New Law Protects Your Shop Staff: What Every UK Retailer Must Do After the Crime and Policing Act 2026

A new law received Royal Assent on 29 April 2026 that every UK retailer needs to know about — and almost none do. The Crime and Policing Act 2026 creates a standalone criminal offence for assaulting or abusing retail workers, removes the £200 prosecution threshold that effectively decriminalised low-value shoplifting, and introduces compliance obligations that fall directly on retail employers. If you run a shop, a warehouse, a franchise, or any retail outlet with customer-facing staff, this law affects you now.

The retail sector loses an estimated £1.8 billion to theft annually. Behind those numbers are staff assaulted, threatened, and harassed on the shop floor — often without legal recourse because offences fell below prosecution thresholds or were classed as minor enough to be deprioritised. The Crime and Policing Act 2026 changes that. It also creates a new layer of duty on employers: the obligation to have systems in place to report, record, and act on incidents involving staff. Businesses that wait for police guidance before updating their own processes are already behind.

This guide explains what changed, why it creates employer obligations you need to address now, and — critically — how it connects with a second, broader law coming in October 2026 that will make every retail employer liable for customer-facing harassment unless they can evidence they took "all reasonable steps" to prevent it.

What the Crime and Policing Act 2026 Changes

Before the Crime and Policing Act 2026, an incident in which a customer assaulted or verbally abused a shop worker was typically prosecuted — if at all — under general assault provisions in the Offences Against the Person Act 1861. The "retail worker" context was an aggravating factor courts could consider, but there was no specific offence of assaulting a retail worker. That meant police and prosecutors frequently deprioritised incidents that did not result in serious physical injury.

The Act creates a new criminal landscape in three key ways:

• Standalone offence: Assaulting or abusing a retail worker in the course of their employment is now a distinct criminal offence, separate from common assault. This allows police to charge and prosecutors to pursue these cases without having to fit them into broader assault frameworks.
• Removal of the £200 threshold: Under the previous framework, shoplifting of goods worth less than £200 was treated as a summary-only offence with limited enforcement appetite. The Act removes this threshold, meaning low-value retail theft — including repeat, pattern-of-behaviour offending — can now be prosecuted without the value limitation creating a de facto ceiling on police action.
• Escalated penalties: The standalone offence for assaulting retail workers carries penalties that reflect the deliberate targeting of workers in a customer-facing role. The courts can treat the retail context as both the definition of the offence and an aggravating factor in sentencing.

This matters for retail operators not because it changes your criminal exposure — you are not the perpetrator — but because it changes what your staff expect you to have in place, what happens after an incident, and what your duty of care requires you to document.

The Standalone Retail Worker Assault Offence: What It Means on the Shop Floor

The creation of a standalone offence for assaulting retail workers is symbolically and practically significant. For the first time, there is a clear legal acknowledgement that working in a shop or customer-facing retail environment creates a specific risk of personal harm — and that the law must specifically address it.

For retailers, this creates an implicit duty of care signal. When Parliament passes a law that specifically recognises retail workers as a category of worker requiring dedicated protection, it simultaneously raises the standard expected of employers to prevent the circumstances that trigger that protection. Health and safety law under the Health and Safety at Work Act 1974 already requires employers to reduce the risk of violence to employees so far as is reasonably practicable. The Crime and Policing Act 2026 doesn't change that duty — but it reinforces it, and it sets a new baseline for what "reasonably practicable" means in a retail context.

If your shop has experienced incidents of customer aggression toward staff and you have no written policy, no incident log, and no risk assessment that addresses customer-facing violence, the existence of a law specifically designed to address this risk makes it harder to argue you couldn't have anticipated the need for one.

The £200 Threshold Removal: Practical Implications

The removal of the £200 shoplifting threshold has a direct practical effect on retail operations. Under the old summary-only rule, police in many areas operated an informal threshold below which shoplifting reports were effectively administratively dismissed. This created a two-tier reality: shops in high-footfall areas frequently dealt with repeat offenders who could steal up to £200 worth of goods with near-impunity because criminal enforcement made no economic sense.

With the threshold gone, retail security teams, store managers and loss prevention staff need updated guidance on:

• Incident reporting standards — what to record, how to record it, and how to support a police report that can now lead to prosecution regardless of value
• Evidence retention — CCTV footage, witness statements, and stock records that will be needed if low-value thefts are now prosecuted more frequently
• Staff interaction protocols — as prosecution becomes more accessible, tensions between staff attempting to detain or challenge shoplifters and the risk of triggering or escalating an incident that falls under the new assault offence becomes more acute
• Communication with police — what information a police report must contain and how to provide it efficiently so that cases are not dropped for lack of evidence

These are all employer responsibilities. The law creates the enforcement mechanism. Your documented procedures determine whether your business can use it.

Compliance Obligations This Creates for Employers

The Crime and Policing Act 2026 is a criminal law statute. It creates offences committed by third parties — customers — not employers. But it creates several compliance obligations for retail businesses that sit squarely within employment law, health and safety law, and data protection law.

Written Staff Safety Policy

Every retail employer with five or more employees must already have a written health and safety policy under the Health and Safety at Work Act 1974. The Crime and Policing Act 2026 does not change this requirement — but it significantly strengthens the case that any such policy must explicitly address customer-facing violence, verbal abuse, and threatening behaviour as foreseeable workplace risks. If your written H&S policy was last updated before this Act and makes no mention of retail-specific assault risk, it is now out of date.

Your updated policy should cover:

• The types of incidents staff may encounter (physical assault, verbal abuse, threatening behaviour, harassment)
• The reporting process — who to report to, within what timeframe, using what format
• What staff should and should not do when challenging a suspected shoplifter
• The business's commitment to supporting staff who report incidents or prosecutions
• Reference to the Crime and Policing Act 2026 and the standalone offence

Incident Log (Digital or Paper)

Every reportable incident — any assault, threatening behaviour, or significant verbal abuse directed at a retail worker — must be logged. An incident log serves multiple purposes: it creates the evidence trail needed if you wish to pursue prosecution under the new Act, it demonstrates your duty of care to staff in any subsequent employment tribunal or personal injury claim, and it provides data for your ongoing risk assessment obligations.

ComplianceAlert's Action Centre includes a digital incident log template as part of the retail compliance workflow. Customers can use it to record, track and export incident reports without the cost of bespoke legal documentation.

Risk Assessment Update

Your workplace risk assessment must be reviewed following any significant change in the working environment — and the Crime and Policing Act 2026, by formally recognising retail-worker assault as a specific category of criminal harm, constitutes exactly that. A risk assessment that does not address customer-aggression risk, staffing levels during high-risk periods (evenings, bank holidays, sale periods), physical layout of the shop floor, or the use of lone working arrangements can no longer be described as suitable and sufficient.

The October 2026 Link: Third-Party Harassment Liability

The Crime and Policing Act 2026 does not exist in isolation. It connects directly with a second major change arriving in October 2026 under the Employment Rights Act 2025: the third-party harassment provisions.

From October 2026, employers will be legally liable for harassment of their employees by third parties — including customers — unless they can demonstrate they took "all reasonable steps" to prevent it. This is not a new concept; a version of it existed before 2013 before being repealed. The Employment Rights Act 2025 reinstates and strengthens it.

The practical consequence is this: a customer who verbally harasses or physically threatens a member of your retail staff creates a potential employment tribunal claim against you, not just a criminal complaint against the customer. If you can evidence a written staff safety policy, a trained management team, clear reporting procedures, and a record of acting on incidents — all of which the Crime and Policing Act 2026 prompts you to build now — you have a strong defence. If you cannot, you do not.

The window between the Crime and Policing Act receiving Royal Assent in April 2026 and the third-party harassment provisions coming into force in October 2026 is not long. Retailers who use the next few months to build their staff safety framework are building the evidence of "all reasonable steps" that the October law will require. Retailers who wait until October are building it under the pressure of legal liability already in effect.

Five Steps Every Retailer Must Take Now

These five actions address the compliance gap created by the Crime and Policing Act 2026 and position your business for the October 2026 third-party harassment liability provisions simultaneously.

Step 1: Review and Update Your Written H&S Policy

Your existing health and safety policy must be reviewed to address customer-facing violence risk explicitly. Reference the Crime and Policing Act 2026 standalone offence. Set out reporting procedures. Do this now — before an incident forces you to do it under pressure.

Step 2: Implement a Formal Incident Log

Start recording every incident involving staff and customers — assault, threatening behaviour, verbal abuse, significant theft confrontations. Record date, time, location, nature of incident, staff involved, and action taken. This log is your evidence base for prosecution, your defence in tribunal, and your data for your risk assessment review.

Step 3: Update Your Risk Assessment

Conduct a specific risk assessment for customer-facing violence and aggression. Consider staffing levels at peak times, physical layout, lone working arrangements, cash handling, high-value stock display, and the interaction between security measures and staff safety. Document your findings and the controls you put in place.

Step 4: Brief Your Management Team

Every manager, supervisor, and team leader in your business needs to understand two things: (1) the new law means staff assaults can and should be reported to police regardless of value, and (2) how to receive, record, and act on an incident report from a member of staff. This briefing does not need to be a training course. A documented team meeting with a record of who attended is sufficient to evidence awareness.

Step 5: Review Your CCTV Data Retention Policy

With prosecution of lower-value shoplifting offences now more accessible, the period for which you retain CCTV footage becomes more operationally significant. Standard ICO guidance recommends retention of no longer than 30 days unless there is a specific reason for longer retention. If a reportable incident occurred two weeks ago and you have already deleted the footage, the case may be unprosecutable. Review your retention period against your typical incident-to-report timeline.

Frequently Asked Questions

Does the Crime and Policing Act 2026 apply to all retail businesses regardless of size?

Yes. The standalone offence for assaulting retail workers applies regardless of whether the employer is a sole trader, a small independent shop, or a major chain. There is no small-business exemption. Any business employing customer-facing retail workers is within scope.

Do I need to update my employment contracts?

Not necessarily, but your written policies (H&S policy, staff handbook) should be updated to reflect your incident reporting process and your commitment to supporting staff who report incidents. Employment contracts set out terms of employment; policies set out how those terms operate in practice. Both need to be current.

What should I do if a member of staff is assaulted at work?

Ensure the staff member's immediate safety and wellbeing. Record the incident in your incident log. Encourage and support the staff member to report the incident to police — the new standalone offence means it is now more likely to be taken seriously and prosecuted. Preserve any CCTV footage. Review whether your risk assessment for that area or situation requires updating.

How does the third-party harassment liability in October 2026 change my obligations?

From October 2026, you will be legally liable for harassment of your employees by customers unless you can show you took "all reasonable steps" to prevent it. The steps outlined in this guide — written policy, incident log, risk assessment, management briefing — collectively constitute the "reasonable steps" evidence you will need. Starting now gives you the audit trail.

Does this law affect online retailers too?

The Crime and Policing Act 2026 focuses on in-person retail settings and customer-facing roles. If your online retail operation includes warehouse staff, delivery drivers, or customer-facing representatives who interact with members of the public, the H&S and third-party harassment obligations apply. If your operation is entirely remote, the immediate practical impact is lower, but the October 2026 third-party harassment rules will apply to any staff with customer contact.

What This Means for UK Retail in 2026

The Crime and Policing Act 2026 is part of a broader pattern of employment and retail regulation that is converging on a common point: employers are increasingly being asked to take ownership of the safety and protection of their staff from the moment someone walks through the door, not just within the employment relationship itself. The Health and Safety at Work Act, the new standalone retail offence, and the October 2026 third-party harassment provisions are not separate compliance islands — they are a connected framework, and retailers who treat them as connected will be better protected than those who respond to each in isolation.

The good news is that the practical steps are not complex. A written policy. An incident log. An updated risk assessment. A briefed management team. These are achievable in days, not months — and they cover you across the Crime and Policing Act 2026, your existing H&S duty, and the October 2026 liability provisions simultaneously.

ComplianceAlert's Action Centre includes guided compliance workflows for retail employers covering staff safety policy, incident logging, and risk assessment documentation. You do not need to know every law in detail — you need a system that tells you what to do and walks you through it step by step.

Need a specialist to draft your staff safety policy or review your risk assessment? Find a verified employment lawyer or health and safety consultant at compliancemarket.co.uk/employment-lawyers.

👉 compliancealert.co.uk/retail — free forever, no card required