The business organisation and its external environment

Political and legal factors affecting business

Learning outcomes

  • Explain how the political system and government policy affect the organisation.
  • Describe the sources of legal authority.
  • Identify the principles of data protection and security.
  • Describe the legal responsibility in relation to data protection.

Objective A: Explain how the political system and government policy affect the organisation.

Business organisations do not operate in a vacuum; they are heavily influenced by the political system of the country in which they reside. The political environment encompasses the stability of the government, its ideological stance (e.g., pro-free market vs. interventionist), and its specific policy decisions. Political stability is crucial; frequent changes in government, civil unrest, or corruption create uncertainty, deterring long-term investment. Conversely, a stable political system allows businesses to forecast and plan with confidence.

Government policy directly shapes the business landscape through taxation, subsidies, privatization, and regulation. A government might implement policies to encourage certain industries (e.g., offering tax breaks for renewable energy) or penalize others (e.g., imposing heavy tariffs on imported steel to protect domestic manufacturers). Furthermore, political decisions regarding infrastructure spending (building roads, ports, broadband networks) directly impact a business's supply chain efficiency and operational costs.

Consider 'Solaris Dynamics', a manufacturer of solar panels. A newly elected government with a strong environmental ideology passes a policy offering a 20% subsidy to homeowners who install solar panels. This political decision instantly creates a massive surge in demand for Solaris Dynamics' products. However, the same government also passes a policy increasing the minimum wage by 15%, significantly raising Solaris's manufacturing costs. Thus, political factors act as both opportunities and threats, requiring businesses to constantly monitor and sometimes lobby the political system.

Examiner Tip

Political vs. Legal

Examiners sometimes test the distinction between political and legal factors. Remember: Politics is the process of deciding policy and making laws (e.g., a government deciding to reduce carbon emissions). Law is the enforceable rule that results from that process (e.g., the Environmental Protection Act).

Scenario: Political Shifts Impacting Solaris Dynamics

  1. Step 1: Ideological Shift

     A general election results in a change of government. The new administration is highly protectionist, believing that domestic manufacturing must be shielded from foreign competition.

  2. Step 2: Policy Implementation

     The government implements a new trade policy, placing a 30% import tariff on cheap solar panels from overseas. This political move artificially raises the price of competitors' products.

  3. Step 3: Business Impact

     Solaris Dynamics, a domestic producer, suddenly finds its products highly competitive on price. Their sales double. This demonstrates how a macro-political policy decision directly alters the competitive micro-environment of a specific firm.

Organisations must engage in environmental scanning to anticipate political shifts, as government policy can rewrite the rules of competition overnight.

Practice Question

Which of the following is an example of a political factor that could positively affect a business in the renewable energy sector?

Practice Question

Why is political stability generally considered crucial for business investment?

Practice Question

A government decides to privatize the national railway network. What kind of environmental factor is this primarily an example of?

Objective B: Describe the sources of legal authority.

To operate legally, businesses must comply with laws originating from multiple levels of authority. The three primary sources of legal authority are supra-national bodies, national governments, and regional/local governments. Supra-national bodies are international organizations whose authority transcends national borders. The most prominent example is the European Union (EU). The EU can issue Regulations (which are immediately binding on all member states) and Directives (which member states must incorporate into their own national laws). Other supra-national agreements, like those from the World Trade Organization (WTO), also dictate international trade laws.

National governments are the primary source of law for most businesses. National laws apply uniformly across the entire country and cover fundamental areas such as company law (how to incorporate), employment law (minimum wage, working hours), health and safety regulations, and national taxation. These laws are typically created by a national parliament or legislature and enforced by national courts.

Regional or local governments (such as state legislatures in the US, or municipal councils in the UK) create laws that apply only within their specific geographic jurisdiction. These often deal with localized issues such as zoning laws (where a factory can be built), local business licensing, waste disposal regulations, and local property taxes. For example, 'GlobalFreight', an international logistics company, must comply with supra-national WTO tariffs when crossing borders, national employment laws regarding truck driver working hours, and local municipal laws regarding nighttime noise restrictions at their urban depots.

Key Point

Hierarchy of Law

In regions like the EU, supra-national law generally takes precedence over national law in areas where the member states have ceded competency (e.g., trade, competition law).

Scenario: GlobalFreight Navigating Legal Authorities

  1. Step 1: Supra-national Compliance

     GlobalFreight transports goods between France and Germany. They must comply with EU transport directives (supra-national law) which dictate the maximum emissions allowed for heavy goods vehicles crossing European borders.

  2. Step 2: National Compliance

     The company employs drivers based in France. They must adhere to the French national labor code (national law), ensuring drivers receive the mandated national minimum wage and statutory holiday pay.

  3. Step 3: Local Compliance

     GlobalFreight wants to build a new distribution warehouse in a specific district of Paris. They must apply for permits from the Parisian municipal council and comply with local zoning and building codes (regional/local law).

A single business operation is often simultaneously governed by three distinct layers of legal authority.

Practice Question

Which of the following is an example of a supra-national legal authority?

Practice Question

A business is fined for building a factory in an area designated strictly for residential housing. Which source of legal authority has most likely been breached?

Practice Question

What is the primary difference between an EU Regulation and an EU Directive?

Objective C: Identify the principles of data protection and security.

In the digital age, businesses collect vast amounts of personal data (information relating to an identified or identifiable living individual). To protect individuals' privacy, governments enact data protection laws (such as the GDPR in Europe). These laws are built upon core principles that dictate how organisations must handle personal data.

Firstly, data must be processed lawfully, fairly, and transparently. The organisation must have a valid legal basis (like user consent) and be clear about what they are doing. Secondly, data must be collected for specified, explicit, and legitimate purposes (Purpose Limitation); a company cannot collect data for a newsletter and then secretly sell it to advertisers. Thirdly, data collection must be adequate, relevant, and limited to what is necessary (Data Minimisation); a pizza delivery app needs your address, but not your medical history.

Furthermore, data must be accurate and kept up to date. It must not be kept for longer than is necessary (Storage Limitation). Finally, data must be processed securely, protecting against unauthorized access, accidental loss, or destruction (Integrity and Confidentiality). Consider 'MediTrack', a health-fitness app. If MediTrack collects users' heart rates, they must explicitly state this in their terms (Transparency), only use it to provide fitness metrics (Purpose Limitation), ensure the data is encrypted and protected against unauthorized access (Integrity and Confidentiality), and delete the data if the user deletes their account (Storage Limitation).

Warning

Personal Data Only

Data protection principles apply strictly to personal data (data about living individuals). They do not apply to corporate data, like a company's secret recipe or financial forecasts.

Scenario: MediTrack Applying Data Principles

  1. Step 1: Data Minimisation

     During account creation, MediTrack asks for the user's age, weight, and email. The marketing team suggests asking for the user's political affiliation to sell to advertisers. The legal team vetoes this, as political affiliation is not relevant to a fitness app, enforcing the principle of Data Minimisation.

  2. Step 2: Purpose Limitation

     MediTrack uses GPS data to map users' running routes. An insurance company offers to buy this data to adjust health premiums. MediTrack refuses, because the data was collected explicitly for fitness tracking, not insurance profiling, enforcing Purpose Limitation.

  3. Step 3: Storage Limitation

     A user uninstalls the app and requests account deletion. MediTrack's servers automatically purge all of that user's historical health data within 30 days, ensuring personal data is not kept longer than necessary.

Adhering to these principles ensures that businesses respect individual privacy and avoid catastrophic legal penalties.
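The three MediTrack steps above are usually described as policy decisions, but each one can also be enforced in code so that a developer cannot break the principle by accident. The following is an added illustration, not code from the study text or from any real MediTrack product: the field allow-list, purpose tags, the 30-day grace period and the helper functions are assumptions chosen to mirror the scenario.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Data Minimisation: the only profile fields the app may collect at sign-up
# (taken from the scenario; "political_affiliation" is deliberately absent).
ALLOWED_PROFILE_FIELDS = {"age", "weight", "email"}

# Storage Limitation: how long data may survive after a deletion request (scenario value).
DELETION_GRACE_DAYS = 30


class DataProtectionError(Exception):
    """Raised when an operation would violate one of the data protection principles."""


def collect_profile(submitted: dict) -> dict:
    """Accept only allow-listed fields; any extra field is rejected, not silently dropped,
    so a new marketing form cannot quietly widen what is collected."""
    extra = set(submitted) - ALLOWED_PROFILE_FIELDS
    if extra:
        raise DataProtectionError(f"not necessary for a fitness app: {sorted(extra)}")
    return {k: submitted[k] for k in ALLOWED_PROFILE_FIELDS if k in submitted}


@dataclass
class Record:
    """A stored data item tagged with the purpose it was collected for."""
    user_id: str
    kind: str      # e.g. "gps_route", "heart_rate"
    purpose: str   # e.g. "fitness_tracking"
    value: object


@dataclass
class Account:
    user_id: str
    records: List[Record] = field(default_factory=list)
    deletion_requested: Optional[date] = None


def share_for_purpose(record: Record, requested_purpose: str) -> object:
    """Purpose Limitation: data is released only for the purpose recorded at collection."""
    if requested_purpose != record.purpose:
        raise DataProtectionError(
            f"{record.kind} was collected for {record.purpose!r}, not {requested_purpose!r}")
    return record.value


def purge_deleted_accounts(accounts: Dict[str, Account], today: date) -> List[str]:
    """Storage Limitation: delete every account whose deletion request is at least
    DELETION_GRACE_DAYS old. Returns the purged user ids (a scheduled job would call this daily)."""
    purged = []
    for user_id, acct in list(accounts.items()):
        if acct.deletion_requested is None:
            continue
        if today - acct.deletion_requested >= timedelta(days=DELETION_GRACE_DAYS):
            del accounts[user_id]
            purged.append(user_id)
    return purged


def demo() -> dict:
    """Replays the scenario on constructed data and returns the outcomes."""
    outcome = {}
    try:
        collect_profile({"age": 34, "weight": 70, "email": "user@example.com",
                         "political_affiliation": "undisclosed"})
        outcome["minimisation"] = "accepted"
    except DataProtectionError:
        outcome["minimisation"] = "rejected"
    route = Record("u1", "gps_route", "fitness_tracking", [(48.85, 2.35), (48.86, 2.36)])
    try:
        share_for_purpose(route, "insurance_profiling")
        outcome["purpose"] = "shared"
    except DataProtectionError:
        outcome["purpose"] = "refused"
    accounts = {"u1": Account("u1", deletion_requested=date(2024, 1, 1)),
                "u2": Account("u2", deletion_requested=date(2024, 1, 20)),
                "u3": Account("u3")}
    outcome["purged"] = purge_deleted_accounts(accounts, date(2024, 1, 31))
    outcome["remaining"] = sorted(accounts)
    return outcome
```

Calling `demo()` reports that the extra profile field was rejected, the insurer's request was refused, and only the account whose deletion request is 30 days old has been purged; the one requested 11 days earlier is still within the grace period.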

Practice Question

A retail company collects customers' email addresses solely for the purpose of sending electronic receipts. Six months later, the company decides to sell these email addresses to a third-party marketing firm without asking the customers. Which data protection principle has been breached?

Practice Question

Which of the following best describes the principle of 'Data Minimisation'?

Practice Question

To which type of information do data protection laws (like the GDPR) primarily apply?

Objective D: Describe the legal responsibility of the individual and the organisation in relation to data protection and security.

Data protection laws impose strict legal responsibilities on both the organisation and the individuals working within it. The organisation acts as the 'Data Controller'. The controller is legally responsible for determining the purpose and means of processing personal data. They must implement appropriate technical and organizational measures (e.g., firewalls, encryption, staff training) to ensure data is secure. If a breach occurs due to negligence, the organisation faces severe financial penalties (under GDPR, up to 4% of global turnover) and reputational ruin.

Individuals within the organisation (employees, managers) also bear legal responsibility. They must adhere to the organisation's data protection policies. If an employee intentionally steals personal data, accesses records without authorization (e.g., a nurse looking up a celebrity's medical file out of curiosity), or recklessly loses data (e.g., leaving an unencrypted laptop on a train), they can face disciplinary action, dismissal, and even criminal prosecution depending on the jurisdiction.

Consider 'FinServe', a wealth management firm. FinServe (the organisation) is legally required to encrypt its client database and appoint a Data Protection Officer. Mark, a financial advisor at FinServe (the individual), downloads a list of high-net-worth clients onto a personal USB drive to work from home. He loses the USB drive. FinServe will be heavily fined by the regulator for failing to prevent data exfiltration, while Mark will likely be fired and potentially face criminal charges for reckless handling of personal data. Both bear responsibility, but the ultimate accountability to the regulator rests with the organisation.

Examiner Tip

Data Controller vs. Data Processor

Understand the difference: The Data Controller (the organisation) decides why and how data is processed and holds ultimate legal responsibility. A Data Processor is a third party (like a cloud storage provider) acting on the Controller's instructions.

Scenario: Accountability at FinServe

  1. Step 1: Organisational Responsibility (The Controller)

     FinServe collects client financial data. As the Data Controller, they are legally obligated to secure this data. They install firewalls, mandate complex passwords, and write a strict policy forbidding the use of personal USB drives.

  2. Step 2: Individual Responsibility

     Mark, an employee, signs the policy but ignores it, downloading client data to an unencrypted USB drive which he subsequently loses. Mark has breached his individual legal and contractual responsibility to handle data securely.

  3. Step 3: Legal Consequences

     The regulator investigates. FinServe is fined because their technical controls allowed Mark to download the data in the first place (organisational failure). Mark is fired for gross misconduct and faces potential legal action for the breach (individual failure).

Data security is a shared legal burden; the organisation must provide the secure environment, and the individual must operate securely within it.
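The FinServe scenario turns on one gap: the written policy forbade personal USB drives, but nothing technical enforced it, and the regulator treated that as the organisation's failure. The added example below (not from the study text, and not a description of any real FinServe system) shows what "appropriate technical and organisational measures" can look like in code for the controller's side of the shared burden: a client record store that refuses exports to unmanaged destinations, refuses reads by an advisor with no assigned relationship to the client (the curiosity case from the practice question), and writes an audit event for every attempt so that an individual's actions are attributable. The record layout, role assignments, destination list and export limit are all assumed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed policy constants: removable media is deliberately missing from the managed list,
# and exports above the limit need a separate approval path not shown here.
MANAGED_DESTINATIONS = {"corporate_laptop", "vdi_session"}
BULK_EXPORT_LIMIT = 25


@dataclass
class AuditEvent:
    """One attributed line in the audit trail: who did what to which client, and the outcome."""
    actor: str
    action: str
    client_id: str
    outcome: str  # "allowed" or "denied"
    reason: str = ""


class ClientStore:
    """The Data Controller's technical measures around a client database (assumed design)."""

    def __init__(self, records: Dict[str, dict], assignments: Dict[str, Set[str]]):
        self._records = records            # client_id -> client record
        self._assignments = assignments    # advisor -> client ids they are assigned to
        self.audit: List[AuditEvent] = []  # every attempt, allowed or denied, is recorded

    def _log(self, actor: str, action: str, client_id: str, outcome: str, reason: str = "") -> None:
        self.audit.append(AuditEvent(actor, action, client_id, outcome, reason))

    def read(self, actor: str, client_id: str) -> dict:
        """Read one record: allowed only for an advisor assigned to that client."""
        if client_id not in self._assignments.get(actor, set()):
            self._log(actor, "read", client_id, "denied", "no assigned relationship")
            raise PermissionError(f"{actor} is not assigned to client {client_id}")
        self._log(actor, "read", client_id, "allowed")
        return self._records[client_id]

    def export(self, actor: str, client_ids: List[str], destination: str) -> List[dict]:
        """Export records: refused for unmanaged destinations, oversized batches,
        or clients outside the actor's assignments. Every refused record is logged."""
        if destination not in MANAGED_DESTINATIONS:
            reason = f"unmanaged destination {destination!r}"
        elif len(client_ids) > BULK_EXPORT_LIMIT:
            reason = f"bulk export of {len(client_ids)} records exceeds limit {BULK_EXPORT_LIMIT}"
        elif any(cid not in self._assignments.get(actor, set()) for cid in client_ids):
            reason = "includes clients not assigned to actor"
        else:
            reason = ""
        if reason:
            for cid in client_ids:
                self._log(actor, "export", cid, "denied", reason)
            raise PermissionError(reason)
        for cid in client_ids:
            self._log(actor, "export", cid, "allowed", destination)
        return [self._records[cid] for cid in client_ids]


def denied_attempts_by_actor(audit: List[AuditEvent]) -> Dict[str, int]:
    """Compliance review: count denied actions per individual so misuse is attributable."""
    counts: Dict[str, int] = {}
    for event in audit:
        if event.outcome == "denied":
            counts[event.actor] = counts.get(event.actor, 0) + 1
    return counts


def demo() -> Dict[str, int]:
    """Replays the scenario on constructed data and returns denied attempts per actor."""
    records = {f"C{n}": {"client_id": f"C{n}", "net_worth": 1_000_000 * n} for n in range(1, 4)}
    store = ClientStore(records, assignments={"mark": {"C1", "C2"}, "priya": {"C3"}})
    store.read("mark", "C1")  # allowed: Mark is assigned to C1
    attempts = (lambda: store.read("mark", "C3"),                            # no relationship
                lambda: store.export("mark", ["C1", "C2"], "personal_usb"))  # removable media
    for attempt in attempts:
        try:
            attempt()
        except PermissionError:
            pass
    return denied_attempts_by_actor(store.audit)
```

In `demo()` the USB export never happens, so there is no data to lose on a train; the attempt is still recorded against Mark's account, which is what lets the organisation show the regulator both that its control worked and which individual tried to bypass it.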

Practice Question

In the context of data protection law, what is the role of a 'Data Controller'?

Practice Question

An employee at a hospital accesses the medical records of a famous politician out of personal curiosity, with no medical reason to do so. What are the likely legal implications?

Practice Question

Which of the following is a primary legal responsibility of an organisation regarding data security?