is fair to say that the EU has long been seen as a mixed blessing in the business world. Some see a large, attractive, and accessible market, not only in terms of potential customers, but also in terms of access to a broad and diverse labour market. For others, complaints about the regulatory burden and excessive red tape are commonplace. Even notable Remainer Nick Clegg has previously spoken of the need to reduce bureaucracy in the EU and to “end any unnecessarily meddling” where small businesses are concerned (see his 2014 comment in The Guardian here).

Excessive red tape or not, however, from a legislative point of view, it is clear that any predictions (or hopes) that such burdens would be reduced by Brexit are not to be. On reflection, such expectations were arguably highly unlikely to come to fruition in any case; any UK business wanting to trade within the EU would surely need to abide by broadly the same standards and rules as its EU counterparts, and now the Government has confirmed precisely that with its White Paper and its plans for The Great Repeal Bill.

The Great Repeal Bill White Paper is an important step in giving us a clearer picture of what post-Brexit life will look like, but until negotiations with the EU begin in earnest, at best this only represents one piece of a much larger puzzle. As ever, then, we want to hear from you. How do you feel that EU regulation has impacted your business, for better or for worse? Were you hoping to see a reduction in regulatory burdens as a result of Brexit and, if so, how do you feel now about The Great Repeal Bill? Was this the outcome you had hoped for, or would you have preferred to start from square one with new laws written from the ground up?

For now, there remain an almost infinite number of unanswered questions; but now that the Article 50 process has begun and we have a better idea of what will happen with our laws, perhaps the mists will begin to clear. As always, Simply-Docs will be keeping a close eye on developments to ensure that our templates and guidance are kept up-to-date, as well as providing news, views, hints, and tips right here on our blog!

Made in Britain: Will You Be Using the Label After Brexit?

The CBI has expressed concerns that manufacturers may run into problems using the “Made in Britain” label after the UK’s departure from the EU is complete and has called on the government to ensure that exporters will be able to continue taking advantage of the status.

The problem stems from the so-called rules of origin which determine where products are made.  For products consisting of only one component, or only of components manufactured in the same country, the answer will be straightforward of course; but for those consisting of multiple components made in different places, problems may arise.  While Britain remains a part of the EU, it does not affect a product’s “Made in Britain” status if different parts are imported into Britain for final assembly.  After Brexit, however, the devil will be in the detail and precisely how much of a product is made here will have an important impact on its status.

What’s the big deal, then? Why does it matter whether your goods are made in Britain? Particularly in a post-Brexit economy, a “Made in Britain” label may be seen not only as a source of pride or a perceived seal of quality, but also of confidence: a reassurance that Britain is standing on its own two feet in the world, that our manufacturing industries are succeeding, and that jobs, skills, and ethics are safe.

What’s more, from a trading and exporting perspective, the importance of the label goes far beyond symbolism.  A key part of the Brexit negotiations will, of course, be some kind of free trade agreement.  In order for goods to be shipped under (and thus to benefit from) a free trade agreement, a certain amount of their value must have been created in the exporting country; in this case, Britain.  This stands to affect not only goods whose Britishness is an important part of their identity, but also those goods which form part of international supply chains.

As reported recently in The Times, the CBI and law firm Clifford Chance have jointly released a paper stressing the importance of the issue, effectively holding the government to its stated goal of securing a “bold and ambitious” free trade agreement with the EU.  Britain will need free trade deals with the countries with which it currently has them as a member of the EU and, ideally, an agreement will be reached with the EU that enables British manufacturers to continue to source components from EU member states in the same way that they do now: that is, with those components still counting towards the all-important “Made in Britain” status (and indeed vice versa).  As The Times article points out, however, there is little precedent for such a scenario and the EU would need to renegotiate its existing free trade agreements in order for it to work.  It certainly goes without saying that this issue will make trade agreement negotiations more complicated.

Britain may well be heading for the exit, but this will not change the fact that a major portion of the UK’s trade is with EU member states, and while it is perhaps arguable that manufacturers of larger items such as cars face the biggest potential impact from this issue, many SMEs also trade across borders and may also find that their supply chains, not to mention their branding, could be facing a shake-up unless Brexit negotiations go as the CBI and Clifford Chance hope.

Time will tell, but in the meantime, we want to hear from you.  Does “Made in Britain” form an important part of your business’ identity? Does your business form a part of, or rely on, an international supply chain? Have you thought about the possible impacts that Brexit will have on your business?  Whether you see Brexit as a positive or a negative, one thing is certain: the business landscape is changing and it will be important for businesses of all shapes and sizes to prepare over the next two years.  Stay tuned to the Simply-Docs Blog for more updates, more Brexit Notes, and, of course, keep an eye out for our Alerts and Newsletters for details of changes to our documents as the muddy waters of post-Brexit rules and regulations begin to clear.
