The GDPR and the new UK Data Protection Act are forcing a review of many business processes, and in doing so are challenging a great many existing procedures and forms.

We are particularly concerned about new employees, and what is ‘done’ to them in two respects.

New employees need to feel at home, and become as productive as possible in the shortest amount of time. This requires some foresight and effort from Management prior to the start date, as well as planning your employee’s induction process, but in turn this can reap real and quick returns for everyone involved. The sooner a new staff member is made aware of the critical and regular policies and procedures within their new workplace, the sooner they are able to comply with company expectations. Your staff induction programme should be delivered in a simple format that explains any legal requirements that affect their job role, e.g. health & safety requirements, as well as your working procedures, rules and practices, your expectations of them and their specific responsibilities.

In addition to helping new staff, an induction process can be useful for helping employees who are returning from extended leave, or are taking on a new role in the business.

Prepare an Induction Checklist

Most employers remember what they need to take a new employee through, usually based on what they did last time, invariably without checking whether the last inductee actually found it to be of any help and benefit. It is good practice to have a document that outlines:

  1. Pre-start – things like computer set-up, email set-up, vehicles, etc.;
  2. On the first day – show emergency exits, explain software, etc.; and
  3. The first week – training sessions, larger overview of the organisation.

It needn’t be that long. However, we would recommend at least some form of checklist that covers the basics of your employee induction process. For example, you could include items such as:

  • Introduction to Team Leader or direct Manager.
  • Obtaining/checking personal details.
  • Office/work times.
  • Checking understanding of employment contractual requirements, including the contents of the Handbook.
  • Performance standards and expectations of new employee over various milestones, e.g. first week, first month, probationary period and first year.
  • Introduction to team members with explanation of team roles and responsibilities.
  • Organisational chart and introductions to other key people outside of their team.
  • Showing them where they are working, layout and ergonomics of workspace.
  • Homeworkers will need to complete a home-working risk self-assessment.
  • Security issues and access to the building.
  • Health, Safety and Welfare related procedures, rules, requirements and how to safely operate work equipment.
  • IT and any job-related data protection obligations.

We have taken the opportunity to review our template documentation to be GDPR compliant. The revised induction checklist addresses an issue that all employers need to deal with, i.e. ensuring training in data protection and being able to prove that training has taken place.

Employment Details Form and Personal Data

We advise our clients that there are important checks to undertake once an appointment has been made, preferably before, or failing that soon after, the new employee starts work. One can also ask more personal, yet legitimate, questions about an employee once they have been given a job offer than before. These checks include confirming that they have the legal right to work in the UK; that, if they have claimed to hold training qualifications, they can provide proof of those claims; and that, if they will be required to drive as part of their job, they hold the appropriate driving licence.


We have now taken the opportunity to review our template documentation to be GDPR compliant. The revised employment details form addresses the issue which all employers need to deal with, i.e. ensuring training in data protection and being able to prove that training.

The New Employee Employment Details form is designed to address two concerns:

  • Not to be discriminatory, and only elicit that information which can be justified.
  • To ensure that new recruits are clear on what information you are likely to hold about them, and what you do with it.

The form is, therefore, more likely to be justifiable in asking for medical information from new employees, and gives further details about data security.

Data Protection Regulations also require that you periodically check that the personal information you retain on your employees is correct. We recommend that you use our Existing Employment Details Form to ensure that the information you retain about your existing employees is up to date; the form also reminds your employees of the key information you hold about them under the Privacy Notice it contains. We believe that if you do this, they are less likely to submit subject access requests, which are probably going to be more time consuming and potentially more contentious. Perhaps more importantly, it means you are less likely to contact the wrong person should you need to contact their next of kin, or need to write to them.

We hope you find these forms of use, and as they are in Word format, you can adapt them further for your purposes. If you have any other questions on the issue of either induction or data protection, please speak with our HR Consultants.


The latest annual statistics, published by the Health and Safety Executive (HSE), indicate that in 2016/17 almost half of all working days lost due to ill-health were reported as being due to work-related stress, depression or anxiety. This estimate, based on figures from the Labour Force Survey (LFS), is further complemented by the Mental Health at Work Report 2016 produced by Business in the Community (BiC), which was based on the 2016 National Employee Mental Wellbeing Survey findings. Together they highlight the extent of mental health difficulties at work.

  • A majority of employees have been affected by symptoms of poor mental health. 77% of employees covered by the main survey said they had experienced symptoms of poor mental health at some point in their lives.
  • 62% of employees attributed their symptoms of poor mental health to work, or said that work was a contributing factor.
  • More than 10% of those surveyed described their current state of mental health as poor, or very poor.

There will inevitably be some debate about the accuracy of such statistics, but the key concern is that there is a major disconnect between these figures and those reported by employers, who believe the problem is not so large, and that they are doing all they can to support people.

According to the Society of Occupational Medicine, mental ill-health affects one in six people at work in the UK. The World Health Organisation predicts that if we do not proactively address wellbeing, mental illness will be the leading cause of disability and absence in the workplace by 2030. So, employers need to give mental health the same level of importance and investment (time and resources) that they have placed on safety over the years.

In 2016, the main causes of work-related stress, depression or anxiety were said to be:

  • workload pressures, including tight deadlines
  • too much responsibility
  • a lack of managerial support

Sickness absence is very costly in tangible financial terms, but it also usually means that, when someone is off work, the workload burden falls on others, which can lead to a spreading negative ripple effect within the organisation.

The most common symptoms of poor mental health, in which work was a factor, were:

  • psychological symptoms (e.g. depression, anxiety, panic attacks);
  • behavioural symptoms (e.g. changes to appetite, irritability, procrastination, mood swings);
  • physical symptoms (e.g. raised blood pressure, muscle tension, sweating, dizziness, headaches or migraines).

The BiC report summarises the main conclusions from the survey as follows:

  • Employers need to recognise the scale of poor mental health in work, and take significant steps to reduce the risk of their workplace being a contributor to poor mental health.
  • Employers have a duty of care to respond to mental ill-health just as they would to a physical illness, such as cancer, diabetes or back pain.
  • Managers need to be equipped with the tools, support and the right organisational culture to do their job well, which includes managing employees with mental health issues.
  • Workplaces should be environments in which employees feel comfortable disclosing their current state of mental health. Employees need support at an early stage, and Line Managers should agree and implement a personalised plan that works best for that employee.
  • Better signposting to formal support mechanisms is vital. No one is expecting Line Managers to be mental health experts, but they need to know where to refer people for help, and what they can do by way of follow-up.

It makes good business sense to foster a culture of openness that supports employees with a mental health issue to remain working. The mental health charity Mind states: “Mental health is still the elephant in the room in most workplaces – employees are reluctant to raise the subject for fear of discrimination, while Managers often shy away from the subject for fear of making matters worse, or provoking legal consequences. This culture of silence means undetected mental health problems can spiral into a crisis, resulting in sickness absences.” It is certainly our observation that Managers worry far more about this type of sickness absence than about a more tangible physical illness, and they usually “freeze”, taking no action for a very long time, when in fact early contact with the employee is vital.

The same report recommends actions that employers should take on a number of fronts, and at all levels within their organisations, including:

  • Seek to embed well-being into organisational culture. You will see that in our 2018 Handbook updates we now talk about physical health and mental well-being in several of our policies.
  • Take simple, positive actions to build a culture that promotes good health.
  • Send a clear message of parity of esteem between mental and physical health to normalise conversations around mental health.
  • Appoint a mental health champion from the senior team, with a remit to drive better mental health.
  • Ensure skills-based learning is made available to Management teams to develop awareness, confidence and capability to deal with mental health.

Additionally, employees should:

  • Be provided with basic mental health literacy, so they can spot the signs when they or a colleague may need help – see mental health first aid.
  • Know where to go for guidance, and be equipped with the confidence to start a conversation about mental health with colleagues they are concerned about.

Introduce a Well-being Framework

So, how can employers embed well-being into the organisation? As always it has to be led by Senior Managers. Ideas include:

  1. Train all Managers and employees (just as we train employees on codes of business practice and safety) in enhancing workplace well-being. This will help to:
    1. dispel the myth that depression and other common conditions are weaknesses, and instead recognise that they are simply other forms of illness
    2. aid employees in recognising symptoms in themselves, and in others
    3. provide guidance on how to manage someone in a team who might become ill
    4. demonstrate how to reintegrate someone into work after illness; after all, it is well established that work is good for us, and can be key to the recovery of someone who has been ill
  2. Communicate well on matters of mental health; how an organisation does this is key to the successful implementation of a well-being strategy. Normalise mental illness by encouraging senior and influential people to share stories of their own experience of conditions such as depression and anxiety. This is the most powerful means of breaking the stigma and generating discussion.
  3. Introduce mental hygiene techniques that your employees can learn. Just as many employees have a personal trainer in the gym, think about encouraging mental hygiene techniques, such as good sleep, food and exercise practices, how to develop resilience and assertiveness to reduce the effects of conflict at work, mindfulness techniques to help reduce stress, etc.

Other Practical Steps

View health holistically as a combination of Mental and Physical Health

Employers need to accept that all employees have mental health, in the same way that they have physical health. Mental health can move up or down a spectrum from good to poor, depending on factors in and outside the workplace just as physical health can.

Review how you describe employees with Mental Health Issues

To change adverse perceptions of people with mental health conditions, Managers should describe people with mental health conditions in more positive terms. Rather than labelling them as mentally “disabled”, and focusing negatively on what we assume (wrongfully in many cases) they cannot do, Managers need to have open discussions about how to help to enable them early on, thus avoiding actually disabling them as soon as their mental health condition is found out.

Line Managers, and where possible all employees, should receive training, which should deal with outdated unhelpful definitions of weakness and strength. Mental health problems are very often the curse of the strong, not the weak. For instance, it is usually high achievers that are likely to suffer unexpected and severe mental health burnout.

Swift early access to Medical Intervention

It is also critical that Managers help employees with mental health conditions to access the medical services and support that they need quickly, as early medical intervention will help them return to work sooner. Managers need to be taught that, with the right support, mentally ill employees can return to the same or better performance than previously.

Mental Health First Aid Training

Line Managers or employee volunteers who complete the course will have mental health first aider status and will be able to spot mental health problems, take action to prevent them from developing into something more serious and help colleagues to recover more quickly.

Many employees are promoted into management positions because of their technical skills and ability, but without training, they will not necessarily have the right people management and communication skills to be able to deal with mental health issues in an open and supportive manner, so this course really helps.

The two-day course developed by Mental Health First Aid England:

  • Trains delegates to recognise the signs and symptoms of mental ill health.
  • Educates on what are the good mental health hygiene factors and self care.
  • Empowers delegates to provide help and support on a first aid basis through the power of building relationships that encourage people to talk about their problems and health.
  • Shows them how, by asking the right questions, to guide people with mental health problems towards the right support services.
  • Covers a range of mental health problems, from stress through to more serious conditions such as depression and psychosis.
  • Develops understanding of the stigma that exists around mental health.

Open and Supportive Culture of Communication

Employers should promote an open and supportive culture, where Line Managers have regular one-to-one catch-ups with their staff, during which they check in on their mental well-being (whether or not they are aware of a mental health condition), in the same way that they check in on work-related matters. It is important that employees feel able to be authentic and bring their ‘whole self’ to work, rather than pretending to be someone that they’re not in order to conform and fit in. The British ‘stiff upper lip’ attitude is not helpful in encouraging open conversations around mental health.

Address your Working Environment

Create an environment where individuals feel their work is meaningful and purposeful, and where they are treated with dignity. Creating a sense of purpose beyond profit and growth, and encouraging a more respectful environment, will go a long way towards helping to prevent mental illness in the workplace.

Back to Work

The way an employee is treated during their absence, and their initial return, has a major impact on their likelihood of returning to work. Once an employee has been off sick with mental health issues for four weeks or more, the chances of them returning to work are much slimmer, as they lose confidence and begin to feel alienated from the business. Keeping in touch in an appropriate manner is vitally important.

The Society of Occupational Medicine (SOM) has highlighted six key steps, for employers and employees, to support the return to work process following sickness absence due to mental ill-health. The six steps are as follows.

  1. Dealing with the initial absence.
  2. Developing knowledge and skills.
  3. Maintaining communication throughout the absence.
  4. Preparing for the return to work.
  5. The return to work conversation.
  6. Keeping healthy and productive at work.

The SOM points out that people often find it difficult to talk about mental ill-health, and sometimes do not recognise it in themselves. In severe cases of mental ill-health, an employee may feel numb and unable to ask questions, or ask for help. The guidance offers helpful tips regarding what to say, and what not to say, to an employee who is suffering from mental ill-health.

Key actions for these steps are:

  1. If they do not contact you, contact them, focusing on recovery not return to work.
  2. Look after the rest of the team, and develop skills to have open constructive conversations with empathy.
  3. Not communicating makes things worse, so keep in contact regularly as it increases the chances of a successful return to work.
  4. Do not get people back too soon, but talk positively about how they can return, identifying possible adjustments so you can plan properly.
  5. Focus on having a good conversation rather than on following procedures; focus on the future, then prepare a plan.
  6. The employee may need long-term support, even if they only experience mental ill-health once. Ongoing review of the plan will give them the best chance of staying healthy and at work.


We recognise that there is a lot of information to absorb on this topic, and it may seem daunting. Even if you just act on a handful of our guidance, you will be making a good start. Our recommendations would be:

  1. Get Senior Management commitment to being supportive about mental health issues, and communicate that to all employees.
  2. See what you can do to reduce stress and anxiety within your team.
  3. Keep in regular contact with people who are off work due to ill-health.
  4. Consider training a couple of people in Mental Health First Aid.
  5. Educate your Managers in being supportive, and give them the skills to put this into practice.


Our Consultants would be pleased to advise you on any element of the issues arising from this newsletter.


We occasionally get calls from our clients, stating that they have received a claim for compensation arising from either an accident or injury that the employee (Claimant) is alleging happened at work and is, therefore, the fault of the Employer (Defendant). The caller is often very indignant about the personal injury claim, as they do not believe such an accident or injury happened at work, and is invariably cross with the employee. The first advice we have to give is to park the emotion, as one is entering into dangerous employment law territory if an employee can prove they suffered a detriment arising from submitting a health or safety concern, or in this case, a health & safety legal compensation claim. The second piece of advice we give is to contact the appropriate insurance company, and follow their instructions.

Given the ease of access these days to ‘no-win, no-fee’ solicitors, the increase in personal injury claims has meant that employers’ liability insurance premiums have increased for many organisations.

This newsletter will briefly summarise some of the key information regarding the legal principles behind personal injury claims, and what action is required when a claim is received, as well as some good practice that will help to defend these claims.

Employers must comply with:

  • The Employers’ Liability (Compulsory Insurance) Act 1969, which makes it compulsory for organisations to have employers’ liability insurance.
  • The requirements of the Civil Procedure Rules (as amended by the Woolf reforms).
  • The Health and Safety at Work, etc. Act 1974, the Management of Health & Safety at Work Regulations 1999, and indeed, all other health and safety regulations under which claims may also be made, if the regulations state that civil liability may arise.

Duty of Care

The leading case for personal injury claims was established in 1932 with Donoghue v Stevenson (1932), where it was held that a duty of care is owed to “neighbours”. The case described neighbours as those whom we could “reasonably foresee” could be affected by our “acts and omissions”. Typical neighbour relationships include:

  • employer to its employees
  • employer to others’ employees
  • employer to contractor
  • occupier to authorised visitors or even unauthorised visitors, e.g. trespassers
  • employer to members of the public

The common law duty of care owed by an employer to its employees was further defined in the case of Wilsons and Clyde Coal Co v English (1938). In particular, this case decided that the employer’s duty of care to its employees was personal to the employer, and could not be delegated to, for instance, a Manager or other employees. Additionally, employers must provide:

  • a safe place of work and equipment
  • safe systems of work
  • reasonably competent employees

These two cases are regularly cited in claims for personal injury. Since then, other cases have gone further in defining the true implications of the common law duty of care. If the employer knows of a condition in an employee that makes that employee more susceptible to injury, or makes the consequences of injury more severe than usual, extra precautions must be taken, as stated in Paris v Stepney Borough Council (1951). Therefore, employers must take into account any significant “special needs” of an employee, and take extra precautions. Employees with “special needs” could include:

  • disabled employees and/or with serious medical conditions
  • employees with learning difficulties
  • young and inexperienced workers
  • pregnant employees

Employers must also consider the mental well-being of their employees, for example in relation to work-related stress. The case of Walker v Northumberland County Council (1995) was developed further in Sutherland v Hatton (2002), when the Court of Appeal cited 16 practical propositions related to stress, including that employers should not have to pay compensation for stress-induced illness unless such illness was reasonably foreseeable. This is not the ‘get out of jail free’ card that it may initially appear to be, as there is a lot within those 16 practical propositions that an employer must still do.

As these claims are brought in the civil courts, the law of tort, i.e. ‘wrongdoing’, will be used. Two particular torts are usually relied on, namely the tort of negligence and the tort of breach of statutory duty.

The Tort of Negligence

A claim for compensation based upon the tort of negligence requires the Claimant to prove all four of the following general conditions, as links in a causal chain:

  1. A duty of care must be owed by the Defendant (employer) to the Claimant (employee); and
  2. The duty of care must have been breached. (Did the employer do enough to take reasonable care? Often proved if sufficient records exist of good health & safety practices); and
  3. The injury or loss suffered by the Claimant must have been due to the breach of duty of care. (Was the injury or loss related to the acts or omission of the employer rather than an activity or incident which occurred out of work in the employee’s personal time?); and
  4. The injury or loss to the employee must have been a reasonably foreseeable consequence of the employer’s acts or omissions.

The Tort of Breach of Statutory Duty

An alternative route when making a claim for personal injury is for the Claimant to show that the Defendant was in breach of a relevant statute, and, therefore, liable to pay compensation. This was established in Groves v Lord Wimborne (1898), when a boy had his arm amputated due to an unguarded cogwheel when working at the Defendant’s factory. It was held that the applicable statute required the secure fencing of dangerous parts of machinery, and, therefore, the statute was relevant to the boy’s civil claim.

However, section 69 of the Enterprise and Regulatory Reform Act 2013 came into force on 1 October 2013, amending s.47 of the Health and Safety at Work, etc. Act 1974. Up to that time, there was a legal presumption that all health and safety regulations involved civil liability unless expressly excluded. The 2013 Act reverses this presumption, so now no regulation will impose civil liability unless there is express provision to that effect. There will be no civil enforcement for breach of health and safety regulations. In reality, this means that Claimants have to rely on actions for common law negligence.

Additionally, this means that the burden of proof, instead of being on the employer to show what steps were taken to protect an employee, has now shifted to the employee to prove negligence. Prior to the 2013 Act, employees needed only to show that a machine was inadequate or defective, but now they have to prove that an employer could, and should, have spotted the defect before the incident, and rectified it.

Finally, it is worth remembering that the enforcement of health and safety regulations is in the domain of the Health & Safety Executive (the HSE).

Contributory Negligence

One of the more important defences is that of “contributory negligence”, which permits the amount of compensation to be reduced if the employee was partly to blame for an accident through their own negligence. For example, if a Claimant failed to follow the employer’s procedures or defined working practices, e.g. by not following what they were trained to do, or by not wearing the protective clothing or equipment provided for that job, then their actions amount to contributory negligence, leading to any damages award being reduced. Where it can be shown that the injury sustained was due to the sole fault of the Claimant, the Defendant may not be deemed liable at all, but 100% contributory negligence rarely happens.

Vicarious Liability

We recently wrote a detailed article on vicarious liability, so, as a brief recap: in some situations an employer could be deemed liable for the negligence of its employees with respect to some other person being injured. The key conditions for vicarious liability to third parties are that:

  • the employee must have been negligent
  • the employee must have been acting in the course of employment, in other words, acting on behalf of the employer

The Supreme Court has recently given judgment in two landmark cases involving vicarious liability. The first, Mohamud v Morrison Supermarkets plc (2016) concerned an attack on a customer by an employee of Morrisons, where the Supreme Court ruled that the company was vicariously liable because the attack was sufficiently closely connected to the employee’s work. The second case is Cox v Ministry of Justice (2016), where the Catering Manager at a prison was injured when a prisoner dropped a sack of rice onto her. The Supreme Court ruled that the Ministry of Justice (MOJ) was liable to compensate her stating that it was fair, just and reasonable to impose liability on the MOJ.

Time Limits for Claims

Any action for personal injury, or death, must be commenced within three years from the date of the accident, or from the date on which the Claimant first became aware of the injury, i.e. the date of diagnosis by a medical practitioner. In the case of a death, the Fatal Accidents Act 1976 allows close relatives to make a claim on behalf of the deceased. Courts do have discretionary power to override the three-year period where it is equitable to do so.


Damages can be considerable, and fall under two headings:

  • Pecuniary: these involve monetary losses, such as loss of earnings, medical and travel expenses. It is the loss of future earnings up to retirement that can form the biggest part of a damages claim, especially if the Court accepts that the Claimant will not be able to work again.
  • Non-pecuniary: these involve compensation for pain and suffering, and loss of amenity, such as changes to lifestyle, e.g. being confined to a wheelchair.

Claim Procedures

New rules have existed since 1999, following on from Lord Woolf’s inquiry, which introduced a number of “pre-action protocols” to provide for the early exchange of information. Parties who fail to comply with the protocols can be penalised by the Courts. A summary of the intended sequence of events is:

  • Letter of claim sent and received
  • Defendant must at least acknowledge receipt within 21 days
  • Claim investigated
  • Admit liability and settle out of court
  • Deny liability, either completely or partially
  • Relevant documentation disclosed
  • A “statement of truth” must be signed by someone from the defendant’s organisation

Letter of Claim

Following the decision to make a claim, the Claimant, or more usually their solicitor, must send two copies of a standard “letter of claim” to the Defendant. The letter contains information relating to the general circumstances of the claim, including the nature of any accident, a description of injuries sustained, and the documents which the Claimant would like to be disclosed. The Defendant must acknowledge the letter of claim within 21 days. If the Defendant does not reply within this timescale, the Claimant will be entitled to begin legal proceedings, and the Court will take into account the fact that the Defendant did not follow the protocol’s rules. This puts an important onus on employers to react quickly to letters of claim.

From 1 August 2013, Claimants in employer personal injury claims of up to £25,000 have had to use a Government claims portal, although disease-related claims are excluded. The aim of the portal is to manage personal injury claims efficiently and quickly. It operates by way of a system of notifications and responses, which are input into the portal by the Claimant and the Defendant, or its insurers. A Claimant who is seeking compensation for a personal injury claim must register the claim on the portal by completing and registering a Claim Notification Form, which is like a letter of claim. It must include sufficient information for the Defendant to investigate the claim. If liability is admitted, the claim stays within the portal. If liability is denied, or an allegation of contributory negligence is made, the claim falls out of the portal to be dealt with in the normal way.

A Claimant can remove a claim from the portal if there are complex issues of law, or fact. The intention of the portal is to assist in the settlement of straightforward personal injury claims quickly, and within a framework of low fixed costs.

The Government has recently proposed reforms of the procedure for low value personal injury claims. The main aim of the proposals is specifically to reduce the number of fraudulent road accident whiplash claims, but, if and when the proposals are implemented, they are likely to also impact claims for workplace injuries.

Information that Defendants must disclose

Following the initial acknowledgement of the letter of claim, the Defendant has three months to investigate the claim before replying. The protocols set out in some detail the specific information that Defendants must disclose. For workplace injury claims, this includes:

  • Accident book entry
  • Any first aider report
  • Any initial management report

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) require that certain accidents/injuries must be reported to the HSE, so it is important to retain a paper copy of that report as well.

Where specific regulations apply, the protocols require additional documents to be produced. For example, in respect of the Management of Health and Safety at Work Regulations, the following should be disclosed:

  • pre-accident risk assessment required by regulation 3
  • post-accident risk assessment required by regulation 3
  • accident investigation report
  • any appropriate health surveillance records required by regulation 6

In cases where the Control of Substances Hazardous to Health Regulations (COSHH) is relevant, a similar disclosure of documentation is required by the protocols. This includes:

  • the risk assessment complying with the requirements of regulation 6
  • documentation relating to the maintenance of personal protective equipment

For claims involving the Workplace (Health, Safety and Welfare) Regulations, the documents required to be disclosed include:

  • repair and maintenance records required by regulation 5
  • housekeeping records to comply with regulation 9

You need to be aware that if the employer is unable to produce the relevant documentation, it may make fighting the case much harder, and your insurance company is more likely to want to settle the case. The argument is that if you have complied with the law, appropriate records should be able to prove it.

Where the pre-action protocols do not result in agreement or settlement, the case will be allocated to one of three “tracks”:

  1. Small claims track jurisdiction, with a financial limit of £5,000.
  2. A fast track for relatively straightforward cases up to £15,000, with strictly limited timetables set up by the Court.
  3. A multi-track for cases over £15,000, providing hands-on management by the Court.

This should help achieve quick settlements of cases by the Courts.

Tips to help successfully defend a Claim

Having a good paper trail of evidence on all of the above and, indeed, other health & safety matters, e.g. regularly reviewed health & safety policy, annual health & safety actions plans etc., will help to make a difference. Other suggested actions include:

  • Make sure that what the health & safety policy and associated policies and procedures say happens does indeed happen in practice, by regularly inspecting and periodically auditing all activities.
  • Ensure that health and safety is talked about regularly at Board/Senior Management level, alongside other key business objectives.
  • Make sure that people are encouraged to report accidents, incidents and even near misses, in a spirit of openness and transparency. Clients that tell me that they never have accidents are just kidding themselves; they do, they are just not recorded, which is far more concerning.
  • After an accident happens, ascertain immediately who did, or did not, see the accident, and get signatures under each heading. Ask witnesses to write down as soon as possible exactly what they did see, before they have a chance to revise or tone down what they saw, in order to minimise getting others into trouble.
  • Investigate any accident or injury that becomes RIDDOR reportable, and make sure the report is not focused on blame, but is rather all about better understanding how the accident happened and, as a result, what improvements could take place.
  • Make sure that important records, such as risk assessments, safe systems of work, safety action plans and induction checklists, are not only kept, but are up-to-date and easily retrievable.
  • Make sure additional records, e.g. individual risk assessments or return to work programmes, are kept for those people with “special needs”, such as young persons, the disabled and/or people with serious medical conditions.
  • Have robust recruitment and selection procedures, including identifying in job descriptions where there are specific and objectively justifiable criteria, e.g. certain levels of physical fitness or mental robustness.
  • Check out whether future Managers understand their health and safety responsibilities, and what they have done to reduce known risks in previous jobs.
  • Use the discipline procedure for breaches of health and safety procedures and protocols, e.g. where people won’t wear PPE, or take unsafe shortcuts in working practices.
  • Train all staff to make sure that they can do their jobs safely. Train Managers on the additional duty of care responsibilities that they have towards their team(s).
  • Write into all Management job descriptions health and safety responsibilities, and include health and safety objectives in any formal performance management reviews.


Our Consultants would be pleased to advise you on any element of the issues arising from this newsletter.

What is it?

Developing resilience appears to be a hot topic in business circles, as it is the further evolution from stress management. In media publicity, and by authors and trainers, the concept is being pushed as a key to unlocking business performance, helping people cope more effectively and efficiently with the stresses and strains within the modern day workplace.

The importance of resilience really begins to emerge when we consider the range of different workplace situations where it is required – for example, dealing with organisational change, threats to job security, feelings of restricted control or autonomy, or a heavy workload. Some people will handle these situations better than others – those who are able to successfully draw upon a combination of their personality and learned behaviours will cope with the problems, and perhaps even turn them to their advantage, with resulting individual and organisational benefits.

Mind (the mental health charity) defines it thus: “Resilience is not simply a person’s ability to ‘bounce back’, but their capacity to adapt in the face of challenging circumstances, whilst maintaining a stable mental wellbeing.”

“Emotional resilience” is more hard-hitting than many of the other methods promising to keep us cool, calm and collected. Originally developed to help victims of natural disasters and massacres cope with catastrophe, it is slowly infiltrating workplaces, schools and communities. No matter how you define resilience, most agree there’s less of it around than is actually required, and this could well explain the increasing incidences of poor mental health.

How do we get more of it?

Resilience is not just about survival, it helps us to grow and develop so that we can successfully navigate our careers in the modern world. Contrary to popular belief, resilience is not something that either you have or don’t have; we do not have a ‘fixed level’ of resilience so it can be developed.

Resilience training – which draws on elements of Cognitive Behavioural Therapy (CBT) and positive psychology – seems to have a real impact on people’s self-reported ability to cope. Robertson Cooper, on their website “A Good Day at Work”, state that resilience is derived from four principal factors: confidence, a sense of purpose, social support and adaptability – see diagram below. Many people typically rely on one or two of these but may need help to make the most of the strengths they have, and use those to build and maintain their resilience to find the best way through life’s challenges.

The best way to begin developing resilience is to understand these components, and identify which of them you tend to draw on naturally. From there you can start to adopt alternative and more constructive coping strategies in certain situations, and avoid any possible risks of over-using your strengths.

People with a negative mind-set are far less resilient. For example, negative people may expect to lose their jobs as a result of change. This immediately puts them on the defensive so they perform less well, and consequently their fear can ultimately become a self-fulfilling prophecy. By contrast, more positive people see the opportunities in change and are likely to benefit accordingly. Changing mind-set is not an easy task, but it can be done.

It is also worth remembering that the fundamentals of good diet, plenty of exercise, rest, good quality sleep, minimal alcohol and other drug intake cannot be ignored, as they have a huge effect on how much pressure someone can handle. Resilience helps you to boost your own levels of confidence and emotional well-being, and gives you a brighter outlook on life. Resilient people are less likely to suffer from severe mental health problems, and even if they do, they are better able to manage it using resilience techniques.

Ways to build your emotional resilience

Resilient behaviour can be learned and developed to manage pressure, promote well-being and bolster resilience. The following might be termed self-help:

  1. See crises as challenges to overcome; not insurmountable problems.
  2. Surround yourself with a supportive network of friends and family. Can you ask for support when it is needed?
  3. Accept that change is part of life, not a disaster.
  4. Take control and be decisive in difficult situations.
  5. Nurture a positive view of yourself – don’t talk yourself down or focus on flaws.
  6. Look for opportunities to improve yourself; a new challenge, social situation or interest outside work. Set goals and plan ways to reach them.
  7. Keep things in perspective: learn from your mistakes and think long-term.
  8. Practise optimism and actively seek the good side of a bad situation.
  9. Practise emotional awareness: can you identify what you are feeling and why?
  10. Look after yourself, through healthy eating, exercise, sleep and relaxation.
  11. Develop relationships and a passion for what you do.
  12. Take the time to learn, think and build knowledge.

The Resilient Manager

You will know that you are a resilient Manager when you display some of the following key characteristics, and can effectively implement a range of different coping mechanisms:

  • You are transparent: you can admit things are difficult and let others know this is how you are feeling.
  • You have realistic expectations of yourself: you are not a perfectionist and can give yourself a break.
  • You deal with problems effectively: feeling stressed may all be about (a) your perception about the meaning of events, (b) your reactions, and (c) knowing what can and should be changed as opposed to what cannot be.
  • You communicate assertively: you have achieved a balance between not bottling up feelings and not over-reacting, but communicating clearly in a way that is respectful of yourself and others, including saying “no” when you need to.
  • You have inner buoyancy: the confidence to feel that you will survive and come through hard times, a sense of optimism and engagement with life and work, underpinned by strong personal values.
  • You are able to return to a calm state after feeling upset or emotional, and think through possible consequences of actions – the ability to switch off and refresh.
  • You have an internal ‘locus of control’, i.e. not feeling like a victim.

Resilient people possess three characteristics — a staunch acceptance of reality; a deep belief often buttressed by strongly held values that life is meaningful; and an uncanny ability to improvise. You can bounce back from hardship with just one or two of these qualities, but you will only be truly resilient with all three. These three characteristics hold true for resilient organisations as well. Resilient people know that a situation, good or bad, has to be accepted before it can be changed. Acceptance is a key component of resilient thinking – don’t fight reality as you won’t win.

Organisational Approaches

Self-development and training alone are not enough to change a culture. Training in resilience should not be seen as a sticking plaster covering up organisational weaknesses. Poor job design needs to be addressed. Targets and deadlines need to be realistic. Senior people must not condone a bullying culture which disregards organisational dignity at work policies. Resilience should be seen as part of your organisational well-being approach. As such, part of developing resilience is to encourage good social connections at work, so that people do not feel isolated.

In a Harvard Business Review survey, 75% of Managers said that the biggest drain on their resilience reserves was “managing difficult people or office politics at work.” That was followed closely by stress brought on by overwork, and by having to withstand personal criticism. These are issues which senior management can address.

The following are good organisational resilience strategies:

  • Develop your employees’ creative problem solving skills.
  • Provide training in handling difficult situations and how to deal with conflict skilfully and when to use mediation.
  • Facilitate emotional resilience in the workplace by providing a pleasant physical working environment (e.g. good lighting, ergonomic seating, etc.).
  • Promote healthy behaviour in the workplace (e.g. healthy eating, physical activity).
  • Provide training for employees and Managers to recognise and take early action to ameliorate conditions that can produce stress.
  • Create opportunities for ‘good work’ – i.e. characterised by employment security, task variety, autonomy, fair treatment and reward for effort, strong workplace relationships and effective development and use of skills.
  • Support employees with mental health problems (and other health issues).
  • Encourage Managers to think creatively about their own well-being and emotional resilience, helping them to identify their own stress triggers, and creating strategies to cope, should this be required.

Resilient people and companies face reality with staunchness, make meaning of hardship instead of crying out in despair, and improvise solutions from thin air. This is the nature of resilience, and we may never completely understand it. It is, however, important because it not only makes people more productive, but helps protect them against the development of mental health problems.

If you are interested in undertaking a free i-resilience report, then follow the link on the Good Day at Work website:



Our Consultants would be pleased to advise you on any element of the issues arising from this newsletter.

Saying “you’re fired” may actually be an indicator of management failure, even though it has been popularised in the media.

This course looks at three key areas. The first two, recruitment & induction and performance management and improvement, should, if applied correctly, minimise the need to consider terminating employment. The third key area is the effective use of the disciplinary procedure to formally improve performance standards and, only if that does not work, how best to dismiss.

We have designed this course to suit those who are new to Management, as well as being a useful refresher for the more experienced Manager who is looking to develop existing skills and/or wants to be more successful by learning new/different approaches, as part of personal/career development.

This course will be highly participative, practical in content, and is intended to challenge our delegates into recognising there are always alternative ways of dealing with people and/or situations.

The course objectives will include:

  • Recruitment & Induction
  • Performance Management
  • Performance Improvement
  • Discipline, Dismissal & Alternatives
  • Practical Learning Opportunities

We are running this course at the following venues:

Park Farm Country Hotel, Norwich – 18th October 2018
Rowley Mile Conference Centre, Newmarket – 21st November 2018

The course will commence at 8.30 am, with registration and refreshments from 8.00 am. The course will finish around 1.45 pm, with breaks for refreshments and lunch.

The cost for this training event will be £75.00 plus VAT per delegate, including lunch.

To reserve your place on this course, please contact Jackie Bolton either by e-mail: or call 01480 677981.

ICO Registration and Fees

Currently, many organisations pay a fee to the Information Commissioner’s Office (ICO) as a Data Controller. These registrations (or notifications) would have been removed by the application of the GDPR into UK law. However, a new registration and fee scheme for Data Controllers will come in from 25 May 2018, the same day the General Data Protection Regulation is introduced across the EU.

There was mention of a move by the ICO to levy new fees for Data Controllers last year on its blog and Twitter. These have now found their way into draft regulations presented to Parliament. Originally it was thought that fines would support the funding of the ICO, but to ensure the continued funding of the ICO, the Government has announced a new charging structure for Data Controllers. Until then, organisations are legally required to pay the current notification fee, unless they are exempt.

To help Data Controllers understand why there is a new funding model and what they will be required to pay, the ICO has produced a Guide to the Data Protection Fee which can be found at . It should be noted that this is a draft at the moment, as the model has to be approved by Parliament before it is confirmed.

Key Changes and Information

If you have a current registration, you do not need to renew it on 25 May 2018, just when it runs out.

There are exemptions from the need to register – these are set out in the draft guidance, but may change in Parliament. There are some activities which trigger the need to register as well, though these have been widened from the current regime.

Charities and small occupational pension schemes just pay the Tier 1 fee.

Fee levels – these are between £40 and £2,900 based on number of staff and (for non-public bodies) turnover as well.

There is a default position of Tier 3, unless and until you can demonstrate to the ICO that you are a Tier 1 or 2 organisation.

Below is the revised Tier structure:

  • Tier 1 – micro organisations – cap of £632K turnover or 10 members of staff – £40
  • Tier 2 – small and medium organisations – cap of £36M turnover or 250 members of staff – £60
  • Tier 3 – if you exceed the caps in Tier 2, then the fee is £2,900.

For very small (micro) organisations, the fee will not be any higher than the £35 they currently pay, if they take advantage of a £5 reduction for paying by direct debit. The ICO explains that the fee for larger organisations is higher because these organisations are likely to hold and process the largest volumes of data, and therefore represent a greater risk.

There is a monetary penalty (fine) for not registering of £4,350 regardless of organisational size.

Key FAQs on the website include:

Do I have to pay a fee? If you are a Controller and the exemptions don’t apply to you, you will have to pay the fee.

If my registration expires on or after 25 May 2018, can I renew early and pay my current fee? No. You must pay the correct fee under the new fee structure.

When will I have to pay the new fee? The new regulations come into effect on 25 May 2018, when organisations must apply the GDPR. But this doesn’t mean that everyone has to pay us a fee on that day. Controllers with a current registration (or notification) under the 1998 Act will not have to pay any other fee until their notification has expired (12 months from the day they made it). Controllers that are not currently notified will be liable for the new fee on 25 May 2018, unless an exemption applies.

If I renew under the old arrangements, will I have to pay again on 25 May 2018? No. If you renewed or registered before 25 May 2018 under the 1998 Act, that registration will be valid for 12 months. You will not need to pay the new fee until your current registration expires.

What is the difference between notifying under the Data Protection Act 1998 and paying the data protection fee? Aside from the level of the fee, the main difference is that under the 1998 Act, Controllers had to give details of the types of processing they did. You will not need to provide this information from 25 May 2018.

How will I know my renewal is due? The ICO will email you before your previous payment expires and your new payment is due.

What happens if I don’t pay my fee? The ICO will send you a reminder explaining when you need to pay. If you don’t pay, or tell them why you are no longer required to pay a fee, they will issue a notice of intent 14 days after expiry. You will have 21 days to pay or make representations. If you do not pay, or fail to notify them that you no longer need to pay, you may be issued with a fine of up to £4,350 (150% of the top tier fee).

Data Protection and SMEs

Many small firms are still not sure what GDPR means, but they need to start paying attention, as the new UK legislation in the form of the Data Protection Act 2018 will soon apply. The Federation of Small Businesses (FSB) has found that a third of small businesses have not started preparing for the introduction of the GDPR, while a further third are only in the early stages of preparations. Only 8% of small businesses have completed their preparations.

FSB National Chairman Mike Cherry explains: “The GDPR is the biggest shake-up in data protection to date, and many small businesses will be concerned that the changes will be too much to handle. It is clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.”

On average small firms will spend seven hours per month meeting their data protection obligations, which equates to £1,075 per year, according to the FSB. Recognising that some small businesses will not be compliant ahead of the May deadline, the FSB has appealed to the regulator, the ICO, to take a proportionate approach to enforcement and not immediately to resort to fines.

What actions need to happen before 25 May 2018

We have been reviewing our own Data Protection Policies, and we have now issued to all our clients a Data Sharing Agreement, along with mailing out our policies on how we will ensure that we protect and handle client data.

We are also updating all our clients’ Handbooks with an Employment Data Protection Policy, which will cover your employees’ responsibilities and rights. It is not meant to cover, and indeed does not cover, what data you hold about your customers or others, and what practices you have in place to keep it secure. So you need to be taking steps to prepare for this.

It is likely that the ICO will not be able to, or inclined to, start enforcement action against SMEs unless they are blatantly doing something terrible, but that is not an excuse for procrastination. We are already seeing signs that large organisations will be expecting their suppliers to have in place relevant Data Protection policies, or answer rigorous questionnaires, so it is best to be ready for this, and be able to show what you do to keep their data secure. Data holders (Controllers or Processors) will have to ensure that they have safeguards in place to prevent the accidental loss, destruction or damage of data or unauthorised access. They should also review how they seek, record and manage consent to personal data being held by their organisation.

Please feel free to ask any questions of our Consultants who would be pleased to advise on any element of this newsletter.

New Statutory Figures

The annual increase in compensation limits has been confirmed. The limits apply to dismissals (redundancies or detriments etc.) occurring on or after 6th April 2018.

  • £508.00 – the maximum amount of a week’s pay for calculating statutory redundancy pay and the basic award (up from £489.00);
  • £15,240.00 – the maximum statutory redundancy payment or basic award, i.e. 30 weeks (up from £14,670.00);
  • £83,682.00 – the maximum compensatory award which can be made for unfair dismissal (up from £80,541.00), or one year’s gross pay, whichever is the lower.

These increases mean that the maximum total unfair dismissal award is now £98,922.00, although uplifts can add a further 25%.

Employees may be entitled to receive guarantee payments for up to five days of lay-off in any three-month period. The maximum amount of such a statutory guarantee payment will increase to £28.00 (from £27.00) for any one day.

The new rates take effect where the ‘appropriate date’ for the cause of action (such as the date of termination in an unfair dismissal claim) falls on or after 6th April 2018. If the appropriate date falls before 6th April, the old limits will still apply, irrespective of the date on which compensation is awarded.

Fit for Work – No more

From 15th December 2017, ‘Fit for Work’ has no longer been running its referral and assessment service. Free, professional advice is still available in a number of ways. All of the advice and guidance elements of ‘Fit for Work’ remain in place, as the website (the most highly used aspect of the service) and helpline remain open.

The service was part of the Government’s efforts to find solutions to keep people in work (and off benefits). Reforms to Statutory Sick Pay (SSP) will be set out in a separate consultation paper, to include proposals designed to allow greater flexibility in the payment of SSP (for example, to support phased returns to work).

The ‘Fit for Work’ service was meant to aid employees who have been absent for more than four weeks, and to plug the gap in access to Occupational Health services. It was conceived just over two years ago as a way to boost medical interventions, by allowing employees to be targeted by GPs by referring them for ‘specialist help’. The scheme never really took off and has now been scrapped due to low take-up rates: a survey in August showed that 65% of GPs had not referred a single patient and, of those that had, only 40% had seen someone return to work.

We were never fans, as we doubted whether the Government could attract and retain good quality staff that would actually see people, and make considered, individually tailored recommendations that were reasonably practicable. We would nearly always recommend to employers that they use a reputable professional OH service to review the health and work of sick employees. We always advise clients that asking employees’ GPs for a report is unlikely to be too helpful, as the quality of response is often poor, reflecting their lack of knowledge about the employer’s jobs/environment.


  • There is no need to have a retained OH provider but it is useful to know of one (or know someone who does)
  • Conduct return to work interviews which should pick up if people are returning to work when not fully fit
  • Do not let people drift once they have gone beyond four weeks of absence; get them referred to a reputable OH provider
  • Ensure that you give an OH provider a clear and realistic brief.

We would be pleased to recommend a good quality OH provider to employers who need this assistance.

Looking Ahead – Payslips

Arising from the Taylor Review into modern working practices, the Employment Rights Act 1996 (Itemised Pay Statement) (Amendment) Order 2018 has been laid before Parliament. This is a small but important amendment, which will require employers to set out on payslips the number of hours that an employee is being paid for; and where different hourly rates apply for different hours, to specify this. Where an employee’s pay varies as a consequence of the time worked, their itemised pay statement must contain information about the number of hours worked. This should make it easier for employees to understand what they have been paid for – and whether they have been underpaid.

We believe this is because the current legislation focuses on deductions, but for many people with variable hours, the difficulty lies in calculating gross figures.

The Order doesn’t come into force until 6th April 2019 so employers have plenty of time to prepare.

Our Consultants would be pleased to answer questions on any of the above, or you can find much of the data on our website, by clicking on Frequently Asked Questions.

The General Data Protection Regulation (GDPR) will apply in all EU Member States from 25th May 2018. It is important to stress that the GDPR is about much more than employee data. It is becoming increasingly clear to us that our extensive range of clients have a wide range of data protection issues, far beyond the employee information which they hold, and many do not meet the current Data Protection Act, let alone the even more onerous GDPR, so they are just not prepared. Our previous newsletter focussed on employee data. This newsletter will concentrate on broader issues which you need to be thinking about with regard to what personal data you, as an organisation, process, store and dispose of.

One of the first things to consider is whether the organisation is processing personal data as a controller or a processor. A processor just acts on the instructions of the controller.

Countdown to 2018

The GDPR will harmonise data privacy practice across Europe. The emphasis is on protecting citizens and their data, and giving users more information about, and control over, how it’s used. There are a large number of national derogations. It is also likely there will be differences in the way the Regulation is interpreted and enforced in different Member States. It is believed that the British Data Protection Bill will not be ‘gold-plated’, i.e. not made more onerous than the EU Directive, on its way to becoming an Act of Parliament. The new law gives individuals more say over what organisations can do with their personal data (which can be anything from physical, physiological, mental, economic or cultural data and more).

The new law retains the same core rules as the Data Protection Act 1998 (DPA), and continues to regulate the processing of personal data, but there are some significant changes. These include the right to be forgotten, the right to request the porting of one’s personal data to a new organisation, the right to object to certain processing activities and to decisions taken by automated processes.

The concept of sensitive personal data has been retained and expanded to include genetic and biometric data. The actual term ‘sensitive personal data’ has been dropped, but is now re-termed as falling into ‘special categories’, i.e. information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

Board or Senior Management Issues

Data protection needs to become a boardroom issue, as the law is designed to put data protection at the top of the agenda for all organisations. This is done by creating a culture where everyone contributes to maintaining data privacy standards, ensuring compliance, thinking about how their own personal information is to be processed, as well as handling the personal data of others, i.e. the people they deal with, such as customers/clients, patients, guests, residents, other stakeholders, members of the public etc.

Also, it’s not just about the threat of financial penalties. Individuals need to trust the organisations they are providing their personal information to, and have confidence that their information will be handled appropriately and securely, as without that trust there will be huge organisational challenges to overcome.

The GDPR introduces the principle of accountability which runs through the core of the legislation. Accountability needs to be entrenched in an organisation, requiring a change in mind-set and for organisations to take a proactive, methodical and accountable approach toward compliance. The Senior Management Team need to understand the potential exposure to fines, and other sanctions under the GDPR, and must get buy-in for compliance at all levels across the organisation.


Organisations must be able to demonstrate their compliance with the GDPR’s principles, which will include adopting certain “data protection by design” measures, staff training programmes, and having suitable data protection policies and procedures.

You will need to identify means to “demonstrate compliance” – e.g. adherence to approved codes of conduct, “paper trails” of decisions relating to data processing and, where appropriate, privacy impact assessments.

Your internal governance processes will need to demonstrate how decisions to use data for further processing purposes have been reached and, that relevant factors have been considered.

Consent and Legitimate Interests

You need to ensure you are clear about the grounds for lawful processing relied on by your organisation, and check these grounds will still be applicable under the legal requirements. Consent is not the only mechanism for justifying the processing of personal data.

The processing of personal data will only be lawful if it satisfies at least one of the following conditions:

  • Consent of the data subject – this is broadly the same as under the DPA, but the GDPR has a narrower view of what constitutes consent, meaning that it will become harder to obtain consent. In practice, this means that data controllers will have to fall back on other processing conditions.
  • Necessary for compliance with a legal obligation – this is broadly the same as under the DPA. However, under the GDPR, the legal obligation must be an obligation of Member State or EU law to which the controller is subject.
  • Necessary for the performance of a contract with the data subject, or to take steps preparatory to such a contract – again, no change from current law.
  • Necessary to protect the vital interests of a data subject, or another person where the data subject is incapable of giving consent – this should only be relied on when there is no other ground available, e.g. medical emergencies.
  • Necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.
  • Necessary for the purposes of legitimate interests – this condition can no longer be relied on by public authorities, but is probably the most important for many other organisations.

If you are relying on “legitimate interests”, ensure that decision-making in relation to the balance between the interests of the controller (or relevant third party) and the rights of data subjects is documented, particularly where this affects children. Make sure also that data subjects would reasonably expect their data to be processed on the basis of the legitimate interests of the controller or relevant third party. You will also need to make sure that you advise people of this reason in the information that must be supplied to data subjects. A legitimate interest ‘must be real and not too vague’. For example, it may apply to an organisation’s data processing as part of fraud protection, security measures or transferring that data between different parts of an organisation.

In some ways the best reason is that the individual has consented to you processing their data. The standard to obtain valid consent has, however, been tightened up. Consent must be specific, freely given, informed and unambiguous. The conditions for obtaining consent have become stricter. To justify consent from a legal perspective, ensure that:

  • consent is active, and does not rely on silence, inactivity or pre-ticked boxes;
  • consent to processing must be distinguishable, clear, and not “bundled” with other written agreements or declarations; there is a presumption that forced consent mechanisms will not be valid, so it must be clear exactly what people are assenting to;
  • consent requests are separate from other terms and conditions; organisations should avoid making consent a precondition of a service, unless necessary for that service, and must not be used as a vehicle to get consent to something else, e.g. receiving email;
  • the data subject must have the right to withdraw consent at any time, but this will not affect the lawfulness of consensual processing before its withdrawal;
  • there are simple methods for withdrawing consent, including methods using the same medium used to obtain consent in the first place;
  • separate consents are obtained for distinct processing operations; and
  • consent is not relied on where there is a clear imbalance of power between the data subject and the controller.

Further guidance is expected, but organisations will need to review existing consent mechanisms, to ensure they present genuine and granular choice. Granular means that you give a thorough explanation of options to consent to different types of processing wherever appropriate. You will need to determine whether any of your current processing is based on assumed consent and if so, this must be stopped, unless you can get consent, or have another legal basis for the processing. You must audit data privacy notices and policies to ensure that individuals are told about their right to object, clearly and separately, at the point of ‘first communication’. For online services, ensure there is an automated way for this to be effected.


Controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The assessment of what might be appropriate involves considering the context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.

Appropriate measures are set out as possibly including:

  • pseudonymisation (separation of data from direct identifiers so that linkage to an identity is not possible without additional data to re-identify the person);
  • anonymisation (irreversibly destroying any way of identifying the data subject);
  • encryption and other measures, such as firewalls, to prevent hacking;
  • ensuring confidentiality, integrity, availability and resilience of processing systems and services;
  • ability to restore availability and access to personal data in a timely manner in the event of an incident; and
  • the regular testing and evaluating of technical and organisational measures designed to ensure security of data processing.

The best way for organisations to deal with this is to minimise breaches, but also to have policies in place to enable staff to assess risk in order to show compliance. As with so much of the GDPR, being able to demonstrate that the proper precautions and steps were taken will be crucial. If your security measures are currently fit for purpose, you are unlikely to need to do much more, although it would be worth reviewing these measures to ensure they are up to date with the latest technology and threats. However, many changes are not about technology; it is simple stuff like not leaving files on photocopiers, or on desks or screens when we are not there.
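
The first two measures in the list above, pseudonymisation and anonymisation, are often confused. The following is an added example (not from the newsletter) showing the difference on constructed staff records: pseudonymisation keeps a separate re-identification table, so the working dataset is only "personal data" for whoever also holds the key; anonymisation drops identifiers and coarsens the remaining quasi-identifiers, and there is nothing to reverse. Record fields, the sample people and the key are assumptions for illustration.

```python
"""Pseudonymisation versus anonymisation of a small set of staff records.

Added illustration, not from the newsletter. Sample records are constructed.
Pseudonymisation replaces the direct identifiers with a keyed token and keeps
the re-identification table separately, so the working dataset on its own
cannot be linked to a person. Anonymisation drops the identifiers and
generalises the remaining quasi-identifiers, and no key exists to reverse it.
"""
import hashlib
import hmac

# Constructed sample records for fictional people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test",
     "postcode": "SW1A 1AA", "age": 34, "salary_band": "C"},
    {"name": "Bob Sample", "email": "bob@example.test",
     "postcode": "M1 1AE", "age": 52, "salary_band": "D"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def make_token(key: bytes, email: str) -> str:
    """Keyed pseudonym. A plain hash would not do: e-mail addresses are guessable,
    so anyone could hash candidates and match them. With HMAC the key is the
    'additional data' needed to re-identify, and it is stored elsewhere."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: bytes):
    """Return (working dataset, re-identification table).
    Only the table, kept under separate access control, links token -> person."""
    working, lookup = [], {}
    for rec in records:
        token = make_token(key, rec["email"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        working.append({"subject_id": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, lookup


def reidentify(working_row: dict, lookup: dict):
    """Re-identification is possible only for the holder of the lookup table."""
    return lookup.get(working_row["subject_id"])


def anonymise(records: list) -> list:
    """Drop direct identifiers and coarsen the quasi-identifiers that could
    single someone out (full postcode, exact age). Irreversible by construction."""
    return [{"postcode_area": rec["postcode"].split()[0],      # outward code only
             "age_band": f"{rec['age'] // 10 * 10}s",            # 34 -> "30s"
             "salary_band": rec["salary_band"]}
            for rec in records]


if __name__ == "__main__":
    key = b"\x00" * 32   # demo key; in production use a random key held outside the dataset
    work, table = pseudonymise(RECORDS, key)
    print("working row:", work[0])
    print("re-identified:", reidentify(work[0], table))
    print("anonymised:", anonymise(RECORDS))
```

The practical point for a review: a pseudonymised dataset is still personal data while the lookup table (or the key) exists anywhere in the organisation, so it still needs a lawful basis and the access controls described above; only the anonymised output falls outside that. Losing the key does not make the pseudonymised data anonymous if the quasi-identifiers left in it (full postcode, exact age) can still single a person out.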

In a recent case against Morrison Supermarkets, the High Court has held that an employer was vicariously liable for the actions of a disgruntled employee who disclosed the personal information of around 100,000 colleagues on the internet. Although the disclosure took place outside working hours, and from the employee’s personal computer, there was a sufficient connection between the employee’s employment and the wrongful conduct for it to be right to hold the employer liable. There is no suggestion that Morrison was negligent, but they are facing a potentially large amount in compensation. This highlights another warning about how the employer can be held responsible for the acts, lawful and unlawful, of its employees.

Subject Rights

Many existing rights are retained or enhanced in GDPR, and there are some new ones. Here is a selection:

Subject Access

The right is retained, but it will no longer be permissible to charge a fee, and the time limit is reduced from 40 days to a month.

Rectification
The Data Subject can have incorrect data corrected and incomplete data completed.

Erasure (“right to be forgotten”)

The Data Subject can tell you to erase their information and you must do so unless you have a good reason (from among the options set out in GDPR) to retain it.

Restriction of Processing

The Data Subject can restrict your processing of their data if there is an unresolved question of its accuracy, and in some other specified situations.

Data Portability
In certain cases (mainly where the Data Subject has signed up to online services), they can have their data transferred directly to another provider.

Direct Marketing

As now, the Data Subject has the right to stop you from sending them any direct marketing, and you must make sure they know about this right. If you currently send email campaigns, you need to make sure your audience has opted in to receive information, and that you have a record of when and where that person opted in. (To prove it was a person and not a ‘bot’, a ‘double opt-in’ is required). This may mean re-opting in all the people on your mailing list before May next year.
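
As an added example (not from the newsletter), the following Python consent ledger covers both the consent conditions listed earlier (active, separate per purpose, withdrawable at any time) and the record-keeping this section asks for (when and where the person opted in, confirmed by the person themselves via double opt-in). The class and function names, the 48-hour confirmation window and the sample subscriber are assumptions; storage is in memory.

```python
"""Consent ledger with double opt-in, one consent per purpose, and withdrawal.

Added illustration, not from the newsletter. It records what the text says you
must be able to show: when and where each person opted in, that the person
confirmed it themselves (double opt-in), a separate consent per processing
purpose, and a withdrawal that stops further contact without deleting the
evidence. Storage is an in-memory dict; a real system would persist it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

CONFIRM_WINDOW = timedelta(hours=48)   # assumed policy: unconfirmed requests lapse after 48h


@dataclass
class ConsentRecord:
    email: str
    purpose: str                 # e.g. "newsletter"; "offers" would be a separate record
    source: str                  # where consent was gathered, e.g. "web-form:/signup"
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict = {}   # (email, purpose) -> ConsentRecord
        self._pending: dict = {}   # confirmation token -> (email, purpose)

    def request(self, email: str, purpose: str, source: str, now: datetime) -> str:
        """Step 1 of double opt-in: log the explicit (not pre-ticked) request and return
        the confirmation token to send to the address. Nothing may be sent yet."""
        key = (email.lower(), purpose)
        self._records[key] = ConsentRecord(key[0], purpose, source, now)
        token = secrets.token_urlsafe(32)   # unguessable; only the mailbox owner sees it
        self._pending[token] = key
        return token

    def confirm(self, token: str, now: datetime) -> bool:
        """Step 2: the person follows the emailed link. False for unknown, reused or lapsed tokens."""
        key = self._pending.pop(token, None)   # single use
        if key is None:
            return False
        rec = self._records[key]
        if now - rec.requested_at > CONFIRM_WINDOW:
            return False           # lapsed: they must opt in again
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, purpose: str, now: datetime) -> bool:
        """Withdrawal is per purpose and keeps the record, so earlier lawful sends stay evidenced."""
        rec = self._records.get((email.lower(), purpose))
        if rec is None:
            return False
        rec.withdrawn_at = now
        return True

    def may_contact(self, email: str, purpose: str) -> bool:
        """Only a confirmed, non-withdrawn consent for THIS purpose permits sending."""
        rec = self._records.get((email.lower(), purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """The audit record you would produce to show when and where consent was obtained."""
        rec = self._records.get((email.lower(), purpose))
        if rec is None:
            return None
        iso = lambda d: d.isoformat() if d else None
        return {"source": rec.source, "requested_at": iso(rec.requested_at),
                "confirmed_at": iso(rec.confirmed_at), "withdrawn_at": iso(rec.withdrawn_at)}


def demo() -> dict:
    """Walk one constructed subscriber through the lifecycle; returns the observed states."""
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    token = ledger.request("Alice@example.test", "newsletter", "web-form:/signup", t0)
    out = {"after_request": ledger.may_contact("alice@example.test", "newsletter")}
    ledger.confirm(token, t0 + timedelta(minutes=5))
    out["after_confirm"] = ledger.may_contact("alice@example.test", "newsletter")
    out["other_purpose"] = ledger.may_contact("alice@example.test", "offers")   # never requested
    ledger.withdraw("alice@example.test", "newsletter", t0 + timedelta(days=30))
    out["after_withdraw"] = ledger.may_contact("alice@example.test", "newsletter")
    out["evidence_source"] = ledger.evidence("alice@example.test", "newsletter")["source"]
    # A token confirmed after the window lapses is rejected, as is a reused one.
    stale = ledger.request("bob@example.test", "newsletter", "paper-form:event-2018", t0)
    out["stale_confirm"] = ledger.confirm(stale, t0 + timedelta(days=3))
    out["replayed_token"] = ledger.confirm(token, t0 + timedelta(minutes=6))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points matter for the audit trail the text asks for: the confirmation token is random and single use, so the confirmation can only have come from whoever controls the mailbox, and withdrawal sets a timestamp rather than deleting the record, so you can still show that sends before that date were lawful.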

Profiling & Automated Decision-Making

There is a new right giving people the right, in some cases, to prevent “a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her”.

Complaints and Compensation

Data Subjects have the right to complain to the ‘supervisory authority’ – i.e. the Information Commissioner – and have the complaint investigated.

Data Sharing with Other Organisations

If you process personal data as part of work in collaboration with other organisations, then both or all organisations are likely to be joint Controllers. Under GDPR you can’t pass the buck between processor and controller. Each business is responsible for upholding the same standards, and you’ll want to work with businesses who are GDPR-compliant. You must set out ‘in a transparent manner’ your respective Data Protection responsibilities, and to make the ‘essence’ of the arrangement available to your Data Subjects. Data Subjects may exercise their rights against any of the joint Controllers.

Work with relevant partners who may collect data on your organisation’s behalf to assign responsibility for notice review, update and approval. You need to review all your collaborative projects and activities to ensure that, where applicable, your agreements are clear on each party’s Data Protection responsibilities.

Controllers and processors are also required to ensure that anyone acting under their authority who accesses the personal data does so only in accordance with their instructions. Compliance may (but does not have to) be demonstrated by adherence to an approved code of conduct or certification mechanism.

Controllers and processors should agree to report to other controllers or processors that are involved in the same processing, any relevant compliance breaches and any complaints or claims received from relevant data subjects. They should agree on their respective obligations for data protection compliance, their respective liabilities for data protection breaches and mechanisms for resolving disputes regarding respective liabilities to settle compensation claims.


Assign responsibility and budget for data protection compliance within your organisation. Whether or not you decide (or are required) to appoint a Data Protection Officer (DPO), the GDPR’s long list of data governance measures means that ownership of their adoption must be allocated within the organisation.

Ensure that a full compliance programme is designed for your organisation, incorporating features such as: Privacy Impact Assessments (PIAs), and regular audits of data, data protection updates, and training/awareness raising programmes.

Monitor the supplier terms and codes of practice published by supervisory authorities, the EU and industry bodies to see if they are suitable for use by your organisation. If you are a supplier, consider the impact of the GDPR’s provisions on your cost structure and on your responsibility for signing off the legality of your customer’s activities.

Implement measures to prepare records of your organisation’s processing activities. If you are a supplier develop your strategy for dealing with customer requests for assisting with the development of such records.

Teamwork not just IT

You should establish a GDPR compliance team with the necessary skills and experience to develop, implement and coordinate a compliance plan. Initially this will mean analysing existing data processing activities across the organisation’s employment lifecycle to identify high-risk areas.

Develop a timeline to implement a GDPR compliance programme.

Next Steps

  1. Carry out a risk assessment (PIA) and then act on the results:
    1. Document all current processes and data flows
    2. Analyse any potential areas of weakness or vulnerability
  2. Document:
    1. What personal data you hold and why?
    2. Where it came from?
    3. Who you share it with?
    4. Business relationships with service providers, data providers and contractors and ensure they are GDPR compliant.
  3. Identify the lawful basis for your processing activity.
  4. Review/establish processes for seeking, recording and managing consent and refresh consents if they do not comply with GDPR.
  5. Document the procedure in place to detect, report and investigate personal data breaches, and audit them.
  6. Document and review procedures for communicating privacy information and for dealing with individuals’ rights regarding erasure, subject access requests, objections, transfer of data etc.


  • Make someone responsible for managing GDPR and data strategy.
  • Add opt-ins to all your digital marketing, and ensure you get a double opt-in.
  • Restrict access to personal data to only those who need to have access to it.
  • Ensure you have up-to-date security systems, such as firewalls, backups, encryption and authentication, and test them on a regular basis.
  • Explain to users, in plain language, what data you’re holding, how long you’re holding it for, and how users can withdraw their consent. Your policy has to be simple, appropriate, and contain all the required information.
  • Develop a detailed breach response plan, including when to notify regulators and individuals, as well as how to handle data breaches from a media perspective.
  • Consider making financial provision to handle transitional costs, any data breaches and taking out insurance to cover data breaches.
  • Keep records of any data breaches, what data was compromised and how the breach was dealt with as well as what steps are being taken to ensure that type of breach does not re-occur.

We are not saying that this is all you need to know about Data Protection, but if you address these issues it is likely that you will have covered all the most important matters.


Please feel free to ask any questions of our Consultants who would be pleased to advise on any element of this newsletter.