Commercial Client Reference Articles

Age Discrimination and Retirement

Since the abolition of the Default Retirement Age (DRA) in 2011, it is not permissible for an employer to dismiss an older worker on the ground of retirement unless this can be objectively justified under the Equality Act 2010.

This does not mean that employees will never be able to retire, but that an employer cannot lawfully force an employee to retire at a set age unless the age can be objectively justified under the Equality Act. If this is not possible, the employer faces the double threat of a claim for age discrimination and for unfair dismissal.

Employers therefore have two options. These are:

  • not to have a set retirement age and use other dismissal options where necessary; or
  • to use an Employer Justified Retirement Age (EJRA).

For a set retirement age to be objectively justified, its use must be a proportionate means of achieving a legitimate aim. This is not an easy test to pass, and businesses who do wish to have in place an EJRA are advised to seek legal advice before choosing this option. An EJRA will normally be appropriate for occupations where retirement at a particular age can be justified on health and safety grounds – for example for airline pilots or fire fighters. Employers must provide evidence that the chosen EJRA is necessary – not based merely on assumptions – and be able to demonstrate that no alternative or less discriminatory action could achieve the same result. Employers who choose to use an EJRA must follow a fair procedure, giving the employee adequate notice of their impending retirement and, if circumstances permit, consider any request to work beyond the EJRA as an exception to the normal policy. However, it is important to have procedures in place to ensure consistency of treatment of employees who request to stay on.

Older employees can retire voluntarily at a time of their choosing and draw any occupational pension to which they are entitled under the rules of the scheme. If an employee has given formal notice that they wish to retire, the employer is under no obligation to permit them to withdraw their notice should they change their mind. If, however, an employee has only told their employer that they plan to retire, they can change their mind before formal notice is given.

Great care must be taken if an older employee is performing badly. Procedures for dealing with performance issues must be fair and applied consistently across all age groups. To avoid a claim of unfair dismissal, any dismissal must be for one of the potentially fair reasons for dismissal under the Employment Rights Act 1996. Care must also be taken that any decisions taken by the employer do not discriminate against an employee who has a condition that constitutes a disability under the Equality Act. In such cases, the employer has a duty to make reasonable adjustments to remove any barriers to the employee’s performance.

Group risk insured benefits are exempt from the principle of equal treatment on the grounds of age, so employers who provide such benefits can cease to provide or offer them to employees who reach the State Pension Age, even if they continue to work beyond that age. The age at which group risk insured benefits can be withdrawn will increase in line with increases in the State Pension Age.

In addition, under the pensions auto-enrolment rules, employers are not obliged to enrol workers who have reached the State Pension Age.

Whilst the abolition of the DRA has given employees greater choice and flexibility over when to retire, the move has been criticised as having a negative impact on an employer’s ability to plan workforce requirements to meet future business needs.

The Advisory, Conciliation and Arbitration Service has guidance on retirement that contains useful advice on a possible framework for workplace discussions that will help identify an employee’s future aims, and gives examples of ways of raising the issue of retirement without asking questions that could be seen as discriminatory.

The Equality Act 2010 - A Guide for Employers

The Equality Act 2010 replaced nine major pieces of discrimination legislation and other ancillary measures introduced over the last forty years. The core provisions of the Act came into force on 1 October 2010.

As well as harmonising existing discrimination laws, the Act aims to advance equality and to extend protection from unfairness and discrimination on grounds of disability; age; sex; sexual orientation; gender reassignment; race; religion or belief; marriage and civil partnership; and pregnancy and maternity. These are now called ‘protected characteristics’.

Whilst many of an employer’s obligations regarding discrimination in the workplace remain the same, there are some key changes that do need to be addressed as the Act extends some protections to characteristics that were not previously covered and also strengthens some aspects of equality law.

Types of Discrimination – Definitions

Direct Discrimination
Direct discrimination occurs where the reason for a person being treated less favourably than another is one of the protected characteristics covered by the Act. The new definition is broad enough to cover instances where someone does not have the protected characteristic but has suffered less favourable treatment because of their association with someone who does (discrimination by association) or where the victim of less favourable treatment is wrongly thought to have a protected characteristic (perception discrimination).

Indirect Discrimination
Indirect discrimination occurs when a policy or practice which applies in the same way to everyone has an effect which particularly disadvantages people with a protected characteristic, unless the person applying the policy or practice can justify it by demonstrating that it is a proportionate means of achieving a legitimate aim.

Indirect discrimination can also occur when a policy would put a person at a disadvantage were it to be applied. For example, where a person is deterred from doing something, such as applying for a job, because a policy which would be applied would result in his or her disadvantage, this may also be indirect discrimination.

Indirect discrimination now covers all the protected characteristics apart from pregnancy and maternity.

Harassment is unwanted conduct that is related to a relevant protected characteristic that has the purpose or effect of creating an intimidating, hostile, degrading, humiliating or offensive environment for the complainant or of violating the complainant’s dignity.

Harassment applies to all the protected characteristics apart from pregnancy and maternity and marriage and civil partnership. The definition means that employees can complain of behaviour they find offensive, even if it is not directed specifically at them and the complainant need not possess the relevant protected characteristic themselves.

Third Party Harassment
Under Section 40 of the Act, an employer was potentially liable for harassment of an employee by a third party, for example a customer or client. However, the third party harassment provisions were repealed with effect from 1 October 2013.

Victimisation takes place where one person treats another badly because he or she has, in good faith, done a ‘protected act’, for example taken action, or supported any action taken, for the purpose of the Act, including in relation to any alleged breach of its provisions. Victimisation also occurs where one person treats another badly because he or she is suspected of having done this or of intending to do so. A person is not protected where he or she maliciously makes or supports an untrue complaint. Only an individual can bring a claim for victimisation.

Under the Act, victimisation is technically no longer treated as a form of discrimination, so there is no longer a need to compare treatment of an alleged victim with that of a person who has not made or supported a complaint under the Act.

Specific Points to Note

The definition of disability remains essentially the same. A person is disabled if they have a physical or mental impairment which has a substantial and long-term adverse effect on their ability to carry out normal day-to-day activities. However, the Act removes the requirement to consider a list of eight capacities, such as mobility or speech, hearing or eyesight, when determining whether or not a person is disabled. This change will make it easier for some people to demonstrate that they meet the definition of a disabled person.

The Act replaces the concept of disability-related discrimination with a new protection from discrimination arising from disability. This means that a person discriminates against a disabled person if they treat them unfavourably because of something arising from, or in consequence of, their disability where the employer or other person acting for the employer knows, or could reasonably be expected to know, that the employee has a disability, unless the treatment can be shown to be a proportionate means of achieving a legitimate aim. This definition means that there is no need for a disabled employee to establish that his or her treatment is less favourable than that experienced by other, non-disabled employees.

The concept of indirect discrimination has been extended to the protected characteristic of disability.

As before, an employer has a duty to make reasonable adjustments to help employees overcome disadvantages arising from an impairment. Failure of the duty cannot be justified. The Act makes clear that this duty includes a requirement to provide an auxiliary aid, such as job application forms in large print for someone with a visual impairment or a specially adapted computer keyboard for an employee with arthritis, if this would overcome the substantial disadvantage to the disabled person.

The Act protects people of all ages. However, different treatment because of age is not unlawful direct or indirect discrimination if the employer can justify it – i.e. can demonstrate that it is a proportionate means of achieving a legitimate aim. Age is the only protected characteristic that allows an employer to justify direct discrimination.

As of 6 April 2011, it is no longer lawful to compulsorily retire an employee on the grounds of age unless the dismissal can be objectively justified as a proportionate means of achieving a legitimate aim, which is not an easy test to pass.

Group risk insured benefits are exempt from the principle of equal treatment on the grounds of age, so employers who provide such benefits can cease to provide or offer them to employees aged 65 and above, even if they continue to work beyond that age. The age at which group risk insured benefits can be withdrawn will increase in line with increases in the State Pension Age.

Employers can continue to use the development bands of the national minimum wage without the threat of legal challenge on the grounds of age discrimination.

Gender Reassignment
A transsexual person now has the protected characteristic of gender reassignment.

The Act defines this as being where a person has proposed, started or completed a process to change his or her sex. Note that he or she is no longer required to be under medical supervision to come within the definition.

It is discrimination to treat transsexual people less favourably for being absent from work because they propose to undergo, are undergoing or have undergone gender reassignment than they would be treated if they were absent through illness or injury.

In January 2016, a report by the Women and Equalities Committee made recommendations calling for the Government to act to ensure full equality for trans people. One of the report's recommendations was that the use of the terms 'gender reassignment' and 'transsexual' in the Equality Act is outdated and misleading, as the preferred term is 'trans'. Please note that the terms used in this article are those used in the Act itself. However, employers are advised to make sure that relevant policies use the more up-to-date terminology.

Pre-Employment Health Questionnaires
In order to protect job applicants with a disability from discrimination during the recruitment process, the Act prohibits the use of questionnaires on an applicant’s general health and related issues prior to a job offer being made. This includes prohibiting the use of such questionnaires before selecting a pool of applicants from whom the successful candidate will be chosen.

The measure does not prevent employers from asking job applicants any questions about their health but stipulates that they are only allowed to do so for specific purposes, for example deciding whether a job applicant can carry out a function that is essential (‘intrinsic’) to the work concerned.

Equal Pay
The Act allows an employee to bring a claim of direct pay discrimination using a hypothetical comparator where no actual comparator of the opposite sex exists.

Pay Secrecy Clauses
The Act makes pay secrecy clauses unenforceable and provides that individuals who discuss their pay with one another in order to find out if there might be pay discrimination with regard to any of the protected characteristics are protected from victimisation, even if their employment contract requires them not to discuss their pay.

Positive Discrimination
As with previous equality legislation, the Act allows an employer to take ‘positive action’ in certain situations. Positive action is lawful where it is necessary to prevent those who share a particular protected characteristic from suffering a disadvantage connected with that characteristic or if their participation in an activity is disproportionately low.

The Act also contains provisions that allow positive action specifically in the process of recruitment and promotion, in limited circumstances. These provisions mean that it is not unlawful to recruit or promote a candidate who is of equal merit, in relation to the specific job or position for which they have applied, to another candidate for the same post if the employer reasonably thinks that:

  • the candidate has a protected characteristic that is under-represented in the workforce; or
  • people with that characteristic suffer a disadvantage connected to that characteristic.

This kind of positive action is only allowed where it is a proportionate way of addressing the under-representation or disadvantage. The Act does not allow an employer to appoint a less suitable candidate just because he or she has a protected characteristic that is under-represented or disadvantaged.

Dual Discrimination
Section 14 of the Act contains provisions that would allow individuals who believe they have been treated less favourably on account of two protected characteristics to bring a combined claim. For example, a woman may feel she has suffered discrimination on account of both her sex and her age. However, this provision has not been implemented.

Genuine Occupational Requirements
Under the Act, there is now a single occupational requirement that must exist for direct discrimination in favour of a particular protected characteristic to be lawful. This applies to all the protected characteristics and differs from the previous exceptions for occupational requirements in that it makes clear that the requirement must pursue a legitimate aim and that the burden of showing that the exception applies rests on those seeking to rely on it.

Organised Religion
Where employment is for the purposes of an organised religion, an employer is permitted to apply a requirement to be of a particular sex or not to be a transsexual person, or to make a requirement related to the employee’s marriage or civil partnership status or sexual orientation, but only in narrowly defined circumstances.

In March 2017, the Government launched a consultation entitled 'Caste in Great Britain and Equality Law', seeking views on how best to ensure that appropriate and proportionate legal protection exists for victims of caste discrimination.

The consultation suggested two potential ways of achieving this, which were:

  1. to implement a duty, which was introduced by Parliament in 2013, to bring caste discrimination within the scope of the Equality Act; or
  2. to rely on emerging case law, which in the Government's view shows that a statutory remedy against caste discrimination is available through existing provisions in the Act, and to invite Parliament to repeal the duty on that basis.

Having considered the responses, the Government has decided not to add caste to the list of protected characteristics under the Act on the ground that it already affords this protection. The decision takes into account that caste is an exceptionally controversial, deeply divisive issue, and legislating for it to become a protected characteristic would be as divisive as doing the same for 'class' would be across British society more widely. Reliance on case law, and the scope for individuals to bring claims of caste discrimination under 'ethnic origin' rather than caste itself, is likely to create less friction between different groups and help community cohesion.

The Burden of Proof
In any claim where someone alleges discrimination, harassment or victimisation under the Act, the burden of proving his or her case starts with the claimant. Once the claimant has established sufficient facts, which in the absence of any other explanation point to a breach having occurred, the burden then shifts to the respondent to demonstrate that no breach of the provisions of the Act has occurred.

Extension of Employment Tribunal Powers
Previously, an Employment Tribunal could only make recommendations for the benefit of the individual claimant. The Act extends this power so that Tribunals can now make recommendations that an employer takes steps to eliminate or reduce the effect of discrimination on other employees.

Further information and Codes of Practice supporting the Act can be found on the website of the Equality and Human Rights Commission.

Employers should ensure that their equal opportunity policies, contracts of employment and recruitment procedures are up to date and that staff are informed and trained accordingly in order to comply with the provisions of the Act.

In addition, it is important to make sure that compromise agreements refer to settling claims under the Act where appropriate.

Failing to Prevent Bribery - Are You at Risk?

The Bribery Act 2010 came into force on 1 July 2011. It created a new offence which can be committed by a commercial organisation if it fails to prevent persons associated with it from committing bribery on its behalf. A business can provide a defence by showing that it had ‘adequate procedures’ to prevent bribery by such persons from taking place, however. Organisations that have not already done so should ensure they have the necessary prevention procedures in place.

What is deemed to be adequate will depend on the nature, size and complexity of your business. The key point is that to rely on the defence, the measures you adopt must be proportionate in view of the likelihood of bribery occurring – for example, a large firm which operates in overseas markets is likely to be more at risk than a small organisation undertaking business primarily in the UK. You should therefore carry out a risk assessment of the potential that exists for bribery offences to be committed, especially when entering into new business arrangements and new overseas markets.

Where appropriate, due diligence should be carried out so that you know exactly whom you are dealing with, especially when engaging others to represent you in business dealings.

Whatever anti-bribery procedures you do decide are necessary should be seen to have the backing of those at the top of the organisation and the policy should be communicated to staff and others who will perform services for you, with training provided where appropriate, so that it is clear that the business culture is one in which bribery is not tolerated. If the risks you face change, your procedures may cease to be effective, so it is important to make sure these are kept up to date.

Concern has been expressed that spending on hospitality could cause a business to fall foul of the Bribery Act. The position is that you can continue to provide bona fide hospitality and spend money on promotional or other business initiatives provided the expenditure is reasonable and proportionate given the sort of business you are engaged in. The expenditure should be made in order to promote your products or services, improve the image of your business or establish good relations with clients, with no intention of corrupting the independence of the recipient.

The Serious Fraud Office advises that when considering whether expenditure on corporate hospitality can be considered to be a bribe, it will look at five factors:

  1. Whether or not the organisation has issued a clear policy regarding gifts and hospitality;
  2. Whether the expenditure in question was compliant with the policy and, if not, whether or not it had been sanctioned at the appropriate level within the organisation;
  3. Whether or not the expenditure was proportionate with regard to the status of the recipient;
  4. Whether or not the expenditure had been entered in the organisation’s books of account; and
  5. The lawfulness of the receipt by the recipient under the laws of his or her own country.

Where an offence under the Act is committed with the consent or connivance of a senior officer of an organisation, that person (as well as the body corporate or partnership) is guilty of the offence and liable to be proceeded against and punished accordingly. The maximum penalty for individuals is 10 years’ imprisonment or an unlimited fine, or both. The maximum penalty for commercial organisations is an unlimited fine.

The Ministry of Justice has published guidance on the Act, including case studies illustrating what approach businesses might take in certain situations.

The Corporate Manslaughter Act

The Corporate Manslaughter and Corporate Homicide Act 2007 established a new statutory offence of corporate manslaughter (corporate culpable homicide in Scotland).

An organisation is guilty of the offence if the way in which it manages or organises its activities causes a death and amounts to a gross breach of a relevant duty of care to the deceased. A substantial part of the breach must have been in the way activities were managed by the senior management of the organisation.

The offence built on the responsibilities that employers and organisations already owed to their employees and members of the general public, with regard to the premises occupied and the activities carried out.

Before the introduction of the Act, an organisation could only be convicted of manslaughter if a ‘directing mind’ – i.e. a senior manager or director – was also personally liable. However, this did not reflect the reality of the way decisions are made in large organisations and there were very few prosecutions as a result. Under the Act, the offence is concerned with the corporate liability of the organisation itself, allowing this to be assessed on a wider basis and providing greater accountability for serious management failings across the organisation. It continues to be possible to bring prosecutions for gross negligence manslaughter against individuals, however, where there is sufficient evidence and it is in the public interest to do so.

When determining whether an organisation is guilty of the offence of corporate manslaughter, the courts will look at management systems and practices across the organisation and whether an adequate standard of care was applied to the fatal activity. Juries are required to consider the extent to which an organisation was in breach of its health and safety requirements and how serious those failings were. They are able to consider the culture that exists within an organisation regarding health and safety issues. Lax management attitudes that result in a lower standard of care than could reasonably be expected will be punished.

An organisation convicted of corporate manslaughter can receive:

  • an unlimited fine;
  • a publicity order requiring the organisation to publicise its conviction and certain details of the offence; and
  • a remedial order requiring the organisation to address the cause of the fatal injury.

Cases brought under the Act took a while to reach court, with the first prosecutions involving small companies. However, more recent cases, although few in number, show that the courts take very seriously breaches of health and safety laws that lead to someone being killed.

A consultation paper published in July 2017 by the Sentencing Council for England and Wales ('Manslaughter Guideline Consultation') proposed that the current law on manslaughter committed by negligent employers should be beefed up, with longer potential terms of imprisonment in cases of 'gross negligence manslaughter'.

The Sentencing Council has now published 'Manslaughter – Definitive Guideline', setting out for the first time step-by-step guidance on how offenders convicted of gross negligence manslaughter should be sentenced in England and Wales. Judges are being advised to consider life in prison for the most serious culprits, with a recommendation they serve at least 18 years before being eligible for parole. The new rules come into force for sentences handed down from 1 November 2018.

The majority of those charged with the offence are likely to be employers, but grossly negligent medical practitioners can also be charged.

Employers are advised to keep their procedures under review, especially those with direct health and safety implications. Successful defences to charges of corporate manslaughter will inevitably depend on being able to prove that the organisation takes a responsible attitude to health and safety, with appropriate risk management procedures in place that are enforced rigorously.

Workplace Stress - An Employer's Duties

The Chartered Institute of Personnel Development (CIPD) has published its eighteenth annual survey, 'The Health and Well-Being at Work Report', which was carried out in November 2017 in partnership with Simplyhealth. Whilst the survey continues to monitor absence management trends, policy and practice, as in past years, this year the focus has shifted from absence management to health and well-being at work.

The 2017 survey found that organisations that have in place a standalone well-being strategy, with senior managers and line managers who recognise the importance of and promote the well-being of workers, are more likely to report positive outcomes with regard to employee health.

Stress-related absence increased over the last year in nearly two-fifths of organisations, while even more report a rise in reported common mental health conditions, such as anxiety and depression. More organisations reported that mental ill health was among their most common causes of short- and long-term absence. One in five of those who responded reported that mental ill health is the number one cause of long-term absence in their organisation, while nearly three-fifths reported that it is among their top three causes of long-term absence.

The main causes of stress at work have changed very little over the last few years, with workload remaining the main cause of stress-related absence, particularly in larger organisations. Management style was the second main cause of stress, compared with the third main cause in 2016. Non-work factors such as family and relationships also remain one of the major causes of stress. In larger organisations, however, considerable organisational change/restructuring was likely to rank among the top three causes of workplace stress.

The number of organisations that reported seeing an increase in stress-related absence and mental health problems indicates that these continue to give cause for concern.

Work-related stress occurs when a worker reacts in an adverse way to excessive pressures or demands in the workplace. It can affect a person's mental and physical health. A distinction can be made, however, between abnormal pressure that is beyond the worker's ability to cope and the normal pressures of work that an employer is entitled to expect people to handle without adverse effects.

Dealing with stress is a difficult issue for employers. In addition to specific duties under health and safety legislation, such as carrying out risk assessments/stress audits, they owe their employees a common law duty to take reasonable care to safeguard their health and safety, and this includes a duty to control stress levels at work. Employers are only in breach of their duty if they have failed to take reasonable steps in the circumstances to prevent the stress. It is foreseeable injury arising from an employer's breach of duty that gives rise to a liability, and foreseeability depends on what the employer knows (or ought reasonably to know) about an individual employee. However, taking positive steps to safeguard the well-being of workers, such as ensuring that the working environment is free from the sort of pressures that can have an adverse effect, makes good business sense as doing so is likely to have a beneficial impact on the productivity and efficiency of a business.

Larger employers should make sure that managers are trained to recognise the signs of stress and know how to respond, and that they conduct themselves in a way that minimises stress and promotes a happy working environment. Employers should be aware that they can be found vicariously liable for the actions of their employees in certain circumstances.

An employer who is actively managing potential causes of work-related stress and preventing day-to-day pressures from becoming excessive is unlikely to be found in breach of their duty. The legal duty to carry out assessments so that risks posed by work-related stress can be managed means that it is important to examine your workplace to spot the signs of existing work-related stress and to identify any potential sources of stress that could put employees at risk. These assessments should be kept under regular review. Do you, for example, monitor employees' working hours to make sure they have appropriate rest breaks? Do sickness absence figures or staff turnover rates reveal a problem with high stress levels that should be tackled? Do you have policies in place to identify and deal with any instances of bullying and harassment?

Employers have a legal duty to consult with duly elected safety representatives of employees on health and safety matters, or with employees themselves where there are no formally elected representatives, and there is no exemption from this requirement for 'small' employers. However, you might also consider carrying out periodic employee satisfaction surveys seeking views on workplace morale and attitudes to stress, and asking for suggestions on ways of combating any problems.

If you become aware that an employee is suffering from work-related stress, you are required to take reasonable steps to prevent it. It is often helpful to agree an action plan with the employee concerned. Case law suggests that an employer who offers a confidential advice service to employees suffering from stress, with referral to appropriate counselling or treatment services, is less likely to be found to have failed in their duty of care, provided reasonable steps are taken at the same time to alleviate the problem – for example by reducing that person's workload or making changes to the way they work.

Employers are reminded of their specific duty under the Equality Act 2010 to make reasonable adjustments to the work or workplace where an employee is disabled, the definition of which can include persons who are experiencing mental health problems caused by stress where their illness is having a substantial and adverse effect on their ability to carry out normal day-to-day activities, the effect is long-term and the condition is likely to recur.

The message to employers is clear: stress cannot be ignored. It is important to have in place a stress policy that is proactive in promoting the well-being of workers. If and when stress-related complaints are made, they must be treated seriously, investigated fully and appropriate action taken at once. Active intervention is required. Monitor the situation to see if the remedial action is working and continue to do so until the situation is resolved. Make any changes necessary to prevent a recurrence where possible.

The Health and Safety Executive has comprehensive guidance on work-related stress.

GDPR General Principles

The General Data Protection Regulation (GDPR) applies detailed provisions to ensure that personal data – i.e. any data relating to an identifiable person – is properly processed and kept secure, and imposes a significant compliance regime on those who hold such data.

Key to the GDPR is the concept of 'data protection by design', so that data protection risks are considered at all steps of data handling and storage.

The GDPR builds on the existing data protection principles, as set out in the Data Protection Act 1998 (which has now been updated with a broader and stricter Data Protection Act 2018), but also makes significant changes, imposing stricter rules concerning the holding and management of data and also the use of personal data for commercial purposes. There are substantial rights given to individuals as to how information about them is collected and held.

The key principles are that the processing of personal data must be lawful, fair and transparent. This means that only the minimum necessary amount of personal data must be collected and only for specified, explicit and legitimate purposes. The data must be accurate and kept up to date, with access to it and use of it restricted to only those personnel who are necessary for the purpose, and it must be retained for no longer than is necessary and kept secure.

The most significant addition is the 'accountability principle', whereby data controllers must keep records to demonstrate how they comply with the data protection principles – for example by documenting the decisions taken about a processing activity.

The ICO has published a guide and checklist for complying with the GDPR. The requirements are substantial for organisations of all sizes and the potential fines for failure to adhere to data protection law are extremely severe.

GDPR Guidance

If you have not yet taken steps to ensure your business complies with the General Data Protection Regulation (GDPR), the time to start is now: it came into force on 25 May 2018, from which date the Information Commissioner's Office (ICO) will start to enforce the new data protection regime. Failing to adhere to it can bring swingeing fines.

The GDPR applies detailed provisions to ensure that personal data – i.e. any data relating to an identifiable person – is properly processed and kept secure, and imposes a significant compliance regime on those who hold such data.

Key to the GDPR is the concept of 'data protection by design', so that data protection risks are considered at all steps of data handling and storage.

The GDPR builds on the existing data protection principles, as set out in the Data Protection Act 1998, but also makes significant changes, imposing stricter rules concerning the holding and management of data and also the use of personal data for commercial purposes. There are substantial rights given to individuals as to how information about them is collected and held.

The key principles are that the processing of personal data must be lawful, fair and transparent. This means that only the minimum necessary amount of personal data must be collected and only for specified, explicit and legitimate purposes. The data must be accurate and kept up to date, with access to it and use of it restricted to only those personnel who are necessary for the purpose, and it must be retained for no longer than is necessary and kept secure.

The most significant addition is the 'accountability principle', whereby data controllers must keep records to demonstrate how they comply with the data protection principles – for example by documenting the decisions taken about a processing activity.

The ICO has published a guide and checklist for complying with the GDPR.

For advice on how the GDPR affects you, contact us.

GDPR Documenting Processing Activities

Article 30 of the EU General Data Protection Regulation (GDPR) contains explicit provisions that require organisations to maintain internal records of their data processing activities.

This obligation reflects the increased importance of accountability and the need to ensure (and demonstrate) that your organisation processes personal data in line with the GDPR. 

Most organisations must document their processing activities to some extent. Both data controllers and data processors have their own documentation obligations, but controllers are required to keep more extensive records than processors.

The scope of the exemption from documentation is still under consideration. Under the current guidance, organisations with 250 or more employees will be required to document all their processing activities. Smaller organisations must do so where the processing is not occasional, where it is likely to result in a risk to the rights and freedoms of data subjects or where it includes special categories of data. The latter largely refers to what is currently termed 'sensitive personal data' under the Data Protection Act 1998, but also includes genetic and biometric data when this is processed in order to uniquely identify an individual. Similar extra safeguards apply to the processing of personal data relating to criminal convictions.

The Information Commissioner's Office (ICO) has published detailed guidance on documentation. This explains how maintaining up-to-date records of data processing activities can assist in complying with other elements of the GDPR, such as drafting privacy notices, responding to access requests and ensuring the personal data you hold is relevant, accurate and secure. Knowing precisely what data you hold will also support good practice in data governance and increase business efficiency.

The ICO's guidance on documentation can be found on the ICO website.

The GDPR came into effect on 25 May 2018, as did the Data Protection Act 2018. This widens the scope of data protection law somewhat and increases the penalties for various offences.

The GDPR and Your Firm's Pension Scheme

The press is awash with comment about the General Data Protection Regulation (GDPR), which came into full effect on 25 May 2018. It would be difficult for any organisation not to be aware by now of the issues and, hopefully, your business is well on the way to making sure it complies.

However, many businesses do not seem to be aware that a firm's pension scheme must also comply with the GDPR, and the trustees of the pension scheme will be responsible for this.

Pension schemes hold a great deal of information about individual members and former members, which is protected data under the GDPR.

In order to comply, the scheme trustees will need to understand what personal data they hold and ensure the data is:

  • processed fairly and lawfully;
  • kept secure and up to date and is accurate;
  • only collected for legitimate purposes which are clearly specified; and
  • retained no longer than it is needed.

They must also demonstrate that the pension scheme has the systems and procedures in place to be able to prove compliance with the scheme's data protection policies and the GDPR.

For advice on any data protection issue or on your legal obligations regarding your firm's pension scheme or as a pension scheme trustee, contact us.

Direct Marketing Via E-mail - Regulations

UK law relating to the sending of unsolicited direct marketing material by electronic means is based on the EC Directive on Privacy and Electronic Communications and is modified by the General Data Protection Regulation, which started to be enforced in the UK in May 2018.

A major aim of the Directive was to cut down on the amount of ‘spam’ that e-mail users receive from companies with whom they have never had dealings. The Department of Trade and Industry defines spam as ‘unsolicited commercial bulk e-mail sent without the consent of the addressee and without any attempt at targeting recipients who are likely to be interested in its contents’.

Whilst the intention behind the law is clear, the regulations only apply to UK businesses and will do nothing to prevent spam originating in countries where the relevant laws are less strict or, indeed, non-existent. For genuine UK businesses seeking to increase sales of their products to a targeted market, the effect will be more red tape in order to ensure they do not fall foul of the regulations.

The regulations apply to unsolicited commercial e-mails and text messages (SMS) sent to individual subscribers, rather than to company addresses, so much business-to-business e-marketing is not affected. However, under the regulations the term ‘individual subscriber’ includes sole traders, non-limited liability partnerships and their employees.

All direct marketing e-mails, regardless of whom they are sent to, must include clear sender and contact details. In addition:

  • businesses must gain prior consent in that an individual must have actively opted in before they are sent unsolicited marketing e-mail;
  • if your website uses cookies, or other tracking devices, to recognise previous visitors or to capture information about a user’s preferences, you must tell them this and inform them as to how any collected information will be used. Consumers must be given the right to refuse cookies;
  • individuals are given greater rights to decide whether they wish to be listed in subscriber directories. Directory providers will have to give them full information and a reinforced chance to be ex-directory.

If the recipient of the e-mail was a customer prior to 11 December 2003, you may continue to market to them providing:

  • their e-mail or SMS details were obtained through the sale, or negotiations for the sale, of a product or service;
  • the product or service you are marketing is a similar one;
  • the individual had the opportunity to opt out of receiving direct marketing material at the time they gave their contact details and is given the chance to unsubscribe or opt out on each new message that is sent; and
  • the identity of the sender is not concealed.

However, where a customer has previously registered an interest in a company’s products or services, but has neither bought anything nor entered into negotiations to purchase which then fell through, then that individual’s consent must be sought before you can contact them again for direct marketing purposes.

The Office of the Information Commissioner is responsible for enforcing the regulations by issuing enforcement orders to those who do not comply. Breach of an enforcement order is a criminal offence liable to a fine of up to £5,000 in a Magistrates’ Court or an unlimited fine if the trial is before a jury. Any individual who has suffered damages as a result of a breach of the regulations has the right to sue the person responsible for compensation.

View regulations.

The GDPR requires that consent to be sent marketing e-mail must be unambiguous and freely given and that the recipient must be given adequate information on how their information will be used.
