
BA Data Breach – What has happened?
Tuesday 11th September 2018

British Airways (BA) has reported that between 21 August 2018 and 5 September 2018, its website and mobile phone app were subject to a “very sophisticated, malicious attack”. Hackers are reported to have stolen customers’ personal data, including their names, email addresses, credit card numbers, expiry dates and 3 digit CVV codes, for around 380,000 transactions that took place during this period. Commentators initially believe that the attack could have been an ‘interceptor’ style attack, because BA has confirmed that it does not hold CVV codes, as holding them would breach international standards.

What are the implications for the data subjects?

As a result of the data breach, the hackers may be able to access customers’ accounts, open new accounts in the customer’s name, use the data to make fraudulent purchases and clone the credit/debit cards used. They may also sell the data on to third parties.

BA has advised all affected customers to change their online passwords, monitor their accounts and to be wary of phone calls from people claiming to be from their banks or BA, who may in fact be phishing for more information to carry out fraudulent activities.

BA has apologised and has stated that it will reimburse affected customers for any financial losses and will provide a credit checking service. The airline has also promised to pay compensation for the inconvenience and expense to customers.

What are the potential implications for BA?

BA appears to have complied with its obligations as data controller under data protection legislation by attempting to notify affected customers and the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the attack. However, there have been reports of affected customers who were not notified of the breach, and instead found out about the risk to their data from media coverage.

This data breach will be investigated by the ICO and the police. The police will focus on the criminal element of the attack in an attempt to track down and identify the attackers whilst the ICO will focus on BA in order to determine whether or not BA could have or should have acted differently. The ICO will consider the complexity and sophistication of the attack to ultimately form a view as to the extent of BA’s culpability based upon whether BA had put in place adequate organisational and technical measures to keep data subjects’ data secure.

The ICO investigation will be a concern to BA and its parent company, IAG, given the potential for huge fines if significant wrongdoing is found. BA may be liable for fines of up to 4% of its global turnover.

If it is determined that the nature of the attack was an “interceptor” attack during the transfer of data, then very close attention will be focused on the third parties with whom BA shares personal data in order to deliver its services – in particular, payment processors. The GDPR requires that a written agreement is put in place which should, in theory, ensure that there are adequate protections to protect personal data throughout the transfer process. 

This is the first known major data breach to occur since the European Union’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 came into force on 25 May 2018. It is possible that this could be a test case for the ICO.

This incident highlights not only the importance of having in place appropriate procedures and security measures to avoid data breaches but also the need to have an effective disaster recovery plan specifically for a major data breach which can be initiated very quickly. Such a plan may include details of the reporting requirements under the GDPR and a communication strategy and PR management to protect the organisation post-attack.

If you would like to discuss GDPR or its potential implications for your business, please get in touch with a member of the commercial team.


Contract or no contract? That is the question.
Wednesday 22nd August 2018

Earlier this year the courts addressed whether a contract can be considered concluded and in effect without the parties physically signing the contract document. They also considered the importance of a properly drafted clause that imposes good faith obligations.

In Rosalina Investments Ltd and Rosalina Investments UK Ltd v New Balance Athletic Shoes (UK) Ltd, Rosalina held the rights to exploit the promotional and commercial activities and services of Marouane Fellaini, a Manchester United footballer. Rosalina had entered into a signed written agreement granting New Balance exclusive rights to use certain image rights associated with Fellaini in return for Fellaini providing certain services.

In July 2016 the agreement came to an end. At this point, the parties corresponded about the terms of a potential renewal or extension. Fellaini continued to promote the New Balance products, which New Balance had continued to supply despite the expiration of the agreement.

The parties negotiated the extension of the agreement for a period of six months before New Balance ended the relationship in January 2017, by notifying Rosalina of its decision not to approve the extension to the Agreement.

New Balance proposed to pay an amount based upon the terms of the proposed new contract up to January 2017 “in recognition of the services provided”; however, Rosalina issued proceedings claiming over £2 million in lost retainer and damages.

The conflict between the two parties was that New Balance argued that the contract could only be concluded by signature whereas Rosalina claimed the agreement had come into force on 16th September 2016, at the point when the final contract amendments had been approved and arrangements for signature were discussed via email.

Rosalina also put an alternative argument forward stating that if the new agreement was not deemed concluded from the evidence provided, New Balance would be in breach of the continuing good faith obligation drafted in clause 9.1 of the expired 2012 agreement.

The Court decided that there was no concluded agreement as at 16th September 2016. Having taken an objective look at all of the communications between the two parties, it was plain to see that the parties intended to be bound only when all parties had signed. When New Balance ended the relationship in January 2017, only Rosalina Investments Ltd had signed the contract. At this point it had not been signed by the other Rosalina entity, Rosalina Investments UK Ltd, nor by New Balance. As such, a claim for breach of contract was bound to fail.

It was also held that there was not any good faith obligation imposed on New Balance, as Rosalina were in the position of strength by holding the valuable rights. This implied an obligation on Rosalina not to negotiate with anyone else but it was not a mutual good faith obligation. However, even if it had been mutual, the obligation would have long since ceased before January 2017 when New Balance decided to end the sponsorship of Fellaini.

What does this mean for businesses going forward?

It is important to remember that the Courts will consider any such cases on their facts. Any and all communications or activities that have taken place between the parties prior to entering into a commercial contract will be considered. It is apparent that unless there is particular evidence provided that documents an intention to be bound by an unsigned contract, the Courts will be unlikely to accept a claim for breach of contract unless the contract has been signed by all parties.

Additionally, when there is a clause for the obligation of good faith during a negotiation period, it is essential that this is properly drafted. This includes consideration of the party’s position in the agreement in terms of the rights they are offering whilst also detailing a time limit for the obligation. It will not be recognised as legally binding in cases where the good faith obligation is open-ended, as that will be considered void for uncertainty.

If you would like more information on concluding contracts, please contact Michael Winder or another member of our Commercial team.


Procurement Remedies
Monday 30th July 2018

Regular readers of our blog will know that entities considered to be “contracting authorities” must abide by the Public Contracts Regulations 2015 (PCR).

The definition of contracting authorities in the PCR captures local authorities and government departments, the NHS, social housing providers and is also likely to include other bodies who spend public money if they are considered to be “bodies governed by public law”. If an organisation is considered a contracting authority and they do not comply with the PCR, what consequences may await them?

The consequences of breach will first of all depend on whether the contracting authority has already entered into the contract with a supplier or not.


Standstill Period

The regime provides for a standstill period after the contracting authority announces its intention to award the contract to the successful bidder. This is to enable unsuccessful bidders to consider whether they have been treated fairly or if they have a potential claim before the contract that they bid for is signed. Contracting authorities must not enter into the contract (or conclude the framework agreement) before the end of the standstill period.

The standstill period usually ends 10 days after the contracting authority sends a compliant award decision notice to all the relevant bidders.

Automatic Suspension

If the contract has not been entered when a court challenge has been initiated then, as soon as proceedings are issued, the completion of the contract is automatically suspended unless and until a court brings it to an end or the proceedings are determined, discontinued or otherwise disposed of.

Considerable case law has developed in respect of automatic suspension and continues to do so. If you have found yourself in this situation it is certainly recommended that you consult with your legal representatives early in the process to determine the options available to you. To broadly generalise though, in most cases the court has lifted the automatic suspension and it remains an uphill struggle for the claimant to maintain the suspension pending trial.


When an automatic suspension has been maintained, the court will decide whether damages or setting aside the award decision is the most appropriate remedy.

The relevant considerations as to the appropriate remedy for a court to apply were set out in the leading case of Mears Limited v Leeds City Council:

  • the time it would take to retender the services
  • the absence of any interim contract pending any retender
  • the possibility that an interim contract could be challenged on procurement grounds
  • whether damages would be an adequate remedy for the claimant

The level of damages will be determined according to the profits lost to the claimant as a result of the breach and associated costs. The court will take into account whether the claimant would have been awarded the contract in the absence of the breach or whether they have merely lost the opportunity to bid in a fair and transparent tender procedure. If the claimant has merely lost the opportunity, they will only be able to recover a proportion of the lost profit.

Case law has confirmed that damages are an appropriate remedy when:

  • the contracting authority fails to award a contract to the tenderer whose tender ought to have been assessed as the most economically advantageous offer
  • a breach of an obligation regarding evaluation requirements would have affected the conclusion of the tender process.

Ultimately, damages will only be awarded under the Regulations where the breach is serious.


If a contract has already been entered into before a challenge is raised, the remedies are more limited. Generally the claim will be for damages on the same basis as outlined above.

The other option, which is more limited in availability, and more draconian in application, is the declaration of ineffectiveness.

Declaration of Ineffectiveness

In declaring a contract ineffective, the court cancels the prospective obligations under the contract entered into. This is widely considered a draconian measure because it leaves a contracting authority without a contract in place, needing to procure a new contract, and at risk of being sued for breach of contract by the winning bidder and paying damages to the claimant.

With the exception of Northern Ireland, it has only been awarded as a remedy in one case in the UK to date.

There are 3 grounds for ineffectiveness, but the two most likely to be encountered are:

  • Where the contract has been awarded without the prior publication in the OJEU of a contract notice in circumstances where a contract notice was required (i.e. an illegal direct award); and
  • Where a contract is awarded without complying with the standstill or suspension rules AND there was a breach of the procurement rules that affected the chances of the claimant to obtain the contract BEFORE the contract was entered into.

The ineffectiveness remedy is absolute; there is no room for the court’s discretion. This means that if the court is satisfied that any of the grounds for ineffectiveness apply, it must make a declaration (unless one of the available exceptions applies).

If a declaration is made, the court must also issue a civil financial penalty (i.e. a fine) which is big enough to be effective, proportionate and persuasive – another reason why the declaration of ineffectiveness is considered draconian.

Get in touch with one of our Public Procurement Law experts to discuss any concerns you have with your tender submission process.


28 Days Later – The Public Procurement Version
Wednesday 18th July 2018

In a “post-Carillion” world, the subject of payment terms for sub-contractors has come to the fore again.

As avid readers of public procurement law blogs and legislation will know, the Public Contracts Regulations 2015 (“the Regulations”) require that payment of undisputed invoices must be made within 30 days by contracting authorities, and they must pass this obligation down to the tier one contractor.

Although the Regulations came into force in 2015, Network Rail have recently become notable as the first major contracting authority to introduce teeth to payment clauses for their contractors.

Network Rail’s new Terms and Conditions will require all tier one contractors to pay suppliers within 28 days of work and all cash retention policies will be abolished. Most importantly, Network Rail’s new terms mean contractors will face the consequences of being in breach of contract if they fail to comply. Previously, it was only a voluntary framework in place with minimal checks on contractors.

Although the penalties have not yet been decided by Network Rail it is an important step in the right direction towards ensuring that contractors who do not treat their sub-contractors fairly will face penalties. The plans also include a function to allow the tier two contractors to report directly to Network Rail if a tier one contractor is not complying with the payment terms.

Network Rail aren’t the only ones backing up their talk with tangible actions: Build UK and CECA have also proposed abolishing retentions on construction matters by 2023, and Peter Aldous MP has proposed a bill in Parliament that would see a retentions deposit scheme established.

These developments are of interest to contracting authorities because Network Rail has shown how this obligation in the Regulations can have teeth and be beneficial and not just be a “tick box” exercise. It should also be of interest to the private sector who can use Network Rail’s lead in pushing for good payment terms for sub-contractors. If you are a tier one supplier though – be aware this obligation may be coming your way.

If you would like to speak to a Procurement Law expert about your, please contact a member of our team


Seeing Red - CJEU rules that Louboutin red sole mark does NOT fall within absolute ground for refusal
Wednesday 13th June 2018

In a long anticipated decision, the CJEU has ruled that a mark consisting of a colour applied to the sole of a shoe is not covered by the prohibition of the registration of shapes since such a mark does not consist ‘exclusively of the shape’.

Article 3(1)(e)(iii) of the 2008 Trade Mark Directive (“the Directive”) is the absolute ground for refusal concerning signs consisting exclusively of the shape which gives substantial value to the goods. The description of the mark in question in the Louboutin case specifically states that the contour of the shoe does not form part of the mark and is intended purely to show the positioning of the red colour covered by the registration.

Still, the CJEU was asked to consider the question referred by the Rechtbank Den Haag, namely whether “shape” within the meaning of Article 3(1)(e)(iii) of the Directive was limited to the three-dimensional properties of the goods or whether it extended to other properties of the goods, in this case, the colour.

Although the detailed judgment is not yet available, the CJEU has provided some initial details in respect of their decision in a Press Release published today. They have confirmed that as ‘shape’ is not defined in the Directive the word should be considered using its ‘usual meaning in everyday language’. The mark in question does not seek to protect the shape of the sole of the shoe but the colour applied to the specific part of that product.

Whilst some will be waiting for the full judgment to examine the Judge’s deliberations it seems the result is clear and confirms what most of us already knew, that colour is not a shape.

If you would like to find out more on the topic please contact Elke Kendall or another member of our commercial team


The Care Quality Commission Catch-22 Dilemma; and How Our Dental Lawyers Solve the Conundrum
Thursday 17th May 2018

When compulsory registration with the Care Quality Commission (CQC) was introduced for dental practices in England, another stage in the buying process was also introduced. Given that it is unlawful to operate an NHS practice without CQC registration, buyers needed to add the CQC application to their ‘to do’ list when acquiring dental practices. 

Shortly after the introduction of compulsory registration, the CQC took the stance that it would not register any person or company for a practice if it did not have an interest in that practice. This created a catch-22 dilemma: you couldn’t own the practice until you were CQC registered and you couldn’t be CQC registered until you owned the practice.

This dilemma was artificially solved by the introduction of ‘letters of comfort’ (now referred to as the CQC position statement), in which the CQC confirms it has processed the application and intends to fully register the buyer following completion.

The next hurdle was introduced by the Local Area Teams (LATs). Upon submitting notices to transfer the NHS contract to a partnership name, the LATs began to request a copy of the CQC position statement. The LATs were looking to check that the CQC registration would be placed in the joint names of the seller and the buyer whilst the NHS contract was held by them as partners.

Specialist dental lawyers reacted with a solution, albeit a clunky one, that now involves multiple CQC applications when buying a practice. The seller is usually already registered at the practice; the buyer and the seller then apply to be registered as partners whilst the seller deregisters as an individual. Then, following completion, the buyer and seller deregister as partners and the buyer registers as an individual. This allowed for a CQC position statement to be issued showing the seller and the buyer registered in partnership.

Other than on a few troublesome occasions, this status quo has now continued for a number of years.

However, it looks set to once again become a problem.

In April 2018, the NHS updated its Policy Book for Primary Dental Services including a new paragraph relating to how the LATs should deal with applications for new partnerships as follows:  

“Commencement of the new contract should be made conditional on the new contractor being CQC registered. The CQC will issue a sales and transfer position statement document but this is no guarantee of registration. A practice cannot commence seeing patients until they have received their registration certificate with the regulated activities included.”

This appears to suggest that all LATs will require not a CQC position statement but instead full registration with the CQC.

As we know already, the CQC will not fully register anybody who does not yet have an interest in the practice. So once again, we have a catch-22. The LAT won’t add the buyer’s name to an NHS contract without CQC registration and the CQC won’t conclude the registration without the buyer having an interest in the practice.

Fortunately, the antics of some troublesome LATs in the Midlands mean we are already one step ahead this time. For some time, dental lawyers have encountered ‘rogue’ LATs, who have already been insisting on full CQC registration prior to the commencement of the partnership (and have been doing so for some time before the April 2018 amendment to the Policy Book). On these occasions, the following structure and process has been effective:

  1. Seller and buyer apply for partnership CQC registration.
  2. Seller and buyer enter into a partnership for the dental practice. This partnership leaves the NHS contract in the seller’s sole name but gives the buyer a 0.01% stake in the practice. A partnership deed is entered into making it clear that control and running of the business will continue in the sole name of the seller. This allows the parties to inform the CQC that they are now in partnership.
  3. CQC registers both seller and buyer jointly and the practice is then fully registered as a partnership.
  4. Notice is sent to the LAT to add the buyer’s name as a partner on the NHS contract. The LAT is provided with a copy of the full CQC registration.
  5. The LAT adds the buyer’s name onto the NHS contract.
  6. The original partnership mentioned in stage 1 above is amended on completion of the sale. The interests in the practice are reversed meaning the buyer has the benefit of a 99.99% interest in the practice and assumes control of the day to day running.
  7. The buyer then applies for individual registration with the CQC and the partnership CQC registration can be deregistered.
  8. Following completion, the seller’s name is removed from the NHS contract and the partnership is concluded.

We have yet to see whether all of these stages will be necessary and how individual LATs will interpret the amended Policy Book. However, it is clear that having a specialist dental lawyer involved in your sale or purchase, who understands these complex requirements, will be vital to ensure that your transaction proceeds smoothly.

The Brabners specialist dental team would be happy to answer any specific questions or concerns that you have.



Court rules Google must allow Businessman his ‘Right to be Forgotten’
Friday 27th April 2018

Last week, the High Court in London ruled in favour of a businessman who had been unsuccessful in his request for Google to remove search results regarding his conviction from 10 years ago of conspiring to intercept communications for which he spent 6 months in jail.

Google says that of the 2.4 million requests they have received since the European Court of Justice (ECJ) ruled in 2014 that “irrelevant” and outdated data should be erased, commonly known as the ‘right to be forgotten’, they have removed links to approximately 800,000 pages.

This claim against Google was brought by two businessmen, known by the Court as NT1 and NT2 due to reporting restrictions. NT1, who was convicted more than 10 years ago and spent four years in prison for conspiring to account falsely, was unsuccessful in his claim. The Judge, Justice Mark Warby, said that NT1 had continued to “mislead the public” whilst NT2 had shown remorse in respect of his conviction for intercepting communications.

Justice Warby noted that NT2’s conviction was not related to action taken by him against “consumers, customers or investors” and therefore ruled that Google must allow his ‘right to be forgotten’. The public interest reasons for maintaining the search results related to NT2 were not as strong as in NT1’s case where the Judge said the “information serves the purpose of minimising the risk that he will continue to mislead, as he has in the past”.

Google has said that it would accept the rulings and released the following statement:

“We work hard to comply with the right to be forgotten, but we take great care not to remove search results that are in the public interest. We are pleased that the Court recognised our efforts in this area and we will respect the judgements they have made in this case.”

It is important to note that although described as a ‘right to be forgotten’, Google is not actually removing the “irrelevant” information about an individual; they are simply removing a link to that information from their search results. Google complies with their ‘right to be forgotten’ obligations by having the individual concerned provide a list of the URLs they would like removed via an online form. Google then assesses each request individually and decides whether it is in the public interest for the search result to remain; they do not conduct their own search on the individual.

This ruling demonstrates the Court’s willingness to consider and balance the impact of a historical record on the individual against the right of search engine providers, such as Google, to maintain search results that are in the public interest. This case is likely to see a wave of new applications to the Court and it remains to be seen whether Google’s approach to requests for the removal of links may soften in light of this ruling.

For more information on the topic, please contact Elke Kendall on 0151 600 3149 or via email


Procurement Policy Notice: New CCS Guidance
Monday 16th April 2018

The Crown Commercial Service (CCS) has published new guidance on supply chain visibility (April 2018) (PPN 01/18) to coincide with the Cabinet Office’s announcement of a range of initiatives intended to make it easier for SMEs to win government contracts. The initiatives aim to make the process more transparent and accountable. The CCS have also launched a consultation as to whether it would be appropriate to exclude suppliers that cannot demonstrate a fair, effective and responsible approach to payment in their supply chain; this closes at 11:45pm on 5 June 2018.

PPN 01/18 is relevant to new procurements from 1 May 2018 and applies to central government departments, their executive agencies and non-departmental public bodies. From 1 May 2018 if a contracting authority is tendering a public contract valued at above £5m per year and is subject to the Public Contracts Regulations 2015 (PCR 2015), SI 2015/102 they must include provisions requiring suppliers to:

  • Advertise subcontract opportunities (post contract award) valued at above £25,000 on Contracts Finder; and
  • Provide reports on how much they spend on subcontracting and how much they spend with SME and VCSE organisations to deliver the contract.

Contracting authorities must ensure they are complying with these new rules on supply chain visibility with a view to ensuring more SMEs are winning government contracts.

If you would like further information about this or public procurement law, please contact Elke Kendall on 0151 600 3149 or via email at


Selling a dental practice that operates under either an expense sharing or partnership agreement
Friday 13th April 2018

It is not uncommon to encounter expense sharers or partnerships with either no documentation governing their relationship or alternatively agreements that have not been professionally prepared and may not be fit for purpose.

Before even considering selling the business (which could be either the whole of the business or your individual share) it will be beneficial to formally agree your everyday working arrangements and a clear pathway to retirement or sale.

If you do have an agreement already in place, you should review it to ascertain whether it clearly sets out the procedure for sale or retirement. The agreement may require you to offer to sell your share of the practice to colleagues in the first instance before you can market it externally.

Property considerations are also important. You will need to establish whether the property from which you operate the practice is occupied under a lease or a freehold. In most instances, there will need to be some form of transfer of the property to the new occupier. It is likely that your colleagues will need to be a party to any transfer documents and you may need to contribute towards the costs of them obtaining independent legal advice.  

You would need to establish whether your partners or expense sharers also want to sell. It may be that you can achieve a better price if you sold the entire group as a single business, rather than just your share.

If you are selling as a group, careful consideration will have to be made as to who is going to be responsible to the buyer and for what. You will each be receiving money for your respective interests in the business. Ideally you would only wish to give a warranty to the buyer for matters within your own control. This could result in what is seemingly more work, as each seller will need to give their own full and complete set of responses to enquiries. However, this should not be a cause for concern as this will be for your own benefit, as you don’t want to be held legally responsible for promises made by your colleagues without your knowledge or consent.

If you are selling just your part of the practice (or your own business within an expense sharing arrangement), although not essential, it is often important to find a buyer that will fit in. This is not so much a legal consideration but a practical one. If you discover that your buyer and colleagues cannot get on half way through the selling process, the buyer may withdraw from the transaction, which will mean wasted fees and expenses.

Your buyer will also probably need to enter into new partnership and expense sharing agreements with your current colleagues as part of the completion process, which is something you may wish to address early in the negotiations.

Brabners have a specialist dental law team and will be able to assist with reviewing or preparing partnership or expense sharing arrangements which can ensure that future plans for retirement or sales run smoothly. Whether you are looking to make the move now or at some point in the distant future, getting the right advice can mean fewer disputes and lower stress levels when it comes to selling.

For more information please contact Nicola Lomas on 0151 600 3321 or via email


Now you fee me, now you do?
Friday 16th March 2018

The General Data Protection Regulation (GDPR) introduces many new obligations and represents a significant regulatory burden for organisations. In one respect however, it had been sold as lifting a key burden. The GDPR specifically calls for the abolishment of any “general obligation to notify the processing of personal data to the supervisory authorities.” In the recitals, the GDPR notes that such general obligations, of which the current UK system is an example, can produce administrative and financial burdens, without actually contributing to the effective protection of personal data.


Under the Data Protection Act 1998, all data controllers are currently required to register (or ‘notify’) with the Information Commissioner’s Office (ICO). A fee must be paid at the time of registration, and every subsequent year in order to maintain the registration.

The current fees are set by the Data Protection (Notification and Notification Fees) Regulations 2000 (the 2000 Regulations). The 2000 Regulations contain two tiers of fee for data controllers:

Tier 1 (controllers with a turnover of less than £25.9 million or fewer than 250 staff) - £35

Tier 2 (controllers with a turnover of at least £25.9 million and 250 or more members of staff) - £500

The level of the fee was set by the Secretary of State for Digital, Culture, Media and Sport (DCMS), specifically with regard to offsetting the costs incurred by the ICO in carrying out its data protection functions.

The new scheme

Despite the attitude of the GDPR to such notification requirements and financial burdens, the Digital Economy Act 2017 (DEA) makes provision to allow the Secretary of State for DCMS to set new fees to be paid by data controllers under the GDPR regime. Similarly to the former regime, the Secretary is to have regard to offsetting the ICO’s expenses incurred in performing its data protection functions. The Data Protection (Charges and Information) Regulations 2018 (the 2018 Regulations), laid before parliament last month, set the level of the new fees.

Under the new regime there will be three, rather than two tiers of fee:

Tier 1, micro organisations, includes charities, small occupational pension schemes and those controllers having a turnover of £632,000 or less, or having fewer than 11 staff - £40

Tier 2, small and medium organisations, includes those controllers that do not fall within tier 1 and have a turnover of £36 million or less, or have 250 or fewer staff - £60

Tier 3, large organisations, includes all controllers that do not fall into either tier 1 or tier 2 - £2,900


Given that most data controllers that were paying £500 under the older system will fall into the new tier three, this represents quite a significant raise. If, for example, the £500 fee had risen with inflation, it would still only be £623.61.

The explanatory notes to the 2018 Regulations explain the extraordinary rise as reflecting the increased level of information risk presented by tier 3 controllers and the income required for the ICO to perform its new functions under the GDPR.

Though there is undoubtedly a more significant information risk for controllers under the GDPR regime than under the current rules, it appears that it is budgetary considerations that may have driven the tier 3 fee so high. A study undertaken by DCMS in 2016 projected that the ICO’s funding requirement for 2016/17 would be approximately £19 million. The financial forecast for 2018/19, the first year under the new GDPR regime, puts the ICO’s income requirement at £30 million.

Many organisations will be disappointed by the level of the new fees. Draft texts of GDPR, available for a number of years, had trailed the abolition of the fee which had been viewed as a small silver lining in a piece of legislation that would result in a significant compliance burden for businesses. Though increased accountability measures and stricter procedures will not result in any financial saving for organisations, the new fee may mean that the ICO will not feel the need to resort to the maximum possible fines of €20 million or 4% of global annual turnover for funding.