The legal pressure on employers to prevent workplace harassment is growing faster than most HR teams anticipated. Since October 2024, the Worker Protection (Amendment of Equality Act 2010) Act 2023 has placed a direct preventative duty on every UK employer to take reasonable steps to stop sexual harassment before it occurs. Now, with the Employment Rights Act 2025 set to raise that standard further from October 2026, organisations with large customer-facing workforces are up against a particularly demanding compliance challenge.
The issue is third-party harassment. Harassment committed not by colleagues, but by customers, clients, patients, or members of the public. It happens in contact centres, retail floors, bank branches, housing offices, and anywhere else staff interact with the public. It is common, it is often under-reported, and it is now explicitly within the scope of your employer duty.
This post sets out what the law requires, why large organisations are most exposed, and how the right HR case management software can help you meet your obligations in a way that is consistent, auditable, and defensible.
The Worker Protection Act 2023 amended the Equality Act 2010 to create a positive preventative duty. Employers can no longer wait for an incident to occur and then respond to it. They must actively assess the risk of sexual harassment, take steps to reduce that risk, and be able to demonstrate what those steps were.
The Equality and Human Rights Commission (EHRC) technical guidance, updated in September 2024, makes clear that this duty extends to sexual harassment by third parties, which includes customers, clients, service users, and contractors. If a member of staff is sexually harassed by a customer and the employer has not taken reasonable steps to prevent it, the EHRC can investigate and take enforcement action independently, regardless of whether a Tribunal claim has been brought.
The financial exposure is considerable. Employment tribunals have the power to increase compensation by up to 25% where an employer is found to have breached the preventative duty. Sexual harassment compensation in the Employment Tribunal is uncapped, which means a 25% uplift can represent tens of thousands of pounds in additional liability, on top of legal costs and any parallel EHRC enforcement action.
The stakes increase further from October 2026. Under the Employment Rights Act 2025, two material changes take effect. First, the standard rises from "reasonable steps" to "all reasonable steps" — a deliberately higher bar that changes how tribunals will assess employer conduct. Second, employer liability for third-party harassment is extended across all nine protected characteristics, not just sexual harassment. Racial harassment, disability-related harassment, and harassment related to religion or belief, committed by a customer, will become directly actionable against the employer.
For large organisations with customer-facing workforces, this is not a future concern. Preparation needs to start now.
Smaller employers can manage harassment risks through close supervision and informal communication. Large organisations can’t. When you have hundreds or thousands of staff spread across sites, shifts, branches, and contact channels, the compliance challenge is structural.
Third-party harassment is particularly difficult to manage at scale for several reasons.
A large retailer, housing association, or financial services firm handles an enormous volume of customer interactions daily. The incidents that cross the line may be a small fraction of those interactions, but the absolute numbers are significant. The EHRC's 2018 Turning the Tables report found that a quarter of people who reported sexual harassment had been harassed by third parties, with customer-facing roles particularly affected.
Staff in customer-facing roles often feel unable to escalate concerns about customer behaviour, particularly where the customer is a long-standing account or the harassment is brief and difficult to describe. According to the EHRC, four out of five people who experience sexual harassment do not report it to their employer. Anonymous or accessible reporting channels matter enormously.
In large organisations, line managers play a critical role in receiving disclosures and deciding how to respond. Without clear, consistent processes, responses vary. Some managers take immediate action; others minimise or dismiss what they are told. That inconsistency is precisely what the EHRC looks for when assessing whether an employer has taken reasonable steps.
When an EHRC investigation or Tribunal claim arises, the question is not just what policies you had in place, but what actually happened when an incident was reported. Without consistent case records, large organisations struggle to demonstrate that reports were investigated properly, that outcomes were communicated, and that patterns were identified and acted on.
Gaps in recording can only be closed with changes to operational infrastructure rather than policy documents alone.
The EHRC's 8-step guide for employers provides a framework for the preventative duty. For large, customer-facing organisations, the steps that carry the most compliance weight are:
The EHRC is explicit that without conducting a risk assessment, the preventative duty is unlikely to be met. For customer-facing organisations, it’s a case of assessing which roles, locations, and working patterns create the highest exposure to third-party harassment, and documenting what steps have been taken as a result.
Staff must know how to report third-party harassment, and the process must be straightforward enough that they actually use it. Multiple channels help: not everyone is comfortable raising concerns with their immediate line manager, particularly if the manager was present when the incident occurred.
Every report must be taken seriously and followed up. An investigation process that works for internal disciplinary cases needs to be adapted for third-party incidents, where the outcome may be a warning to the customer, termination of a contract, or a bar on future contact.
The duty is ongoing. Employers are expected to track patterns in harassment incidents, identify whether certain sites, shifts, or customer channels generate a disproportionate share of reports, and adjust their preventative approach accordingly. Robust HR data can become compliance evidence.
If a Tribunal or the EHRC comes asking, you need to be able to show not just that you had a policy, but that reports were received, investigated, concluded, and reviewed. Your audit trail is also your compliance record.
The requirements above describe a structured, repeatable, documented process for handling a category of sensitive HR cases at volume. That is precisely what HR case management software is designed to support.
At Workpro, we work with large organisations across financial services, social housing, local government, and other customer-facing sectors. Our case management platform gives HR and ER teams the tools to manage third-party harassment cases with the same consistency and rigour they bring to internal disciplinary and grievance processes.
Every report, from whichever channel it arrives, is captured in a single system. Workpro creates a structured case record from the point of intake, with all correspondence, investigation notes, and outcomes stored in one place. No records held in individual inboxes. No risk of documentation being lost when a manager leaves.
Workpro's configurable workflows ensure that every third-party harassment case follows the same investigation steps, with escalation triggers where needed. Having consistency built in provides the operational evidence of reasonable steps being taken.
Large organisations need assurance that cases are not sitting unresolved. Workpro tracks case age and alerts supervisors when response timelines are at risk, so nothing falls through the gaps.
Workpro produces the management information that makes root cause analysis possible. Which teams generate the most third-party harassment reports? Which locations? Which customer types? Analysis of the sources of the problem informs the risk assessment process and demonstrates to the EHRC that you are monitoring and learning, not just recording.
Every action taken in a Workpro case is time-stamped and attributed. If an investigation or enforcement inquiry requires a full case history, it is available, complete, and in order.
You can explore Workpro's features and modules to understand how these capabilities can be configured for your organisation's specific structure and case volumes.
The Worker Protection Act 2023 is already in force. The EHRC has stated publicly that it will use its enforcement powers actively, and early enforcement actions will set the standard for what "reasonable steps" means in practice. The Employment Rights Act 2025 will extend direct third-party liability across all protected characteristics from October 2026.
Large organisations with customer-facing workforces need more than updated policies and refreshed training programmes. They need the operational infrastructure to record incidents consistently, investigate them thoroughly, and demonstrate, with evidence, that they are taking their duty seriously.
Organisations that build that infrastructure now will be in a far stronger position when the tighter standard takes effect. Those that rely on informal processes and fragmented records will find the compliance gap hard to close quickly under pressure.