Latest legislative updates

Kurt JansonKurt Janson, Director of the Tourism Alliance, gives a monthly update on the latest regulatory changes affecting the hospitality industry. 

Last updated 16th April 2018

Disclaimer:  Whilst every effort has been made to ensure the accuracy of the information contained in the Pink Book of Legislation, we regret that we cannot be responsible for any errors. This guide is not intended to be a definitive statement of the law in England. If you require precise or detailed information on the legislation mentioned in this guide, or on the legal implications for you in particular, you should consult a professional legal adviser.

At a glance:

National Minimum Wage and Workplace Pensions update

  • In addition to changes in the Minimum Wage, there are also changes to the amount that both you and your employees have to pay into the new Workplace Pension Scheme.

Energy Performance Certificates: new requirement for rental properties 

  • Any property that is being rented to tenants is now required to have a minimum energy performance rating of “E”, but this does not apply to most holiday lets.

Reminder: Ban on Card Charges

  • As of 13th January you are no longer able to charge customers extra for paying by card.

Prepare now for changes to Data Protection Regulations

  •  The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).

National Minimum Wage and Workplace Pensions update

With the start of the new financial year there are changes to the National Minimum Wage rates:

  • 25 years old and over: £7.83
  • 21 to 24 years old: £7.38
  • 18 to 20 years old: £5.90
  • under 18s: £4.20
  • apprentice: £3.70

In addition to changes in the Minimum Wage, there are also changes to the amount that both you and your employees have to pay into the new Workplace Pension Scheme. As you will be aware, you are now required by law to automatically enrol all your staff into a pension scheme, and make contributions to this scheme, provided that:

  • The employee is aged between 22 and State Pension age
  • The employee earns least £10,000 per year
  • The employee didn’t opt-out of the scheme at least 12 months before the scheme started

When the Workplace Pension Scheme started employers were required to contribute 1% of the employee’s earnings, with employees paying a further 1% from their earnings. From 1 April 2018, you are now required to contribute a sum equivalent to 3% of the employee’s earnings with the employee contributing a further 2% from their wages (giving a total of 5%).

The amount is set to increase again next year with employer’s contributions rising to 5% and employee’s contributions rising to 3%. From this point (1 April 2019) all future contributions will remain at this level.

Energy Performance Certificates: new requirement for rental properties 

You may have heard that, from 1 April 2018, there has been a change to the requirements for Energy Performance Certificates. Under the new rules, any property that is being rented to tenants is now required to have a minimum energy performance rating of “E”. This means that it is now unlawful to rent a property with an “F” or “G” rating and doing so will risk a fine of up to £4,000.

However, there is an exemption to the new rules for properties that are being used for holiday lets so the operators of self-catering cottage do not have to worry about this requirement. One area where there may be a problem is if you are letting a property to people on short-term assured tenancy during winter periods or to house temporary workers for short periods. This type of activity would be deemed to be renting and the requirement for the property to have an energy performance rate of at least “E” would apply.

 Reminder: Ban on Card Charges

Remember that the law changed on the 13th January 2018 so you are no longer able to charge a processing fee for receiving payments via credit or debit card. This includes all payment methods linked to a card, such as PayPal or Apple Pay.

This new legislation has been brought in to prevent situations where the customer goes through a booking process only to find that charges are applied right at the end when the customer is about to pay – a practice that was relatively common in some sectors such as the aviation industry. As a consequence, you will now have to either absorb the cost of card payments or increase prices accordingly.

There is a quirk in that the new law only applies to purchases made by personal consumers and not to purchases made by businesses. So, if your customer is a business (e.g., a company booking rooms for an away day or someone travelling on business) then you are allowed to charge a card processing fee, provided that it is no more than the cost to you of processing the transaction.

However, in this situation it is important to note that a business traveller must be using a business card for you to charge a fee. You cannot charge a card processing fee if the business traveler is using their personal card, regardless of whether they will reclaim the accommodation as a business expense later.

There is currently a debate as to whether the new legislation allows you to introduce a ‘booking fee’ or ‘service charge’, provided that this charge is applied uniformly regardless of how the payment is made. For example, Deliveroo have recently replaced their 50p card surcharge fee with a 50p service fee, which is applied regardless of whether someone pays by card or with cash.

However, this approach is being challenged and the Advertising Standards Authority has pointed out that current legislation requires that all non-optional charges be included in or alongside the advertised price. Therefore, if you were to charge a separate booking fee, you would need to put this alongside your advertised prices and not simply add it to the cost at the end of the booking process.

Prepare now for changes to Data Protection Regulations

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).

Generally, the requirements of the GDPR are much the same as the requirements of the DPA. This means that if you are complying with the DPA at the moment, then you probably do not need to change your current system of collecting, handling and storing customer data. You will need to concentrate on the additional requirements and modify your system accordingly.

The main changes are:

1.The Right to be Forgotten

This is the main change.  A customer can, at any time, request that you remove all their personal data from your system. If the customer has previously agreed that you could provide their data to a third party, you must also stop doing this if you receive a Right to be Forgotten request.  However, it is important to note that any Right to be Forgotten request does not override requirements to hold information under other legislation. For example, you are required by law to keep financial records for seven years, therefore a customer cannot request that you delete records of any financial transactions they undertook in the last seven years.

2. Improving Consent and Withdrawal of Consent

The conditions for consent have been strengthened so that you must be clear and upfront with customers about what exactly they are consenting to when they sign-up. This is to stop companies hiding the details in their terms and conditions. So, if you are planning to pass their information on to a third party and to email them a newsletter, you must tell them in simple and clear language next to the box they are ticking. 

Importantly, it must be as easy for customers to withdraw consent as it is to give consent.​ So if you have a simple tick-box online where customers give consent, then there should also be a simple tick-box online to withdraw consent.

3. Right to Access

The GDPR also expands the rights of customers to access the information that you hold on them. This has two parts – first, on request from the customer, you are required to inform them if personal data concerning them is being processed, where and for what purpose. Second, if requested, you must provide a copy of all the personal data you hold on the person electronically and free of charge. This includes any information you have made on the person’s file so if you have added notes such as, “likes the Sunday Times”, “owns a Spaniel called Arthur” or “never leaves a tip”, you also need to provide this information.

4. Notification of Data Breaches

The GDPR will require you to notify the Information Commissioners’ Office within 72 hours of first having become aware of the breach where that breach is likely to “result in a risk for the rights and freedoms of individuals”. For any breach, you are required to notify the customers “without undue delay” after first becoming aware of a data breach.

It is worth thinking about the impact of these changes on your business now to schedule any amendments that you need to make into your website maintenance and company policy manual update programmes.

Guidance and more information on GDPR can be found on the Information Commissioners' Office website