
How to Report a Data Breach

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), any business or organisation which suffers a personal data breach is required to carry out an assessment. Depending on the seriousness, it may be necessary to report a breach to the Information Commissioner’s Office (ICO). In this post, we will explain the circumstances under which it may be necessary to report personal data breaches, how to report them, and we will look at some of the potential consequences.

What is Considered a Data Breach?

The ICO defines a personal data breach as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

In order to be considered a data breach under the regulations, the data which has been breached should have been of a personal nature; general data which does not relate to an identifiable living individual is not covered under the UK GDPR or DPA.

Data breaches are often caused by a cyberattack. In this case, malicious hackers might target a business and attempt to extract information held, for example, in databases. Alternatively, the organisation may fall victim to a computer virus which is circulating online, inadvertently enabling a trojan horse to automatically gain access to confidential data (when an employee accidentally clicks on a link in a spam email, for example).

That being said, a data breach does not always have to be the result of a cyberattack, or even occur online. There have been several publicised cases where members of staff have forgotten a USB stick or paper files containing personal data on a train or other public places. These are also considered to be data breaches, as are cases where an employee has accidentally emailed confidential files to an unintended recipient who is not authorised to access the personal data inside.

It’s also worth noting that the data does not necessarily need to fall into the wrong hands to be considered a data breach. If an authorised person deliberately or mistakenly alters or deletes personal data improperly, this also contravenes the rules.

How Serious are Data Breaches?

Depending on the circumstances, the ICO may fine any organisation which suffers a data breach up to a maximum of £17.5 million or 4% of its annual global turnover (whichever is higher). British Airways was fined £20 million for infringements of the GDPR in relation to a data breach in 2018 which exposed names, addresses, and payment card details of customers and staff.

In addition to potential ICO penalties, businesses in certain sectors may also have to contend with their own regulatory bodies. For example, law firms which suffer a data breach as a result of failure to implement sufficient cybersecurity measures may face enforcement action from the Solicitors Regulation Authority (SRA).

Furthermore, businesses which are publicly exposed as having incurred a significant data breach will inevitably suffer a certain degree of reputational damage. This can result in loss of clients and potentially missing out on future business opportunities.

Finally, data breaches which involve a cyberattack will result in damage to IT infrastructure, and there will often be extensive work which needs to be carried out to rebuild security protocols, issue new passwords and so on.

What is the Maximum Fine for a Data Breach?

The “higher maximum level” of fine for breaching the UK GDPR is £17.5 million or 4% of the organisation’s annual global turnover (whichever is higher). This level can apply to infringement of key aspects of the UK GDPR including the data protection principles, the rights of individuals, and provisions relating to the transfer of personal data to third countries.

The “standard maximum level” of fine – which applies to other types of infringement (such as those relating to certain obligations of controllers and processors, and certain obligations of certification and monitoring bodies) – is the higher of £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year.

A number of factors will be considered when deciding whether or not to impose a fine and how much the fine will be. Some key factors taken into consideration will include (note that this is not an exhaustive list):

  • The nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the personal data processing involved, the number of individuals affected, and the level of damage suffered by them;
  • The intentional or negligent nature of the infringement;
  • Action taken to mitigate the damage suffered by individuals;
  • The degree of responsibility taking account of the technical and organisational measures implemented by the data controller and/or processor involved;
  • Previous infringements;
  • The degree of co-operation with the ICO in remedying the infringement and mitigating its adverse effects;
  • The categories of personal data affected by the infringement;
  • The manner in which the infringement became known to the ICO (whether or not the organisation responsible for the breach notified the ICO themselves, for example);
  • Compliance with approved codes of conduct; and
  • Other aggravating or mitigating factors.

Fines under the UK GDPR must be “effective, proportionate, and dissuasive”. In practice, both of these maximum levels of fine only apply to the largest companies with the most significant infringements, caused by egregious data protection failings. The ICO notes that: “Any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case-by-case basis.”

When should a Data Breach be Reported?

Any business which suffers a personal data breach is required to carry out an assessment of the likelihood of any risk to the rights and freedoms of individuals. If a risk is considered to be likely, the data breach should be reported to the ICO.

Who Should You Report a Data Breach To?

The ICO should be notified within 72 hours of awareness of any reportable breach. Follow the ICO’s guidance on breach notification on their website.

In addition to notifying the ICO, any individuals whose data has been involved in the breach should also be personally notified if the breach is likely to result in a high risk to the rights and freedoms of these individuals.

What Processes Should You Have in Place to Report a Data Breach?

Businesses should put in place data breach policies which cover the following steps:

  • Initial reporting – there should be a process for staff to report any suspected breach to management.
  • Assessment – how a breach is recorded and assessed to determine whether it needs to be reported to the ICO etc.
  • ICO reporting – the process for reporting relevant data breaches to the ICO.
  • Individual notification – process for reporting data breaches to the individuals involved (where it meets the threshold).

Simply-Docs has a wide array of documents and policies relating to data breaches and other key areas of data protection.

What Happens After You’ve Reported a Data Breach?

Aside from reporting relevant data breaches, organisations will have a lot of work to do following a data breach, particularly where this is the result of a cyberattack.

An investigation should be carried out to find out exactly what caused the data breach. The immediate issues should be resolved, new passwords issued where relevant, and disciplinary action taken if appropriate.

New measures should also be put in place to avoid similar data breaches occurring in future, which may involve updating company policies, upgrading software, and carrying out staff training.

Top Legal Tips for Startup Businesses

When starting out in business there are many decisions to be made, some of which can have a significant impact on the success of the new venture. Legal issues are particularly important, and entrepreneurs should spend some time considering this aspect. In this post, we will examine some of the legal decisions facing new businesses and provide a few legal tips for startups.

Choose The Correct Business Type

One of the first steps of setting up a business is deciding on its legal operating structure. The vast majority of businesses in the UK fall under one of the following models:

1. Sole trader

If an individual starts carrying out business activities on their own, without setting up a formal business structure such as a limited company, they will automatically be classed as a sole trader. In this case, there is no legal distinction between the individual and their business. Sole traders are therefore entirely responsible for the legal aspects of their business, notably any debts incurred.

2. Limited company

Anyone starting a business on their own or jointly with other entrepreneurs can choose to set up a limited company. This puts the business on a more formal footing and requires registration with Companies House along with a range of annual filings. Crucially, a limited company is considered to be a legal entity in its own right and essentially protects the business owners from debts built up by the company (beyond their initial capital investment). The business owners of a limited company will hold shares and will often also be company directors.

3. Partnership

If two or more people set up a business together without registering it as a limited company or LLP (see below), they will automatically be classed as an ordinary partnership. Partners are considered to be jointly and severally liable for any debts and obligations of their business; each and every partner is responsible for the acts, omissions, and debts of the partnership. There is therefore no protection from liability, as would be the case with a limited company.

4. Limited liability partnership (LLP)

A relatively new type of business structure which has become increasingly popular, especially amongst professional services providers such as lawyers and accountants, is the Limited Liability Partnership (LLP). An LLP needs to be registered with Companies House and combines the benefits of limited liability for business owners with the flexibility of ordinary partnerships.

Simply-Docs has a range of documents which can help with starting a business and company formation.

Distinguish Your Employee Types

When a business requires extra resources, it will need to decide whether to subcontract out the work, bring in temps or agency workers, or take the step of employing new members of staff. It is vital to determine the status of each individual who carries out work for the business, namely whether they are:

  • a contractor;
  • a worker; or
  • an employee.

In the case of employees and, to some extent, workers, the business will have extensive legal responsibilities including:

  • national minimum wage;
  • sick pay and annual leave;
  • maternity and paternity rights;
  • protection from discrimination; and
  • health and safety duties.

Employees are entitled to receive a “written statement of employment particulars” on the first day that they start work. It’s best practice to include this as part of a more comprehensive employment contract, which outlines the various rights and responsibilities of both the employee and employer.

Simply-Docs has a variety of employment contract templates and related documentation.

Ensure The Right Agreements Are in Place

Where two or more people start a business together, they should consider putting in place relevant agreements to set out the basis of their business relationship, such as a:

Although these agreements are not mandatory, they help to ensure that each party knows where they stand and can avoid potential disputes arising further down the line.

Protect Your Intellectual Property

Although intellectual property (IP) is typically associated with creative industries, most businesses have IP of one form or another, such as:

  • copyright – this covers literary, dramatic, musical, and artistic works, as well as computer software and databases;
  • design rights – IP can include both registered and unregistered designs;
  • patents – this is a highly specialised form of IP which covers inventions;
  • trade marks – these include logos, slogans, and symbols which help to build a business’s brand and distinguish their products and services from those of competitors; and
  • trade secrets – although it’s not possible to register a trade secret as a form of IP, non-disclosure agreements (NDAs) can help provide protection.

It’s vital that a business understands its IP and protects it where possible to ensure that competitors don’t capitalise on, or misappropriate its work. Although some forms of IP such as copyright do not require registration, it may become necessary to enforce such IP rights using infringement notices or a cease and desist letter.

Ensure You Have the Correct Legal Support

Depending on the nature of the business, different levels of legal support may be required. Heavily regulated sectors will often need substantial advice from a law firm, particularly when starting out, and larger organisations may even have an in-house legal team. Most SMEs, however, will be able to prevent many legal headaches by putting in place suitable documentation.

Simply-Docs has a wide range of legal document templates which can help many different types of business get on top of key legal issues and avoid disputes.

FAQs

What Legal Documents Are Needed to Start a Business?

This entirely depends on the legal framework of the business, whether it has any employees or valuable IP, and the sector in which it operates. It’s worth perusing the range of legal documents available from Simply-Docs to find out if any are suitable for your particular business.

What Are Legal Issues in Business?

Legal issues in business generally involve rules and regulations set out by a range of government legislation, as well as a number of important aspects involving contracts and terms & conditions. We stay on top of the latest regulatory updates so you can rest assured that our legal documents will have you covered.

What Legal Issues Do Small Businesses Face?

Although larger companies tend to face more regulatory hurdles, SMEs are also exposed to the full gamut of business legislation, from the Companies Act 2006 to the Equality Act 2010.

What Legal Services Do Businesses Need?

The legal support requirements of each organisation are unique, depending on their size, sector, and nature of their business. Although most SMEs will require advice from a solicitor at some point, many will be able to avoid legal issues from arising, particularly if they put the right documentation in place.

The Register of Overseas Entities – Buying Land in the UK

New Registration Requirements for Overseas Entities Buying Land in the UK

For several years, the UK government has sought to cut property fraud and money laundering activity in the UK. One key element they have focused on is making the ownership of property in the UK more transparent. Overseas entities have sought to invest in property in the UK, but the ultimate beneficial owners of these overseas entities are often not known. The proposals for an overseas entities register were put forward in a government bill in 2018, but have now been passed into law under the Economic Crime (Transparency and Enforcement) Act 2022 (“the Act”).

The Act (which, for the main part, is not yet in force) creates a new registration requirement at Companies House for any overseas entity which:

  • Is buying a freehold property or a lease (with a term of more than 7 years) in the UK; or
  • Owns a freehold property or a lease (with a term of more than 7 years) in the UK, which was purchased on or after 01 January 1999.

Once the relevant provisions of the Act are in force, an overseas entity will be required to register at Companies House and provide the required information about their beneficial owners.

A beneficial owner is anyone who:

  • Holds more than 25% of the shares or voting rights in the overseas entity;
  • Has the right to exercise, or actually exercises, significant influence or control over the overseas entity;
  • Holds the right to appoint or remove a majority of the board of directors of the overseas entity.

This works on the same principle as the PSC register (people with significant control).

Once registered at Companies House, the overseas entity will be issued an overseas entity ID number. This ID will then be provided to HM Land Registry to enable land transactions to be registered.

There will be a six-month transitional period from the date the Act commences for overseas entities to register at Companies House.

During this six-month window, HM Land Registry will register a restriction on the registered title of land owned by an overseas entity. This restriction will limit the overseas entity’s ability to transfer, let (for more than 7 years) or charge the property unless they have complied with the registration requirements. Some exceptions will apply, but these are beyond the scope of this post.

There is a further obligation on overseas entities to ensure that the register at Companies House is up-to-date, and they will be required to update this information annually.

Failing to comply with the registration requirements under the Act can result in a criminal offence, with the penalties for non-compliance with the Act including fines and imprisonment.

We will continue to monitor this and update our portfolios if and when necessary, once the implementation dates are known and if any supporting legislation is passed following the Act receiving Royal Assent.

Why You Should be Looking at ESG – Environmental, Social and Governance

What is ESG About?

“ESG” stands for “Environmental, Social and Governance”. The ESG acronym is being increasingly used as a shorthand term for a wide range of issues relevant to how a business can have a net positive impact on the world and how it can demonstrate that it is having that impact.

All ESG issues relate in some way to the running and resilience of a business and what that business must do to be a “good corporate citizen”. ESG issues are usually listed under three broad headings: “Environmental”, “Social”, and “Governance”, but there is a degree of overlap between issues that fall under each of those headings.

Origin of ESG

There is a growing body of standards and requirements that regulate this area, some legally binding, others not. ESG did not come from any single source, but rather it was a development sparked by institutional investors demanding that if they are to invest in a business, it must meet certain standards in a variety of areas, depending on the type of business in question.

Being a Good Corporate Citizen

ESG establishes what a business needs to do to be a “good corporate citizen”.

A business firstly needs to comply with all measures having the force of law that are applicable to it, including statute and common law, regulatory rules, and other legal obligations or duties (see “Legal Compliance”, below). Increasingly though, legal compliance alone is regarded as insufficient, and the ESG concept embraces a good deal more.

ESG secondly recognizes that, in the interests of stakeholders (such as suppliers, customers, tenants, employees, shareholders, investors, suppliers of finance, neighbours, and the community at large), businesses should, in relation to their activities and conduct, also meet other relevant domestic (and often international) codes, standards, and behaviours, including appropriate standards of business ethics and morality, as well as others’ reasonable requirements and expectations. More widely, it also embraces “sustainability”, i.e., a business’s efforts to reduce its negative impacts and increase its positive impacts on the world around it.

Resilience

The “good corporate citizen” and sustainability aims are important aspects of ESG, but ESG is ultimately about resilience of businesses. The Covid-19 pandemic has led to an increased focus on business resilience. If a business complies with ESG “good corporate citizen” and sustainability principles, laws, and behaviours, it not only benefits stakeholders and the environment, but it also renders it more resilient, i.e., more likely to survive and succeed. In contrast, failure to comply can ultimately damage the business, its goodwill and reputation, or it can prevent it from meeting its maximum potential (see “Why should you take ESG on board?”, below).

Legal Compliance

As to ESG-related standards, codes, behaviours and other requirements which do not have the force of law, these are so numerous and wide-ranging that it would not be practicable to set out here even a small portion of them as examples. Whether any particular requirements of that nature are relevant to a business will depend on many factors including the size and type of business.

As to ESG-related obligations and regulation of businesses which do have the force of law, although they are only a part of the totality of ESG requirements, standards, codes, and behaviours, they are set to keep increasing. Such legal measures are already considerable and wide-ranging, and the following offers no more than a flavour of just a few of them that might be relevant to businesses. Such legal measures include:

  • Companies Acts requirements for certain companies to issue statements and reports on dealing with various ESG issues (including climate-related, environmental, and other non-financial matters such as social and employee-related matters disclosures, as well as financial matters);
  • Bribery Act;
  • Modern Slavery Act;
  • Equality Act;
  • Health & Safety at Work Act;
  • Common law obligations and duties, e.g., the law relating to negligence, nuisance;
  • Consumer Protection Act (product liability);
  • Environment Act, Environmental Permitting (England and Wales) Regulations, Environmental Damage (Prevention and Remediation) Regulations, Water Resources Act, and various other environment law statutes.

What is the Subject Matter of ESG?

ESG brings together disparate elements, a number of which are outlined below. The following lists include some key ESG areas, but are by no means a comprehensive listing of ESG elements. However, this does illustrate the breadth of topics falling under the ESG umbrella. Whilst a variety of separate issues fall under that umbrella, those issues are increasingly linked to each other.

It should be emphasized though that not all of the following elements of ESG will be applicable to all businesses. Whether any particular ESG element, issue, or risk is relevant to a particular business will depend on various factors including the type of business, its size, whether it is a company or is in unincorporated form, whether it has shares that are publicly traded, whether it is engaged in an activity that is highly regulated, whether it operates outside the UK, or whether it has dealings with anyone outside the UK.

Environmental Elements of ESG

This aspect of ESG focuses on improving the environmental performance of a business. It measures a business’s impact on the natural environment and the natural environment’s impact on the business, for instance, through physical climate risks. It takes into account factors including a business’s carbon footprint, its impact on biodiversity, and its production of waste and pollution. It includes the following topics:

  • climate change;
  • greenhouse gas emissions (in particular carbon dioxide);
  • emissions to air, water, and land;
  • product carbon footprint;
  • pollution and waste (toxic emissions and waste, packaging material and waste, electronic waste);
  • biodiversity;
  • deforestation and land use;
  • treatment of animals;
  • energy efficiency;
  • raw material sourcing;
  • resource depletion (including water);
  • recycling;
  • environmental opportunities (clean tech, green building, renewable energy).

Social Elements of ESG

This aspect of ESG focuses on a business’s impact on people. It measures how a business treats people such as employees, customers, and the communities in which it operates. It includes the following topics:

  • human resources and hiring;
  • human rights (including modern slavery and child labour);
  • supply chain labour standards;
  • health and safety;
  • product safety, quality, and liability;
  • chemical safety;
  • financial product safety;
  • wide ranging diversity and inclusion requirements, including anti-discrimination and anti-harassment (D&I);
  • equal pay;
  • privacy and data security;
  • conflict zones and conflict minerals;
  • controversial sourcing;
  • stakeholder/community relations and engagement;
  • customer satisfaction;
  • company cultures;
  • employee advancement opportunities;
  • employee education and welfare;
  • philanthropy (e.g., donations to local community, employee volunteering programmes).

Governance Elements of ESG

This aspect of ESG focuses on a business’s leadership and structure. It measures how a business operates in terms of audits, board diversity, internal controls, and shareholder rights. It includes the following topics:

  • bribery and corruption;
  • executive pay;
  • board independence;
  • business ethics;
  • board composition and audit committee diversity and structure;
  • financial system instability;
  • tax transparency;
  • political contributions;
  • whistleblowing;
  • conflicts of interest;
  • anti-money laundering;
  • anti-competitive practice.

Why Should You Take ESG on Board?

ESG is inevitably relevant to larger businesses, but it is also becoming increasingly material to start-ups and smaller organizations. A business should seriously consider ESG in view of the potential positive impact of taking it on board on the one hand, and the potential negative impact of not doing so on the other.

What, then, might such positive and negative impacts be?

Positive impacts of adopting ESG

  • meeting shareholder activists’ expectations or requirements so that they are kept “on-side” and supportive of the business;
  • encouraging potential investors to invest in the business. Many major banks and investors include ESG investing criteria in their processes and products;
  • improving relations with regulators/government;
  • enabling the business to contract with those suppliers and customers who require their business partners to adhere to ESG standards;
  • attracting and retaining employee or volunteer talent;
  • better productivity;
  • positively influencing customer sentiment;
  • achieving costs savings (e.g., reduced waste or energy consumption).

Negative impacts of not adopting ESG

  • harming or failing to improve reputation or morale of staff;
  • failing to realize full potential sales turnover;
  • dissuading potential investors from taking, retaining, or increasing a stake in that business;
  • loss of opportunities to tender for contracts due to failure to meet ESG standards required by tender conditions;
  • failing to attract investment or to meet qualifying conditions for grants or other financing;
  • incurring additional costs, expenses, fines, or other penalties;
  • incurring additional legal liabilities.

Adopting an ESG Policy and ESG Strategy

Adopting, publishing, and implementing an appropriate ESG policy can assist a business to identify and state clearly those factors that pose a risk to the business, i.e., factors that can directly or indirectly harm the business in any way. Such risks include the risk of litigation or liability; regulatory enforcement; risk of physical damage, loss, personal injury, or harm to health; commercial risk; and reputational risk. Identifying risks is the first step to minimizing them and planning for the eventuality that they materialize.

If a business additionally includes in its ESG policy a commitment to measure its degree of compliance with the policy (and report to its board or publicly on its compliance), it will not only have a basis for informing stakeholders and others about the extent of that compliance, but it will also highlight for itself and others how it is mitigating risks. In short, adoption, publication, and implementation of an ESG policy can aid business resilience.

Once a business has formulated an ESG policy, it needs to work out and document a strategy for implementing it. This will entail creating processes for doing so, including the means for measuring and reporting periodically on progress in implementing its ESG policy. In that connection, it should specify – using clear metrics – what will be achieved and when it will be achieved.

Prudence dictates that a business firstly ensures that the ESG policy that it formulates is consistent with its culture and values. Secondly, it must be realistic: a business may be tempted to cover a very wide range of matters, but should only say what it can realistically do, only set targets and timescales that it reasonably expects to achieve, and be prepared to report on why it has not achieved them. Otherwise, it will have failed to comply with its own ESG policy, with a damaging effect on its reputation and its success.

Supply Chain

For many businesses and other organizations, being able to meet some of the aims set out in their ESG policy depends to a significant extent on taking steps to ensure that companies in their supply chain comply with aspects of their customer’s ESG policy.

A business might carry out due diligence checks or take other steps to assess prospective suppliers’ management of ESG issues. Some businesses have a supplier code of conduct (covering a range of ESG criteria) to which they require suppliers to sign up. Many businesses include a standard “compliance with ESG and other policies” clause in their contracts with suppliers that obliges suppliers to comply with ESG-related policies which the business lists in a schedule attached to the contract. This might be combined with a “self-certification” clause whereby the supplier certifies periodically that it and its subcontractors are meeting the compliance requirements. Some businesses include an audit clause in their supply agreements giving them a right to audit aspects of the supplier’s provision of the goods or services under the contract. In each case, the contract can specify the consequences (e.g., termination, remediation) of the supplier’s non-compliance with ESG clauses in the contract.

Conclusion

It can be seen from the above that ESG is not, and should not be treated as, just a “box-ticking” or “flavour-of-the-month” topic. In the interests of its long-term survival and success, any business should be seriously considering how ESG is relevant to it.

Simply-Docs ESG Materials

There are currently a number of template environmental policies and environmental policy statements available to download. Whilst these specifically cover environmental matters and can assist with implementation of some environmental aspects of ESG, those templates are not designed to cover other ESG issues as well. However, from time to time, templates and checklists will be added to the website to deal with Social and Governance issues as well as Environmental issues. The first of these, a template set of Company Directors’ Board Minutes adopting an ESG strategy, is available here.

Working from Home & IP: Who Owns What?

Home Working

When the Covid-19 pandemic began, thousands left their workplaces behind and began working from home. Over the past 18 months or so, working from home has not only become commonplace but now, as employees return to their normal places of work, it has become the preference for many. Working from home has made the long-elusive work-life balance much easier to strike. In many cases, working conditions are more comfortable and convenient, common workplace annoyances are reduced or even removed, and according to some studies, productivity rates have improved (in the interests of balance, however, it should also be noted that there are those who say the opposite).

Whatever the productivity merits, there are some employees who have become so attached to working from home that – according to a recent opinion piece in The Guardian (available here) – they are prepared to accept pay cuts to continue working at home instead of returning to the office. The merits of this approach warrant their own discussion, which we will save for another time. What is important, though, is that if greater numbers of employees are likely to make a permanent switch to working from home, some formalities that might have been overlooked in the scramble to lockdown last year must be addressed.

One of those formalities is copyright and intellectual property more broadly. The default position on copyright ownership is that works created by employees in the course of their employment belong to their employer unless there is an express agreement to the contrary (for example, a provision in an employment contract). In the case of self-employed consultants, the default position for commissioned copyright works is that the creator of the work is the owner, unless it is agreed otherwise in writing. Whether a commissioned work is assigned to the commissioning party or merely licensed to them should be dealt with in the contract.

So far so good. What happens, though, when an employee is working from home and creates something outside of their normal working hours, using their own computer?

Penhallurick v MD5 Ltd

Earlier this year, the High Court considered a case in which a former employee of MD5 Ltd, Mr Penhallurick, had developed a piece of software for use in forensic computers along with a graphical user interface and a user guide. Much of the work had been done outside of Mr Penhallurick’s normal office hours, at home, and using his own computer. The court nevertheless held that MD5 Ltd owned the copyright in the works in question.

A key factor in this decision was the fact that Mr Penhallurick’s normal job duties entailed the creation of the same kind of software. Consequently, there was a “strong and primary indication” that this work, even though it was outside of his normal hours, undertaken at home, and using his own computer, nevertheless formed a part of the course of Penhallurick’s employment.

“…in my view the place where the employee chooses to do the work will not generally make any difference. The same applies to the ownership of the tools the employee chooses to use.” – Judge Hacon

It is also important to note that the work in question was undertaken several years ago, long before the massive growth in working from home caused by the pandemic. If this reasoning applies to work undertaken at home under “normal” circumstances, then one would arguably expect it to be even more likely to apply to work undertaken at home under “new normal” circumstances. (Author’s note: Sorry, you knew we were going to say “new normal” somewhere here, didn’t you?)

With this in mind, then, whether you are dealing with an employee or taking on a contractor, it is important to consider copyright ownership from the beginning, particularly where the individual concerned will be creating some form of copyright works for you. Ensure that a proper contract is in place which clearly defines the individual’s role and duties and, if necessary, addresses copyright ownership and any other applicable IP rights.

If working from home is set to remain a preferred and more common way to work, be it fully or partly with time divided between home and the office, it is even more important to be clear on what constitutes “work in the course of employment”. Working from home is inherently flexible. In many cases, it makes little difference to an employer or to the resulting work whether it is done at 3pm or 11pm. If an employee’s previous office hours were 9am to 6pm, however, there is potential for confusion unless their contract of employment is amended accordingly.

Last year, we witnessed a proverbial stampede for the exit as employees left their offices behind and set up shop on the sofa with a laptop, clad in their finest pyjamas. Understandably, there was insufficient time (not to mention considerable panic and uncertainty over what damage the virus might do to businesses and the global economy as a whole) to get the formalities and legalities in order. Now, however, it is time to take a step back and get things sorted out.

The IR35 Rules Have Changed Again – Should You be Worried?


Changes to the IR35 rules came into effect on 6 April 2021. This has caused quite a commotion but why, and should you be concerned? In this post, we will explore the latest changes and their impact.

Media coverage of the impact of the changes

Much of the media coverage over the past months about the IR35 rules has concentrated on the effect of the changes to the rules rather than the IR35 regime as a whole. Various commentators have been emphasising that not only freelance individuals but also their business clients need to consider the impact of the changes on them. In particular, the media have quite rightly focused on whether and how freelancers and their clients are affected by the rule changes, and what action they need to take in response.

If you have seen some of that coverage, you might be forgiven for concluding that the changes will affect all freelancers and their clients from 6 April 2021. We wonder whether the media coverage has focused too much on where the rule changes do impact on the world of freelance work without also clarifying those who won’t be affected.

To redress the balance, we invite you to consider the following situations in which, although the IR35 regime does or might apply, the rule changes themselves will not have any impact on a freelancer and/or their clients.

To keep things simple for our present purposes, we will look only at private sector clients. (Other rules apply to public sector clients.)

Where do the changes not impact on freelancers and their business clients?

If, as a freelancer, you only work for a client as a self-employed individual but do not provide your services to them through a personal services company (“PSC”) or other intermediary company, IR35 rules (pre- or post-April 2021) do not impact on how you have to be paid by a client. In short, IR35 will not apply to you or your client at all if you do not use any type of intermediary company. You will, however, still need to satisfy yourself and HMRC that you are genuinely self-employed, and not in law an employee of a client in order to be paid gross by your client.

So, do IR35 rules apply to a freelancer and/or their client where the freelancer does work for them through a PSC? Possibly. The IR35 rules both pre- and post-6 April can, but do not necessarily, still apply to them. However, there is a distinction between the pre- and post-April situation, as follows.

The new rules only relate to the mechanics of determining a freelancer’s status

The rules both pre- and post-April are concerned with the status of the freelancer, namely whether or not they are to be treated as if they were employed rather than self-employed, and the consequences to how they are to be paid where they have to be treated as if employed. The effect of the 6 April rule changes is to add to that pre-April regime an additional layer of rules which apply in some cases. The changes are not about whether the freelancer is to be treated as if employed or self-employed, but instead on how that status is to be ascertained. In some cases – outlined below – but only in those cases, instead of the PSC having to determine that status, it is the client’s responsibility to do so, where so required by the changes.

This switch in responsibility to the client only applies where it is “medium” or “large”. Factors such as size, turnover, etc. of the individual freelancer and their PSC (and any other intermediary companies) are not relevant for this purpose.

The key test of whether the rule changes affect the freelancer or the client is whether the client is “small”. If it is, the PSC has the legal responsibility to determine the freelancer’s status vis-à-vis that client, just as the PSC did before 6 April. As you will see from the test outlined below, many of our customers and other readers will be “small” business clients, or they will be freelancers or PSCs working for business clients who are “small”. In that case, the changes do not affect them in relation to a work engagement. A client is small if it is in the private sector and at least two of the following apply to it:

  • its annual turnover is less than £10.2 million;
  • its balance sheet total is less than £5.1 million;
  • its employees number less than an average of 50 in the year.

Does IR35 apply at all if the client is exempt as “small”?

Where the exemption applies, it only has the effect of releasing the client from the duty under the post-April IR35 rules to determine the freelancer’s status. In other words, the “exemption” does not take the IR35 regime out of the picture altogether. This means that even if the client is “exempt”, the pre-April IR35 rules will still apply where they require the freelancer to be treated as if employed, with the result that the client has to pay the PSC less PAYE deductions.

Conversely, if the exemption does not apply, it is the client under the post-April IR35 rules that has to determine the freelancer’s status under the pre-April IR35 rules. However, if the client then determines that the freelancer is to be treated under the pre-April IR35 rules as self-employed, the client can make gross payments, i.e. it will not have to pay the PSC less PAYE deductions.

In short, whether the client is exempt and what the freelancer’s status is are two separate questions. The freelancer’s status has to be determined in each case according to the same criteria, and the question of exemption is only relevant to ascertain whether it is the client or the PSC which has to determine the freelancer’s status.

Conclusion

Views about the IR35 regime as a whole cover a broad spectrum. Many who are in favour of the IR35 regime (including the new rules) may hold that view because they are not themselves freelancers, PSCs, or clients of either, and they are not burdened with its direct effects. They simply see IR35 as a good and effective measure to prevent tax avoidance by freelancers. At the other end of the spectrum, many freelancers using PSCs and their clients see IR35 as an unfair set of measures, and would gladly abolish IR35 completely. Freelancers and their clients alike see IR35 as creating an unacceptably high tax bill for freelancers and a heavy administrative burden for freelancers, PSCs, and their clients.

IR35 and self-employment template documents and guidance notes

We have a wide range of materials on our website which can help you with IR35 and self-employment issues. We recommend that you read our business information pages, which you can see here: Business Information pages on Employment and Self-employment and here: Business Info on IR35, and that you also look at our guidance notes and range of template documents that you can use to create forms of agreement between a client and a freelance worker or intermediary company, which you can see here: Self-Employment and Freelancer Contracts and here: IR35 And Other Company Contracts. These templates also include a form of IR35 Status Determination Statement template which is designed to save time when a client has to complete a status determination statement to comply with the post-April 2021 IR35 rules.

The Corporate Insolvency and Governance Act


Overview

The Corporate Insolvency and Governance Act (CIG) received Royal Assent on 26 June 2020. The CIG is expected to improve the ability of companies to be efficiently restructured, reinvigorate UK rescue culture, and support the UK’s economic recovery.

It also includes temporary corporate governance changes to shareholder meetings, AGMs, and Companies House filing deadlines.

The following is a brief summary of the main provisions. These are specialist areas of the law and will require specialist advice.

Restructuring Plan

The CIG introduces a new flexible restructuring plan, similar to the existing scheme of arrangement. Under the plan, a company that has encountered, or is likely to encounter, financial difficulties that are affecting, or will or may affect, its ability to carry on its business as a going concern has the ability to enter into a compromise or arrangement with its creditors/members in order to restructure its debts.

It will be inserted into the Companies Act 2006 with the aim of achieving a compromise with dissenting secured creditors by the addition of a “class cram down”. This particular feature draws inspiration from US Chapter 11 proceedings.

The aim is to make it easier to pass a restructuring plan by dividing creditors/members into classes based on the similarity of their rights, with each class/member given the opportunity to vote on the plan. The new restructuring plan enables a court to sanction a plan that binds dissenting classes of creditors/members. A plan will be passed if it is approved by 75% in value of the creditors/members or class of creditors/members and, importantly, unlike a scheme of arrangement, there is no requirement for a majority (over 50%) in number of each class to vote in favour.

Moratorium

The CIG introduces a new, stand-alone moratorium procedure designed to provide breathing space to companies in financial distress. The moratorium provides a payment holiday for certain types of pre- and post-moratorium debts without requiring leave of the court and will prevent creditors from taking enforcement action against a company. Companies will qualify if they are, or are likely to become, unable to pay their debts when they fall due. A company does not have to be solvent to be eligible.

A fundamental requirement of the process is that it must be likely to result in the rescue of the company as a going concern. It is a director-driven process, and the directors retain full management and control of the company throughout. The regime requires the appointment of a monitor, who must be a qualified insolvency practitioner, and whose role it is to oversee the company’s affairs with a view as to whether it remains likely that the moratorium will result in the rescue of the company as a going concern.

Ipso Facto (Termination) Clauses

Contracts for the supply of goods or services contain clauses which allow a supplier to terminate or threaten to terminate or vary the supply when the counterparty to the contract enters into an insolvency or restructuring process. This is known as an ipso facto clause. The CIG contains a provision, to be inserted into the Insolvency Act 1986, to prohibit suppliers from relying on such clauses. Therefore, subject to certain exceptions, suppliers will be required to continue to supply goods or services to a company in a restructuring or insolvency process. The aim is to protect a company’s supply chain and enable the company to continue to trade.

Temporary suspension of winding up petitions, statutory demands and wrongful trading

On 28 March 2020, the Government announced plans to amend the wrongful trading provisions to remove the potential liability for directors in situations where a company’s financial position has worsened during the COVID-19 pandemic. This was an attempt to prevent directors from placing a company into administration prematurely as a result of concern for their exposure to personal liability for wrongful trading.

The relevant period is between 1 March 2020 and one month after the CIG is enacted.

Likewise, it was announced in April 2020 that statutory demands and winding up petitions would be temporarily banned where a debtor company cannot pay its debts as a result of the COVID-19 pandemic. The hope is that this process will enable companies in financial distress to enter into compromises/arrangements with their creditors without the need for formal insolvency processes to be commenced.

Under the CIG, all statutory demands will be void if served on a company during the period between 1 March 2020 and one month after the CIG comes into force.

Flexibility for Holding Shareholder’s Meetings and AGMs

The rules around shareholder meetings will be temporarily relaxed. This period of relaxation began on 26 March 2020 and ends on 30 September 2020, subject to a possible extension until April 2021.

During this period, overriding anything in the company’s constitution, the provisions allow for general meetings to be held on a virtual basis and for votes to be cast by electronic means, and that quorum requirements can be met without any members being together at the same place.

Companies required to hold their AGMs during the period from March to September 2020 can hold their meeting at any time before 30 September 2020 (again with a possible extension).

Temporary Extension of Companies House Filings

Temporary easements will be introduced regarding filing requirements. They include extensions to deadlines for:

  • confirmation statements;
  • accounts (Companies House has already made arrangements for companies to apply for a three-month extension to their accounts filing deadline if they are unable to meet the deadline owing to COVID-19);
  • registrations of charges (mortgage); and
  • event-driven filings, such as changes to company directors, people with significant control, or a change of registered office.

Where the existing filing period is 21 days or less, the extended filing period will not exceed 42 days. Where the existing filing period is between three and nine months, the extended filing period will not exceed 12 months.

This is a very brief overview of the CIG and more information can be found here.

The GDPR Two Years On

After a long build-up, a great deal of commentary, fear, and anticipation, the EU’s General Data Protection Regulation or “GDPR” came into effect on 25 May 2018. At the time, a great deal of attention was focused on the wider scope of the GDPR and, in particular, how “personal data” was defined. Individuals or “data subjects” had more and better rights bestowed upon them, and any organisation that breached those rights would face tough new penalties.

So, what actually happened? At the time, many businesses scrambled to become compliant with the new GDPR regime. Inboxes throughout Europe and beyond became clogged with messages about updated privacy policies. Internet users suddenly found their favourite websites blocked because American companies either didn’t know how to comply with the GDPR or didn’t want to. Far from being taken as a (mostly) sensible and practical evolution of existing data protection legislation, the GDPR became a source of fear for many. Scarcely an article about it could be found that didn’t talk of fines reaching into the tens of millions.

The GDPR itself requires the European Commission to review it every two years. Here in 2020, the outcome of that review is now due and should have been published in April, but at the time of writing, it is now expected in June. Now is also a good time for businesses and other organisations handling personal data to review the GDPR themselves.

  • After getting compliant in 2018, have you stayed compliant since?
  • There was considerable confusion around the GDPR two years ago; have things been clarified?
  • Has the GDPR been a success; is people’s personal data safer and have organisations taken more steps to truly protect privacy?
  • Has there been a wider impact; what happened to all those American websites that cut us off?
  • Has the GDPR been a force for change in other jurisdictions?

Moreover, as the oft-falsely attributed curse goes, may you live in interesting times. Both Brexit and the COVID-19 pandemic are significantly changing the business and legal landscape, not least where data protection is concerned.

In this post, we will take a look at the GDPR two years on, discussing those questions above (if not providing definitive answers!), and considering where we go from here. Whatever shape the UK’s domestic data protection legislation takes (initially as the “UK GDPR”), the EU GDPR and indeed the EU itself will remain central to many businesses’ compliance after the transition period ends. Meanwhile, the prevalence of home working and the increase in sensitive medical data changing hands within organisations as the world endeavours to press on through the coronavirus pandemic also raise important issues that were unforeseen just two short years ago.

What did the GDPR ever do for us?

Data protection legislation is still, in the grand scheme of things, in its relative infancy. Privacy has been protected to some degree by law for much longer, but the first Data Protection Act in the UK only dates back to 1984. This was succeeded by the Data Protection Act 1998, and again by the Data Protection Act 2018 and the GDPR.

Technology, particularly the internet, has been a major catalyst for the development of data protection law. In the mid-1990s, the internet was still quite new, but the implications for privacy and the widespread use of personal data were clearly recognised from an early stage. The EU passed its Data Protection Directive in 1995, setting out minimum data privacy and security standards. Being a Directive, it was then up to EU Member States to implement it through their own domestic legislation and, thus, the Data Protection Act 1998 was born.

As the world settled into the 21st Century, the internet’s appetite for personal data stepped up the pace. In 2010, the European Commission adopted a communication entitled “A comprehensive approach on personal data protection in the European Union” and so began the work to update the 1995 Directive and, considering the growth of the internet, not before time. In 1995 less than 10% of UK households had internet access. By 2010, this number had risen to over 70%. In 2016, the General Data Protection Regulation was born, due to enter into effect in all EU Member States on 25 May 2018.

The definition of “personal data” expanded significantly to include not only the obvious forms of personal data such as names and contact details, but also less obvious – at first glance, anonymous – forms of data such as IP addresses. The amount of information to be provided to data subjects was increased, and rules surrounding consent were tightened up. Greater emphasis was placed on accountability and record-keeping, and higher standards for “lawful processing” applied.

The GDPR also brought with it a much greater territorial scope than had been seen before. Simply put, if an organisation processed the personal data of anyone residing within the EU, regardless of that organisation’s location, the GDPR applied.

More information was required to be given to individuals when collecting their personal data. This requirement was designed to promote transparency, ensuring that individuals were more informed about what their personal data was being used for, how, why, and what rights they had in relation to that. In practice, it also triggered a veritable blizzard of “we have updated our privacy policy” emails.

The GDPR was designed to raise both standards and hurdles when it came to the use of personal data. In particular, new rules over consent were introduced, including a stricter standard for consent. Consent and explicit consent would now require a clear affirmative action from the individual. Consent would now have to be freely given, specific, informed, and unambiguous. Data controllers were also now required to make it easy to withdraw consent at any time and, unless they had another legal basis on which to continue using the personal data in question, would have to cease using it upon such withdrawal.

Not only were the requirements for consent toughened up, but so were other lawful bases for personal data processing such as “legitimate interests”. Under the old Data Protection Act 1998 regime, the UK had taken a rather generous position on this particular basis, but the GDPR narrowed things down, placing a stricter emphasis on ensuring that such interests were not overridden by the rights and freedoms of data subjects.

Key new rights were bestowed upon individuals, not least the so-called “right to be forgotten”, which gave individuals the right to require organisations to delete all personal data relating to them. In practice, particularly with so much data being backed up in various forms and spread across multiple systems, the prospect of complying with this right was a source of considerable concern for many.

New requirements concerning accountability were introduced. Chief among these was the requirement to notify supervisory authorities (such as the ICO) of data breaches within 72 hours if the breach was likely to pose a risk to the rights and freedoms of individuals. Where there was a high risk that the rights and freedoms of individuals would be adversely affected, the individuals themselves were also to be notified. The GDPR also introduced new requirements relating to Data Protection Officers, making it mandatory for a wide range of organisations to appoint one. Also important under the heading of accountability was record keeping. Even in situations where a decision had been made to not do something, for example, because of a low risk to individuals’ rights, it would need to be documented.

How Did We React?

The majority of news items about the new GDPR were keen to emphasise one element above all others: the fines and penalties. In broad terms, the GDPR introduced two categories of fines, the highest of which could reach up to €20m or up to 4% of an organisation’s total worldwide turnover, whichever was higher. Cooler heads remarked that for many businesses that were already taking their Data Protection Act 1998 compliance seriously, there was little need to worry and that the change was easily manageable. Nevertheless, predictions of doom persisted.

Many were also confused about their obligations, leading in some cases to over-reactions and in others, to apathy. The over-emphasis in commentary on topics such as consent, for example, even led some to believe that it was now the only basis upon which they could use any personal data. Particularly for online operations in the US, so demanding and threatening was the GDPR that the preferred choice was simply to block all EU-based users from their websites.

Further concern stemmed from the fact that a great deal of guidance on data protection, including some of that available from official bodies, was outdated, referring only to the Data Protection Act 1998 / Data Protection Directive 1995 regime.

Where Are We Now?

What happened to all those huge fines that were going to put everyone out of business? There have certainly been fines, but, as the ICO was keen to point out in its blog post GDPR – sorting the fact from the fiction back in August 2017, “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm…Issuing fines has always been and will continue to be, a last resort…we intend to use those powers proportionately and judiciously.”

There have been some big fines, certainly, but looking at them more closely, they are still far from the top end. The French supervisory authority, CNIL, issued a €50m fine to Google. This, however, amounted to a mere 0.04% of Google’s global turnover – arguably more the cost of doing business than a deterrent. Last year, the ICO announced its intention to fine British Airways £183.39m in relation to a cyber incident which took place in 2018. Again, big money, but only equal to around 1.5% of BA’s global turnover. Moreover, at the time of writing, BA has not yet been issued the fine after a series of delays and there are now questions over whether the ICO may take the financial impact of the COVID-19 pandemic into account, the effect of which would presumably be to reduce the fine or perhaps defer it.

The fines may not have turned out to be as bad as feared, but does this mean that people’s personal data is better protected? Is the GDPR doing its job? Certainly, awareness is much higher, even outside of the UK and EU. Some of the biggest names in technology have adopted GDPR standards of data protection worldwide, rather than focusing only on Europe. Small businesses that might previously have overlooked data protection entirely are now keen to get their privacy policies in place, and it is clear that the GDPR itself prompted a surge of updates to business practices and documentation, both inwardly and outwardly.

Moreover, much more useful guidance has emerged over the past two years, including comprehensive guidance on compliance from bodies such as the ICO, and certain issues that caused confusion in the early days have been clarified.

Has it all been good news, however? It would be difficult to argue that this is the case. The GDPR continues to be a source of uncertainty and increased costs, particularly where technology is concerned and in areas such as analytics and ad tech. A 2019 survey conducted by German trade association, Bitkom, found that for many, the GDPR represents a barrier to innovation, particularly where new technologies are concerned. Nor is it necessarily ideal for individuals, many of whom have long since tired of emails informing them of privacy policy changes. Moreover, while many have heard of the GDPR, it is at the very least open to question how many of those people really understand what it means for them. Then, there is also the issue noted above – the geo-blocking of online content, particularly from the US – solely on GDPR compliance grounds. One must ask whether this is a benefit to individuals at all. It will be interesting to see if the Commission’s review considers such real-world impacts and, if so, what improvements may emerge.

What Did You Do Back in 2018?

Two years feels like a long time. Longer now, probably, given that the past two months have felt like an eternity as the world collectively hangs on the pause button. The advent of the GDPR caused no small amount of panic. Many scrambled to make their businesses compliant in time for the 25 May 2018 deadline that loomed like a threatening spectre.

Since then, however, the important question has become not so much “how did we do then?” as “how have we done since?”. Getting your business compliant in 2018 was but the first step of what a less jaded author might call your “GDPR journey”. Now that things have had time to settle down and guidance has become more widespread and fleshed-out, it is an ideal time to take a fresh look at data protection within your business. As a starting point, consider these questions:

  • Am I maintaining awareness of data protection within my business?
  • Have the changes I made in 2018 been successful? What could I do better?
  • Is my privacy information up-to-date and is it easily accessible?
  • Am I keeping proper records? Is there any way I can improve upon them?
  • Have I had any data breaches? Have they been handled properly?
  • Am I being proactive about data protection when considering new uses of personal data?

A Data Protection Audit is a useful exercise to carry out on a regular basis as it prompts you to ask and answer questions like these in more detail, considering all aspects of your business’s data protection compliance. If you haven’t carried one out before or perhaps haven’t carried one out since preparing for the GDPR, now is a good time to get started. It might also be the case that you have avoided an audit because you are afraid of what it might turn up. That is not an invalid concern but consider this – it is an internal exercise and the ICO would rather you identified your weaknesses and fixed them than ignored them. You aren’t going to get a €20m fine landing in your lap because your internal audit identified room for improvement or even outright failings. It is better to find out what is wrong and fix it, so cast aside the fear and get going!

Another side to ongoing compliance is the Data Protection Impact Assessment. A DPIA is a valuable (and indeed mandatory in some cases) tool which helps you to evaluate new projects from a data protection perspective, identifying and minimising the risks from a variety of angles. Again, a DPIA is not an exercise that should be carried out once and forgotten about. A system, product, or feature that began as a new project back in 2018 will quite possibly have changed in some way since then. Perhaps without even realising it, the way in which you collect, use, or store the personal data involved has changed. DPIAs should, therefore, be regularly reviewed and repeated if necessary.

The Picture in 2020

Brexit and Data Protection

Until recently, one of the biggest topics up for discussion in data protection circles was Brexit. We know that, at the end of the transition period, the EU GDPR will cease to apply in the UK and that it will be replaced with a “UK GDPR” – a direct copy in many respects, with necessary contextual changes to accommodate its status as a solely domestic instrument (references to EU laws, institutions, and powers, for example, will be removed or replaced with UK equivalents).

We also know that, whatever the outcome of Brexit, it will remain possible to transfer personal data to the EU and EEA and to “third countries” covered by an existing EU Commission adequacy decision without constraint, as is the case now. Not only that, but the UK will also recognise the current EU Standard Contractual Clauses as a valid mechanism for international transfers of personal data.

We do not, however, know what the UK’s status will be from the European perspective. Despite the similarities in our data protection legislation, the European Commission must still assess the UK’s post-Brexit data protection framework and grant an adequacy decision in order for personal data to flow as freely into the UK from the EU and EEA as it can in the other direction. It is far from certain that an adequacy decision will be made before the end of the transition period.

If an adequacy decision is not granted before the end of the transition period – and many commentators think it unlikely that one will be – other safeguards will be needed to cover personal data moving from the EU into the UK such as the aforementioned Standard Contractual Clauses or binding corporate rules (to name just two examples). Another key change to data protection compliance will be the need to appoint an EEA representative from the end of the transition period if your organisation offers goods or services to individuals in the EEA or monitors their behaviour.

Home is where the Work Is – Data Protection and COVID-19

Just a few short months ago, we might have thought it impossible that any subject could knock Brexit off the top spot of things we were tired of hearing and worrying about, but along came the coronavirus, making Brexit look like proverbial small potatoes.

From a data protection perspective, the pandemic has resulted in a rapid increase in medical data changing hands within businesses of all shapes and sizes. Medical information is, of course, “special category” (formerly “sensitive”) personal data and thus requires greater levels of care and security. Not only that, but such data is also moving around in an inherently less secure environment in many cases. Instead of being confined to secure and tightly-controlled networks and equipment that is constantly kept up to date with the latest security patches and new software, business personal data is now finding itself residing on home computer systems and home networks – some lacking in the latest security software (or indeed any at all), left vulnerable by older equipment and weak passwords. Other security threats are also seeking to exploit the decline in secure IT environments with activities such as phishing reportedly (and dramatically) on the rise.

Not only does the increase in home working pose potential security threats, but it may also make it harder for some organisations to comply with requests from individuals to exercise their rights. With personal data less centralised, for example, it may be harder to locate it in response to a subject access request.

Maintaining awareness and providing regular training is essential in overcoming such new challenges. Having an up to date Data Protection Policy can help to underpin your staff’s knowledge and serve as a reminder of things that, again, might have been fresh back in 2018 but may have given way to complacency or simple forgetfulness by now. Where possible, other practical steps such as the use of VPNs and the issuing of centrally administered computers and other devices can be taken to help reduce the risks associated with individual staff working with personal data on their own devices.

Such challenging circumstances will undoubtedly make assessing the GDPR’s success a harder exercise, both for regulators and for organisations. It remains vitally important to protect personal data and to use it lawfully, fairly, and transparently. At this point, no virus-specific changes are planned for data protection law and it is doubtful that they will be. What is important to note, however, is that authorities such as the ICO are not oblivious to the difficulties. The ICO recently issued a statement reassuring us all that while the law itself remains unchanged, “We understand that resources…might be diverted away from usual compliance or information governance…We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.” In short, keep calm and carry on!

Where To?

It is clear that while data protection regulation has evolved to keep up with modern technology and contemporary uses of personal data, there remain many problems. Perhaps the greatest of these is that the law appears to be too heavy handed. The law and technology have been at odds in many areas for a long time, and this shows no signs of abating.

Business, technology, and the law itself need to evolve to accommodate one another. Whether or not they will is a different matter. It does seem evident, however, that this is understood on all sides. Enforcement powers and penalties exist to punish those who break the rules knowingly or carelessly and put the rights and freedoms of individuals at risk. Does this mean that small businesses will be fined for innovating? Arguably not.

It will be particularly interesting to see how the UK’s data protection laws evolve after Brexit. While keeping closely in tune with EU legislation, it is arguable that a desire to make the UK an attractive economy for innovation and investment in technology may lead to new developments in the data protection framework. The UK GDPR will be the same as the EU GDPR for all intents and purposes – particularly from the SME perspective – but what comes next will make for interesting viewing.

SME Tips for Weathering the Coronavirus Storm

Introduction

The outbreak of COVID-19 and the ensuing pandemic is unprecedented in recent times and its economic impact is similarly unheard of. The Office for Budget Responsibility recently warned that the pandemic could lead to the UK economy shrinking by 35% by June 2020.

For many businesses of all shapes and sizes, in a variety of sectors, the pandemic has, at the very least, necessitated changes and, in more serious circumstances, poses a threat to their survival.

There is, however, plenty of cause for optimism. The government has introduced a range of measures to help support struggling businesses and there are a number of things that businesses of all sizes, SMEs in particular, can do to weather the storm of the pandemic. Above all else, it is important to stay calm and organised. A clear head and an efficient approach to business will make everything else that much easier.

Dealing with your Staff

We have covered flexible and home working in a number of other articles here at Simply-Docs (check out our Working from Home with Children blog post and our recent newsletter on Home Working). We also offer a range of documents specifically designed to facilitate such arrangements. Flexible working is a boon to employers and employees alike, particularly in such challenging times. It may not be suitable in all sectors, but if the nature of your business permits it, it is most definitely worth considering if you are not already doing so.

Implementing the right policies is an important element of flexible and home working. Without the structure of a normal working day, productivity and adherence to procedures can quickly deteriorate. Nevertheless, it is also important to understand that many staff, particularly parents or those with other dependents, will be facing considerably more responsibilities at home at present. Cultivating an understanding of such pressures and offering as much flexibility as you can will be appreciated by your staff and ideally enable them to be more productive.

Technology can be a great help. Investing in the right software and hardware can make it much easier for your business to operate as close to normal as possible, enabling your staff to easily keep in touch with each other, to hold meetings, to deal with customers, business partners, and the like. It can also be easier to implement security controls on company-owned technology such as laptops and smartphones, meaning that your business is less likely to fall victim to hacking, malware, or the perils of a data breach and the potentially crippling fines that can follow.

If you find that your resources are stretched, consider weighing up the costs of training existing staff for new or expanded roles instead of recruiting new people or taking on contractors. This opens up new opportunities and the possibility of a very welcome pay increase for your existing employees while avoiding the higher expense and complications of taking on new people.

Not all businesses are suited to home working, whether partially or fully. If your staff still need to come into work, keeping the workplace clean and safe is of paramount importance. The normal health and safety rules continue to apply, but when it comes to keeping things clean and hygienic, now is the time to go above and beyond. Equipment and surfaces should be cleaned more often than normal, with “high-touch” objects and areas receiving particular attention. Where supplies permit, provide cleaning materials for your staff to use, such as alcohol wipes for keyboards, mice, telephones, and other objects that are regularly handled. Ensure a plentiful supply of soap and hand sanitiser and ensure that your staff are reminded to use them frequently. Most important of all – if any of your staff are ill, however minor it may be, and whether or not they think it may be the coronavirus, ensure they stay at home and self-isolate in line with government and NHS guidelines.

If revenue declines to the point at which your options are limited financially, there are a range of options open. What is very important is that you communicate with your staff. Do not keep them in the dark. Consult with them and, where appropriate, involve them in planning. If possible, take advantage of the Coronavirus Job Retention Scheme and place your employees on furlough leave. Simply-Docs has a range of templates and guidance designed to assist with this. Further choices include reduced pay, reduced hours, and, if all else fails, redundancy. When considering any such plans, it is vitally important to take professional advice.

Reduce Your Outgoings

If possible, look to re-negotiate contracts. Many of those businesses you are contracting with will be in similarly difficult positions and it may well be preferable to agree to reduced payments, orders, and so forth rather than to risk losing them completely. We offer a range of templates designed to assist in amending contracts in our Business document folder.

When it comes to property, particularly if you are not using your premises (or not using it to its normal capacity), consider negotiating with your landlord and look into the possibility of options such as discounted rent, rent deferment, rent-free periods, and/or a reduction on service charges. Find out more about managing property during the pandemic in our April 2020 property newsletter.

Whatever accommodations are agreed, and however renegotiations proceed, do not let the sense of urgency tempt you into informal agreements. Whenever possible, ensure that everything is documented and legally formalised.

Looking for New Financing Solutions

As revenue falls, debt becomes harder to pay. It is important to remember, however, that those to whom you owe money should hopefully want to receive it rather than risk missing out. Communication is, once again, key. Discuss your situation with banks and other lenders and look to renegotiate agreements or even take out new finance to help bridge the gap until normal trading begins to resume. The government’s Coronavirus Business Interruption Loan Scheme is of particular relevance under this heading.

If you are a company, be particularly careful about giving personal guarantees. Always remember that a company is a legal entity of its own. Shareholders are protected and have limited liability. By giving a personal guarantee, the so-called “corporate veil” is pierced and the guarantor’s personal assets (including, potentially, their home) will be at risk. Once again, the importance of taking professional advice cannot be overstated.

VAT

Paying VAT can be a tremendous source of pressure and, if your revenue is on the decline, it will be even more so. Look to set up a quarterly payment plan for VAT and talk to HMRC about other assistance or concessions that may be available.

The government has also announced a VAT payment deferral scheme under which payments due between 20 March 2020 and 30 June 2020 will not need to be made until 31 March 2021. Returns must, however, be filed on time. Also ensure that any direct debits are cancelled.

Take Care of Your Duties to the Company

If your business is a company, it is important to remember that directors must still comply with their statutory duties as set out in the Companies Act 2006:

  • Act within their powers
  • Promote the success of the company
  • Exercise independent judgement
  • Exercise reasonable care, skill, and diligence
  • Avoid conflicts of interest
  • Not accept benefits from third parties
  • Declare any interest in a proposed transaction or arrangement

The second of these is particularly important, and directors must act in a way that they consider (in good faith) to be most likely to benefit the company’s shareholders as a whole.

It is also, however, important to keep in mind solvency and wrongful trading. If your company’s solvency is in doubt, a director’s first duty is to creditors, not shareholders. That being said, companies in trouble have been given more breathing room with the recent announcement of changes with respect to wrongful trading.

Under normal circumstances, directors may incur personal liability if they allow a company to continue trading beyond the point at which they should have decided it wasn’t reasonably possible to save it. New measures, however, allow directors to continue trading even if there are reasonable grounds to think that the company may become insolvent, without incurring personal liability. This applies to actions taken after 1 March 2020. There will also be a temporary moratorium to prevent creditors seeking to wind up companies seeking rescue or restructuring, but at the time of writing, this is yet to be introduced.

Ensure that the normal procedures for running your business are adhered to, at least as much as the situation permits. If a decision needs to be made that requires shareholder or board approval, conduct things online using tools such as Zoom or Microsoft Teams (the same applies to meeting with your staff). Ensure that your articles of association permit this, however, and keep to the established processes. Do not succumb to the temptation to let things slide into informality. In particular, if you hold a virtual shareholders’ meeting, ensure that you adhere to the Companies Act 2006 and all required formalities.

Fail to Plan; Plan to Fail

Planning is always important in business, but all the more so now as there is less margin for error. A good starting point is to prepare a cashflow forecast to cover the next two to three months. This should be followed by planning and forecasting for the next couple of years as, even once lockdown restrictions begin to lift, it is likely to take the economy quite some time to stabilise and rebuild.

Organisation is vital. Ensure that your books and management accounts are up-to-date and review everything regularly. All meetings, at whatever level and however formal, should be documented, in accordance with legal requirements where applicable.

Concerns, whether they are of the gravest or most easily dismissed, should all be taken seriously and considered at the appropriate levels within your business, leaving nothing to chance. Changing circumstances could easily turn paranoia into reality on the one hand, and render a significant worry unwarranted on the other. Bury nothing!

Diversify and Grow

Yes – grow! As counterintuitive as it may first appear, such seismic changes to the economic landscape also present opportunities for those businesses ready and willing to adapt. One opportunity is to expand online, particularly if your business has remained predominantly (or entirely) brick-and-mortar in the past. This will not, of course, work for all, but in some cases a move online could not only keep your business afloat during the COVID-19 pandemic, but also benefit it immensely afterward.

It may also be a good time to explore diversification. Perhaps there are new avenues that you have been keen to explore or some that are a natural next step that could be easily accommodated within your existing business model and by your existing staff.

Now is not the time for complacency. Businesses that have built up goodwill and nurtured customer relationships over many years may not, until now, have considered advertising and marketing particularly important. If finances permit, however, now may be an ideal time to consider casting a wider net. Online advertising, particularly on social media, can be an extremely productive investment if done correctly. Similarly, for those businesses already established online, consider your current SEO strategy. Is your website performing at its best? Could you make some changes to it that might move you up a peg or two in the search engine rankings? The internet is key to doing business under normal circumstances and even more so with the vast majority of the population quarantined in their homes.

You CAN Make It!

We keep being assured that there is light at the end of the tunnel. Meanwhile, numerous commentators caution us that we can’t see that light yet. It is certain that the toll that COVID-19 will take on the world will be huge, both in terms of the human cost and economically. Nevertheless, it is vital to persevere, and not surrender to the assumption that your business will fail just because it is facing difficulties.

To wrap up, some key points:

  • Stay up-to-date with the news (but don’t overdo it) and look out for announcements from the government that relate to your business affairs.
  • Document everything, whether required to by statute or not.
  • Avoid informal agreements at all costs.
  • When negotiating or re-negotiating contracts, be sure to cover the important points. Be specific about numbers, dates, review periods, termination, and other key provisions such as force majeure.
  • Communicate with your board, your shareholders, your staff, your suppliers, your customers, your bank, HMRC, and anyone else with whom your business deals. A problem is much harder to solve if those affected by it don’t know about it!
  • Be realistic and act accordingly. Don’t hide from your problems. Be proactive, be honest, be transparent, and be positive!

Being positive may sound awfully trite, but it is vitally important to remain as positive as you can. Looking after yourself as well as your business should be a key priority. Exhaustion and stress will not help keep your business going and could well end up costing you dearly if a lack of focus, or physical or mental illness, stops you from performing at your best. Take time for exercise and for rest. Look after your mental health during these difficult times and ask yourself whether doing something really will make a difference. Will sweating over work until 11pm actually result in anything, or would your mind and work fare better with a fresh start in the morning if you took the evening to relax with your family or catch up with a friend over the phone or online?

Plan for the worst, hope for the best, and take steps now to keep your business going. In the words of President Barack Obama in his 2009 inaugural address: “With hope and virtue, let us brave once more the icy currents, and endure what storms may come.”

Working from Home with Children

Introduction

Working from home is the new normal for thousands of people in many sectors and industries. The laptop on the dining table is the new workstation on the desk; Zoom is the new conference room; and the kids are the new colleagues.

For some, this will be a delightful change, and indeed there are many who thrive on the flexibility and comfort of working from home, enjoying the company of their families as they continue about their labours. For others, however, adapting is hard. Striking a balance between childcare, education, and remaining productive for your employer can be a seemingly insurmountable challenge.

If there is one word that stands out as a solution from all sides, it is flexibility. By embracing flexibility during these challenging times, employers, employees, and their families will all benefit and striking that elusive balance will be that much easier. In this post, we look at some top tips for achieving the holy grail that is the work-life balance.

Setting Realistic Goals

Being realistic is right up there with being flexible. Particularly if you have young children, expecting a full working day that is as productive as a day in the office is likely to be unrealistic. It is, therefore, important to accept that your working day will be disrupted and that long periods of concentration may not be possible.

With this in mind, it is important to prioritise and to plan. Planning applies not only to your work, but to everyone’s. A normal working routine provides structure which can rapidly dissipate without the fixed timetables of school and work attendance. Creating a schedule for the family can be very helpful in recreating that structure.

  • Ensure that everyone gets up at the same times they did before the lockdown began.
  • Get showered and dressed for the day. It will put you in a more productive frame of mind than staying in your pyjamas.
  • Have meals at normal times, together as a family, and free of screens if possible!
  • Devise a timetable that incorporates everyone’s work – grownups and children alike.
  • Plan work carefully. Prioritise and keep track of what you’re doing.
  • Try to maintain boundaries between working and non-working hours.

Everyone is different. Some people thrive in circumstances that stymie others and vice versa. Maintaining self-discipline is important but try to avoid letting that slide into unhelpful comparisons and self-criticism. A colleague may have children too, but perhaps those children are older than yours or perhaps their family’s lifestyle has made them more self-sufficient. Chastising yourself for seemingly not performing as well as that colleague is rarely productive and remember – as the saying goes – the grass is always greener on the other side of the fence!

Work with Your Children

This heading encompasses multiple meanings. Creating a positive environment with as little friction as possible will help everyone to get more done. Importantly, you will need to adapt to the age of your children.

For those with very young pre-schoolers, nap times and early bedtimes may help when planning work time. Instead of trying to work when the kids decide that it’s playtime, consider shifting your working hours to coincide with naps or after bedtime, if the nature of your business or your employer allows it.

When it comes to primary school-age children, find ways to accommodate their desire for attention and set aside time in your schedule to fully engage. Attempts at multitasking rarely succeed in reality. Your productive endeavours and your children will benefit as a result.

Teenagers crave a sense of agency. They are transitioning from childhood to adulthood in more ways than one. So, when it comes to creating a positive home working environment, work with your teens. Negotiate rather than dictate and, depending on the nature of your work and the schoolwork that they have been assigned, perhaps even look for ways to involve them in your own work. This can help you at a practical level and provides many benefits for your offspring too by giving them useful work experience as well as a sense of responsibility.

Whatever age your children are, remember flexibility. While you may be used to – and even enjoy – a relatively rigid routine and work regimen, your children quite likely don’t share your enthusiasm and while it remains important to do your job, ask yourself this question: “Do I work better when I’m in a good mood, or while fuming after a row with the kids?” We hope we know the answer!

Look After Your Health

This is another ingredient to successful home working that applies to your whole family. When you aren’t leaving the house as part of your normal routine, it can be easy to slide into not getting any exercise. Government guidelines on leaving the house during the pandemic allow for outdoor exercise once a day, alone or with people you live with. This includes activities such as walking, running, or cycling. There are also many exercises you can do indoors, with or without exercise equipment.

Maintaining (or even improving) your physical health is important; mental health is, if anything, even more important. This is particularly so under such stressful conditions. Poor mental health can rob you of focus and motivation, ultimately reducing both the quality and quantity of your work. This in turn increases stress and damages your mental wellbeing yet further. Poor mental health can also have a knock-on effect within a family, particularly with everyone stuck at home, unable to take a break. Vicious cycles can develop rapidly. It is, therefore, important to be mindful and to deal proactively and positively with worries, stress, and other mental health issues rather than burying them.

Taking some of the other steps outlined in this piece can help with mental health. By being organised, your mind is free to think more clearly and calmly about things – work and otherwise. By managing your expectations, you are more likely to feel satisfied with your work rather than frustrated and worried by it. By fostering a positive relationship with your children and balancing their wants and needs with your work, you will be cultivating a happier and healthier home.

It is important to stay in the know. Indeed, your job may require you to follow current events in detail. An overload of news and information about the pandemic, however, can be harmful. If you can, limit your consumption of news. Consider picking two or three times per day when you read the latest news or watch a bulletin on TV or online and keep it at that. Also, take great care with your sources; keep to those that you know are trustworthy and reliable. Overconsumption of news will not make you any better-informed, but it may lead to excessive worry, stress, and ultimately more serious health issues. Similar rules should be applied to social media. You may even wish to curate your content more carefully using lists or groups. Twitter, for example, allows you to mute words, phrases, and hashtags.

Communication also plays a key role in maintaining mental health, both within the home and without. Talk to your family and encourage them to talk to you. Human contact is severely limited for many at present, and those with family at home should make the most of it. If you are worried about the virus, about your job, or about anything else, talk to your family and encourage them to do the same. Communicating with your friends is similarly important. You may not be able to socialise in person, but with methods ranging from a simple text message, to a video chat, to a session of Fortnite, there are myriad options available to keep your social life alive and well, and if you need to vent a little about your family with whom you’ve been cooped up for weeks, a phone call with a friend will help relieve pressure tremendously!

Communication is Key

We have looked at the benefits of communicating with your friends and family, and the same applies to your workplace at all levels. Having a chat around the water cooler with colleagues is on hold, but the same workplace relationships can and should be maintained through the other means available, for example, by email or via a workplace online chat tool such as Microsoft Teams.

Communication is also essential in keeping work organised. Even if your own work is largely independent from that of your colleagues, it is important to keep in touch and maintain at least the same knowledge of each other’s work that you would have under normal circumstances. Particularly now, you may have colleagues who need a hand maintaining their own work-life balance, or you may need a hand from them in maintaining yours.

Many workplaces are keeping regular meetings going using online tools such as Teams and Zoom. For those whose work requires communication with customers, other organisations, or similar, the use of company-provided phone systems or internet-based equivalents can be particularly useful. In any case, steps should be taken, wherever possible, to avoid “uninvited guests”. The appearance of children in the background of TV news interviews often goes viral online, but in the day-to-day business context, it is likely to become tiresome and unwelcome rather quickly. Finding a quiet place to work, preferably in a room with a lockable door, is ideal. If this is not possible, noise-cancelling headphones or a headset with a noise-cancelling microphone can at the very least help to filter out some unwanted background racket.

Communication is also important on a practical level within your family. You know how important your work is, and your partner or spouse likely understands it too. Your children, on the other hand, may not. Take the time to explain the responsibilities and pressures of your job and why that means you can’t spend all your time with them, even though you’re at home.

Much of the above also requires regular communication between employers and employees. Some people are fortunate enough to be in a position to arrange their work and their working hours however they would like but, in many businesses, this is not the default option or even possible under normal circumstances. These are not, however, normal circumstances and it is important to remember that many other people within your business are quite likely dealing with the same balancing act as you. Management are likely to prefer that staff work flexibly and productively rather than struggle to work strict nine to five hours while being unable to stay focused at their desk for more than five minutes at a time before having to help with maths homework or clean up a home art lesson gone wrong.

How Employers can Help

Once again, flexibility is key. Flexibility within employment comes in many forms and need not relate only to working hours. Depending upon the nature of the business, flexible hours may not be desirable or even possible. What, then, are the options for employers and their home working staff?

Flexible Working

If the nature of the business permits it, this is likely to be everyone’s favourite option. It maintains the availability of more staff, albeit at varying times, and is better in this regard than the various leave options considered below. Staff could, for example, split their workdays with their partner or spouse, with half a day spent on the children and the other half spent on the job. This could also be combined with working earlier or later in the day, resulting in a normal number of hours worked, with compressed hours, or with weekend working on days when one partner or spouse has more time to spend looking after the children.

For those who work part time, hours could perhaps be spread more thinly. The same number of hours are worked, but over a greater number of days, resulting in more time to spend looking after the kids. For those who do not normally work part time, it may be worth exploring the possibility of moving from full to part-time during the lockdown.

Taking Annual, Parental, or Compassionate Leave

Flexible working is desirable but may not be an ideal fit in all industries. Using annual leave may help to relieve some pressure or at least may buy some time to set up longer-term childcare arrangements. Similarly, leave entitlement could be used in combination with that of a partner or spouse, alternating time off in order to stretch it out somewhat. Given the length of time the lockdown restrictions may last, however, this is unlikely to be a long-term solution.

Parental leave is a second possibility, with every parent of a child (or adopted child) entitled to up to 18 weeks per child up to the age of 18. Unlike annual leave, however, parental leave is unpaid. Moreover, employees are subject to eligibility requirements and need to have been employed by their employer for more than a year.

Time off for dependants is a third option. This is also known as “compassionate leave”. If you have someone who “depends on you”, you are entitled to take compassionate leave for a reasonable period to deal with an emergency involving them. Compassionate leave is usually unpaid, although some employers opt to pay staff taking it. Again, however, taking compassionate leave – or any of the above kinds of leave – for the duration of the lockdown is unlikely to be a viable option for many. Wherever it can be accommodated, therefore, flexible working should be the preferred goal for those with children (or other dependants) to look after.

It All Comes Down to Flexibility

Working from home can be a pleasure or a toil; working at home with children, all the more so (in either direction). For employers and employees alike, in many cases it is a less than desirable combination and will inevitably impact productivity. At the start of this post, we said that flexibility was the watchword, and so it is. Employers will ultimately benefit from being flexible with their employees, enabling their employees to be flexible in turn.

Flexibility is only effective, however, when supported by some sort of structure. Planning and organisation are vital ingredients, as is the maintenance of good health, and effective communication.

Managing expectations is also something that all must do. Employers must manage their expectations of their employees and employees must manage their expectations of themselves. “Business as usual” is, for many, a concept that is unquestionably on hold for the time being, but by accepting and adapting to the unprecedented situation in which we all find ourselves, doing “the best you can” may just bring about better results than you might hope for.
