Latest legislative updates

Kurt Janson, Director of the Tourism Alliance, gives a monthly update on the latest regulatory changes affecting the hospitality industry.

Last updated 14th May 2018

Disclaimer:  Whilst every effort has been made to ensure the accuracy of the information contained in the Pink Book of Legislation, we regret that we cannot be responsible for any errors. This guide is not intended to be a definitive statement of the law in England. If you require precise or detailed information on the legislation mentioned in this guide, or on the legal implications for you in particular, you should consult a professional legal adviser.

At a glance:

Reminder: GDPR

  • An overview of the changes to data protection regulations from 25 May.

National Minimum Wage and Workplace Pensions update

  • In addition to changes in the Minimum Wage, there are also changes to the amount that both you and your employees have to pay into the new Workplace Pension Scheme.

Energy Performance Certificates: new requirement for rental properties 

  • Any property that is being rented to tenants is now required to have a minimum energy performance rating of “E”, but this does not apply to most holiday lets.

Reminder: Ban on Card Charges

  • As of 13th January you are no longer able to charge customers extra for paying by card.


Preparing for the GDPR

The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018 as part of new legislation designed to update and expand the Data Protection Act 1998.

Compliance with the GDPR is relatively straightforward if you are already complying with existing data protection regulations. You need to remember three main things when looking at what changes you need to make to the way you handle and use the personal details of customers when the new regulations come into effect:

  • If you are already complying with the Data Protection Act, you will be complying with 80-90% of the requirements of the GDPR. The GDPR isn’t a whole new set of requirements; it simply builds on existing requirements.
  • The GDPR is designed to give customers more control over the information that companies have on them. If you look at it from the perspective of what you would expect from other companies when you give them your data, you will have a fair understanding of what you should do with your customers’ data.
  • Remember, when looking at your storage and use of personal data, that this extends beyond things like a person’s name, address and phone number and includes images and recordings (e.g., CCTV recordings), comments they have put on your website or notes that you have taken to help staff (e.g., “has a nut allergy”, “requires wheelchair access” or “reads The Times”).

Keeping these points in mind, here’s what you need to look at to make sure that you comply with the GDPR.

1. The information you take from people, and the length of time you keep it, should be determined by the purpose for which it is required

This is a pre-existing requirement of the Data Protection Act but it is a good starting point for discussing the additional requirements of the GDPR. The level of information you have on someone and the length of time that you keep it must be proportionate to the legitimate purpose for which it is kept. This means that there is no blanket right for you to keep a customer’s personal information indefinitely and that you should always be reassessing what information you are keeping. This should include the regular removal of personal information where there is no justifiable reason for keeping it.

For example, CCTV footage of the car park used to help protect customers’ cars should be regularly wiped when it is no longer needed.

2. Personal data can only be used for the purpose that was agreed when the customer gave it to you.

For example, if the customer gives you their email address so that you can email them confirmation of their booking, this does not allow you to send them marketing emails or pass their details to a third party to send them offers. Customers have to actively give you express consent as to how you can use their information. This means that customers have to “opt-in” rather than “opt-out”, so you can’t have a “pre-ticked” consent box on your website which says, “tick here if you don’t want to receive emails with offers”.

3. The customer has the right to withdraw consent on how their information is used at any time and the process for doing this must be simple

This means that if the customer has agreed to allow you to use their information for a particular purpose, they still have the right to demand that you stop using it for that purpose at any time.

For example, if a customer has agreed to receive marketing emails, they can, at any time, inform you that they no longer wish to receive these emails and you must stop sending them. As a rule of thumb, the process for them withdrawing consent should be as simple as the process by which they gave consent. So, if you had an opt-in button that gave consent for marketing emails, you should have an “unsubscribe” button for allowing consent to be withdrawn.

4. The customer has the right to know what information you keep on them and why you are keeping it

There are two parts to this. First, the customer has the right to ask you what personal information you are keeping on them and why you are keeping it. You are required to explain what information you hold and justify why you are holding it. Bear in mind Point 1 above – you must explain why the level of information you hold and the time that you have held it is proportionate to the purpose for which it was taken.

The second part of this is that the customer has the right to ask you to show them all the personal information that you hold on them. As mentioned above, this would include any CCTV recordings on which they appear and any notes you have attached to their booking.

5. The customer has the right to be forgotten.

The principle here is that the customer retains “ownership” of their data. This means that not only can the customer demand that you stop using the data they provided, they can demand that you remove all their personal data from your records. For example, rather than just asking you not to send emails, the customer can ask you to remove their email address from your database.

6. The customer’s rights under the GDPR do not over-ride the requirements of other legislation

It is important to note that the customer’s rights under the GDPR don’t over-ride the data requirements of other legislation. For example, the Immigration (Hotel Records) Order 1972 requires you to record the full name and nationality of all guests and to keep this information for 12 months. As such, a guest cannot ask you to delete this information from your records until 12 months have elapsed. Similarly, a customer cannot ask you to delete any financial information you are required to keep for tax purposes.

For more information and help guides, go to the Information Commissioner's Office website or call their dedicated small business helpline on 0303 123 1113.

National Minimum Wage and Workplace Pensions update

With the start of the new financial year there are changes to the National Minimum Wage rates:

  • 25 years old and over: £7.83
  • 21 to 24 years old: £7.38
  • 18 to 20 years old: £5.90
  • under 18s: £4.20
  • apprentice: £3.70

In addition to changes in the Minimum Wage, there are also changes to the amount that both you and your employees have to pay into the new Workplace Pension Scheme. As you will be aware, you are now required by law to automatically enrol all your staff into a pension scheme, and make contributions to this scheme, provided that:

  • The employee is aged between 22 and State Pension age
  • The employee earns at least £10,000 per year
  • The employee didn’t opt-out of the scheme at least 12 months before the scheme started

When the Workplace Pension Scheme started employers were required to contribute 1% of the employee’s earnings, with employees paying a further 1% from their earnings. From 1 April 2018, you are now required to contribute a sum equivalent to 3% of the employee’s earnings with the employee contributing a further 2% from their wages (giving a total of 5%).

The amount is set to increase again next year with employer’s contributions rising to 5% and employee’s contributions rising to 3%. From this point (1 April 2019) all future contributions will remain at this level.

Energy Performance Certificates: new requirement for rental properties 

You may have heard that, from 1 April 2018, there has been a change to the requirements for Energy Performance Certificates. Under the new rules, any property that is being rented to tenants is now required to have a minimum energy performance rating of “E”. This means that it is now unlawful to rent a property with an “F” or “G” rating and doing so will risk a fine of up to £4,000.

However, there is an exemption to the new rules for properties that are being used for holiday lets so the operators of self-catering cottages do not have to worry about this requirement. One area where there may be a problem is if you are letting a property to people on a short-term assured tenancy during winter periods or to house temporary workers for short periods. This type of activity would be deemed to be renting and the requirement for the property to have an energy performance rating of at least “E” would apply.

Reminder: Ban on Card Charges

Remember that the law changed on the 13th January 2018 so you are no longer able to charge a processing fee for receiving payments via credit or debit card. This includes all payment methods linked to a card, such as PayPal or Apple Pay.

This new legislation has been brought in to prevent situations where the customer goes through a booking process only to find that charges are applied right at the end when the customer is about to pay – a practice that was relatively common in some sectors such as the aviation industry. As a consequence, you will now have to either absorb the cost of card payments or increase prices accordingly.

There is a quirk in that the new law only applies to purchases made by personal consumers and not to purchases made by businesses. So, if your customer is a business (e.g., a company booking rooms for an away day or someone travelling on business) then you are allowed to charge a card processing fee, provided that it is no more than the cost to you of processing the transaction.

However, in this situation it is important to note that a business traveller must be using a business card for you to charge a fee. You cannot charge a card processing fee if the business traveller is using their personal card, regardless of whether they will reclaim the accommodation as a business expense later.

There is currently a debate as to whether the new legislation allows you to introduce a ‘booking fee’ or ‘service charge’, provided that this charge is applied uniformly regardless of how the payment is made. For example, Deliveroo have recently replaced their 50p card surcharge fee with a 50p service fee, which is applied regardless of whether someone pays by card or with cash.

However, this approach is being challenged and the Advertising Standards Authority has pointed out that current legislation requires that all non-optional charges be included in or alongside the advertised price. Therefore, if you were to charge a separate booking fee, you would need to put this alongside your advertised prices and not simply add it to the cost at the end of the booking process.