5 Tips for Achieving GDPR Compliance in HR & Payroll

As data breaches and violations have made consumers worry more about the risks of sharing their data online, the European Union has taken the initiative to make some changes. The European General Data Protection Regulation (GDPR) is one of the most sweeping data protection reforms in years that included 11 different chapters and 91 articles.

While the fines for violating the GDPR can be harsh, the language can sometimes be vague or hard to understand. And it’s not just reserved for European companies.

Any business that keeps the data of European customers for any reason needs to be GDPR compliant.

We’re going to focus on five of the smartest changes you can make regarding HR and payroll so you can continue running your business confidently.

Understand the Data to Protect

The purview of the GDPR is broad, and that means that you may be liable for securing user data even if you aren’t dealing with sensitive financial information. In fact, the privacy data that the GDPR covers is quite sweeping. Some of this is basic. You need to keep the name and address of users safe as well as their general browsing data like the IP address, RFID tags, and cookies, but it also includes a ton of different demographic data.

A breach that exposes the racial or ethnic status of a user, their sexual or gender orientation, or their political affiliations could constitute a failure to comply with GDPR standards.

Those working in the health sector have even more to worry about, as the GDPR also protects genetic, biometric, and general health-related data.

And the range of businesses that GDPR provisions apply to is broad. If your company has more than 250 employees and handles the data of European citizens in any capacity, you’re liable for any fines that may come from a GDPR violation.

Assign Appropriate Oversight

A lot about the GDPR is vague. It asks, for instance, that personal data be given a reasonable amount of protection, without setting standards for what qualifies as reasonable, and demands that users retain a vast amount of control over how their data is used.

Rights include the ability to receive their saved data in a standard format, to have their data removed on request, and to be notified of any way in which their data is preserved. This means you need a well-organised system for recording and storing data, and dedicated staff who can fulfil user demands upon request.

There are three positions which you’ll need to assign to oversee issues with how your business handles personal data.

The data processor, data controller, and data protection officer each fulfil different roles and have different responsibilities.

They serve as checks and balances for various stages of data management, so making sure that you have assigned those roles to at least three qualified staff members will make sure you’re covered in the case of any incident with a data breach.

Come Up With a Response Plan

One of the most stringent restrictions in place with the GDPR is the fact that companies need to report a data breach to the proper authorities within 72 hours.

That can be difficult to achieve for smaller companies that don’t have the same resources as their larger competitors.

You’ll want to make sure you’ve drilled your team so they know precisely how to respond when the worst happens.

You don’t have to do it alone, either. If you’re having trouble figuring out a methodology for a quick response, there are plenty of experts out there who can help.

Whether that means bringing consultants on board to help you polish your plan or putting a contractor on retainer to handle your responses directly, asking for outside help can save you a whole lot of money on fines in the future.

Take Steps to Stay Compliant

One thing to remember about the GDPR is that it’s a living document. Changes aren’t uncommon, and regulators won’t give you the benefit of the doubt just because you didn’t know about a particular regulatory change.

Fortunately, there are resources you can use to keep up to date on the latest changes, but you’ll want to assign a staff member to take the responsibility of recognising any changes and letting the appropriate people know so they can apply relevant changes to company policies.

The other factor is that the rules for GDPR can vary from state to state.

You want to make sure that all of your research and regulations are tailored to where you live and what customers you’re doing business with.

The last thing you need to do is spend money staying compliant with costly rules that you don’t need to follow.

Implementing new regulations also means you need to update your systems and security protocols.

Legacy software and outdated systems can easily lead to compliance issues. If you haven’t updated your systems to meet the newest data safety standards, you should do so immediately.

Enterprise-level businesses that use custom-built software may have a dedicated software development team to manage internal tools and systems.

They can ensure that all company software meets both the company and GDPR standards, as well as making changes on the fly when the need arises.

Small businesses may not have such professionals on their team, but that doesn’t mean they should rely on third-party vendors to automatically adapt to new regulations.

Take a good look at the tools you use daily, what data they store and process, and for what purpose.

Start by updating systems that deal with the most sensitive data, and check with the service providers that their settings are compliant with GDPR standards.

Don’t hesitate to reach out to experts if you don’t feel confident implementing those changes on your own.

Recognising the Consequences

Between the sometimes ambiguous and obtuse language of the GDPR and the profitability of online data theft, it’s hard to ensure that you won’t unintentionally violate the regulations written into the GDPR.

That’s why it’s essential to know the consequences and be sure that you’re ready to pay them if necessary.

The most immediate cost is financial.

The GDPR has the same swing as a federal law, and violation fines are stiffer than most of the national or international standards in place.

But you also need to consider the impact a data breach can have on your reputation.

A data breach can be a public relations disaster for both small businesses and enterprise-level corporations. Understanding the scale of the impact a violation will have will help both you and your staff members take it seriously.

Joe Peters is a Baltimore-based freelance writer and an ultimate techie. When he is not working his magic as a marketing consultant, this incurable tech junkie devours the news on the latest gadgets and binge-watches his favourite TV shows. Follow him on @bmorepeters

This article does not constitute legal advice.

The opinions expressed in the column above represent the author’s own.


Why You Can’t Ignore CSR In Your Business

What is CSR?

Corporate social responsibility, or CSR, is something I first learned about in school over a decade ago. Back then, our business class teacher made CSR seem like something good companies would engage in. Something outside the norm of the ruthless profiteering and environmental pilfering by multinational conglomerates. Perhaps CSR was emerging as a fad back then. But in today’s world—a world I might add that is mere weeks away from the beginning of this millennium’s third decade—any business would be idiotic to ignore its social responsibilities to its customers and the planet.

In a nutshell, CSR is “international private business self-regulation”—or soft law. The concept revolves around the idea of creating shared value for its shareholders in such a way that the society at large, and planet, can also benefit from the value stemming from the business succeeding. Key features of a CSR should account for things such as: environmental sustainability; conformity to human rights; decent employment conditions; and ethical business practices.

It’s a vital part of any modern business today. Here are some tips on why it matters more now than ever and what a company’s policy on corporate social responsibility should include. 

Why CSR matters

It pains me to admit that CSR is not in the slightest bit altruistic. I really wish it was, but the raving cynic in me refuses to believe that most businesses would sacrifice their profit margins to benefit the survival of the planet. Or anything else benevolent for that matter. Such altruism cannot be expected from the mortals running businesses that have the ultimate goal of maximising profit. Most (not all) Fortune 500 companies and any sizeable corporations that have in place a policy promoting corporate social responsibility, do so for one reason only. That reason is they absolutely will lose money and customers if they don’t. 

In 2017, 63 percent of the largest 100 companies, and 75 percent of the Global Fortune 250 reported applying the GRI reporting framework, a voluntary reporting system on sustainability. CSR is mainstream and if you don’t know what it is, you’re late to the party. 

Consumers are increasingly aware of unsavoury business practices that adversely affect the society and environment they live in. Especially those in their 20s that adhere to the notion of collective responsibility. This generation is savvy to their ever-increasing power over what they choose to buy and who they buy it from. I know, I’m one of them. Being responsible is cool. I can attest to the fact that my friends, myself, and basically everyone I know in my age group, are incredibly conscious about sourcing even the most mundane of products.

These are the types of people modern corporations must cater to. Forget what that dinosaur Milton Friedman said about how a company’s sole purpose is to maximise profits for its shareholders. Okay, boomer. And hashtag side eye while I’m at it.

By The Numbers: This Is What It Looks Like Now

According to a study on younger consumers (2017, Cone):

Younger consumers may not even know what CSR is, but they care more about what the concept of CSR espouses than any other age group of people.

  • 63% of all Americans are hopeful businesses will take the lead to drive social and environmental change moving forward in the absence of government regulation
  • 78% of Americans across all age brackets want companies to address important social justice issues
  • 87% of Americans across all age brackets will purchase a product because a company advocated for an issue they cared about
  • 76% of Americans across all age brackets will refuse to purchase a company’s products or services upon learning it supported an issue contrary to their beliefs 

Another report conducted by Accenture in 2018 asked consumers what primarily attracted consumers to a brand beyond price and quality. Unsurprisingly, a significant number of consumers listed reasons such as:

  • The brand has a great culture. It does what it says it will do and delivers on its promises
  • The company is transparent—with where it sources its materials, how it treats employees fairly, etc.
  • The company treats its employees well
  • The brand has ethical values and demonstrates authenticity in everything it does

Additionally, if you’re planning to hire anyone under the age of 35, consider:

  • Seventy-six percent of millennials consider a company’s social and environmental commitments when deciding where to work
  • 64% of millennials would not take a job if a potential employer didn’t have strong corporate social responsibility practices in place
  • Eighty-eight percent of millennials say their job is more fulfilling when they are provided opportunities to make a positive impact on social and environmental issues

Environment and Society 

Do what you can to reduce your carbon footprint. Recycle, reuse, spend the extra dime to change to a supplier who is also environmentally friendly. Any steps they can take to reduce those footprints are considered good for both the company and society and can be publicised for the company’s benefit.

It really helps if the company’s culture shifts towards being environmentally friendly. If the employees of the company consider the environment every time they make a business decision, those little things can add up to a substantial reduction in your carbon footprint. Natura, a Brazilian cosmetic company, focuses on preserving biodiversity and traditional knowledge and culture in Amazonia. Its products are sustainably sourced and biodegradable, and it has diversified its suppliers to empower smaller communities to reap the benefits of the company’s success.

Ethical Labour Practices

I mentioned that millennials want to work at a company that has in place a strong CSR policy and a culture of responsibility towards society-at-large. And while ethical labour practices should also apply to them, this section is more concerned with companies that have businesses in countries that have atrocious worker protection laws, like China and Bangladesh. A fair-trade certification is a good way to show that your business adheres to ethical labour practices. Don’t be ignorant of criminal or unethical labour practices that happen within the warehouses and factories of your own company, or those that your contractors and suppliers, and even your clients, might engage in. It’s important to actively monitor how employees are treated in the course of business, and if unethical labour practices are discovered, quickly take steps to rectify them.

Philanthropy and Community Engagement

Have a positive impact in the areas that your business operates in. This can be achieved by practising social responsibility and donating money, products or services to social causes and non-profits that foster sustainable growth and development in the community. I buy from BOMBAS, a company that sells socks, even though their prices are not cheap because they donate a pair of socks to charity for every pair they sell. So far, they’ve donated over 28 million pairs.

A responsible, conscientious and sustainable approach to running a company is the only way forward.


Vicarious Liability: What Is It And Who is At Fault?

Who might be at fault for this one?

Imagine you brought your Hermès bag to a clubhouse and the waiter spilled red wine on it, ruining your $240,000 bag. Can you sue the clubhouse, and on what basis?

The basis of this example is vicarious liability, and it is the real-life subject of an ongoing legal battle in the US.

The lawyer for the lady with the handbag argued: “She didn’t wear it apple picking. She wore it to a very expensive country club where she was a member. If you bring your car to a country club and it gets scratched up, you expect the club to pay for it.”

Who ultimately pays for butterfingers here? (Not the candy bar, which would obviously be me. Yum).

While we await the court’s decision, here’s more about vicarious liability:

What is vicarious liability?

Vicarious liability is the liability of one person for the acts of another. And the most commonly found category of vicarious liability is within the employer-employee relationship, where the employer is vicariously liable for the employee.

The rationale for this is that when a claimant has suffered damage as a result of a tortious act, his concern is to obtain compensation. He will wish to seek relief from a party who has the resources to pay this. Often the individual whose wrongful act has caused the damage does not have the means to compensate the victim. In these circumstances, the victim, with the aid of his lawyer, looks for someone with deep pockets to sue.

In the Hermès bag situation, the lady is suing the clubhouse, because the clubhouse can afford the compensation, while the waiter cannot.

Vicarious liability is a strict liability. This means the employer is still liable even though he or she is not at fault.

For Example

Examples include:

  • A creditor being vicariously liable for intimidation and assault committed by the debt collectors she employed.
  • A hospital being vicariously liable for a nurse’s negligent way in handling a mentally unbalanced patient.

There are two main types of vicarious liability. The first is employer-employee, where the employer is vicariously liable for the employee’s wrongdoing committed “in the course of employment”. The second kind is where the wrongdoing results in the breach of what has been described as a non-delegable duty owed by the defendant to the claimant, for example licensees owing a non-delegable duty to their clients.

A non-delegable duty usually arises out of a pre-existing relationship between the claimant and the defendant. As a result of that relationship the defendant owes the claimant a duty to take reasonable care to see that he, or his property, is not harmed. That duty cannot be delegated. The performance of the duty may be delegated to another. But if he is negligent in performing the duty the defendant will remain personally liable for the negligence.


To establish vicarious liability for employers:

  • An employer-employee relationship must be established
  • The employee’s tort must be referable in a particular way to that relationship.

Hence, there is a need to distinguish from situations where only the employee is personally liable.

Let’s say a wealthy man employed a chauffeur to drive him around. If the chauffeur had an accident while driving the wealthy man, the wealthy man would be vicariously liable because the chauffeur was his employee and the accident had occurred in the course of the chauffeur’s employment. However, if the wealthy man had taken a taxi, and the taxi driver had had a collision, then the wealthy man would not be liable. This is because the taxi driver was an independent contractor.

Only During Office Hours

It should be noted that the wrongdoing must be committed in the course of employment for the employer to be vicariously liable. In the case Storey v Aston, a wine merchant sent his clerk to deliver some wine. On the return journey, the clerk drove the car to visit the clerk’s brother and the car ran over a person. Is the wine merchant vicariously liable for the clerk’s tort? The answer is no, because it was after business hours, and the accident took place outside the course of his employment. Furthermore, it was a new and independent journey from the one the clerk was instructed to do, and he was on what has been called “a frolic on his own”.

It is not always clear if the relationship is an employer-employee relationship because in many cases the party is a contractor, not an employee. The test to establish whether there is an employer-employee relationship is to look at the degree of control. If there is a high degree of control, it usually entails an employer-employee relationship. Evidence of a high degree of control includes:

  • Regular, timetabled hours of work
  • Prohibition against working for others
  • Provision of transportation between job sites
  • Regular and close supervision
  • The requirement to wear company uniforms and/or to display the company logo

Recent developments

Recently, the control test has been thrown into doubt by judges. They now prefer the test where the relationship is sufficiently “akin to that between an employer and employee”, or where the wrongdoer plays an essential part in the employer’s business enterprise. For instance, churches and parishes can be held liable for torts committed by priests working there who are appointed to their offices and do not have a contract of employment.

There is a case on the issue of whether a local authority can be vicariously liable for the torts committed by foster parents against children placed with them while in care. The answer is yes, because the local authority exercised a significant degree of control over both what the foster parents did and how they did it, in order to ensure that the children’s needs were met.

The second development is the possibility of dual vicarious liability, where both the head-contractor and subcontractor are vicariously liable for the worker’s negligence.

In a child sex abuse case, two brothers of a Catholic institution, who were also teachers at a school, committed child sex abuse. It was held that both the Catholic institution and the managers of the school are vicariously liable for the abuse. Although the Catholic institution did not employ the brothers, the brothers entered into deeds under which they undertook to transfer all their earnings to the Institute, leaving the Institute to cater for their material needs. The court held that this meant that their relationship with the Institute was even closer than that of employer and employee.

Examples of vicarious liability


Besides employers being vicariously liable for their employees, partners in a firm can also be liable for one another. This is so long as the partner in question is acting in the ordinary course of the business of the firm or with the authority of his co-partners (Partnership Ordinance (Cap 38), s.12).

Car owners

If the defendant (D) lends his car to a third party (TP) in order to perform some task for D and TP negligently injures the plaintiff (P) in doing so, D will be vicariously liable to P in respect of TP’s negligence. However, the rule only applies where TP is driving D’s car for D’s purposes or under the delegation of a task or duty.


Very often licensees are criminally liable for the acts of managers or delegated servants of the place. For example, in Tam Wing Him v R, the licensee of a nightclub was convicted of “permitting the employment on the premises of a person under the age of 14 years”, despite being overseas at the time. He had entrusted the management of the nightclub to the manager, who had knowingly employed a 13-year-old girl at the club. The licensee is commonly found to have imputed knowledge because he delegated the duty to the manager. The principle of delegation states that “Where a statute places a duty upon one person to do something (for example as a licensee) and he delegates the performance of the activity to a second person, the delegator may be liable for the conduct of the delegates in performing that activity.”

So, that’s vicarious liability. Be careful who you employ, and who you lend your car to. 


A Guide To Garden Leave In The UK

By Terri Schofield

Garden leave, or gardening leave, is a term that became established after it was used during an episode of the household favourite satirical sitcom Yes, Prime Minister in 1986. It describes the practice whereby an employee leaving a job (having resigned or otherwise had their employment terminated) is instructed not to attend the workplace or perform duties. However, the leaving employee still enjoys the benefits of their contract of employment as they would in full employment. This is known as putting the employee on garden leave.

The termination of employment inevitably brings commercial risk and concerns to employers. Whether the employee is leaving voluntarily or the business has made the decision to terminate for some other reason, there will be recruitment, training and in some cases litigation costs that follow shortly after.

Why Would I Put An Employee on Garden Leave? 

At first glance, it may not seem logical to pay someone not to work for you. For some businesses, it is appropriate for them to allow the employee to remain employed, but physically not be called upon to “work” every day of their notice period.

For example, the employer might want to stop the employee from performing their regular duties immediately, due to conduct or capability concerns. However, it might also want to retain the employee for the notice period, typically requiring them to stay at home, to keep them away from a competitor for as long as possible.

The commercial benefits of garden leave are not one dimensional, but let’s look at a practical example:

Jeff is a specialist sales representative for an online business management platform, and has been headhunted by a competitor. They offer him a benefits package that exceeds what he can expect to receive in his current role so he decides to make the move and accept their offer. Now, the competitor knows that Jeff is working in the industry in which their clients operate, so they hope to gain some trade knowledge from him (and hopefully some new clients). As discussed in previous blogs, restrictive covenants can be incorporated into an employee’s contract of employment to safeguard your company from this. But for the time being let’s consider the immediate repercussions this could cause. Having informed his manager of his resignation, Jeff would now have an ordinary notice period of three months to satisfy before he is officially released of his duties. That leaves us with three months in which Jeff can collate company data, trade secrets, and contacts that will be beneficial to him in his new role.

Placing Jeff on garden leave enables us to keep him out of the marketplace long enough for any information to go out of date, or for the employee’s successor to establish themselves, particularly with customers, so as to protect goodwill. In most cases, this can only be achieved if there is an express garden leave clause in the employee’s contract allowing their duties to be varied, or withdrawn altogether, during the notice period. Having an express garden leave clause may help deter a competitor from poaching employees in the first place. It will also strengthen the employer’s bargaining position with any disaffected employees. Such a clause may be used in conjunction with post-termination restrictive covenants for maximum effect, although in some cases employers will provide for a set-off arrangement, where the duration of restrictive covenants is reduced by any period spent on garden leave.


Employer Obligations In A Garden Leave Clause

An implied right to work can be overridden by an express term of the contract. Therefore, if an employer wants to be able to put an employee on garden leave and retain maximum control over their activities during the notice period, it is helpful to rely on express contractual provisions, such as: 

  • A right to withdraw the employee’s duties and exclude them from the premises. This will prevent the employee from resigning and claiming constructive dismissal when put on garden leave.
  • A restriction on carrying out other business activities during employment (commonly relaxed to allow limited shareholdings in good faith for investment purposes only). This will draw the employee’s attention to the purpose of the garden leave, which is to restrain them from carrying out any business activities, and allow an order enforcing it to be framed more precisely.
  • An option to require the employee to do alternative duties during the garden leave period, or to perform only some of their usual contractual duties, which are expressly assigned to the employee during the period. This potentially allows the employer a greater degree of control over the employee during the garden leave period. This may mean that the clause is easier to enforce, as it makes it harder for the employee to run an “imposed idleness” argument.
  • Confirmation that the employee will continue to be paid during garden leave and will remain entitled to all contractual benefits.
  • A requirement that the employee should keep their manager informed of their whereabouts during garden leave, and of how they can be contacted during their normal working hours.
  • A limitation or prohibition on the employee having contact with clients or other employees during the period. In most cases, an employee on garden leave will have no reason to contact clients or colleagues. The employer may want to use the period to cement its relations with its client base and take pre-emptive measures against any team moves.

What Are The Risks Of Enacting Garden Leave Without A Garden Leave Clause In The Employment Contract?

If there is no express contractual right to put an employee on garden leave, they can argue that to do so is a breach of contract, because they have an implied right to work. Employees may use this as a mechanism to extract themselves from their employment without serving due notice, by claiming that the breach is repudiatory and accepting the breach, thereby bringing the contract to an end (and rendering any restrictive covenants void). An employer will need to weigh up this risk against the damage that may be done if the employee continues to work during their notice period.

The Obligations Of The Employer, And The Employee, Once Garden Leave Commences?

The employment contract continues to subsist during any period of garden leave. Therefore, the employer must continue to:

  • Perform all the terms of the contract.
  • Pay salary at the normal time.
  • Provide all other contractual benefits, such as medical and pension benefits and company car.
  • Allow the employee to exercise their normal holiday entitlement, and calculate holiday pay in the usual way.

The employee must also continue to abide by all their contractual obligations during the entire garden leave period except (in most cases) the obligation to carry out work for their employer. In many cases these will be negative obligations only. For example, not working for any other business; maintaining the duty of loyalty towards the employer; and not using or divulging any of the employer’s confidential information. However, in some circumstances the garden leave clause may provide for alternative duties to be carried out during the garden leave period.

The contract of employment continues to exist during garden leave. The employee continues to receive their normal remuneration and benefits. It’s logical to assume that any duties implied in that contract would continue to apply exactly as they did before notice was given. However, that is not always the case, and when it comes to the employee’s implied duty of good faith and fidelity, there are different schools of thought as to the effect of garden leave on an employee’s obligations.


Terri Schofield is a first year LLM with LPC student at BPP, Manchester. Alongside completing her post graduate studies, Terri works full time at DWF Law as an Employment Law Legal Adviser. Terri also sits as the UK Chair of DWF OutFront, their LGBT+ Network, where she is proactive in increasing visibility and sourcing opportunities for DWF’s LGBT+ employees.



Australia’s New Whistleblower Laws: What Employers Need To Do


Here’s what employers need to know

As of 1 July 2019, Australia’s new whistleblower laws apply. Following more than 12 months in Parliament, the new Federal whistleblower protection regime was enacted covering the corporate, financial and tax sectors. The new laws aim to expose corporate (and in some cases, personal) misbehaviour.

The Whistleblower Laws introduced:

  • expanded whistleblower protections for all Australian companies;
  • a requirement for larger Australian companies to introduce a Whistleblower Policy; and
  • new significant penalties for breaches of whistleblower protections, ranging up to $10.5 million.

Who can make whistleblower disclosures?

The category has now expanded to include employees, officers and suppliers of companies as well as their family members.

Disclosures made anonymously are still protected by the laws.

What classifies as a protected disclosure?

Protected disclosures include where a person has reasonable grounds to suspect that:

  • there has been misconduct or an “improper state of affairs or circumstances” regarding any of the entities covered by the laws or their related bodies corporate;
  • there has been conduct that breaches the Corporations Act 2001, the ASIC Act or a range of specified insurance, life insurance and superannuation statutes;
  • there has been conduct that relates to an offence against any law of the Commonwealth which is punishable by imprisonment for 12 months or more; or
  • there is conduct that presents a danger to the public or the financial system.

It’s important to note that disclosures about personal work-related matters are not generally protected by the laws. This includes: 

  • employment matters that impact upon the employee personally;
  • interpersonal conflict with another employee;
  • decisions regarding promotions, demotions, terms and conditions of employment; and
  • disciplinary action against the discloser.

Who can protected disclosures be made to?

Protected disclosures can be made to:

  • officers of a company;
  • senior managers;
  • auditors of a company;
  • actuaries of a company; and
  • trustees of a superannuation entity.

In certain circumstances, if a discloser has taken the prescribed steps yet has reasonable grounds to believe that action is not being taken to address the issue, there is also protection for disclosing to a journalist or member of Parliament.


If the confidentiality of a whistleblower’s identity is breached, fines of up to $1.05m apply to individuals and up to $10.5m apply to companies involved in the breach.

If a whistleblower is threatened or victimised, fines of up to $1.05m apply to individuals and up to $10.5m apply to companies involved in the.

New Requirements

The laws require all public companies to introduce a Whistleblower Policy.

This also applies to companies with:

  • consolidated ‘Group’ revenue in excess of $50m;
  • consolidated gross assets of more than $25m or more; or
  • 100 or more employees at the end of the financial year.

The Whistleblower Policy must be in place by 1 January 2020. A company that fails to comply may face fines of up to $12,600.

Employers Need To:

  • Implement a whistleblower policy. The policy must set out information regarding:
      1. the protection available to whistleblowers;
      2. the person/organisations to whom protected disclosures may be made, and how they can be made;
      3. how the company will support whistleblowers and protect them;
      4. how the company will investigate protected disclosures;
      5. how the company will ensure fair treatment of employees mentioned in protected disclosures, or to whom such disclosures relate;
      6. how the policy is to be made available to officers and employees of the company.
  • Train staff. Employers must train senior managers and those to whom protected disclosures may be made to know how to identify a whistleblower report, and the steps they must take if they receive one. It is important to adequately cover the importance of protecting the whistleblower’s right to anonymity from the outset. Employers must also train all staff to know how the whistleblower regime works under the Act. They must also provide training detailing the protections provided to eligible whistleblowers.

  • Assess procedures. The new regime requires analysis of any existing whistleblower procedures. Companies should also ensure procedures to protect whistleblowers’ information will be secure and comply with privacy laws. 





The Legal Differences Between a Full-time and Part-time Employee

By Sylvia Polydor

As a business owner, it is imperative to understand the difference between full time and part time employment in order to comply with the associated laws.

The number of weekly work hours is the most relevant aspect to categorise this.

In many jurisdictions, there isn’t an official definition of a part-time worker, other than that a part-time worker works fewer hours than full-time. In fact, it is up to employers to define the exact number of hours a full-time employee is required to work on a weekly basis in their company.

For fairness and transparency, the difference should be outlined in the Employee Handbook and/or Policies as employee status affects other employment conditions (i.e. pay, vacation, benefits, etc.).

Additionally, if the company staff includes part-time employees, an employer should draft a Flexible Working Policy where they state specific flexible working arrangements.

Generally speaking, full-time employees receive health benefits and salaried pay. Part-time employees are usually billed hourly and are not legally entitled to standard benefits.

However, the list of differences and legal requirements is much more detailed.

Laws and regulations on full-time and part-time employment differ from one country to another. For instance, if you are running a company in Singapore and wish to hire an employee who is not covered by the Employment Act of Singapore, you are required to draft an Employment Contract (Senior Executive), which is not always the case in other cities and countries.

Below you will find some of the general definitions of full-time and part-time employment regarding the number of work hours, benefits, and payment methods.

Work Hours

It is up to employers to define the exact number of hours a full-time employee is required to work every week. However, the following examples from different countries show that in most jurisdictions 35-40 hours a week would be considered full-time employment.

In the United Kingdom, a full-time worker usually works at least 35 hours a week. Furthermore, the rights of part-time workers are legally protected by the Part-time Workers (Prevention of Less Favourable Treatment) Regulations 2000.

In Australia, the Fair Work Act 2009 classifies employment into full-time and part-time based on the number of hours an employee works a week. Full-time entails 38 work hours while part-time is anything less.

In the United States, traditionally, 40 hours a week has been considered “full-time” employment. But the U.S. Department of Labor does not state that full-time workers are obliged to complete a 40-hour week and there are many current instances in which the hours required to be considered full-time have been lowered. The Bureau of Labor Statistics defines full-time as 35 or more hours a week, but this is just for statistical purposes and is not law. In addition, pursuant to the Affordable Care Act (ACA), a full-time employee is, for a calendar month, an employee employed on average at least 30 hours of service per week, or 130 hours of service per month.


Another distinction between part-time and full-time employees is that they may be paid differently, salaried vs. hourly. Some full-time employees may be salaried while employees working part-time are paid on an hourly basis.

Payment of overtime can also be different depending on the type of employment agreement.

In the United Kingdom for instance, legally, the employer must provide equal pay for equal work. The hourly rate for part-time and full-time workers doing the same work should be the same. However, employees working part-time may not be entitled to the same overtime rate as a full-time worker. This wouldn’t kick in until they have worked the same number of hours that a full-time employee would be required to work before getting the overtime rate.


Full-time employees typically receive more benefits than part-time employees. For instance, full-time employees may be entitled to the following exclusive benefits:

  • Medical insurance
  • Dental and optical plan
  • Retirement benefits
  • Paid time off (including holidays, vacation days, and sick leave)

Additional benefits can be included; they vary depending on the employer in question and the specific benefits they are willing to list in the Employment Contract.

In the United Kingdom, part-time employees have the right to all the benefits and the protection that full-time workers get in an equal proportion to the number of hours that they work (pro rata basis). That is unless the difference in treatment can be justified on objective grounds. This relates to benefits such as: annual leave, maternity pay and leave, parental leave, training, opportunities for promotion, pension schemes and travel allowance. Thus, mandatory benefits to provide to part-time employees may vary from jurisdiction to jurisdiction.

Notice of Termination

Neither full-time nor part-time employees can be made redundant without notice. Employers must provide written notice of the day of termination of the employment within a specified period of time. This usually depends on the amount of time the employee has been working for the company.

In Australia for instance, according to the previously mentioned Fair Work Act 2009, an employment contract can be terminated if:

  • An employer does not require the employee’s job to be performed due to changes in operational requirements.
  • An employer becomes bankrupt.
  • The employee has not performed their work in accordance with the defined job requirements.

If the employer does not dismiss the employee in accordance with the legal requirements, they risk receiving an employee claim for unfair dismissal.

Considering this, an employer is required to:

  • Give Notice of Termination of Employment
  • Pay outstanding wages for hours an employee has worked
  • Pay accumulated annual leave
  • Cover redundancy pay
  • Pay accrued leave (if applicable)



The Modern Apprentice: The Ins and Outs of Interns 

Not too long ago, the concept of an internship was virtually unheard of, but today the “intern” is a ubiquitous presence in the modern-day office. Prior to that, the closest relative for a whole millennium was the role of the apprentice. Ever since the Middle Ages (in the west at least) the idea of taking on students who are willing to learn a trade has persisted, particularly in technical and skilled trades. Back then, apprentices were expected to live with and serve their masters for no wage, remain unmarried, and often had to pay their masters to take them on as apprentices—a bit draconian to say the least.

It was not until the 1990s that the trend of utilising unpaid students caught on in the office. For the university student today, undertaking one or more internships is a mandatory rite of passage. Thus, the laws around the employment of interns have also developed in many countries, including Hong Kong. The rules are straightforward and do not differ significantly from hiring any other employee. Here are a few key issues to look out for when hiring an intern: 

Does An Intern Need To Be Paid?

In the eyes of the law, an employer is exempt from paying two categories of student employees: “Student Interns” and “Work Experience Students”. The statutory exemption from paying the minimum wage applies to both categories of student employees. 

Student employees are defined as those enrolled in full-time programmes being provided by local education institutions specified by Schedule 1 of the Minimum Wage Ordinance—this basically includes all students in Hong Kong higher education institutions and vocational colleges. The definition also covers all Hong Kong residents who are enrolled in a degree (or higher) programme anywhere abroad. And now for the specifics of the two:

Student Interns

  • The internship in question must be arranged or endorsed by the higher education institution providing the degree programme
  • The internship must also be a compulsory or elective part of the higher education syllabus of the student employee

If those requirements are fulfilled, the employer will not have to pay the student intern for the duration of the employment contract. Furthermore, there are no restrictions on age of the student intern, nor are there restrictions on the duration of the internship. Two formalities will have to be completed for the exemption to take effect:

  • The parties must sign a specimen confirmation of “student intern” status issued by education institutions.
  • Employers must also retain a copy of a document issued by an education institution showing that the period of work is arranged or endorsed by the education institution in connection with a programme being provided by it.

Work Experience Students

The more common type of student employee are the work experience students. These are higher education students whose internships have not been arranged by their schools and do not form part of the syllabus of the course they are undertaking. For the exemption to kick in here, these requirements have to be fulfilled:

  • The student employee must be under the age of 26 at the start of employment;
  • The duration of the internship cannot exceed 59 continuous days (this counts as one period); and
  • The student employee may only have ONE period of minimum wage exempt employment per calendar year

Three formalities will have to be completed for the exemption to take effect:

  • The parties must sign a specimen confirmation of “work experience student” status issued by education institutions.
  • Employers must also retain a copy of a confirmation of studies document issued by an education institution the student employee is currently enrolled in.
  • There must be a statutory declaration (or copy of the statutory declaration) provided by the work experience student verifying the fact that he or she has not commenced another exempt student employment period in the same calendar year.

Do Interns Need To Be Enrolled Into An MPF? 

If the student is employed as a regular employee for a continuous period of not less than 60 days, the offering organisation is required to enrol the student into a Mandatory Provident Fund scheme within the first 60 days of employment and make mandatory contributions accordingly (unless the student is under 18 years old or an exempt person).

This means that student interns will not need to be enrolled into an MPF scheme for the duration of their employment, however long, as they are exempt. For work experience students, enrolment into an MPF is mandatory if employed for a period longer than 59 days and over 18 years of age.

Rest Days

The Employment Ordinance makes no distinction between interns and any other employees when it comes to rest days. Here’s the gist of it:

  • An employer is required to grant not less than one rest day in every period of seven days to an employee who is employed under a continuous contract—One rest day per week
  • All student employees are entitled to 12 statutory holidays every year
  • There is no statutory maximum number of hours

Regarding the employment of students aged 15-18:

  • They cannot work before 7am or after 7pm
  • They cannot work more than 8 hours per day
  • They may not work more than 48 hours in a week
  • They may not work for more than 5 hours continuously without a break of at least 30 minutes.

The intern-employer relationship is a symbiotic one. Interns get a chance to learn about their chosen industry and perhaps snag an employment opportunity with the employer further down the line, and the employers get to freely sift through potential talent that might benefit their business.

If the employer and the intern treat each other with respect, the relationship can become an extremely fruitful one. 




Sikhei Leung is a law student and freelance writer. He holds an LL.M. in Human Rights from the School of Oriental and African Studies and an LL.B. from BPP University London. He also has a Psychology degree from Durham University.

The Differences Between An Employee and Independent Contractor



What’s the difference?

For a business owner, it is imperative to understand the difference between “employee” and “contractor or self-employed person” to comply with the different rights and obligations your business has depending on the qualification.

Independent Contractor 

An independent contractor or self-employed person is not employed by the company but rather serves as an independent expert who provides a service to the client on a self-employed basis.

Independent contractors are not protected by employment rights like company employees. The entire basis of the relationship between a client and an independent contractor or self-employed person is contractual and subject to less statutory regulation. This subsequently means that core duties of an employee such as some level of fidelity or confidentiality are not provided with an independent contractor. Thus, in some cases it might be useful to consider entering into a Confidentiality Agreement with the independent contractor.  


An employee is employed by the company and protected by employment rights as set out in his Employment Agreement as well as in statutory regulations. In return, an employee has more extensive obligations towards his employer, i.e. with regard to fidelity and confidentiality.

How to differentiate between “employee” and “contractor”?

Common factors:



| | Employee | Contractor or Self-Employed Person |
| --- | --- | --- |
| Control over work procedures, working time and method | No – normally the employer decides. | Yes – contractor typically sets hours needed for job at hand. |
| Ownership and provision of work equipment, tools and materials | No – usually employer will provide. | Yes – typically contractor will have tools needed for job at hand. |
| Whether the person is properly regarded as part of the employer’s organisation | | No – usually a contractor or self-employed person is not considered part of the organisation of the client. |
| Insurance and tax responsibilities | Typically an employee bears no responsibility with regard to insurance or tax. | Yes – an independent contractor will usually be responsible for their own insurance and tax. |

This list provides some guidelines. However, other factors may be considered to help qualify the relationship such as the traditional structure and practices of the trade or profession concerned or the payment structure (salary, lump sum, etc.). 


Example Case: Bob The Programmer

Bob is a programmer. Your company contracts with him to write a program to manage the company’s inventory. Is he an employee or an independent contractor?

If Bob works within the premises of your company, has to comply with company working hours, your company owns and provides the work material and equipment (i.e. the IT tools to write the program), and your company bears the financial risks as well as the responsibility to provide insurance and pay taxes, then Bob would qualify as an “employee”.

However, if Bob works outside company premises with his own material and equipment (i.e. the IT tools to write the program) and is not bound by any working hours, but solely to deliver a product, then Bob would most probably qualify as an “independent contractor”.

Bottom Line

It is important to be aware of the qualification of the relationship in place with the persons that work for you. If a person hired qualifies as an employee, she will be entitled to more rights. Furthermore, while there is no conclusive test and the outcome depends heavily on the individual case, the criteria mentioned above can help identify the type of working relationship and related obligations.


8 GDPR Compliance Tips Explained Through Queen Songs

By Tess Priester of Privacy Perfect

Often the best way to tackle complicated matters is to make them fun. Because, the show must go on. Therefore, here are 8 essential tips to become and stay compliant with the GDPR if you don’t want to be the next one biting the dust.

1. Ay-oh – Get backing from the top

Ideally, you want the board to sing along with your privacy plans. Getting the support of, and back-up from the board is a prerequisite for an effective privacy compliance program within your organisation. Involve them from the very beginning and make clear what the specific risks are for the organisation. Bear in mind that the possible risks are more than just fines and penalties. They also consist of poor PR and ultimately loss of confidence in your organisation.


2. We Will Rock You – Think about and formulate the organisation’s privacy ambitions

How will you rock your privacy compliance programme? By formulating a clear vision on privacy. What do the board and you want to achieve from this programme? ‘Being compliant’ is not specific enough. Make sure to have a clear and specific privacy ambition. Questions to use are:

– How compliant do we need to be from 0-10?

– How compliant can we be from 0-10?

– How compliant do we want to be?

– What does privacy mean to our company?

– How do we value privacy on a personal level?

Having a clear and specific privacy ambition makes it much easier to maintain your backing from the top.

3. Bohemian Rhapsody – Know your obligations

Is this the real life? Is this just fantasy? Do not only read the provisions that are the most appealing to you in the GDPR. Start by getting acquainted with the GDPR, by reading the recitals and learn how the chapters divide the different provisions. Because, you don’t always have to assign a DPO and there is more than consent in this world. Furthermore, it is good to know when you need to perform a DPIA and that it is not necessary to notify all your clients if your colleague loses his laptop.


4. Somebody To Love – Know your organisation

It is important to have insight into your organisational structure and to know the corresponding managers per department or establishment. You should know what is happening in the organisation. What are the different establishments and departments doing? What is their core activity? Use this information to get a good view of the organisation’s activities. It is mandatory for getting an overview of your privacy activities.

The next step is to know your people. Could the knowledge that you can use already be found in-house? Perhaps there’s someone who can assist you in getting the personal data security policy up to speed, or someone who has a decade of experience in organising training sessions. So, find yourself somebody to love, or at least someone who can help you achieve your goals and provide you with the necessary knowledge.

5. I Want It All – Inventory the use of personal data

I want it all! Or at least 80% of it. The well-known 80/20 rule is a good rule of thumb when you are busy inventorying activities. You can start either by inventorying the systems and databases or by inventorying the processing activities per department. If you start with the first one, get your information security officer on board, as it is very likely that she or he can provide you with a list of systems.

If you start with inventorying per department, make sure to prepare beforehand.

– Create a comfortable setting, this exercise is not to test the employees

– Explain what qualifies as personal data

– Prepare a list of questions

– Don’t be afraid to dig deep!

– Do it together

6. We Are The Champions – Divide and conquer

In order to pull off your privacy compliance program, it is necessary to get some eyes and ears in the organisation. Yes, a bit like Big Brother. You can assign local privacy champions within the organisation who can easily identify the privacy issues and practical obstacles per department. In this way it is much easier not only to detect possible non-compliance, but also to solve it quicker.


7. A Kind Of Magic – Use what you already have in place

Performing a privacy compliance program within your organisation will obviously lead to new procedures and policies. If you want a higher success rate of these new procedures, make sure to stick to what you already have in place. Works like magic. For example, when you want to introduce a new personal data security policy in the organisation, align this new procedure with the existing policies on information security. Not only will it be much easier for the employees to find and follow the procedure, you will also prevent a proliferation of separate procedures within the organisation.

8. Don’t Stop Me Now! – Privacy compliance is never done

Create awareness. You have probably heard this often before. Awareness. To prevent your efforts and outcomes from becoming dusty and rusty, you need to keep your program alive. A privacy compliance program is not a one-off. It requires a change of culture within the organisation. Therefore, you need to create awareness amongst the employees. Traditional ways of achieving more awareness within the organisation are offering training sessions and sending e-mails that emphasise the importance of not losing your laptop on the train. Of course, these methods are effective, but there’s always some space to be more creative and try different methods. Privacy and personal data protection are topics that capture the imagination par excellence. While training the employees, take a positive approach and avoid mentioning negative consequences like fines up to 20 million euros. Not only is it quite unlikely that your organisation will face a fine that high, employees are much more inclined to comply with your procedures if you approach it in a positive manner.

Tess Priester is a Data Protection Consultant at PrivacyPerfect, one of the first high-end privacy compliance software providers on the market. Tess has over five years of experience in advising a wide range of governmental bodies, healthcare providers, and multinational organisations on complex legal privacy matters.





Everything You Need To Know About Garden Leave


By Sikhei Leung

The Origins and Meaning of “Garden Leave”

Popularised by the 1980s satirical sitcom “Yes Minister”, the term “gardening leave” or “garden leave” is now frequently used in the United Kingdom, the Commonwealth, and former British colonies such as Hong Kong. It’s used to denote a situation that arises when employees are instructed to stay away from the workplace either after handing in their notices, or if they are terminated. It is generally accepted that during this period, employees continue to receive all their usual benefits, such as health insurance, and are paid their full salary. To the employee, it will sound like a cushy paid holiday, but in reality garden leave exists primarily to protect the employer from the possibly damaging actions of a leaving employee. The etymology of the phrase stems from (yes, we meant to) a semi-derogatory term used to evoke the image of British civil servants on suspension at home in limbo with nothing to do but tend to their gardens.


Garden Leave 101

There are two ways to put an employee on garden leave in Hong Kong. 

  1. Put a clause in the employment contract. This is the most straightforward and fuss-free way to do it. Exercise of the clause after the employee has given their notice or has been rightly terminated is at the employer’s discretion.
  2. Alternatively, if a garden leave clause isn’t included in the employment contract, the employer may only initiate garden leave with the employee’s consent. 


Garden leave clauses are legal, and popular, in Hong Kong, but they are all subject to tests of enforceability. If the clause is challenged, for a court to uphold it, the garden leave must:

  1. Serve to protect a legitimate interest; and
  2. Last for a reasonable period. 

The test is left intentionally vague to allow the courts to take into account all the factors surrounding any issues that arise. Legitimate interest can include the protection of an employer’s goodwill fostered with clients and suppliers; to ensure the stability of an employer’s workforce; or to prevent the dissemination of any confidential information that the employee might otherwise possess. 


Fencing Off the Competition: Why Do Employers Bother Having Garden Leave Clauses?

Although a paid holiday probably sounds grand to most ears,  the true beneficiary of the garden leave is the employer. The cost of an employee’s salary and benefits paid during the garden leave period may be vastly outweighed by ultimately protecting the trove of knowledge of the employer’s affairs and transactions. 

During the garden leave, the employee that has given his or her notice must adhere to the same terms of employment that were originally agreed to, which would include the boilerplate alphabet soup of contractual clauses such as covenant not-to-compete clauses (CNCs), non-disclosure agreements (NDAs), non-solicitation clauses (NSCs) and more.  The employee—restricted to ‘gardening’—will cease to have knowledge of ongoing information about the nature of the company’s work and therefore prevent competitors from gaining an unfair advantage in the market. 


For the employer, there is absolutely no reason why a garden leave clause shouldn’t be included in any employment contract. The clause gives the employer the option to put the employee on garden leave and can only be exercised by the employer.


Garden Leave and Post-Termination Restrictive Covenants

Garden leave does not operate alone; instead, it operates alongside the aforementioned contractual clauses that form a class of covenants (legal-speak for a type of agreement) that restrict employees from doing certain things after they are terminated. The principle behind post-termination restrictive covenants is wholly in line with the foundation behind garden leave—to protect the business. While highly beneficial to the employer, these covenants can be incredibly unfair to the employee.

For example, covenant not-to-compete clauses (CNCs) prevent the employee from seeking employment in the same field after termination, while receiving no remuneration or benefits. In Hong Kong, a three-month restriction is generally acceptable, but the period can be up to six months. Additionally, a CNC may be applied to the entirety of Hong Kong if the employer passes the test of enforceability (see above), meaning that the employee could well be agreeing to six months of unemployment. Non-disclosure agreements (NDAs), and non-solicitation clauses (NSCs) aren’t as restrictive to the employee but any employment contract that has a CNC will likely have an NDA and an NSC. 


A balance of protection must be struck between the employer and the employee in order for an employment contract to appeal to both parties. Post-termination restrictive covenants will sway the balance towards the employer, and possibly dissuade the employee from signing on the dotted line. Here is where garden leave comes in as the carrot to the big, corporate stick. In the majority of cases, the garden leave period affords an employee the luxury to search for continuing employment, while simultaneously protecting the employer’s interest. A prospective employee may find that the garden leave period sweetens the deal considerably after being repeatedly subjected to a smattering of post-termination clauses. Keep in mind that the period of restriction set out by a CNC is reduced by any period of garden leave served by the employee. However, garden leave clauses won’t do any justice to employees whose income is derived primarily from commissions or other incentive-based remuneration, as they won’t be working during the garden leave.

To summarise, garden leave clauses and post-termination restrictive covenants are one of the many forms of parallel negotiation and contracting when there is a possibility of an employment relationship. Together they form one of the many tools that protect both the employer’s business and the employee’s livelihood. 
