
scaling up: legal

As your business continues to grow, you may want to create different business units or even a group structure with different affiliates, perhaps in different countries or with a focus on different products or services.  

If you have not already done so, at this stage it is important to tighten up on your company's policies and processes for compliance with external statutory and regulatory requirements, as well as internal governance of its activities and management of its legal operations.


There are many compliance areas to think about.  Some will be more important than others for your particular business, but you need to be mindful of compliance across all areas.  Sanctions for non-compliance can involve hefty fines (for example up to 4% of global turnover for a serious personal data breach incident) and possibly even prison sentences.  Key areas include:

  • Health & Safety

  • Equal Opportunity & Diversity

  • Data Privacy

  • Competition

  • Anti-Bribery & Corruption

  • Anti-Money Laundering

  • Trade Control

  • Environment & Sustainability

  • Modern Slavery

  • Industry-specific regulations (Auto generally, Autonomous Vehicles, etc.), incl Brexit impact if any

  • With contract obligations incl. NDAs (link to Contract Management System)

  • With court orders for search/seizure (process, identified staff + external counsel)

  • With litigation court rules (eg document preservation)

  • Financial / Investment Regulations

  • Company & Tax Reporting


Once your leadership and managerial team expands, it can become harder to ensure different business areas remain aligned in support of overall business objectives.  Having effective governance processes in place can help impose a consistent approach across the business.  The exact processes you need will depend on the scale and nature of your business activities, but they typically include:

  • Delegation of Authorities: Corporate (sign docs) vs Organisational (sign off)

  • Finance/treasury: spending / loan sign-offs

  • Information Management (how you handle confidential information - your own AND third parties' - see below)

  • Intellectual Property Management (your own AND third parties')

  • Record Retention

  • Cybersecurity

  • Risk Matrix capturing key risks, how likely each is to occur, and what mitigating actions the business is taking to address them

  • Data privacy: data breach/subject access request response processes

  • Employee onboarding/offboarding to ensure they are aware of what compliance and governance policies they are expected to observe whilst working for the company, and in some cases expected to continue to observe after they leave (for example preserving ongoing confidentiality of company information)

If you don't already have one, consider developing a Code of Ethics for your business, with Business Conduct guidelines for all members of staff to follow, setting out company policies on the different compliance areas and the processes in place to manage this.

Information management

One specific governance area to consider is how your company manages the protection and disclosure of its own sensitive commercial or technical information, as well as the information it receives from others.  This can help avoid loss of value in your own technology or business plans, and avoid any unwelcome claims of breach of confidence or misappropriation of trade secrets from third parties that have shared their information with you.  Steps to take here include:

  • Clear guidance over when to enter into NDAs (consider 1-way as well as 2-way)

  • Information classification system, for example:

    • Unrestricted

    • Confidential

    • Strictly Confidential (Trade Secrets, highly sensitive commercial/business info)

  • Appropriate storage, security, markings

  • Guidelines for making public disclosures eg at conferences, on social media, on collaborative R&D projects etc.

  • Guidance re. managing info disclosure (your company's and 3rd parties’) and receipt of info under NDAs

  • Consider secure/appropriate personal data storage/processing & data privacy compliance

  • Employee onboarding (ongoing secrecy obligations to previous employer) / offboarding (ongoing secrecy obligations to your company)


There are many reasons why it may make sense to consider setting up a group structure, perhaps making your existing single company the 'parent' or holding company, or perhaps setting up a new holding company that will own your existing company, and then perhaps setting up other affiliated companies as well.  This could be to enable you to diversify product or technology areas, perhaps with a view to divesting one or more specific companies separately but not the whole group.  Things to consider include:

  • Creating a holding company

  • Subsidiaries for particular technology applications/countries

  • Intellectual property holding company, perhaps in a tax efficient country.

  • Intragroup intellectual property ownership/licensing arrangements so all relevant subsidiaries can use the necessary IP

  • Intragroup services: will different subsidiaries provide technical or other services to each other?  Which internal functional support (eg finance, HR, legal) will be managed centrally and then provided to other subsidiaries?

  • Intragroup loans?

  • Tax, transfer pricing considerations when sharing IP/know-how between affiliates

  • Data Privacy – 'Binding Corporate Rules' for sharing personal data intragroup


There are various threads to all of this, and it can be very helpful and cost-effective to manage the preparation, negotiation, execution and implementation of contractual arrangements with partners in a coordinated, consistent manner.  A legal counsel providing 'in-house' support can help pull all this together, including assistance with the following:

  • Review areas for compliance and governance and support development and implementation of policies and processes as needed.

  • Contract templates: NDAs, supply, procurement, employment, licences, proof of concept, joint development etc. (including pre-agreed 'fall-back' positions you may be prepared to accept on different issues, and guidance for purchasing and sales teams to follow)

  • Contract management system – think about software to assist with tracking negotiations & signed agreements

  • Records & corporate docs repository

  • Training to staff: key compliance and governance areas, information management, use of templates

  • Signature: powers of attorney for authorised signatories; electronic signatures

  • Corporate response preparedness eg personal data breaches, dawn raids/court orders

  • Links with Finance, Procurement, HR, Technology/R&D, Sales/New Business

  • Involving other external legal counsel as needed for specific issues

  • Help develop/refresh Code of Ethics, Business Conduct guidelines or similar
