About Jayne


Data Protection – Everything You Need to Know But Were Afraid to Ask – Part 2

‘It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.’ – Prof Clay Shirky, NYU.

In Part 1, I outlined how the protection of personal data has become a critical risk area for businesses, not-for-profits and charities as the regulator, the Information Commissioner’s Office (ICO), takes a tougher stance on enforcement of the rules. A series of high profile incidents have heightened public concern about privacy and the misuse of personal data. Now organisations will need to prepare for even more stringent rules: in spite of Brexit, the new EU-wide General Data Protection Regulation (GDPR) will still come into force on 25 May 2018. In Part 2, I explain what will change when the GDPR comes into force on that date.

What will change under the GDPR in 2018?

The GDPR will introduce a series of explicit rights for individuals in respect of their personal data, some of which are new, and some are enhancements of the existing position:

  • Right to access data – to be told whether personal data are being processed and to obtain a copy
  • Right to erasure – if consent is withdrawn, or there is no legal basis for holding the data, individuals may request erasure
  • Right to portability – the right to require data to be transferred to another data controller in a machine readable format
  • Right to rectification – an individual’s right to have inaccuracies corrected or to include a supplementary statement
  • Right to restrict processing – data to be held in limbo while any disputes are resolved
  • Right to be informed – to be told what information is being processed and for what purpose
  • Right to object – the right to stop personal data being processed by withdrawing consent or some other legal basis

The key changes

  • The definition of ‘personal data’ will be widened to include IP addresses, genetic and biometric data.
  • Organisations will need to keep proper records of their data processing activities and make these available to the regulator if requested.
  • Data processors (as well as data controllers) have direct obligations for the first time. These include an obligation to: maintain a written record of processing activities carried out on behalf of each controller; designate a Data Protection Officer where required; appoint a representative (when not established in the EU) in certain circumstances; and notify the controller without undue delay on becoming aware of a data breach. How data protection matters are addressed in supply and other commercial agreements will need to be reviewed – especially the allocation of liability for data breaches.
  • The £10 fee for accessing records will be abolished and the time limit for dealing with a request to access or correct a record will be shortened from 40 days to 1 month. Extensions of up to 2 months may be allowed if the request is complex. Requests may be refused if they are ‘manifestly unfounded or excessive’.
  • The right to request erasure of data has been strengthened. Under current rules the erasure can be requested if processing it causes unwarranted and substantial damage or distress. There will be specific circumstances where erasure can be requested e.g. the individual withdraws consent to processing, or the data was unlawfully processed in the first place. There will be very limited grounds to refuse to erase, e.g. to comply with a legal obligation in performing a public interest task or for public health purposes.
  • New right to ‘data portability’ – individuals will be allowed to obtain and re-use their personal data for their own purposes across different services (e.g. for use on a price comparison site). Organisations must provide the data free of charge in a machine readable format e.g. a .csv file within 1 month of a request.
  • There will be significantly harsher penalties for data breaches – the current limit of £500,000 will increase to 20 million euros or 4% of an organisation’s global turnover, whichever is greater.
  • An explicit right for individuals affected by a breach of the rules by a data controller or a data processor to bring a claim for compensation which need not be for financial loss, it could cover personal distress and anxiety.
  • Special rules will apply to children’s personal data – privacy notices must be child-friendly. Before offering online services to children under 16 (most likely set at under 13 in the UK), parent or guardian’s permission will be required (except for online counselling and preventative services). (Note this does not affect the existing law for offline transactions where the capacity of the child may be relevant).
  • New privacy notices will be required which provide information about retention periods for data, the rights of the data subject, the right to withdraw consent, the right to complain to the ICO, whether it is a statutory or contractual requirement to provide the data, and whether any of the data will be used for automated decision-making about the individual.
  • There are potentially onerous new obligations on accountability and information governance. There is an explicit duty to put in place appropriate organisational measures to demonstrate compliance with the rules, which could include data protection policies, staff training, internal audits of data held and processing activities, privacy impact assessments when implementing new technologies or activities, reviews of internal HR policies and regular reviews of security arrangements. If your organisation has more than 250 employees there will be a more onerous duty to maintain records of processing activities. These records may be called for by the ICO as part of an investigation and may form an important part of your defence to any enforcement action.
  • Mandatory duty to appoint a Data Protection Officer for public authorities or organisations which undertake large scale monitoring of individuals or large scale processing of ‘sensitive personal data’. Note it is the scale of the processing, not the size of the organisation, that matters. The DPO’s role is to inform and advise the organisation and its employees about their data protection obligations, monitor compliance with data protection laws, conduct internal audits, train staff and coordinate data protection activities, and be the first point of contact for the ICO and supervisory bodies, as well as for customers and suppliers whose data is being processed. The DPO is expected to report directly to the Board and must be given adequate resources and authority to perform their role. The role does not have to be filled by an employee; it can be contracted out.
  • Duty to report data breaches to the ICO where a breach is likely to result in a risk to the rights and freedoms of the individuals affected; also a duty to notify the individuals affected if there is a high risk to their rights and freedoms. Notification must be made within 72 hours. The notification must detail the number of individuals and records involved, a description of the likely consequences of the data breach and the measures to be taken to (a) deal with the breach and (b) mitigate possible adverse effects. Failing to notify a breach can result in a fine of up to 10 million euros or 2% of the organisation’s global turnover!

What do we need to do to prepare for GDPR?

  • Ensure Board members and management are aware of the new duties and are taking active steps to prepare, including securing resources and budgets required.
  • Designate a Data Protection Officer to take responsibility for compliance and decide where this role will sit within your organisation’s overall governance structure.
  • Review all policies and procedures which are relevant to data protection and privacy.
  • Conduct an information audit and privacy impact assessments – understand what personal data your organisation holds, where it comes from and with whom you share it; identify the legal basis for processing the information; document your findings. Is there a clear audit trail showing how and when individuals gave their consent to processing of their personal data and opted into marketing communications?
  • Review your privacy notices – see examples of good practice here.
  • Take extra care if you are collecting information about children – bear in mind the new requirement to obtain parent or guardian’s consent to processing data about children in most cases.
  • Prepare to deal with subject access requests within the shorter time period of 1 month.
  • When contracting out work to third parties (e.g. payroll providers, HR consultants, fulfilment houses) – check what measures they have in place to ensure compliance with the new duties – are they signed up to any certification schemes or codes of conduct? Ensure you have appropriate contractual clauses in place to protect your organisation against their failures.
  • Have robust procedures for detecting and investigating data breaches and internal reporting so that notification can be made to the authorities within the 72 hour period.
  • Review insurance covers to determine what risks or incidents are covered or excluded.

The new GDPR represents a step-change in the level of risk for organisations collecting, holding and processing personal data. It will be essential to begin preparations now, identifying resources and reviewing current procedures and policies in readiness. Elderflower Legal offers specialist legal, governance and company secretarial services to help keep your organisation compliant: elderflowerlegal.co.uk.

Elderflower Legal & Secretarial offers a cost-effective outsourced company secretarial service to small business, charities, social enterprises and academy trusts. For a fixed monthly fee we can provide peace of mind to directors and board members that compliance duties are being met, returns filed by the deadlines and risks properly identified.
Contact us today for a no-obligation chat or check out our website at elderflowerlegal.co.uk or call 01625 260577.

How to Choose the Right Legal Structure for Your Enterprise

Choosing the right legal format for your project is a very important decision.

From my work with inspiring entrepreneurs, community activists and visionary leaders over the past 21 years, I find there is always a thirst for knowledge about different legal structures and formats that can be used for entrepreneurial activity and community action. Whether you want to start a new business, set up a community or social enterprise or run a project in your neighbourhood, choosing the right legal form for your activity is a very important decision. It can have a real impact on your tax status, your exposure to liability, the public perception of your project, your ability to raise funds and borrow money, as well as your personal income and assets.

Unfortunately, sources of information about this topic can be bewilderingly complex, inaccessible, sometimes biased and often out of date. Our mission at Elderflower Legal is to demystify and explain, helping you to flourish in your endeavours.

We have produced a new concise guide to help you navigate through the many choices open to you and understand the key features of each one. The guide explains in clear language the main legal formats available for profit-distributing, as well as non-profit-distributing enterprises, including companies, associations, trusts, limited liability partnerships, charitable incorporated organisations, cooperatives and community benefit societies. The key constitutional features and governance implications of each format are summarised, along with the tax aspects, the main regulatory obligations, as well as sources of further information to find out more. We examine the benefits and disadvantages of having charitable status, as well as the ability of different formats to raise finance.

This will be a useful addition to any aspiring or seasoned entrepreneur’s bookshelf.

We hope you find it useful and please get in touch with us if you have any questions. We’ll be delighted to help.

Download your free copy here.

Mark Johnson is an experienced solicitor and chartered company secretary working with charities, not-for-profits, SMEs and social enterprises to help them set up new legal structures and governance arrangements, manage risk, and secure new contracts and partnerships. For more information visit our website elderflowerlegal.co.uk.

The Rights and Responsibilities of Members

What is the Role of Members in Ensuring Good Governance?

In a limited liability corporation, as well as unincorporated associations, the members can play an important constitutional role, acting as a check and balance on the powers of the board. Unfortunately, the rights and responsibilities of members are often misunderstood.

In our work with companies, social enterprises and charities, we find there is often confusion or a lack of clarity about the precise role of the members. But the relationship and balance of power between the board of directors/trustees and the wider members of an organisation is really a vital fulcrum at the heart of the system of governance for any enterprise. In this piece, I attempt to explain and demystify the position.

Who are the members?

‘Members’ here are the persons who have a form of relationship with the organisation that enables them to exercise some right or power in relation to it. The nature of that relationship will vary for different organisations, depending on the way they are constituted and, specifically, what the constitution says about membership rights.

In a profit-making company, the position is usually clear-cut. The members are the shareholders who have invested their capital in the enterprise in return for certain rights (e.g. sharing in profits and voting on key decisions). However, in non-profit distributing organisations, the position can be more complex. In a company limited by guarantee, there will be no shareholders, but instead there are members who pledge to contribute a nominal sum (usually £1 or £10) if the company is wound up and unable to pay its debts. In the case of charities or unincorporated associations, there may be various types of member who expect to have some say or involvement in the way the organisation is run – these might include beneficiaries and service users, supporters who pay subscriptions or volunteer their time. The constitution may talk about full members, associate members, and supporter members, for example.

The power of members depends on the precise structure and wording of the governing document. At one end of the spectrum is the ‘oligarchical model’ where the members are the same people as the directors/trustees. These people have absolute discretion to control the organisation. (Many academy trusts have historically been set up using this model, but the Department for Education has recently encouraged schools to appoint a wider group of members who can ultimately hold the board to account). At the other end of the spectrum is a wide membership model, where the members can exercise oversight and control over the board. The members may act as custodians of a particular ethos or values and may take action if they feel the board is not acting in the best interests of the organisation. There are also hybrid models in between, where members enjoy certain limited rights, such as the right to attend the AGM, receive information or have privileged rights of access to facilities, but no legal right to control any aspect of the organisation’s governance.

Rights of members

The typical rights that members enjoy, either in the constitution or under relevant statute law, include the following:

  • to appoint and dismiss the whole board or individual board members
  • to change the organisation’s constitution
  • to wind up the organisation and distribute the remaining surplus after settling the liabilities (unless there is an ‘asset lock’ in place to prevent this, as with a community interest company or charity).
  • in a private enterprise, the shareholders expect a financial return on their investment, usually in the form of a dividend and/or a capital gain. However, shareholders cannot force the company to declare a dividend. Capital gain is achieved by allowing membership rights (shares) to be transferable (which is usually not allowed in not-for-profit corporations).

The members exercise these rights by calling a general meeting. The organisation’s constitution will lay down the conditions for calling a valid meeting and passing valid decisions (such as the minimum notice, quorum and required majority to pass resolutions). For example, a resolution to change the constitution usually requires a special resolution, which may require a 75% majority. Remember though, that may be 75% of those present at the meeting, rather than the whole membership. So in an organisation with say 500 members, the constitution might state that a valid quorum for a general meeting to proceed is 10% of the membership (i.e. 50 members). To pass a special resolution would require only 38 of those present to vote in favour. For that reason, some organisations choose to set the bar higher for fundamental changes. Sometimes the constitution may permit a decision of members to be made by circulating a written resolution for signature by a minimum percentage of members, rather than calling a meeting.

The constitution forms the basis of a contract between the organisation and its members, and between the members themselves: as such, it can be enforced by the courts. Proper running of general meetings is important: if the organisation is prospering, the members may leave the board alone to run the organisation. However, once problems and disagreements arise, then members may start to flex their muscles. If notice and quorum requirements are ignored, there is a risk that resolutions and decisions reached can be struck down as invalid, which could entail significant costs and embarrassment to unwind the situation.

If the organisation is a company (limited by shares, guarantee, or a community interest company) the Companies Acts also provide certain minimum statutory rights. These include the following rights:

  • to receive notice of, attend, ask questions of the board and vote at general meetings; to inspect minutes of the same and request copies.
  • to appoint a proxy to attend, speak and vote at general meetings if the appointor cannot attend.
  • to requisition a general meeting and to require that a resolution be put to the meeting (if the support of 5% of the members can be achieved). The members can also require the company to circulate a statement of up to 1000 words to other members. If the directors fail or refuse to call the meeting within 28 days, the members can proceed to call the meeting themselves and the costs of doing so are deducted from the directors’ remuneration! (Sections 303-305, 292-295 Companies Act)
  • to propose a resolution (with special notice) to dismiss a director
  • to be provided with a copy of the Articles of Association
  • to receive a copy of the annual accounts
  • to inspect the company’s register of members and other statutory books
  • to inspect copies of directors’ service contracts
  • to appoint and remove auditors or require the company to obtain an audit of its accounts, if it would otherwise be exempt
  • to bring a ‘derivative claim’ in the name of the company against directors or a third party for default or breach of duty
  • to bring an ‘unfair prejudice’ petition to request the court to intervene in the company’s affairs.

Under company law, the definitive test of whether someone is a member is whether their name has been entered into the register of members. Many companies, especially companies limited by guarantee, can be quite lax in keeping this up to date – which can cause problems later. By contrast, the new Charitable Incorporated Organisation set up under the Charities Act 2011 is obliged to keep a register of members and to keep it up to date.

Duties of members

Members also have certain duties, again depending on what the constitution says. Typically, these are:

  • To contribute the agreed sum for their shares if not already paid, or, for a guarantee company, the nominal contribution of £1 or £10.
  • Sometimes, to pay a recurring annual subscription towards the running costs of an organisation, in addition to their upfront capital contribution.
  • Interestingly, in a Charitable Incorporated Organisation, members are specifically obliged ‘to exercise their powers in good faith in a way which would be most likely to further the purposes of the CIO’. No such explicit rule applies to other types of legal format, however.

Stakeholder members

Sometimes organisations have corporate members such as local authorities, public bodies or other charities who have some interest in what the organisation does. The stakeholder member may often appoint an individual to act as its authorised representative. Sometimes they may have the right to nominate, or even directly appoint, a board member. Problems can often arise where this representative (who may be an employee or officer of the authority) wishes to give priority to their appointor’s interests over those of the organisation. If the representative sits on the board, they will usually be obliged to put the interests of the organisation on whose board they sit first and exercise independent judgment, rather than being fettered by their appointor. They are allowed to consult with their appointing organisation, however. A possible solution might be to limit the role of the authorised representative to that of observer – with a right to attend and speak at board meetings, but no voting rights.

Problems for not-for-profits

The Charity Commission looked in detail at membership issues after analysis showed that more casework was opened for internal disputes in membership charities than any other type. Their report found that there were clear benefits from membership structures, including enhancing the board’s transparency and accountability, providing better understanding of the needs of beneficiaries, improving the charity’s advocacy role, providing better fundraising opportunities and access to a source of new trustees. However, the most common reasons for problems were:

  • Trustees were often not clear about their role and their responsibility to the members
  • Members were not clear about their rights and responsibilities
  • There were insufficient or inadequate governance structures in place to manage the relationship with members
  • The board put up barriers to member involvement, either deliberately or inadvertently
  • The membership lacked diversity, so the board was a change-resistant and self-perpetuating group
  • The board deliberately or carelessly disregarded proper procedures for calling valid meetings and passing resolutions, leading to disputes
  • Weak administrative arrangements led to problems such as invalid elections held on the basis of inaccurate membership lists, or inquorate meetings

How to manage the relationship with members

The following best practice tips could help your organisation to avoid problems:

  • Keep membership registers and contact details up to date – get specific written approval from members to communicate with them via email to keep costs down.
  • Include a provision in the constitution that if the member fails to keep the organisation informed of their current contact details, they forfeit their rights. A practical illustration of this problem is recent attempts by football clubs to move to a community membership model, only to be hampered by the need to trace and obtain approval from numerous shareholder members whose whereabouts are unknown.
  • The constitution should clearly set out the mechanics for a person to become a member, to leave or to be expelled (subject to a right of appeal). The board may usefully have an explicit power to determine conclusively whether a person is a member, if the position is uncertain.
  • Ideally, the detailed mechanics about categories of members and relevant criteria could be set out in a set of standing orders, regulations or a handbook, which can be amended from time to time without the need to pass a resolution to change the whole constitution.
  • New board members should receive an explanation about the various categories of member and their rights, as part of their induction.
  • The organisation should communicate regularly with its members to inform them about developments and keep them engaged.
  • Consider including specific mechanics to resolve disputes involving members without recourse to the courts, such as mediation or expert determination. Judges are reluctant to interfere in the internal workings of membership organisations and have been scathing about the dissipation of funds to pursue litigation relating to internal disputes.

Members can be a vital, but often missing, piece of the jigsaw in a system of sound governance. Ignore them at your peril. Organisations as diverse as NHS Foundation Trusts, Network Rail and cooperative schools and academies have all sought the benefits of giving wider stakeholders a say in the running of their organisation. The move to create more mutuals for public service delivery, employee-owned organisations and growing interest in community share issues (where member investors contribute start-up capital) will increasingly throw the spotlight on an organisation’s relationship with its members. The board should have a clear understanding of the role and rights of these members and the constitution should be kept up to date so that it is fit for purpose. Both the Chair and the company secretary can play an important role in ensuring harmonious relations with members and keeping them informed and engaged.

Mark Johnson is an experienced solicitor and company secretary helping SME businesses, charities and social enterprises to manage risk, ensure good governance and protect their legal position. elderflowerlegal.co.uk