The 'All Reasonable Steps' Duty: Using Anonymous Surveys to Evidence Harassment Prevention
25 June 2026 by Mark Holt
From October 2026, UK employers must take all reasonable steps — not merely "reasonable steps" — to prevent sexual harassment at work, and can be held directly liable when a worker is harassed by a third party such as a customer or contractor. The change sounds small. It is not. Faced with a tribunal claim, you will have to show not just what you did, but that there was nothing else you could reasonably have done.
The single most important piece of evidence in that defence is a documented risk assessment specific to your workplace. And the hardest input to that assessment — what is actually happening, to whom, and where — is exactly what people will not tell you through normal channels. This guide explains the new duty and shows how a genuinely anonymous survey both surfaces the risks and creates the dated evidence trail the law now expects.
Divrsity Disclaimer
This article describes the enhanced duty to prevent sexual harassment under the Employment Rights Act 2025, based on the position as at June 2026, and is general guidance rather than legal advice. Detailed regulations on "reasonable steps" are still being finalised. A survey is one part of a compliance programme, not a substitute for it — take professional legal advice for your own circumstances.
What is changing in October 2026?
Since October 2024, employers have had a positive duty to take reasonable steps to prevent sexual harassment, introduced by the Worker Protection Act. From October 2026 the Employment Rights Act 2025 raises that bar to all reasonable steps. The difference is more than a word. The earlier standard asked whether an employer had done something sensible; the new standard asks whether it had done everything sensible. In practice, an employer defending a claim must demonstrate that no further reasonable step was available to it.
Two related changes land alongside it. From April 2026, disclosures about sexual harassment are explicitly recognised as protected disclosures under whistleblowing law, so employees who speak up gain stronger protection from retaliation. And from October 2026, employers face direct liability for third-party harassment — harassment of a worker by a customer, client, supplier or contractor — where they have not taken all reasonable steps to prevent it. Where a tribunal finds a breach involving sexual harassment, compensation can be uplifted by up to 25%.
The risk assessment is the heart of the defence
The Government has been clear that "all reasonable steps" is expected to include conducting risk assessments, publishing clear and accessible policies, and maintaining robust reporting lines and complaints procedures. Of these, the risk assessment is the foundation — the single most important piece of evidence an employer can produce. The logic is simple: you cannot claim to have taken all reasonable steps against a risk you never bothered to identify. An employer that has not assessed the risks specific to its workforce, its sites and the third parties its people encounter will struggle to show compliance, no matter what else it has in place.
A credible risk assessment has to be specific. Generic, off-the-shelf policies are precisely what tribunals see through. It needs to reflect your workforce: which roles involve lone working or public interaction, where power imbalances exist, which teams or locations carry elevated risk, and what your own people are actually experiencing. That last point is the problem — because the people who know are the least likely to tell you directly.
Why people don't report — and why that's your biggest blind spot
Sexual harassment is chronically under-reported. People stay silent because they fear they will not be believed, that complaining will damage their career, or that everyone will know who raised it. The result is that the formal complaints log — the data many employers rely on — systematically understates the problem. Building a risk assessment on "we've had no complaints" is building it on a measurement failure, and a tribunal will treat it as one.
This is the gap an anonymous survey is uniquely placed to close. When people are genuinely confident they cannot be identified, they tell you things they would never put in a named complaint: that harassment by customers is routine on a particular shift, that a certain team has a culture problem, that a behaviour has been tolerated for years. That intelligence is the raw material of a real risk assessment — and gathering it is itself one of the "reasonable steps" the law now expects.
How anonymous surveys evidence "all reasonable steps"
A well-run survey contributes to the defence in two distinct ways, and both matter.
First, it informs the risk assessment. By asking about experiences of harassment — including third-party harassment — and segmenting the answers by team, location and demographic, you find out where the real risks sit rather than guessing. You can ask whether people know how to report, whether they believe action would be taken, and whether they have witnessed behaviour that troubled them. Cross-referencing those answers with demographic data — what we call Lenses — shows whether particular groups are disproportionately affected, which a headline figure would hide. This is closely related to measuring psychological safety and spotting the microaggressions that often precede more serious behaviour.
Second, the survey is itself evidence. A dated record showing that you proactively sought out harassment risks, analysed the results and acted on them is exactly the kind of step that demonstrates you did everything reasonable — not just the bare minimum after something went wrong. Run on a regular cadence, it also shows a tribunal that prevention is an ongoing programme rather than a one-off box-tick, and lets you track whether interventions are working over time.
Anonymity has to be real, or it backfires
There is a sharp warning here. If you ask people about something as sensitive as harassment and your "anonymous" survey turns out to be traceable, you will not just get poor data — you will destroy trust and may expose people who disclosed to exactly the retaliation the new whistleblowing protection is meant to prevent. Anonymity on a harassment survey is not a nicety; it is a safeguarding requirement.
This is why how a survey is built matters as much as what it asks. On the Divrsity platform there are no cookies, no IP logging and no link between an answer and an email address: each response is tied only to a random 128-bit identifier, the participant's email is purged the moment they finish, and not even Divrsity staff can see how an individual answered. A GDPR Subject Access Request would reveal nothing. We have written at length about exactly how we protect participant anonymity — because on a topic like this, "we promise not to look" is not good enough; it has to be "we cannot look". Our results suppress any group too small to report on, so you can act on a problem in a small team without ever risking identifying the person who raised it.
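The small-group suppression described above can be sketched as follows. This is an added example, not Divrsity's code: the threshold of 5, the function name and the sample data are assumptions. It goes one step beyond the text by also withholding a second group when needed, so that a hidden group cannot be recovered by subtracting the published groups from the overall total.

```python
from collections import Counter

MIN_GROUP = 5  # assumed threshold; the article does not state the platform's value


def suppress_small_groups(responses, min_group=MIN_GROUP):
    """responses: list of (group, answered_yes) pairs, one per anonymous response.

    Returns (total, table). table maps each group to {"n", "yes"}, or to None
    when the group is withheld. total is None when even the overall count is
    below the threshold.
    """
    n = Counter(group for group, _ in responses)
    yes = Counter(group for group, answered_yes in responses if answered_yes)
    total = {"n": sum(n.values()), "yes": sum(yes.values())}

    hidden = {g for g, size in n.items() if size < min_group}
    # Smallest first; ties broken by name so the output is deterministic.
    visible = sorted((g for g in n if g not in hidden), key=lambda g: (n[g], g))

    # Complementary suppression: a reader can always compute
    # total - sum(published groups). Keep withholding the smallest published
    # group until that remainder covers at least two groups and at least
    # min_group respondents.
    while hidden and visible and (
        len(hidden) < 2 or sum(n[g] for g in hidden) < min_group
    ):
        hidden.add(visible.pop(0))

    if total["n"] < min_group:
        total = None  # the headline figure itself would describe a tiny group

    table = {g: None if g in hidden else {"n": n[g], "yes": yes[g]} for g in n}
    return total, table


# Constructed sample data: (team, "have you experienced harassment?")
SAMPLE = (
    [("Warehouse", True)] * 3 + [("Warehouse", False)] * 9
    + [("Retail", True)] * 4 + [("Retail", False)] * 3
    + [("Night shift", True)] * 2 + [("Night shift", False)] * 1
)

if __name__ == "__main__":
    print(suppress_small_groups(SAMPLE))
```

With the constructed sample, "Night shift" (3 responses) is withheld for size, and "Retail" is withheld with it because publishing Warehouse, Retail and the total together would expose the Night shift figures by subtraction.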
What a compliant prevention programme looks like
A survey is one pillar, not the whole structure. A defensible "all reasonable steps" programme typically combines a specific, evidence-based risk assessment; a clear, accessible anti-harassment policy that explicitly covers third parties; well-publicised and trusted reporting routes (including anonymous ones); training that is refreshed rather than done once; and visible leadership ownership. The anonymous survey threads through several of these — it feeds the risk assessment, tests whether people trust the reporting routes, and measures whether training is changing behaviour.
On the Divrsity platform the analysis is automatic: an interactive dashboard is generated within about 10 minutes of a survey closing, with breakdowns by team and location and open-text themes already extracted, followed by a prioritised action plan within 24 hours — all running on UK-based servers and UK-built AI so sensitive disclosures never leave the country. If you are new to the mechanics, our eight-step guide to running a DEI survey walks through the whole process. And because harassment prevention sits within wider legal and ethical obligations, it is worth reading alongside our piece on the legal and ethical considerations of workplace surveys.
Frequently Asked Questions
What is the 'all reasonable steps' duty?
From October 2026, the Employment Rights Act 2025 strengthens the existing duty on UK employers from taking "reasonable steps" to taking "all reasonable steps" to prevent sexual harassment in the workplace. The test becomes whether the employer took every reasonable step open to it — meaning that, faced with a claim, an employer must show not only what it did but that there was nothing else it could reasonably have done.
When does the all reasonable steps duty come into force?
The enhanced "all reasonable steps" duty comes into force in October 2026. From April 2026, disclosures relating to sexual harassment are also explicitly recognised as protected disclosures under whistleblowing law, giving employees who raise concerns stronger protection from retaliation.
Is a risk assessment required for the sexual harassment duty?
A documented sexual harassment risk assessment is widely regarded as the single most important piece of evidence for the "all reasonable steps" defence. The Government expects all reasonable steps to include conducting risk assessments, publishing clear policies, and maintaining robust reporting and complaints procedures. An employer that has not assessed the risks specific to its workplace will struggle to show compliance, whatever else it has done.
Are employers liable for third-party harassment?
Yes. From October 2026, employers can be directly liable where a worker is harassed by a third party — such as a customer, client or contractor — and the employer has not taken all reasonable steps to prevent it. This makes risk assessment especially important in roles involving public or customer interaction.
How can an anonymous survey help with harassment prevention?
Anonymous surveys surface harassment risks that people will never raise through line management — where it happens, which groups are affected, and whether third parties are involved — so your risk assessment is based on evidence rather than guesswork. Just as importantly, a dated survey record demonstrates that you actively sought out problems, which is precisely the kind of proactive step the "all reasonable steps" defence requires. Genuine anonymity is essential, because people disclose harassment only when they are certain they cannot be identified.
Conclusion: prove you looked, prove you acted
The "all reasonable steps" duty changes the question a tribunal asks from "did you try?" to "did you do everything you reasonably could?" Answering that convincingly means starting from a real picture of the risks in your own organisation — and that picture only emerges when people can tell you the truth without fear. A genuinely anonymous survey gives you that picture, feeds it straight into your risk assessment, and leaves a dated, defensible record that you went looking for problems rather than waiting for them to find you.
Divrsity was built for exactly this kind of honest, sensitive disclosure: UK-built, UK-hosted, and anonymous in a way you can actually prove. It will not write your prevention programme for you — but it will give that programme the evidence base the law now demands.