A. Meet your general health and safety duty

The Health and Safety at Work etc. Act 1974 is the foundation. You must ensure, so far as is reasonably practicable, the health, safety and welfare of your employees and of anyone else affected by your work. In an office environment that means risk-assessing display-screen equipment use, workstation ergonomics, stress and mental health, lone working and any client-site visits, and providing information, instruction, training and supervision.

Health and Safety at Work etc. Act 1974 (HASAWA)

The Health and Safety at Work etc. Act 1974 - primary UK workplace health and safety legislation establishing employer and employee duties. Pure data reference.

The Health and Safety at Work etc. Act 1974 (HASAWA 1974) is the primary legislation governing workplace health and safety in the United Kingdom. It establishes the legal framework for protecting the health, safety and welfare of people at work and those affected by work activities.

Legal status: Primary legislation - principal UK health and safety statute
Royal Assent: 31 July 1974
Came into force: 1 April 1975 (in stages)
Geographic scope: Great Britain (separate legislation applies in Northern Ireland)
Applies to: All employers, employees, self-employed persons, and those who control work premises
Primary duty (Section 2): Employers must ensure, so far as is reasonably practicable, the health, safety and welfare at work of all employees
Duty to non-employees (Section 3): Employers must protect persons not in their employment (contractors, visitors, public) who may be affected by work activities
Employee duties (Sections 7-8): Employees must take reasonable care for their own health and safety and that of others, cooperate with employers, and not misuse safety equipment
Enforcement authority: Health and Safety Executive (HSE) and local authorities
Maximum penalties (post-2008 amendments): Unlimited fines in Crown Court; imprisonment up to 2 years for individuals; up to 6 months and/or £20,000 fine in Magistrates' Court
Referenced by regulators: Cited in 31 regulatory documents in the ORDS (Office for Regulatory Delivery and Simplification) dataset
Secondary regulations: Enables creation of health and safety regulations (e.g. Management of Health and Safety at Work Regulations 1999, COSHH, Manual Handling)

Reasonably practicable: The Act uses the term "so far as is reasonably practicable" throughout. This means employers must balance the level of risk against the time, trouble and cost of controlling it. However, the law is weighted in favour of health and safety - employers must demonstrate that control measures would be grossly disproportionate to the risk before they can be considered not reasonably practicable.

Self-employed persons: The Act also places duties on self-employed persons to protect their own health and safety and that of others who may be affected by their work activities.

Health and Safety at Work etc. Act 1974 (legislation.gov.uk)

HSE - Health and Safety at Work etc. Act 1974 guidance

B. Manage fire safety

Even in an office, the responsible person must carry out a fire risk assessment and maintain fire-safety arrangements. The duty is devolved: the Regulatory Reform (Fire Safety) Order 2005 in England and Wales; the Fire (Scotland) Act 2005 and Fire Safety (Scotland) Regulations 2006 in Scotland; and the Fire and Rescue Services (Northern Ireland) Order 2006 in Northern Ireland.

Regulatory Reform (Fire Safety) Order 2005

The 'responsible person' (employer, owner or occupier) must carry out a fire risk assessment for any non-domestic premises and implement appropriate fire safety measures. This applies to all hospitality premises including hotels, restaurants, pubs and nightclubs.

Who is the responsible person?

The responsible person is the employer, owner, landlord, occupier, or anyone with control of the premises. In hospitality, this is typically the business owner or manager.

Fire risk assessment

The responsible person must carry out and regularly review a fire risk assessment covering:

Identification of fire hazards (ignition sources, fuel, oxygen)
Identification of people at risk (employees, customers, vulnerable persons)
Evaluation and reduction of risks
Recording findings and fire safety plan (if 5+ employees)
Regular review and updates

Fire safety measures

Based on the risk assessment, implement appropriate measures including:

Fire detection and warning systems (smoke alarms, fire alarm panels)
Fire-fighting equipment (extinguishers, fire blankets)
Emergency escape routes and lighting
Fire safety signs and notices
Fire doors kept clear and free to close
Staff training on fire procedures
Emergency evacuation plan and drills

Fire Safety Act 2021 (from January 2022)

For buildings containing two or more sets of domestic premises (e.g. hotels, aparthotels), the responsible person must now assess fire risks in external walls, entrance doors to flats, and windows.

Step 1: Appoint a competent person to conduct fire risk assessment (may be yourself if trained)
Step 2: Complete fire risk assessment identifying hazards and persons at risk
Step 3: Implement control measures to reduce fire risk
Step 4: Ensure fire detection systems are installed and maintained
Step 5: Provide adequate fire-fighting equipment (extinguishers) and arrange annual servicing
Step 6: Establish clear evacuation routes with emergency lighting and signage
Step 7: Designate assembly point and ensure staff know evacuation procedures
Step 8: Train all staff on fire safety procedures during induction
Step 9: Conduct regular fire drills (at least annually)
Step 10: Record fire risk assessment findings if you employ 5 or more people
Step 11: Review fire risk assessment annually or after significant changes

Fire safety risk assessment guidance

C. Hold employers' liability insurance

As soon as you employ anyone, you must hold employers' liability compulsory insurance — normally at least £5 million of cover — and display or make available the certificate. This is a legal requirement across Great Britain, with an equivalent duty in Northern Ireland.

Employers' Liability Insurance Requirements

Legally required insurance for businesses that employ staff

Legal requirement: LEGALLY REQUIRED if you employ anyone (even part-time or family members working for you)
Minimum cover: £5 million minimum (most policies provide £10 million)
Penalty for non-compliance: £2,500 fine per day without insurance, plus £1,000 fine for not displaying certificate
What it covers: Compensation claims from employees injured or made ill at work
Exemption: Close family businesses may be exempt

Employers' Liability Insurance

D. Meet your equality duties

As an employer you must not discriminate against, harass or victimise people because of a protected characteristic. In Great Britain this is governed by the Equality Act 2010; in Northern Ireland separate equality legislation applies, enforced by the Equality Commission for Northern Ireland.

E. Handle personal data lawfully

Consultancies routinely process personal data — about staff, clients and their people, and prospective clients. You must comply with the UK GDPR and the Data Protection Act 2018, and in most cases pay the data protection fee to the Information Commissioner's Office (ICO). This applies UK-wide.

UK GDPR lawful bases for processing personal data

The 6 (now 7) lawful bases under UK GDPR Article 6 for processing personal data.

Under UK GDPR Article 6, you must have a valid lawful basis to process personal data. You cannot process personal data without identifying at least one lawful basis that applies to each processing activity.

1. Consent (Article 6(1)(a)): The individual has given clear, specific, informed consent for you to process their personal data for a specific purpose
2. Contract (Article 6(1)(b)): Processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering a contract
3. Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a common law or statutory obligation under UK law
4. Vital interests (Article 6(1)(d)): Processing is necessary to protect someone's life
5. Public task (Article 6(1)(e)): Processing is necessary for performing a task in the public interest or for official functions that have a clear basis in law
6. Legitimate interests (Article 6(1)(f)): Processing is necessary for your legitimate interests or those of a third party, unless overridden by the individual's interests, rights, or freedoms

Consent requirements: Must be freely given, specific, informed, and unambiguous. Must be as easy to withdraw as to give.

Legitimate interests: Requires a documented Legitimate Interest Assessment (LIA) balancing test. Not available to public authorities for their core tasks.

7. Recognised legitimate interests (NEW - from June 2025): Processing necessary for certain pre-approved purposes without requiring a balancing test (Data Use and Access Act 2025)
Recognised purposes include: National/public security, defence, emergencies, crime prevention/detection, safeguarding vulnerable individuals
Effective date: 19 June 2025

Note: Direct marketing and intra-group data sharing still require a Legitimate Interest Assessment even under recognised legitimate interests.

ICO guide to lawful basis

F. Follow the PECR electronic-marketing rules

If you market your consultancy services by email, text message or automated telephone calls, the Privacy and Electronic Communications Regulations 2003 (PECR) set specific consent and screening duties on top of the UK GDPR. You need prior consent for most electronic marketing to individuals (with a limited soft opt-in exception for existing clients), you must screen telephone call lists against the TPS and CTPS registers at least every 28 days, and automated calls always require prior consent. The ICO enforces PECR UK-wide, with fines now aligned with UK GDPR levels.

PECR electronic marketing rules

Core rules for email, SMS, and telephone marketing under the Privacy and Electronic Communications Regulations 2003. Common cause of ICO enforcement actions.

The Privacy and Electronic Communications Regulations 2003 (PECR) set specific rules for electronic marketing. Non-compliance is a common cause of ICO enforcement action, with fines now aligned with UK GDPR levels following the Data (Use and Access) Act 2025.

Email marketing (B2C): Consent required unless soft opt-in applies
SMS/text marketing: Same rules as email - consent required unless soft opt-in applies
Email to corporate subscribers: Consent not required for companies, LLPs, or government bodies
Live telephone calls: Must screen against TPS/CTPS; cannot call if person has objected
Automated calls (robocalls): Prior consent always required - no exceptions
TPS screening frequency: At least every 28 days
Legislation: Privacy and Electronic Communications Regulations 2003

Soft opt-in exception (4 conditions)

You can email existing customers without consent if ALL four conditions are met:

Contact details obtained during a sale or negotiations for a sale
Marketing is for YOUR similar products or services only
Opt-out opportunity given when details were collected
Easy opt-out provided in every subsequent message

Soft opt-in does NOT apply to: third-party marketing lists, details obtained outside sale context, or dissimilar products/services.

Electronic mail definition: Email, SMS, video messages, picture messages, voicemails, in-app messages, and direct messages over social media
Individual subscribers: Includes sole traders and ordinary partnerships (2-20 partners)
Corporate subscribers: Limited companies, LLPs, Scottish partnerships, government bodies
B2B email marketing: Consent rules do not apply to corporate subscribers - but respect objections

Telephone marketing requirements

Live calls: You can make live marketing calls without consent if the number is not on TPS/CTPS and the person has not objected to your calls. You must display caller ID and provide contact details if asked.

TPS/CTPS screening: Before making any marketing calls, screen your call list against both the Telephone Preference Service (TPS) and Corporate TPS (CTPS) registers. Screening must be done at least every 28 days.

Automated calls: Always require prior consent. General marketing consent is not sufficient - you need specific consent for automated calls.

Claims management cold calls: Banned without prior consent (since September 2018)
Pension cold calls: Banned except for FCA-authorised firms with existing relationship (since January 2019)
Fax marketing to individuals: Consent required; must screen against FPS
Fax marketing to businesses: No consent required but must screen against FPS and respect objections

Required information in marketing communications

Sender identity must not be disguised or concealed
Valid contact address for opt-out requests must be provided
Simple and effective unsubscribe mechanism in every message

1

1. Write your health and safety risk assessments

Assess display-screen equipment use, workstation ergonomics, stress and mental health, lone working and client-site visits under HASAWA 1974.
2

2. Carry out your fire risk assessment

Assess fire risk for your office premises under the fire-safety regime for your nation.
3

3. Take out employers' liability insurance and register with the ICO

Arrange at least £5 million of cover before anyone starts work, and pay the data protection fee unless you are exempt.
4

4. Put your PECR compliance in place if you market electronically

Get consent mechanisms, unsubscribe processes and TPS/CTPS screening in place before any email, text or automated-call marketing.

What to do next

This spine covers the duties every management consultancy and head office shares. Confirm you have covered everything with the management consultancy compliance checklist.

Official sources

Authoritative health and safety, data-protection and marketing guidance.

Set up and run a safe management consultancy

Management consultancy: compliance checklist

Office and business support compliance checklist

Advertising and market research compliance checklist

Telecommunications compliance checklist

Aggregate Levy for construction businesses

A. Meet your general health and safety duty

B. Manage fire safety

C. Hold employers' liability insurance

D. Meet your equality duties

E. Handle personal data lawfully

F. Follow the PECR electronic-marketing rules

1. Write your health and safety risk assessments

2. Carry out your fire risk assessment

3. Take out employers' liability insurance and register with the ICO

4. Put your PECR compliance in place if you market electronically

What to do next

Official sources

Related guides in Employment & HR

A. Meet your general health and safety duty

B. Manage fire safety

C. Hold employers' liability insurance

D. Meet your equality duties

E. Handle personal data lawfully

F. Follow the PECR electronic-marketing rules

1. Write your health and safety risk assessments

2. Carry out your fire risk assessment

3. Take out employers' liability insurance and register with the ICO

4. Put your PECR compliance in place if you market electronically

What to do next

Official sources