Founder Series: Top Tips to Follow for Compliance Matters

Orrick's Founder Series offers monthly top tips for UK startups on key considerations at each stage of their lifecycle, from incorporating a company through to possible exit strategies. The Series is written by members of our market-leading London Technology Companies Group (TCG), with contributions from other practice members. Our Band 1 ranked London TCG team closed over 320 growth financings and tech M&A deals totalling US$9.76bn in 2022 and has dominated the European venture capital tech market for 7 years in a row (PitchBook, FY 2022). In our previous Series instalments, we guide founders through the process of incorporating a private limited company and building their team through to using share options to attract and incentivise their employees and how to protect their ideas.

While focusing on many of the key aspects discussed in prior instalments in the early stages of growing your startup, it can be easy to forget the importance of compliance. Two core areas of your company where compliance is increasingly important from the outset are data protection and employment. In the fifth instalment of Orrick’s Founder Series, our Cyber, Privacy and Data Innovation team and our Employment team offer top tips to help UK startups navigate these compliance areas.

1. Data Mapping. From the very beginning, it is important to consider whether your startup will be collecting any personal data. This will help you to determine the extent of your data protection obligations. For example, if your company is data-driven and intends to collect large amounts of personal data or particularly sensitive data, the extent of your privacy compliance obligations and liability exposure will be greater than if your use of personal data is confined to holding personal data in respect of your employees only. Conducting a data mapping exercise will therefore set the right foundation for a good compliance programme and help you to understand your legal obligations and the risks that your business faces.

2. Legal Basis for Processing. The UK General Data Protection Regulation (“UK GDPR”) requires companies to have a valid legal basis for any processing of personal data. There are six available legal bases as follows: (i) obtaining the individual’s consent, (ii) complying with a legal obligation, (iii) performing a contract, (iv) protecting the vital interests of an individual, (v) for a public task, and (vi) for the legitimate interests of an organisation. For a company to legally process any personal data, it must have established which legal basis it intends to rely on before collecting such personal data. Each legal basis has different requirements that must be satisfied; therefore, this analysis should be factored in at the start before processing any personal data.

3. Website Privacy and Cookie Notice. The UK GDPR requires companies to provide certain information to individuals whenever they collect and process personal data. This is often done by way of a privacy notice. Where the company website collects personal data from site users, a UK GDPR compliant privacy notice will need to be displayed on its website.

Where a company website uses cookies, the general rule is that you must inform users that cookies are being used, explain what the cookies are doing and why, and obtain the user’s consent to store a cookie on their device. The best way to achieve this is through having a UK GDPR compliant cookie policy and implementing a means by which individuals can consent to the use of cookies when they visit your website.

Generally, the first place that a regulator or individual will look for information about a company’s privacy practices is the disclosures on the company website. These documents are likely to be subjected to a higher level of scrutiny. The external facing privacy notices should therefore be prioritised in the early stages of a startup’s privacy compliance journey.

4. Internal Privacy Compliance. Companies which process personal data are required to implement and maintain certain privacy compliance documents, policies and procedures. For example, companies must have a Record of Processing Activities in place which details the company’s processing of personal data. If you have employees, an employee privacy notice will also be required. The extent of your privacy compliance documents, policies and procedures will largely depend on the nature and scope of your business operations; there is no “one-size-fits-all”, so you should seek advice early to understand what your compliance roadmap looks like.

5. International Data Transfers. There are strict rules governing the transfer of personal data internationally. If personal data is being transferred outside of the UK to a country which is not deemed to have an equivalent level of data protection, the company will need to implement additional safeguards, such as standard contractual clauses and any necessary supplementary security measures (i.e. encryption, access controls). As at the date of this instalment, the following are viewed as providing adequate data protection from a UK perspective: the European Economic Area (EEA), Gibraltar, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. As part of the data mapping process, you should consider how and where you move data to determine whether the data will need safeguarding.

6. Compulsory Employment Policies. There are a handful of mandatory employment policies which should be adopted at the relevant stage.

1. Disciplinary Procedure and Grievance Procedure: the company should seek to align its disciplinary and grievance procedures with those set out by the Advisory, Conciliation and Arbitration Service (Acas). If a claim, for example for unfair dismissal, is successfully brought against the company (as the employer) in the Employment Tribunal, a failure to comply with the steps set out by Acas can result in an uplift of 25% of any award made. Disciplinary and grievance procedures should be marked non-contractual and sit separately from the employment contract.
2. Health and Safety Policy: companies with five or more employees are required to have in place a written health and safety policy.
3. Whistleblowing Policy: certain regulated and listed companies are required to have a whistleblowing policy.

7. Optional Policies: putting certain additional policies in place can be beneficial for the company as it ensures that both the employer and employees are clear about what is expected of them. It also helps to maintain consistency across the business and manage legal risk. Although the following policies are not legally required, it can be useful for the company to implement them and can provide protection for the company in key areas. Most companies choose to introduce the following as a minimum as they grow:

1. Equal opportunities policy;
2. Family leave policies (particularly where the company offers enhanced pay for family leave);
3. Whistleblowing policy (if not mandatory);
4. Flexible and / or remote working policy;
5. IT and communications policy;
6. Anti-corruption and bribery policy;
7. Modern slavery statement; and
8. Environmental Social and Governance policy.

8. Employee Handbook. Depending on the business of the company and its size, further policies can also be introduced. These policies can be collated in an Employee Handbook, and can include a sickness and absence policy, holiday policy, and expense policy. Company policies should explicitly state that they are non-contractual in order to give the employer more flexibility to amend and update them.

9. Employment-related Insurance. All employers in the United Kingdom are required to obtain employers' liability insurance. This insurance protects the company in respect of liability to its employees for injuries or illness.

10. General compliance. There are a number of other key employment-related compliance matters you should keep in mind to ensure that you are managing employee matters in a compliant manner, including the following:

1. Ensure all employees have the right to work in the UK;
2. Provide all employees with a written statement of the main terms and conditions of employment before employment commences;
3. Automatically enroll eligible employees into a qualifying pension scheme and make the minimum employer/employee contributions;
4. Comply with the rest breaks, holiday entitlements and maximum weekly working time limit set out in the Working Time Regulations (and, if necessary, keep adequate records in relation to the same);
5. Pay employees the national living/minimum wage for all of their working time; and
6. Consider any regulatory compliance issues in respect of their employees.

Our London Cyber, Privacy and Data Innovation team regularly advise early-stage companies on all aspects of data protection law, from guidance on compliance programmes, to incident responses and regulatory engagement. We can also assist with privacy related disputes. As a company grows, we can advise on how you can maximise the value of your data in a compliant way, as well as helping onboard vendors to streamline your process.

For further advice on the data protection compliance issues raised above or for other general UK data protection advice, please contact Kelly Hagedorn.

Our London Employment team regularly advise early-stage companies on all aspects of employment law, from guidance on recruiting a company's first employees, to managing a growing team and beyond. We can also assist with drafting and implementing employment policies, advising on disciplinary, capability and grievance procedures and ensuring the company is complying with its statutory, and any regulatory, obligations generally. We can advise on any issues that arise during the employment relationship, as well as termination of employment.

To discuss any of the employment law topics in more detail, please contact Nicola Whiteley.