Definition of SME expanded from under 250 to under 500 employees

Threshold could be raised again to 1,000 employees

The UK Government has announced that from today, 3 October 2022, it will treat firms with fewer than 500 employees as SMEs (small and medium-sized enterprises), rather than only firms with fewer than 250 employees.

The prime minister announced the change in the Sunday Telegraph yesterday. She said:

The changed threshold will apply from tomorrow to all new regulations under development as well as those under current and future review, including retained EU laws. The government will also look at plans to consult in the future on potentially extending the threshold to businesses with 1,000 employees, once the impact on the current extension is known.

Prime Minister Liz Truss, 1 October 2022

These changes affect pay gap reporting, annual reports, the right to request time off for training, sick pay refunds and GDPR obligations.

What regulations does this affect?

There is potentially a wide range of regulations to which SMEs with fewer than 500 employees will no longer be subject. These include:

Pay gap reporting

The Equality Act 2010 (Gender Pay Gap Information) Regulations 2017 require organisations with over 250 employees to publish information about the pay gap between men and women in their organisation on an annual basis. This will presumably not apply to firms with fewer than 500 employees from now.

Directors’ remuneration

All quoted UK registered companies with more than 250 UK employees must annually publish in their directors’ remuneration report and justify the pay difference between chief executives and their staff – known as ‘pay ratios’. This will presumably not apply to firms with fewer than 500 employees from now.

Statement on employee engagement

Companies with more than 250 employees must include a statement in the directors’ report summarising how the directors have engaged with employees, how they have had regard to employee interest, and the effect of that regard, including on the principal decisions taken by the company during the financial year. This will presumably not apply to firms with fewer than 500 employees from now.

Right to request time off for training

Since 2010, employees with at least 26 weeks of service have been able to make a request for (unpaid) time off to attend training, if they worked for an organisation that employed at least 250 employees. This will presumably not apply to firms with fewer than 500 employees from now.

Statement on stakeholder interest and decision making and statement on fostering business relationships

A company meeting at least two of the following three tests: more than 250 UK employees, more than £36 million turnover, or more than £18 million balance sheet total, is required to make a statement on stakeholder interest and decision making and a statement on fostering business relationships. The first of these tests will presumably not apply to firms with fewer than 500 employees from now.

Sick pay refunds

Businesses employing fewer than 250 people are entitled to government refunds on any sick pay they give to the employees in the first two weeks. This will presumably apply to firms with fewer than 500 employees from now.

GDPR documentation

The UK GDPR provides a limited exemption for small and medium-sized organisations for documenting processing activities. If you employ fewer than 250 people, you need only document processing activities that:

  • are not occasional (e.g., are more than just a one-off occurrence or something you do rarely)
  • are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals)
  • involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the UK GDPR)

This will presumably apply to firms with fewer than 500 employees from now.

Appointing a DPO

Large businesses will need to create a dedicated Data Protection Officer role and appoint someone to the post. Small businesses with fewer than 250 employees are exempt from this requirement unless they process special categories of data at volume or the primary purpose of the business is to conduct large-scale data processing. This will presumably apply to firms with fewer than 500 employees from now.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

James, CEO, VinciWorks