The mountain of regulations facing SMEs

We’ve all been inundated with emails and text messages from a plethora of companies updating us on their GDPR policies, and it’s popped up in our news feeds, timelines and WhatsApp conversations.

But for small businesses, GDPR is just one of several business regulations that require attention; in fact, there are myriad other vital pieces of legislation which demand full and immediate compliance.

What is regulatory compliance?

Before we examine these pieces of legislation in detail and assess how small and medium-sized enterprises (SMEs) can comply, we should look at what regulatory compliance means.

The Organisation for Economic Co-operation and Development has adopted a wide-ranging definition, describing regulation as: “A set of ‘incentives’ established either by the legislature, government, or public administration that mandates or prohibits actions of citizens and enterprises (…). Regulations are supported by the explicit threat of punishment for non-compliance.”

To ensure regulatory compliance, companies must adapt to the legislation imposed by the higher authorities and put effective measures in place. This isn’t just about ticking boxes and rectifying any deficiency. It’s about adopting a clear, long-term plan to ensure continued compliance long into the future.

Slashing the red tape – or not

In the UK the weight of corporate regulations has long been a hot topic. Business owners have been complaining about ‘red tape’ and the dead hand of the state for decades; they were probably complaining about it back in 1802 when Parliament passed the Factory Act, which imposed a series of regulations on mills and factories in response to revelations about the abuse of children.

Since that momentous legislative milestone in the heyday of Georgian England, new regulations have been added on a piecemeal basis through Parliamentary legislation and legal precedent. Successive governments in the post-Thatcher era have announced crackdowns on regulation, pledging to hack through the red tape. The new Conservative government of 1983 launched a high-profile deregulation crusade, and a task force was launched in 1994 with a similar goal in mind. Tony Blair’s Labour government pushed the Better Regulation Commission and David Cameron’s administration threw its weight behind Startup Britain, while pledging to make life simpler for Britain’s entrepreneurs.

Yet these various governments have proved unable to deliver on their promise. In fact, the amount of red tape has actually increased according to Ian Cass, managing director of the Forum of Private Business (FPB). The FPB used to produce a health and safety manual a quarter of an inch thick, and Cass says the manual is now five times as large with the FPB’s drafting team looking to break it down into sections to make it more manageable.

The game-changer

In addition to British law, the UK Government is obliged to enshrine workplace directives from the EU, which impose minimum requirements in a range of areas, from the installation of health and safety signs to the provision of equal treatment to agency staff. Each of these directives is legally binding and has to be enforced.

Which brings us back to GDPR. Although the legislation originated in Brussels, it has subsequently been incorporated into the British statute book. Framed in the context of a series of very public data breaches, it requires companies to protect clients’ and subscribers’ information more effectively.

Any SME whose activities include ‘regular and systematic’ monitoring of data is now obliged to employ a data protection officer, whose role is to ensure compliance with GDPR. Such companies must also lay out their data protection policy clearly, introduce opt-in consent for any data they hold and seek retrospective permission from anyone whose images and testimonials they have used in marketing data.

The implications for SMEs could be huge. The Federation of Small Businesses told Financial Director (FD) that data protection regulation already costs small firms £7 billion a year, and GDPR will only increase that cost. In fact, the FSB estimates the transition costs for smaller enterprises alone will be around £5 billion. GDPR will also impose huge fees for non-compliance, with the maximum financial penalty shooting up from £550,000 to €20 million.

To avoid suffering such huge charges, Cass advises SMEs to “make sure you have a process in place for dealing with personal data in the same way you would have processes in place for fire safety, complaints and HR issues”.

This advice is echoed by Suresh Damodararu, director of compliance specialists Tax Partners, who told us that small firms should “appoint someone senior to oversee the compliance process, review and update existing information and cyber-security measures as necessary, and be sure to ‘map’ your data. Review contracts with clients, suppliers and employees, draft data protection policies, and train staff”.

Additional regulations

But as well as putting processes in place for GDPR, small firms must study and adapt to a flurry of other regulations introduced over recent months. These include an increase in the National Living Wage from £7.50 to £7.83, the mandatory publication of gender pay reports and a ban on corporate directors.

There is more to come with the government planning to introduce fines for directors of nuisance call firms. Some bits of regulation will require one-off implementation while others will demand long-term monitoring.

A spokesperson for the Federation of Small Businesses (FSB) told us that Theresa May’s government has rowed back on her predecessor’s commitment to repealing an unnecessary business regulation. While many individual regulations irritate SMEs, “the aspect of regulation that creates the biggest barrier to small business success is the cumulative burden. This cumulative burden is a consequence of a number of factors: the quantity of regulation, its bad design and drafting and poor implementation by regulators and enforcement authorities,” the spokesperson added.

The picture is unlikely to change after Brexit. Although a number of EU impositions will be phased out, such as the regulation which obliged UK digital businesses to charge local VAT on certain services, it is likely that each of the major EU requirements will be replaced or enshrined in British law.

Cass, who has previously demanded an “accelerated deregulation programme” for UK SMEs in the wake of Brexit, says that in the long run there won’t be much change for small businesses as all key regulations will be transferred across. “In the long run there may be changes,” he says, “but for smooth trading with our European partners, most regulations and standards will remain”.

The way forward

The UK Government website offers plenty of information for small firms and the Information Commissioner’s Office runs its own advice service, as well as a phone information hotline. Both the FSB and the FPB have published a range of materials, and your local council will likely provide guidance on its website. In the private sector, a number of firms such as Tax Partners and Hiscox offer dedicated advice.

Ultimately, however, SMEs need to take compliance into their own hands. That means talking to staff about key regulations. Managers can rely on online resources such as Netregs, which offers a comprehensive explanation about key environmental regulations. Additionally, specialist software applications are available from companies such as Zenefits, Shield Safety and Promise. Many of these applications harness cloud computing, so you’ll save on space and benefit from automatic updates.

If businesses have the resources, they should allocate the job of complying with a specific regulation to a particular person in the company, ensuring a clear line of accountability within the organisation. “If you can’t outsource [a particular] function, then train in-house at a cost,” Damodararu says.

Remember that every regulation should be met with the same dedication as GDPR and no matter how much frustration they cause, they’ll have to be complied with. Fortunately, there’s more help available than ever before, and the cost of non-compliance will always outweigh the hardship.