Perhaps the biggest challenge facing a business in 2024 is not knowing what it doesn't know, especially in light of the many legislative changes on the horizon. Innocent oversights can have serious legal consequences. In this article we highlight some of the most common challenges SMEs are facing and how they can be mitigated. Compliance refers to the ways in which a business ensures it is following both its own internal compliance framework and all the laws and regulations that apply to its business or industry. Compliance is not just about following the letter of the law; it is about planning and prevention. A robust compliance programme can reduce legal costs, shorten the time taken to resolve regulatory issues and lower the risk of fines. Below we highlight three areas where recent legislative changes mean businesses need to pay attention.
Data Protection/GDPR – Data is more valuable than ever, which has led the UK legislature to add further safeguards for individuals when dealing with businesses. The Data Protection and Digital Information Bill introduced in 2023 aimed to simplify data protection law for business, but it did not complete its passage before the 2024 general election, and the onus remains on businesses to understand and manage their responsibilities under the UK GDPR and the Data Protection Act 2018. Do you know what personal data you hold? When did you last check whether it was up to date? Do you hold any "special category" personal data? Do you need a Data Protection Officer? A simple assessment of the type and use of data within your business (in effect a data-mapping exercise) can help to mitigate the risk of breaching data protection law. Fines for breaches remain high, but it is the reputational impact that probably affects businesses more in the long term.
ESG Reporting and CSR – Environmental, social and governance reporting, along with corporate social responsibility, are increasingly challenging yet important matters for businesses, their employees and their customers. There are numerous environmental laws which all businesses need to be aware of and comply with, and some sectors are more heavily regulated than others. Areas for consideration include waste management and disposal, pollution, energy consumption and emissions. It is for the business to determine its own philosophy and ethos and to put policies in place to manage and monitor them. A detailed environmental policy can enhance reputation, serve as a unique selling point and help with recruiting and retaining employees.
Recent indications are that the UK will move to adopt international sustainability reporting standards in 2025, which will change current reporting requirements. At the moment most reporting requirements apply to medium and large companies; however, with a new government in power whose manifesto pledged energy independence and clean power by 2030, businesses of all sizes are likely to see some level of impact.
The social element of ESG generally concerns the relationship your business has with its employees, customers and community. Legal obligations here can include policies and procedures on workplace discrimination, modern slavery, health and safety, equality, diversity and inclusion, as well as supplier codes of conduct.
Finally, the third arm is governance, which combines legal obligations with ethical and moral considerations. It refers to the way a business is directed and controlled and how it manages its operations. Good governance focuses on promoting ethical behaviour, transparency, accountability and effective decision-making within the business.
Corruption & Anti-Money Laundering – A recent report* claimed that there are no corruption-free zones in Europe, concluding that pressure is mounting on businesses to strengthen professional integrity, build trust and fight corruption. The report goes on to claim that "most unethical activity is done by otherwise honest employees who, due to circumstances or peer pressure, are compelled to act unethically". This is supported by a 2024 PwC** report which estimated that more than US$1 trillion is paid each year in bribes globally and that US$2.6 trillion is lost to corruption, around 5% of global GDP.
This may all sound like doom and gloom; however, by risk-assessing your business and putting internal controls and monitoring in place, you can minimise your exposure to corruption. Customer and supplier due diligence is a must so that you know where money is coming from, especially for high-value transactions or where the customer or supplier is not physically present or is based overseas. Traceability of funds through good internal controls and procedures is key to reducing the risk of money laundering. Linked to this, the Economic Crime and Corporate Transparency Act 2023 (ECCTA) received Royal Assent in October 2023, giving Companies House new powers to query the information submitted to it and to require identity verification for company directors and persons with significant control. The effect of the ECCTA will be felt by all businesses through more robust and thorough scrutiny of Companies House filings.
These legal challenges are not insurmountable and with a Franklins outsourcing legal health-check we can provide practical and affordable solutions to help you plan for compliant business growth.
You can contact our Legal Outsourcing team here or call on 01604 936512 / 01908 953674 or email info@franklins-sols.co.uk.
*NAVEX Global Corruption and Anti-Bribery Report
**PwC 5 forces of corruption and anti-bribery 2024
Terms and Conditions of a business are the legal contract between a provider and customer for the supply of goods or services. This contract regulates the business relationship between the provider and customer by setting out the rights and responsibilities of each party.
Businesses often adopt standard terms and conditions because it is quicker and easier. However, more often than not, the standard terms turn out not to cover every aspect of the business relationship, and those gaps can cause unwanted disputes. It is therefore important for a business to ensure that the terms it provides to customers clearly and fairly cover all elements of the relationship.
Key provisions
Although most agreements vary from one another depending on the goods or services provided, there will be key provisions that remain similar.
- A limitation of liability clause sets out what happens if either party breaches the agreement and caps a party's exposure to liability should such a breach occur. It is therefore important for such a provision to be drafted in an unequivocal way.
- The term of the agreement should be clearly set out as well in order to determine whether the business relationship exists for a fixed term, and if so, the length of this business relationship.
- Payment terms (the consideration) should appear in every set of terms and conditions. They enable the parties to set out clearly the amount payable, the method of payment and what happens in the event of late payment.
- Another important provision concerns data protection and compliance with the UK GDPR, so that both parties agree the correct protocol for protecting the personal data passed between them.
The above is a non-exhaustive list of the provisions to consider and look out for when reviewing terms and conditions, and it is therefore important for businesses to take legal advice when drafting terms and conditions or before signing them. Our Solicitors have a wide range of experience in advising businesses on drafting and negotiating terms and conditions in accordance with their clients' instructions, so that the contract is truly tailored to their needs.
For further advice and assistance please contact our Commercial Solicitors on 01604 828282 / 01908 660966 or email info@franklins-sols.co.uk
Clothing company H&M has been fined €35.3 million (around £32.1 million) for breaching the GDPR. H&M violated the privacy of its employees by conducting unlawful workplace surveillance. The Data Protection Authority of Hamburg, Germany, stated that H&M's staff had been subject to "extensive recording of details about their private lives". This included details about their families, medical symptoms and diagnoses, religious beliefs, details of holidays and information from informal conversations.
The fine highlights the repercussions faced by companies that breach the GDPR. Under Article 5 GDPR, personal data must be processed lawfully and collected only for specified, explicit and legitimate purposes. At the time of writing this is the second highest fine issued to a company for breaching the GDPR; the highest single fine to date was the €50 million imposed on Google by the French data protection regulator CNIL in 2019. A company can be fined up to €20 million or 4% of its global annual turnover for the preceding year, whichever is greater, for severe violations of the GDPR.
H&M has apologised to all affected employees, and all staff at the service centre in Nuremberg who have been employed for at least one month since the GDPR came into force in May 2018 will receive financial compensation.
If you require legal assistance regarding the GDPR, please do not hesitate to contact Christopher Buck, Associate Partner in our Business Services team, on 01908 660966 / 01604 828282 or by email at christopher.buck@franklins-sols.co.uk, who will be happy to assist.
The Information Commissioner's Office (ICO) has fined the airline Cathay Pacific £500,000 for failing to secure its customers' personal data. Cathay Pacific failed to implement appropriate security measures in its computer systems, which led to the personal data of around 9.4 million people worldwide, 111,578 of them UK residents, being exposed. The personal data exposed included names, dates of birth, passport details, addresses, phone numbers and travel history. The airline first became aware of suspicious activity in March 2018, when attackers attempted to gain access to a database by repeatedly guessing passwords and passphrases, an approach described as a "brute-force" attack. Cathay Pacific engaged a cybersecurity firm, which discovered numerous failings that were reported to the ICO. These included: back-up files that were not password protected; insufficient anti-virus protection; internet-facing servers without the latest patches; and the use of operating systems that were no longer supported by the developer.
Following the implementation of the GDPR in May 2018, enhanced UK and European data protection laws have come into force. However, because of when Cathay Pacific's breaches occurred, the ICO investigated this case under the Data Protection Act 1998. The ICO found that Cathay Pacific had breached Principle 7 of the 1998 Act, which provides that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data". The fine of £500,000 is the maximum possible under the 1998 Act. Under the GDPR, by contrast, a company can be fined up to €20 million or 4% of its global annual turnover for the preceding year, whichever is greater, for severe violations. Companies therefore need to ensure that they comply with the GDPR and have sufficient mechanisms in place to protect personal data, both to comply with the law and to avoid fines. Over time, it is highly likely that the number of fines imposed will rise in line with the daily rate of breach notifications, which has increased from 247 per day (the average during the first eight months of the GDPR) to approximately 278 per day.
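The "brute-force" guessing described above leaves a distinctive trail in authentication logs: many failed logins from one source in a short period, often against many different accounts. The following is an added example, not Cathay Pacific's or the ICO's tooling, of how a defender could spot that pattern; the log format, field names, sample lines and thresholds are all assumptions constructed for the illustration.

```python
"""Sliding-window brute-force detection over authentication log lines.

Added example for illustration only. The log format, field names and
thresholds are assumptions made for this demo, not any real system's.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Assumed log format (constructed for this example), one event per line:
#   <ISO-8601 timestamp> auth <ok|failed> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window_seconds=60, spray_users=3):
    """Flag sources with at least `threshold` failed logins inside any
    `window_seconds` window. Returns {src: {"failures", "users", "first",
    "last", "spray", ...}} for each flagged source. A source that hits the
    threshold against `spray_users` or more distinct accounts is also marked
    as a password-spraying pattern (many accounts, few guesses each)."""
    windows = defaultdict(deque)   # src -> deque of (ts, user) for recent failures
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # ignore unparseable lines rather than crash
        ts, result, user, src = parsed
        if result == "ok":
            # A success after a flagged burst is the event worth escalating;
            # record it without clearing the window so the burst stays visible.
            if src in flagged:
                flagged[src]["success_after"] = user
            continue
        q = windows[src]
        q.append((ts, user))
        # Evict failures that fell out of the window relative to this event.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            users = {u for _, u in q}
            entry = flagged.setdefault(src, {"failures": 0, "users": set(),
                                             "first": q[0][0], "last": ts,
                                             "spray": False})
            entry["failures"] = max(entry["failures"], len(q))
            entry["users"] |= users
            entry["last"] = ts
            entry["spray"] = entry["spray"] or len(users) >= spray_users
    return flagged


# Constructed sample log: a legitimate user who mistypes once, a source cycling
# through accounts, and a slow source whose failures never cluster.
SAMPLE_LOG = """
2018-03-13T10:00:01Z auth failed user=alice src=198.51.100.7
2018-03-13T10:00:05Z auth ok user=alice src=198.51.100.7
2018-03-13T10:01:00Z auth failed user=bob src=203.0.113.5
2018-03-13T10:01:02Z auth failed user=carol src=203.0.113.5
2018-03-13T10:01:04Z auth failed user=dave src=203.0.113.5
2018-03-13T10:01:06Z auth failed user=erin src=203.0.113.5
2018-03-13T10:01:08Z auth failed user=frank src=203.0.113.5
2018-03-13T10:01:10Z auth ok user=frank src=203.0.113.5
2018-03-13T10:05:00Z auth failed user=bob src=192.0.2.9
2018-03-13T10:10:00Z auth failed user=bob src=192.0.2.9
2018-03-13T10:15:00Z auth failed user=bob src=192.0.2.9
2018-03-13T10:20:00Z auth failed user=bob src=192.0.2.9
2018-03-13T10:25:00Z auth failed user=bob src=192.0.2.9
not a log line
""".strip().splitlines()

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        kind = "password spray" if info["spray"] else "brute force"
        print(f"{src}: {kind}, {info['failures']} failures against "
              f"{len(info['users'])} accounts, "
              f"success_after={info.get('success_after')}")
```

Only 203.0.113.5 is flagged: five failures across five accounts within ten seconds, followed by a successful login, which is exactly the sequence that should trigger an incident rather than a routine lockout. The slow source 192.0.2.9 fails just as many times but never five within a minute, so per-event thresholds alone would miss it; low-and-slow guessing needs a longer window or a per-account view as well.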
If you require legal assistance regarding GDPR, then please do not hesitate to contact Christopher Buck, Associate Partner in our Business Services team on 01908 660966 / 01604 828282 or email BusinessServices@franklins-sols.co.uk.
There have been over 160,000 data breach notifications across Europe since the GDPR came into force in May 2018 which has resulted in $126 million in fines.
The countries in which the highest fines have been imposed are France (€51 million), Germany (€24.5 million) and Austria (€18 million). The Netherlands, Germany and the UK rank highest for the number of data breaches reported to regulators. Notwithstanding this, the highest single fine to date is the €50 million imposed on Google by the French data protection regulator CNIL. That fine, however, related to alleged breaches of the transparency principle, which requires any information addressed to the public to be concise, easily accessible and easy to understand, and to a lack of valid consent, rather than to a data breach.
Under the GDPR, a company can be fined up to €20 million or 4% of its global annual turnover for the preceding year, whichever is greater, for severe violations. Companies such as Facebook, Google and Twitter, which handle large amounts of data, therefore carry a considerable burden to comply with the GDPR in order to avoid the sizeable fines regulators could impose. In July 2019, the UK's Information Commissioner's Office (ICO) issued notices of intent to fine Marriott International £99 million and British Airways £183.39 million for data breaches under the GDPR. As yet, these fines have not been finalised, demonstrating the slow start to the regulatory process. The GDPR has been in effect for only about 20 months, which has not been long enough for regulators to develop an effective and consistent enforcement process. Over time, it is highly likely that the number of fines imposed will increase as regulators make full use of their powers and the law in this area becomes clearer.
Moving forward, it is expected that the number of fines issued will increase in line with the daily rate of breach notifications, which has risen from 247 per day (the average during the first eight months of the GDPR) to 278 per day.
If you require legal assistance regarding the GDPR, then please do not hesitate to contact Christopher Buck, Associate Partner in our Business Services Department, on 01908 660966 / 01604 828282 or at christopher.buck@franklins-sols.co.uk.

The European Court of Justice (ECJ) has ruled that Google does not have to apply the 'right to be forgotten' worldwide, only in Europe. This means that, after receiving a valid removal request, Google must remove outdated or irrelevant links from the European versions of its search results, but not globally.
The case arose in 2015, when the French data regulator, CNIL, ordered Google to de-list links worldwide because they contained damaging or false information about a person and breached EU law. In 2016, Google implemented geo-blocking so that users in Europe could not see de-listed links, but it refused to remove the results from search outside Europe. As a result, CNIL fined Google €100,000, and the ECJ's hearing arose from Google's challenge to that fine.
The 'right to be forgotten', also known as the 'right to erasure', derives from the 2014 case of Google Spain v AEPD and Mario Costeja González, in which it was held that individuals have the right to ask search engines to remove out-of-date or irrelevant information, and that search engines are obliged to remove it. The ECJ's ruling in Google v CNIL has been described as a "landmark" because it establishes that search engines have no obligation under EU law to remove such information outside Europe. The right to be forgotten is codified in Article 17 of the General Data Protection Regulation (EU) 2016/679 (GDPR). The grounds on which individuals can have their personal data erased include:
- the personal data is no longer necessary for the purpose for which it was originally collected or processed;
- the individual withdraws their consent and there is no other legal basis for the processing;
- the individual objects to the processing and there are no overriding legitimate grounds for continuing it; or
- erasure is necessary to comply with a legal obligation under EU or member state law.
The 'right to be forgotten' seeks to protect your personal data and can be used to have damaging or false information about you removed from search results. If you require legal assistance regarding the 'right to be forgotten' or have any other GDPR concern, please do not hesitate to contact our Business Services Department, who will be happy to assist, on 01908 660966 or at businessservices@franklins-sols.co.uk.
The ICO has revealed that it intends to fine British Airways a hefty £183.39 million in relation to serious breaches of data protection law that resulted in customers' personal information falling into the wrong hands. The day after the ICO announced its intention to fine BA, Marriott International was informed that it too faces a fine, of £99 million, for similar failings.
Understanding when, and whether, you are processing an individual's personal data is crucial to understanding whether the General Data Protection Regulation (GDPR) applies to you. Individuals have the right to access their personal data on request, and they must also be told why you are processing their data, how long you will retain it and who it will be shared with. If this is not adequately managed, you may find yourself facing ICO enforcement action with lasting consequences for your business.
The proposed fines for British Airways and Marriott demonstrate that, a year on from the GDPR coming into force, individuals and businesses alike are still struggling to get to grips with the regulation and how it is enforced in practice.
So what should you do to ensure you are complying with the regulations?
Firstly, and most importantly, you should ensure that you have adequate procedures in place, including a suitable data protection policy, which is essential to evidencing your commitment to GDPR compliance. You should also ensure that any policies and terms and conditions you currently have in place are up to date and compliant with the GDPR.
If you require legal advice on the GDPR and what this means for your business, or if you require a legal health check and review of any of your current policies or terms and conditions of business that you may have in place, then please do not hesitate to contact Christopher Buck, Associate Partner in the Commercial Services Department here at Franklins.