August 03rd, 2017

Legal & Tax Report


The Warsaw conference saw greater interest than ever in the legal and other compliance topics which affect our industry and our individual businesses. These topics are diverse, as demonstrated by the Immigration Symposium and sessions on data protection and financial compliance. I have picked out some highlights below.

The challenge of very lengthy Relocation Service Agreements, which can impose challenging obligations on DSPs, has become a real concern for many businesses. I suggest below some areas to watch out for and how to minimise your exposure to unknown liabilities.

Finally, with IT hacking becoming an everyday occurrence, I am sharing some tips on how to improve your e-mail security.

Enjoy your Summer!

Gordon

 

Gordon Kerr

Employee Mobility Unit

Morton Fraser LLP

(gordon.kerr@morton-fraser.com)

 

Some Hot Topics from Warsaw!

1) Immigration

The Immigration Symposium contained a wealth of detail, with high levels of expertise shared on the challenges around "stealth expats" and a dive into African and Asian immigration issues.

Inevitably, the session on "Brexit and immigration" produced particularly strong views and a range of very different national perspectives. It seems certain that the UK/EU Brexit settlement will include the introduction of immigration controls for UK/EU movement, but we can only speculate on what these controls will look like - and what this will mean, in practice, for individuals and for businesses. It does seem clear, however, that not only will we see more business for immigration firms, but it is also highly likely that Brexit will produce at least a short-term boom in relocation activity.

Evidence for this projected relocation activity is already being seen in the UK financial sector, with companies such as HSBC and Lloyds Insurance already making announcements about switching some operations from London to Paris and Brussels, respectively. If UK headquartered banks and insurance companies lose their current EU "passporting" rights (i.e. the ability to operate across all EU countries), it is estimated that as many as 50,000 jobs will move from London to financial centres within the EU. Aside from Paris and Brussels, cities such as Amsterdam, Dublin and Frankfurt will be at the forefront of trying to attract these jobs.

An interesting perspective on this issue, highlighted at the conference, is that some cities, such as Dublin, already have such pressures on school places and housing availability, that it may be difficult to take full advantage of the potential opportunities for post-Brexit inward investment.

Away from the financial sector, it also seems highly likely that EU agencies, such as the London based European Medicines Agency, will move out of the UK. A wide range of cities, including Barcelona and Stockholm, are reported to be pitching to be the new hosts of these agencies.

There was general agreement at the Brexit session that the most pressing priority was to provide certainty around the rights of EU citizens working in the UK and vice versa. This is a major issue for employers across the EU and even more critical for the individuals and families who are directly affected. The next few months will hopefully bring clarity to this particular issue, but there is a growing view that Brexit negotiations, with a 2 year fixed timetable, are going to be very difficult. For relocation firms, it's a case of hoping that the stormy waters ahead will also create some real business opportunities!

2) Data Protection

The Data Protection session focused on what the EU's General Data Protection Regulation, or GDPR, would mean for relocation businesses. The GDPR becomes law across all EU countries (including the UK) on 25th May 2018.

RMCs have already been tightening their data protection processes following the introduction, last year, of the EU-US Privacy Shield. This has implications for the whole relocation supply chain and we can expect to see further changes, including new contractual obligations, as RMCs and their corporate clients roll out their new, GDPR-compliant processes in advance of next year's deadline.

One reason why so much attention is being paid to the GDPR is the huge increase in the fines which will be imposed for non-compliance. These can now be as high as 4% of global turnover or 20 million Euros, whichever is greater.

Eye-watering penalties apart, the GDPR does not really alter, in a fundamental way, the basic legal obligations on businesses to protect personal data. In particular, the overriding requirement to take reasonable measures to keep personal data secure, whether that data is contained in electronic format or in a paper file, remains unchanged. And some new legal requirements, such as those relating to Data Protection Officers and Data Protection Impact Assessments, are aimed primarily at major data processing organisations and are unlikely to impact directly on relocation businesses.

So, what are the GDPR changes which are most likely to affect the relocation industry? I would highlight four areas:-

1. Individual consent: it will no longer be sufficient to rely on "implied consent" and all businesses will need to review the forms of consent currently relied upon to hold and use individuals' data;

2. Reporting security breaches: there will be stricter obligations on businesses to report, to the relevant data protection authority, any loss of personal data or unauthorised access to that data;

3. Handling enquiries from individuals: businesses must have processes in place to ensure that enquiries from individuals (e.g. to have their data deleted or corrected) are dealt with in a timely manner;

4. "Privacy by design": this is a responsibility to ensure that as new processes, software etc are rolled out in a business, key data protection principles, such as inserting a reasonable timetable for deletion of personal data, are built in to the new processes.

With under a year to go to the implementation of GDPR, it is worth checking the practical guidelines now being issued by the various data protection authorities across the EU (e.g. the ICO for the UK). There will also be further information from EuRA on this topic over the coming months.

Service Agreements with RMCs

It seems that RMC service agreements get longer every year. To an extent, this is due to more complicated requirements in areas such as anti-bribery and data protection. The RMC clearly wants to ensure that its statutory legal obligations are replicated by contractual undertakings from its global suppliers.

But there can be no excuse for the huge ("kitchen sink") Agreements produced by some organisations, which are simply not fit for the purpose of governing the delivery of European destination services or whatever specific services are intended to be covered. For example, we sometimes see clauses in such Agreements which may be relevant to the delivery of US homesale services, but are simply not appropriate in the context of European homesearch.

The dilemma is that, having probably spent months trying to win the business, you will not want to allow contractual niceties to get in the way of a new source of income. So, do you accept a badly worded Agreement or do you (or your lawyer) try to make changes?

The practical problem here is that you could easily rack up substantial legal costs in "improving" the Agreement only to find that the new client insists on sticking to its "standard terms" and will not budge an inch. An alternative approach is to focus on the specific clauses of the Agreement which you believe could be harmful to your business. These may include:-

• Financial penalties related to your "performance" - are these fair? Can you also win bonuses for "high performance"?

• Are you clear on the extent of your liabilities if things go wrong? Be very wary about clauses that require you to "indemnify" the client. Are you fully insured against your potential liabilities under the Agreement?

• Payment terms - what currency are you required to invoice in? Are you required to make any advance payments from your own funds? How quickly will your invoices be paid?

• Data security - what are the client's audit rights? Are you liable for "penetration testing" costs?

• Choice of law - is the Agreement subject to foreign law and the jurisdiction of foreign courts?

These points are just illustrative of the clauses which can easily be overlooked in a long Service Agreement. They may appear to be technical, but they become very important when disputes arise.

It may be impractical to have a full pre-signing, external legal check of every Agreement, but it is important to have someone within your business who is able to spot the clauses which can come back to bite you later.

Tips for Improving Your Email Security

Email is fundamental to how we deliver relocation services. It has made all of us more efficient, but it can also give rise to security problems which can be very damaging to our businesses. Here are some tips to help you manage this risk:-

Choose a strong, unique password, that is:

  • Different from other passwords you use, such as for banking and personal e-mail
  • Not so complex that you can never remember it, but complex enough that it will take hackers longer to break
  • Not part of your name, your school, first pet, home address or other personal information.

Add a second layer of protection:

  • "Two factor authentication" is available on most email systems and simply adds a second type of identity verification to your account
  • It can be activated when you want to change your password.

Do not send e-mails to the wrong person!

  • The biggest single cause of information security breaches is mis-sent e-mails - usually caused by the sender using "autocomplete" or "reply to all"
  • Always read down the whole email chain before sending - this reduces the risk of unintended information being sent to the wrong person
  • Tools such as SendGuard for Outlook prompt you to check the details of the person you have selected to email and can also prevent accidental replies to all.

Do not click on suspicious links or attachments:

  • Check the sender email address carefully and the naming of any attachments
  • Do not log in to other accounts from your email

Be aware of the risks with public wi-fi:

  • The data you are viewing and passwords being entered could be accessed by hackers
  • Avoid accessing sensitive material or logging into business accounts, unless you can access your work network via a secure "virtual desktop".

Consider encrypting highly sensitive data:

The Legal & Tax Report is produced for The EuRApean by Gordon Kerr, of the Employee Mobility Unit at UK law firm Morton Fraser LLP.
