Small business compliance UK – what you need to know
Find out about GDPR and other areas of SME compliance in the UK.
Industry regulators are constantly updating regulations and legal obligations – and it can be a real challenge for SMEs to keep up.
Here’s a heads-up on the key areas you need to focus on to ensure your small business meets compliance rules and regulations.
What is compliance for small businesses?
In business terms, compliance is about ensuring companies of all sizes and their employees comply with existing national and international laws.
The Companies Act 2006 is the main legislation that forms the primary source of UK company law.
The main objective of compliance is to avoid or swiftly identify criminal behaviour and react appropriately to it.
And, while making sure every aspect of your operation is being run compliantly may seem a daunting task if you’re running or starting a small business, it’s worth the effort.
Compliance regulations have been put in place to protect you, your company, your employees, and your property.
Along with meeting legal requirements, there’s also an ethical aspect of compliance to consider.
Essentially, a compliant company demonstrates that it’s a reputable business that respects the interests of its stakeholders – such as customers, employees and residents (for example, if you have a factory) – by operating responsibly.
This can have a positive effect on your small business’s credibility and reputation.
What are the main areas of business compliance to consider?
If you’re setting up a company, some of the most important compliance considerations include:
- Complying with applicable industry regulations set out by professional regulators – for example, the Financial Conduct Authority, the Office of Rail and Road, the Law Society or the Environment Agency
- Complying with finance regulations – such as tax, payroll, HMRC, accounting, record keeping, Companies House and anti-money laundering regulations
- Employment law and workers’ rights
- Health and safety for workers and visitors to your offices/site
- General Data Protection Regulation (GDPR)
- Contracts and agreements with third parties
- Sector-specific permits, licences, permissions
Ensuring GDPR compliance
The EU’s 2018 General Data Protection Regulation (GDPR) governs how organisations process and use personal data to provide consumers with greater protection.
GDPR impacts every aspect of a business – from how you build your customer database to the way you market your business.
Non-compliance can result in a hefty fine – up to €20 million (about £18 million) or 4% of annual global turnover – whichever is greater. There are some exceptions for businesses with fewer than 250 employees.
Since Brexit, GDPR has been incorporated into UK data protection law as the ‘UK GDPR’.
This iteration, which came into force on 1 January 2021, is largely similar in its data protection principles and obligations.
Under GDPR, every organisation that handles personal data needs to be able to:
- Prove that consent was given to hold it
- Be able to show what the data is being used for
- Demonstrate how it is being protected
- Provide individuals with access and the ability to review, amend or challenge data processing practices
What legal documentation does my small business need?
To make sure your business is compliant, you should regularly review and update all your legal documentation, including agreements, contracts, forms, letters, policies, and procedures.
This applies across the board and covers everything from employment and business law to tax and health and safety.
As an employer, the documentation you need includes:
Employment law: This ensures each employee is protected by specified employment terms, which is a legal requirement and demonstrates that you have the correct policies in place:
- Employment contracts (written statement of employment)
- Grievance, disciplinary and HR procedures
Business law: All documentation that registers your business, relates to tenancy and financial arrangements, or protects your business, products and services:
- Companies House information
- HMRC papers
- Data protection documents
- Tenancy agreements
- Details of financial agreements
- Contracts for goods and services
- Intellectual property
Tax: Retain any information which is provided for tax purposes:
- Bank statements
- Invoices
- Record of expenses
- Past tax returns
Health and safety: Ensure you regularly complete risk assessments and have procedures in place to log incidents:
- Display a health and safety regulations poster
- Keep accident and incident reports
- Carry out risk assessments (in writing if you have five or more employees)
- Create a health and safety policy (in writing if you have more than five employees)
What are the risks of poor business compliance?
Poor business compliance is simply not worth the risk. You should adopt appropriate internal controls to make sure you’re abiding by the regulations related to your company’s operations.
If your company is investigated and found to be non-compliant, you could be punished with sanctions such as fines, profit skimming, or even imprisonment.
Some other consequences and costs may be incurred, such as claims for damages by customers and business partners.
What’s more, these sanctions are not limited to a single company but can affect the entire parent company.
In these cases, business insurance does not offer any protection. There’s also the loss of reputation and trust among business partners and customers to consider, which may be impossible to come back from.
How can I keep my business compliant?
The regulations are ever-changing, with new rules and updates coming into force all the time. There’s no doubt that keeping up is a huge challenge for small businesses, but it’s important that you do.
One example is a recent change in a piece of tax-avoidance legislation.
From April 2021, private sector employers have to follow the same rules as the public sector concerning IR35 – also known as the ‘off-payroll working rules’.
This means that private-sector employers now face a tricky choice: continue to treat contractors as contractors and risk a hefty fine if HMRC takes a different view, or treat them as employees, with the additional costs and responsibilities this involves.
However, by taking the appropriate steps, both contractors and businesses can ensure that they do not fall foul of IR35.
To minimise your chances of being non-compliant, adopt internal controls such as appropriate organisational policies and procedures, regular risk assessments, internal audits, independent statutory audits and regular process updates, keeping all the associated documentation as proof of your compliance.