Welcome To Simplydocs

Category : Business News

Brexit Notes: No-Deal & Company Law

The UK is scheduled to leave the European Union on 29 March 2019 by virtue of having served a formal notice under Article 50 of the Treaty on European Union to terminate its membership of the EU.

At the time of writing, it is still not clear whether this departure will be delayed, accompanied by a ‘deal’ smoothing the exit through a transition period or whether the UK will leave the EU in a ‘no-deal’ scenario.

This note focuses on the potential company law impact to UK private limited companies of exiting the EU in a no-deal scenario. It is important to remember that this is a fluid situation with events changing rapidly; however, the good news for UK incorporated private limited companies is that whilst many other legal areas may be subject to quite significant change, UK company law is not expected to be immediately affected even in the event of a no-deal exit.

The Companies Act 2006

The key legislation governing and regulating English and Welsh companies is the Companies Act 2006. This includes the types of companies that can be incorporated, their liability, the role of Companies House, directors’ duties, and the rules on accounts and audit. Whilst some parts of the Companies Act 2006 are derived from EU Directives such as shareholder rights, the majority of English company law is not derived from EU legislation. The Companies Act 2006 will, therefore, continue in force as at present and no-deal will not of itself change the legal status of UK incorporated companies. However, the company law form of a European Company (‘Societas Europaea’) will no longer be available in the UK.

Third Country Companies

Notwithstanding the expected limited effect on private limited companies, it is worth noting that following Brexit, UK incorporated companies will become ‘third country’ entities as far as European law is concerned. The significance of this is that Member States will not be obliged to recognise the legal personality and limited liability of companies which are incorporated in the UK but have their central administration or principal place of business in another EU Member State. There may be recognition by individual Member State’s national laws or under international law, but this is a point of uncertainty.

UK companies being considered third country entities will also affect a UK company’s ability to undertake a cross-border merger within the EU and rely on group company account exemptions if it has an EU parent. Similarly, UK incorporated companies with branches in other EU Member States will no longer benefit from favourable rules applicable to branches of third country companies. These are, however, issues that will most likely affect large companies or listed PLCs, rather than SMEs operating solely within the UK.

Trading and Commercial Impact

As the legal impact (at least initially) is expected to be limited, probably the biggest issue that UK private limited companies face is the commercial uncertainty that Brexit and particularly a no-deal Brexit may bring.

As yet, no one knows the trading terms that will take effect post-Brexit, and this could lead to both broader economic uncertainty within the UK as well as specifically impacting certain companies whose business model and strategy is more vulnerable to certain goods and exchange rate fluctuations. This is of course not something that anyone can yet predict with any certainty.

UK companies can therefore only adopt a ‘wait and see’ approach whilst trying to be aware of the vulnerabilities that their companies may face in the light of a potential no-deal Brexit.

Brexit Notes: No-Deal & Consumer Rights

As 2019 dawned, there was hope in some quarters that a renewed commitment to common sense might have dawned with it and that our intrepid politicians might return to work determined to agree upon a way forward for Brexit. It is quite clear, not least in light of the House of Commons’ rejection of the Government’s Brexit deal on 15 January, that this is not to be.

Talk of ‘no-deal’ is far from new; however, for a long time, it has been reasonably easy to dismiss a no-deal scenario as unrealistic. Now, however, with less than three months before the UK leaves the EU, a no-deal Brexit is starting to look like a realistic possibility after all.

Opinions on a no-deal Brexit are wide-ranging and, of course, it is still entirely possible that the scenario will play out in some other way. Nevertheless, the Government has been making preparations for a no-deal Brexit, including the publication of a range of Technical Notices and an even broader range of draft secondary legislation.

In this post, we look at the impact of a no-deal Brexit on consumer rights in the UK and offer some comments on what this will mean for consumers and businesses in real terms.

No-Deal Brexit: The Basics

Before we get into the detail, it is as well to briefly outline exactly what ‘no-deal’ means. The UK is scheduled to leave the EU at 11 pm local time on 29 March 2019. If there is no deal in place at this point, EU law ceases to apply in the UK unless the UK has expressly adopted it. Unlike the alternative ‘deal’ scenario, there is no transition period within which EU law and the ‘four freedoms’ would continue to apply.

No-Deal Preparations for Consumer Rights

The Government has published a Technical Notice entitled ‘Consumer rights if there’s no Brexit deal’ and two draft statutory instruments: the Consumer Protection (Enforcement) (Amendment etc.) (EU Exit) Regulations 2018, and the Consumer Protection (Amendment etc.) (EU Exit) Regulations 2018.

In addition to the general changes outlined in this post, the Technical Notice also sets out some specific changes relating to package travel, timeshares, textile labelling, and footwear labelling.

The first set of regulations deal with cross-border enforcement while the second would implement the following changes:

  • • Limit the applicability of responsibilities set out in the Consumer Rights Act 2015 (currently applying to importers into the EEA) to importers into the UK;
  • • Put choice of law clauses referring to the laws of an EEA state on the same footing as those referring to non-EEA countries;
  • • Limit consumers’ rights to redress from importers engaging in practices prohibited by the Consumer Protection from Unfair Trading Regulations 2008 to importers into the UK (as opposed to importers into the EEA);
  • • Put users of EEA-based payment service providers on the same (less-protected) footing as users of payment service providers based in non-EEA countries; and
  • • Remove the current obligations on UK ADR providers to deal with disputes involving consumers resident in EU Member States. This would also end the operation in the UK of the European Commission’s Online Dispute Resolution Regulation for consumer Alternative Dispute Resolution.

Current UK consumer law is derived from EU law and, in the form of the Consumer Rights Act 2015, in fact provides better standards of protection than the ‘basic’ EU provisions. At least initially, therefore, UK consumer law and EU consumer law will be essentially the same. Cross-border enforcement would become more difficult in the event of a no-deal Brexit, however.

Put more simply, life for UK consumers would continue largely as normal, at least where their consumer rights within the UK are concerned. What would change is the ease of enforcing those rights if a trader is not based in the UK.

Cross-Border Enforcement and Dispute Resolution

At present, as an EU Member State, the UK’s consumer protection regime is supported by a reciprocal cross-border enforcement framework. A no-deal Brexit would mean the UK’s immediate departure from that framework.

Moreover, UK consumers would no longer be able to use the UK courts to take action against traders based in the EU effectively. Even if a UK court were to rule in a consumer’s favour in such a case, enforcing that ruling would be more difficult. By the same token, consumers based in the EU buying from UK-based traders could find enforcing their rights similarly difficult if we leave without a deal.

Access to alternative dispute resolution (‘ADR’) stands to be reduced. The European Commission provides an Online Dispute Resolution Platform for use in disputes between traders and consumers; however, a no-deal Brexit would mean UK-based traders and consumers no longer having access to it. Nevertheless, within the UK, the Government has said that it is taking steps to ensure that consumers and traders will still be able to use ADR for UK disputes. ADR obligations for businesses will not change; however, if your website makes any reference to the EU Online Dispute Resolution Platform, such references should be removed in the event of no-deal.

Final Thoughts

It goes without saying that regardless of how our departure from the EU proceeds, consumer rights will be affected in some way, but the impact of a no-deal Brexit could be more significant and would, of course, happen much sooner.

That being said, UK-based consumers and UK-based traders doing business within the UK should not need to be overly concerned and should expect the same rules that apply now to apply even if there is a no-deal Brexit. Those engaged in cross-border trading, however, should expect things to become less straightforward and prepare accordingly.

For consumers with questions about cross-border transactions in the event of no-deal, the UK’s European Consumer Centre will be available to help, and the Government has committed to funding the Centre for at least one year from April 2019.

From a business perspective, those selling only within the UK should not expect a great deal (no pun intended) to change. Those selling to consumers in EU Member States, however, must remember that, once the UK has left the EU (especially in a no-deal scenario), changes to EU consumer law will no longer necessarily be reflected in UK consumer law in the same way that they are now. In such cases, it will be important to keep up-to-date with EU law and the laws of any Member States sold into.

Do you trade with consumers in other EU Member States? If so, how are you preparing for Brexit, no-deal or otherwise? Are you expecting business to become more difficult or have you got it covered? As always, your comments are welcome!

 

[This post was edited on 16 January to reflect the outcome of the Meaningful Vote in the House of Commons on 15 January]

Sign Here Please – Electronic Signatures and the Law

Whether your signature is an example of elegant calligraphy or of the scruffiest scribble, you have probably ‘signed here’ more times than you care to count. The 1677 Statute of Frauds required certain documents to be in writing and signed. This provision is still in force today.

But what of the documents being signed? Predications of the paperless office have become increasingly common over the past 100 years, particularly with the exponential growth of desktop and then mobile computing from the 1980s onwards. While a paperless business world is still, perhaps surprisingly, far from a reality, we are now closer than we have ever been before and think nothing of entire contracts being instantaneously transmitted from the other side of the world, ready for us to read on anything from a desktop computer to a smartphone.

Signing such a contract, though, often still catapults us back to 1677. Paper and biro might have replaced parchment and quill, but that all-important squiggle of ink on a physical page remains commonplace. Electronic signatures have been around for a while in various forms, but a question mark still hangs over them, particularly when it comes to important legal documents.

Clarification from the Law Commission

At last, clarification is at hand. Last month, the Law Commission confirmed that electronic signatures can be used to sign formal legal contracts under English law. Furthermore, the Law Commission has also confirmed that an electronic document is ‘in writing’ for legal purposes if it can be viewed on a screen in a legible form, and that deeds can both exist and be executed electronically.

Despite this, however, the Law Commission has said that there remains “a lack of clarity in the law” which is “discouraging businesses from executing documents electronically when it would be quicker and easier to do so”.

Law Commission Consultation on the Electronic Execution of Documents

With this in mind, the Law Commission has launched a formal consultation on electronic signatures and the electronic execution of documents. Specifically, the consultation seeks to:

“consider whether there are problems with the law around the electronic execution of documents and deeds (including deeds of trust) which are inhibiting the use of electronic documents by commercial parties and, if appropriate, consumers, particularly with regard to:

(a) Electronic signatures;
(b) Witnessing;
(c) Delivery…”

Following the consultation, the Law Commission will consider whether legislative or other changes are required to address these issues.

The consultation is open until 23 November 2018. Full details including a form to participate online are available on the Law Commission website.

Here at Simply-Docs, we are no strangers to electronic documents and if you’re here on our website, we suspect that neither are you. Do you distribute legal documents in electronic form? Do you use electronic signatures too, or do you prefer to execute documents using good old pen and paper? As always, we would love to hear from you in the comments below.

What Will Brexit Mean for SMEs?

Brexit Notes

A new study led by Dr Ross Brown and Professor John Wilson at the Centre for Responsible Banking and Finance at the University of St Andrews suggests that, through a reduction in capital investment, less access to external finance, reduced growth, lower levels of product development, and reduced business internationalisation, SMEs could be set to suffer more than larger businesses under Brexit.

In particular, the study’s authors suggest that reduced investment will hamper SME growth, in essence, preventing many small, innovative startups from getting off the ground. Indeed, it is such businesses that expressed the greatest concerns when approached by the researchers.

Will the Impact Be the Same for Everyone?

Amidst the uncertainty, it is interesting to note that not all types of SMEs had the same level of concern. Dr Ross Brown, one of the lead researchers of the study, observed that: “The results of our analysis suggest that Brexit-related concerns could result in a range of negative consequences for UK SMEs, especially the impact on reduced capital investment, which critically weakens and undermines their ability to grow and prosper”. The research also notes, however, that such concerns are not shared by all in the SME community, suggesting that high-tech, service-oriented, and export-oriented businesses are likely to experience a more significant negative impact.

As well as the differentiation between sectors, the study also suggests that SMEs based in Scotland and Northern Ireland take a dimmer view on Brexit than their English and Welsh counterparts (a view which, it is also noted, mirrors voting patterns in the 2016 referendum to an extent).

More information, as well as the full paper, is available here.

What Does Brexit Mean to You?

For better or for worse, Brexit appears to be continuing apace. Much speculative talk of a second referendum has appeared in Brexit news of late; but, at least for the moment, support for the idea appears to be flexible at best. What is also clear is that impacts are already being felt in the business world due to rising uncertainty over what shape Brexit and related economic and legal arrangements will finally take.

As ever, then, we want to hear from you about your experiences. How has your business changed since the referendum result? Have you encountered any negative effects attributable to Brexit in your business and do you have plans in place to counter those effects? On the other hand, perhaps your business has improved as a result of Brexit and is looking forward to further improvements in the future. Again, we are eager to learn more about your experiences!

Processing and Transferring Personal Data

If you process personal data, that processing is currently subject to the Data Protection Act 1998. As of next May, the EU General Data Protection Regulation – the GDPR – will take over. Continuing the changes, the new Data Protection Bill introduced recently will bring much of the GDPR, with a few minor differences, into UK law post-Brexit.

Changes in the Law

Much media attention has been devoted recently to the GDPR. Some of this has provoked questions about the future legal position on data transfer not only within the UK but also to other countries outside the EU or EEA. The good news is that, in our view, what you will need to do in the future will not really change in practical terms.

To Where are You Transferring Personal Data?

You might need to transfer personal data within or outside the UK, to a location within the EU or EEA, or to a non-EU/EEA country (a “third country”). In addition to general requirements for processing personal data, particular requirements apply to transfer of data within the UK or abroad as outlined below.

Transferring Personal Data Within the UK or EEA

Where a UK data controller has a data processor within the UK or the EEA processing personal data for it, currently the law requires a written contract obliging the data processor to act on instructions from the data controller and to comply with obligations equivalent to those in the Data Protection Act’s Seventh Data Protection Principle. The GDPR also requires the contract to detail the processing and the data processor’s obligations. Our template document Data Processing Agreement – Personal Data Security (UK/EEA) meets the current requirements for such a contract.

There are no officially recognised standard clauses for such a contract. There may be in future, but there are none on the horizon, so you may continue to use our template. If the position changes, we will, in addition to making any necessary changes to our template, advise you accordingly.

Transferring Personal Data Outside the EEA

The Act’s Eighth Data Protection Principle and the EU Directive 95/46/EC (often referred to as the “Data Protection Directive”) only allow data controllers to transfer personal data outside the EU if the destination country has an adequate level of protection for the rights of the data subjects concerned. A number of alternative methods of ensuring such protection exist, as follows, but we believe that the “model terms” option (see below) is the best and easiest solution. This is because in practice another method may not be available or it may be relatively difficult to use it. The alternatives are as follows:

1) Recognised Destination

The EU Commission website lists those countries which it recognises as satisfying the test of “adequate level of protection”. The current Act and the GDPR provide for such recognition as a means of satisfying the test for an adequate level of protection. Transfer of data from the UK to the USA is complicated. The USA is not listed as “recognised” but a transfer will be permitted if the USA recipient (“data importer”) has self-certified compliance with the Privacy Shield framework.

2) Adequate Level of Protection

If the destination country is not “recognised”, then the requirements of the Act’s Eighth Data Protection Principle may be met if the data controller concludes that there is an adequate level of protection for the person who is the subject of the data, having regard in particular to the “adequacy criteria” set out in the Act.

It may not always be easy to properly apply these adequacy criteria. Further, the self-assessment basis of ensuring an adequate level of protection will be different and reduced under the GDPR. All in all, we think it will be very difficult for you to make proper use of this method.

3) An Exemption

Schedule 4 of the current Act provides several exemptions from the application of the Eighth Data Protection Principle. Similar exemptions will apply under the GDPR. If one of them applies, you would not need to consider whether there is an “adequate level of protection” or to take any other special steps in relation to the transfer.

4) Agreement on “Model Terms”

In view of the uncertainties and difficulties of ensuring an “adequate level of protection”, it will often be easier and preferable to make use of the following means instead.

The relevant EU Directive provides that an adequate level of protection will be achieved if a data controller and data processor sign an agreement governing transfer of data on model terms issued by the EU Commission for such purposes. The Commission issued the model terms in 2010. The current Act gives effect to this means of compliance and the Information Commissioner authorised the EU Commission model terms. This creates a “safe harbour” for UK data controllers transferring personal data outside the EU or EEA. Our template document Data Processing Export Agreement – Personal Data Security (Non-EU) contains the model terms and it may be used where transferring personal data outside the EU or EEA.

Although the GDPR supersedes the EU Directive, it does not alter the model terms regime so our template can be used after the GDPR and, subsequently, the new Act come into effect. It appears unlikely that the model terms will be amended in the foreseeable future. If they are, we will amend our template to take account of those changes.

Your Experience

Do you transfer personal data to another organisation to process it in the UK/EEA or outside the EU or EEA? If so, we would like to hear about how you ensured compliance with the current Act and the Directive, and how you plan to ensure compliance with the GDPR and the new Act. If you transferred data outside the EU or EEA, then, in order to do so, have you made use of the “model terms”? Have you relied on some other option instead? Are you confident that you are complying with all legal requirements relating to data transfer?

 

The Data Protection Bill 2017

Back in August we published a post here on the Simply-Docs Blog with news of a new Data Protection Bill which the government planned to publish soon thereafter. That Bill has now been published and while it is likely to be chopped and changed as it makes its way through Parliament, there are some key things to know about it from the start.

What is the Data Protection Bill?

The main purpose of the Data Protection Bill 2017 is to bring the provisions of the EU General Data Protection Regulation – the GDPR – onto the UK statute book in readiness for Brexit. As many readers will now know, the GDPR comes into force on 25th May 2018, bringing with it new higher standards of data protection compliance and a privacy regime fit for the 21st Century. In its most basic form, the Data Protection Bill will lead to an Act of Parliament that replicates the GDPR, ensuring that UK data protection law remains consistent with EU law – something that will be essential for doing business in a post-Brexit world. There will, however, be some key differences.

What is the difference between the Data Protection Bill and the GDPR?

The GDPR will apply almost uniformly in all EU member states (including the UK until we leave). We say almost because it does provide for limited differences at the member-state level. A member state is able to introduce some exemptions from the GDPR, provided that those exemptions still respect the fundamental rights and freedoms of data subjects, and provided that an exemption is necessary with respect to highly important matters such as national security; the prevention, investigation, detection, or prosecution of criminal offences; judicial proceedings; and a number of other public interest, public administration, and legal matters.

The Data Protection Bill deals with some of these limitations, but it is not just a copy of the GDPR. It will, in some areas, go beyond it. The Bill will also cover:

  • ● Data processing that is not covered by EU law;
  • ● The implementation of the EU Law Enforcement Directive;
  • ● National security matters; and
  • ● The changing duties of the Information Commissioners Office in light of the new legislation.

 

What key changes will the Data Protection Bill bring?

The Data Protection Bill includes a number of key elements:

  • ● Making it easier for people to withdraw their consent to the use of their personal data;
  • ● Implementing the so-called “right to be forgotten” into UK law;
  • ● Requiring organisations to obtain explicit consent from data subjects when processing sensitive personal data;
  • ● Expanding the definition of personal data to make it more suitable in the modern world, including data such as IP addresses, cookies, and biometric data;
  • ● Improving subject access requests (including removing the right for organisations to charge for them in many cases);
  • ● Enhancing the remedies, such as compensation, available to data subjects in the event of data breaches where the effects of such breaches go beyond financial loss or distress; and
  • ● Creating new criminal offences that will apply in the case of certain severe data breaches.

 

Watch This Space!

As with any new piece of legislation, the Data Protection Bill now faces a long journey through Parliament where it will no doubt be subject to a number of changes – minor or otherwise – as it passes back and forth. Moreover, the European (Withdrawal) Bill, formerly (colloquially) known as the “Great Repeal Bill”, presently allows for significant modification of certain legislation by government ministers without it being subject to the normal levels of parliamentary scrutiny, so there is possibly even greater scope for changes that might not otherwise be palatable across the board. As ever, we will keep a close eye on things and keep you informed.

What Is The Data Protection Bill 2017?

First mentioned in the Queen’s Speech back in June, the proposed Data Protection Bill was in the news again last week after the Department for Culture, Media & Sport issued a press release outlining the proposed legislation in more detail. The Bill is expected to be published in September and, given its stated purpose, should be ready for the statute book by the time the UK leaves the EU in 2019.

What About the GDPR?

The EU General Data Protection Regulation comes into force on 25th May 2018. This will not be affected by the new Data Protection Bill. Indeed, the primary purpose of the Data Protection Bill is to bring the GDPR into UK law so that our legal standards of data protection remain consistent with those throughout the European Union after Brexit. Not only does this mean that businesses already complying with the GDPR will face little or no disruption in transitioning from the GDPR regime to that introduced under the Bill; but it also means that handling personal data across European borders will be undisturbed by Brexit. In short, carry on preparing for the GDPR. That comes into force first, and there shouldn’t be any major differences under the new domestic data protection legislation that follows.

What Will the Data Protection Bill Do?

As we’ve already stated above, the main purpose of the Bill is to bring UK domestic data protection legislation into line with the GDPR. The UK’s current data protection statute, the Data Protection Act 1998, is quite literally from a bygone era and is no longer adequate to deal with current methods of data collection and processing, nor with current forms of personal data, for that matter. The Data Protection Bill will bring data protection law up-to-date and, according to the DCMS press release, will include measures to do the following:

  • ● Make it simpler for data subjects to withdraw their consent for the use of their personal data;
  • ● Allow data subjects to ask for their personal data to be erased;
  • ● Enable parents and guardians to give consent to data processing on behalf of their children;
  • ● Modernise and strengthen data protection law to fit with the digital economy;
  • ● Make it easier (and free) for data subjects to require organisations to disclose the personal data those organisations hold about them; and
  • ● Make it easier for consumers to move data between service providers.

(Read the press release in full here)

 

Will There Be Any Differences Between the Data Protection Bill and the GDPR?

Yes, it appears that there will be some slight differences, exercising the derogations in the GDPR that the UK government originally negotiated. This will include giving young people the right to require social media websites to delete information held about them when they reach the age of 18. The government has also stated that the derogations will allow for ‘a simpler shift for both businesses and consumers as we retain many of the enablers of processing essential to all sectors of the economy, from financial services to academic research, under the new legislation’.

What Should I Be Doing to Prepare?

For now, simply keep getting ready (or start if you haven’t already) preparing for the GDPR. There are no indications that the Data Protection Bill will represent a radical shift from the GDPR – as we’ve already pointed out – its main purpose is to bring UK law in line with the GDPR, subject to some minor differences which aren’t likely to make a big difference to most SMEs in any case.

In the mean time, here at Simply-Docs we will be monitoring the progress of the Data Protection Bill, as well as publishing new documents and guidance focused on the GDPR as May 2018 draws nearer. As always, if you have any thoughts or questions about the Data Protection Bill, we would love to hear from you in the comments.

Is Politics in the Workplace Giving You a Headache?

Just when you thought you’d seen enough emotively divisive politics to last a lifetime, with the election of President Trump following hot on the heels of the Brexit referendum; along comes a general election just to make sure that peoples’ conversations don’t stray to anything quite so mundane as the weather and the weekend’s football scores. A general election is inevitably contentious at the best of times, and with Brexit front and centre, the 2017 election is shaping up to be even more so.

Now that’s all well and good, and it’s everyone’s prerogative to hold and share their political views or – as some quite understandably choose – to switch off and filter out the noise altogether. When in the company of colleagues, however, this isn’t quite so straightforward. Politics among friends can cause enough problems, and these can be come even more acute in the workplace. What, then, can employers do to keep things peaceful and productive?

Outside of the workplace, of course, there isn’t a great deal that an employer can do about their employees’ political activities unless those activities have a direct impact on their employment. An employer could, for example, take action against an employee whose political activities are bringing the employer into disrepute.

Ordinarily, however, politics in the workplace is something that should be handled with care. Even if an employee’s political affiliations may be seen as offensive, employers must take great care when considering disciplinary action or dismissal. If an employee is dismissed because of their political opinions or affiliation, the normal rules regarding unfair dismissal don’t apply: employees do not need to have had two years’ continuous employment.

There is however a line that, if crossed by an employee, entitles an employer to take action. For an employee to hold political opinions and affiliations is one thing (and don’t forget, employers can’t take any action on the basis of an employee’s membership of a particular political party), but if the expression of those opinions and affiliations crosses over into campaigning, employers are in a better position to do something about it.

As to the definition of campaigning, it can take many forms, ranging from heated political discussions between colleagues, to handing out leaflets, putting up posters, and organising political meetings. Imposing a ban on political conversations in the workplace is neither desirable nor practical, but prohibiting the more active types of campaigning is arguably quite reasonable. Politics is by its very nature a polarising subject and seems to be one that is becoming increasingly personal and, at times, hostile. By preventing staff from campaigning at work, employers can help to avoid a lot of disruption, not only to productivity but also to staff relations and morale. In more extreme cases, such behaviour could even be considered to be bullying or harassment and thus a reason for dismissal in itself. Political expression isn’t a defence to allegations of discrimination or harassment either, so be on your guard for the would-be activist on your staff that goes around upsetting everyone under the banner of free speech, and don’t take any nonsense! Action could also be taken against an employee that was found to be spending time on non-work activities like political campaigning during working hours, or perhaps using company equipment for political purposes.

As with many situations like this, it is better to be proactive than reactive, and our Political Activity in the Workplace Policy is on hand to assist, setting out the expectations and code of conduct that apply to all of your employees. Most importantly, the policy removes ambiguity by clearly setting out what is and what is not permitted and sets out the various consequences employees may face for failing to adhere to it.

It would be nice to think that after the 8th June election, politics might quieten down for a while, but with formal Brexit negotiations set to commence shortly thereafter, political temperatures seem set to remain high for the foreseeable future. Political awareness and involvement among the populous is vital, but at work it must have its limits. You can’t, after all, run a successful business if the remainers, re-leavers, and brexiteers on your staff are at each others’ throats all day long! How do you deal with political activity in your business? Is it something you would prefer to keep out? Perhaps you go the opposite way and provide specific forums for your employees to exchange and debate their political views? Your views, as ever, are welcome!

Zeroing in on Zero Hours Contracts?

According to the Office for National Statistics, over 900,000 employees in Britain are currently employed on zero-hours employment contracts. Zero-hours contracts often crop up in the news, and it’s fair to say that they’ve gotten something of a bad name – often not without good reason. Particularly with the rise of the gig economy, zero-hours contracts and other means of securing peoples’ labour without too much commitment have become very popular with some employers.

None of this is to say that the situation is settled, however, and some are now taking action to offer alternatives to their employees. McDonald’s, for example, recently offered fixed-hours contracts to its 115,000 zero-hours employees (according to the BBC, around 20% of employees at the Golden Arches have chosen to take the fixed-hours option. We certainly hope they’re lovin’ it).

On the political front, with a general election once again on our doorstep, the Labour Party’s 2017 manifesto includes a pledge to ban zero-hours contracts. The Liberal Democrats, while not planning to ban them, have pledged to create a formal right for zero-hours employees to request fixed contracts instead. The Conservative Party manifesto, on the other hand, is silent on zero-hours contracts themselves, but nevertheless emphasises the importance of protecting those working in the gig economy – a broad statement of policy to be sure, but one that arguably wouldn’t rule out future action on zero-hours contracts.

In October 2016, the government appointed Matthew Taylor, former policy chief to Tony Blair, and Chief Executive of the Royal Society of the Arts to lead a review of employment practices. Taylor has previously suggested improvements to zero-hours contracts including the payment of premium wages to zero-hours employees. As for the review, the deadline for the submission of evidence passed earlier this week, meaning that a final report shouldn’t be too far away. While the full results of the review have not yet been published, it is believed that Taylor will recommend a right for zero-hours employees to request fixed-hours contracts instead.

With such an emphasis on the negatives of zero-hours contracts, then, it may at first appear that the benefits are all one-sided, favouring only employers. While it is true that many employees prefer the certainty and security that zero-hours contracts simply can’t offer, there are those who like the flexibility that they provide. Indeed, according to a 2013 study (updated in 2015) by the Chartered Institute of Personnel Development, many zero-hours employees were happy with the arrangement and more content than their permanently-employed counterparts. Among the benefits, zero-hours contracts enable workers to take on a more diverse variety of work instead of being limited to one specialism or department. In other cases, they may facilitate a better work/life balance – ideal for those professionals that want to focus their energies on their families as well as their offices.

There is no question that zero-hours contracts have been used unfairly, and one may even be led to question whether their recent surge in popularity may have been buttressed by a government happy to see unemployment figures drop – even if the reality is that some of those who are “employed” have no work to do; but it is difficult to argue that the solution is simply to get rid of what can – when properly used – be a beneficial employment relationship for both employers and employees alike. What may be the better option for employers, then, is to offer employees a choice.

The future of the zero-hours contract may currently be a little uncertain; but for now at least, when used fairly and in the right circumstances, both employers and employees can benefit from their flexible nature. What’s more, thanks to the Small Business, Enterprise and Employment Act 2015, since 26th May 2015, exclusivity clauses in zero-hours contracts have been unenforceable, making them somewhat fairer than perhaps they once were.

To find out more about zero-hours contracts and to see whether they might have a place in your business, take a look at our Employment templates:

Zero Hours Contract
Zero Hours Policy
Zero Hours Employment Offer Letter
Casual Workers / Zero Hours Comparison

Does your business use zero-hours contracts? Perhaps you’re a professional that is on a zero-hours contract? We want to hear your thoughts. Not all zero-hours contracts deserve the bad rap, but with the election just around the corner, they’re in the spotlight again. Would you like to see them stick around as they are, reformed with restrictions designed to protect employees, or eliminated altogether?

Data Protection: The GDPR is Coming

In just over a year’s time, on the 25th May 2018, the new EU General Data Protection Regulation, more often known simply as the “GDPR” comes into force. The GDPR is designed both to harmonise data protection throughout Europe and to modernise it, taking into account significant advances in science and technology that have taken place in recent years. In particular, the growth of the internet and the huge increase in the amount of personal data being transferred, stored and processed online (looking at you, cloud storage and social media), means that data protection legislation is long overdue for a refresh.

The first thing to get out of the way, since the “EU” part will doubtlessly be leading some to question whether or not the GDPR will be around for long, is that the UK government has confirmed that the GDPR will not be affected by Brexit. It is quite likely, then, that the Great Repeal Bill (see our previous post, here) will take care of that. Now we’ve said “Brexit”, we’ll move on.

Who Does The GDPR Affect?

In the most basic terms, if you already have obligations under the Data Protection Act 1998, you still will under the GDPR. The GDPR will apply to organisations operating within the EU and to organisations outside the EU that deal with individuals inside it.

What Does The GDPR Apply To?

As with the Data Protection Act, the GDPR applies to “personal data”. This is where one of the key modernisation points arises, for the GDPR expands its definition of personal data to personal identifiers such as IP addresses. Even personal data that has been anonymised – by using coding or pseudonyms, for example – may still count as personal data if it can be traced to a particular individual. In short, almost any kind of personal data, whether it was previously caught under the Data Protection Act or not, will likely be included under the GDPR.

The good news, however, for many businesses – especially SMEs – is that in the case of things like HR records, customer lists, contact details and so forth, the new definition will make little practical difference. That being said, for those who do a lot with online data behind the scenes, it’s certainly worth brushing up to be on the safe side.

Another key point to note is that the GDPR now applies to “data processors” as well as “data controllers”. Those processing personal data purely in a service provider capacity for a data controller will thus now also need to ensure compliance.

What Does The GDPR Say About Consent?

Organisations will need to be more proactive, and clearer with the language they use, when it comes to obtaining consent to the collection and processing of personal data. Individuals must know how their information will be used, and organisations cannot rely on silence or inactivity on the part of those individuals as consent. Not only that, but if the purpose for which you want to use someone’s data changes after getting their initial consent to use it, you must get fresh consent for the new use.

Again, in some cases, particularly for those who already pay careful attention to privacy and data protection, this will simply mean business as usual; but for others, particularly those who use customer data for marketing purposes, consent mechanisms may need to be re-thought, and clear, detailed information must be made easily accessible to customers, explaining the whats, whys, and hows of the organisation’s personal data collection and use.

How Will This Change The Way I Do Things?

Simply put, organisations need to take a more proactive approach to data protection, maintaining a much sharper awareness of privacy throughout their activities, systems, and projects. One key way in which this should be done is through the use of Privacy Impact Assessments, another new requirement introduced by the GDPR. A Privacy Impact Assessment or “PIA” should be conducted wherever a particular activity presents a risk of privacy being breached so as to minimise the risks to the individuals whose data is involved.

You may also have heard about the so-called “right to be forgotten”, especially in the context of search engines. The GDPR now brings this one to your doorstep too. If an individual requests that you delete the data you hold about them, you must do so.

Will I Need A Data Protection Officer?

If an organisation’s “core activities” involve the “regular and systemic monitoring of data subjects on a large scale” or the “processing on a large scale of special categories of data”, then it will need to appoint a Data Protection Officer.

This will apply regardless of the size of the organisation itself, so small businesses are by no means off the hook. Particularly as a result of the growth in online business, even small businesses with only a few employees may potentially be dealing with the personal details of thousands of individuals.

Among the Data Protection Officer’s responsibilities will be the carrying out of Privacy Impact Assessments, designed to identify and assess privacy risks for a given project which will involve the use of personal data (see above).

What If Something Goes Wrong?

If there is a data breach, the GDPR requires that the local data protection authority (in the UK’s case, the Information Commissioner’s Office) be informed within 72 hours of discovering it. Not only does this mean increased accountability, but for many this will also mean changes to internal systems, policies, and procedures to make it quicker and easier to spot and respond to breaches.

It’s under this heading that it’s also worth mentioning the F word. No, not that one (although you’d probably say it in the circumstances). Fines: that’s the one we mean. The GDPR is serious about increasing data protection, and penalties are no exception. Organisations that fail to comply with their obligations can face fines of up to 4% of their annual global turnover or €20 million, whichever sum is greater.

I’m Going To Be Very Busy, Aren’t I?

That depends. If your organisation is already taking data protection and compliance with the Data Protection Act seriously, the GDPR shouldn’t be anything to be afraid of. What’s more, you have a year to determine what changes need to be made and to make them, and provided you don’t mess about, that should be plenty of time.

Start by getting all relevant staff up to speed, appoint someone to oversee data protection, then evaluate your existing methods of data collection, obtaining consent, holding data, processing it, and handling individuals’ requests to see that data or have it erased. Your next step should be to determine what (if anything) needs to be improved and to get a plan in place for implementing those improvements in the time available. Remember the new responsibilities of data processors too: make sure that your suppliers and service providers are aware of their responsibilities under the GDPR and are taking the necessary steps to comply. Last but not least, don’t panic!

As ever, we want to hear your thoughts. Will the GDPR come as a shock to the system or is your business already hot on data protection? Do you think the modernisation of data protection law is overdue or do you see it as adding unwelcome burdens? Have you already started preparing? What steps would you recommend to other businesses?

Over the coming weeks and months we will be adding a range of new documents to our portfolio to help you get up to speed and up to spec with the GDPR, plus comprehensive new information on the various aspects of the GDPR with best practice guidance on how to comply. Stay tuned!

Top