ARTICLE
19 May 2025

Outsourcing Spotlight – Spring/Summer 2025

TS
Travers Smith LLP

Contributor

Travers Smith LLP logo
It’s not just law at Travers Smith. Our clients’ business is our business. Independent and bound only by our clients’ ambitions, we are wherever they need us to be. We focus on key areas of work where we are genuinely market leading. If it’s hard – ask Travers Smith.
Explore Firm Details
Welcome to the fourth edition of Travers Smith's Outsourcing Spotlight. In this issue, we look at whether a possible change in the approach to equal pay could undermine incentives to outsource.
United Kingdom Employment and HR
Tim Gilbert,Adam Rice,Moji Oyediran
+17 Authors
 Your Author LinkedIn Connections

Welcome to the fourth edition of Travers Smith's Outsourcing Spotlight. In this issue, we look at whether a possible change in the approach to equal pay could undermine incentives to outsource. We also discuss the implications of the UK Government's Immigration White Paper, new legislation on premises and consumer-facing outsourcings and take an in-depth look at longer term outsourcings. Last but not least, we provide a roundup of relevant developments on contract law, AI, tech and data.

1. Call for evidence on equal pay: a threat to outsourcing?

The UK government has published a call for evidence on proposals which could have a significant impact on outsourcing. The proposals are designed to strengthen equal pay rights for workers on the basis of sex, gender and disability generally. However, one of the suggestions is to introduce measures to prevent outsourcing from being used to avoid equal pay.

What is being considered?

Under the Equality Act 2010, women are entitled to the same pay as men who are doing the same work or work of equal value (and vice versa). However, the right currently only applies where the man and woman are employed by the same entity or entities under common control. The government is exploring whether it should allow outsourced workers to compare themselves with 'in-house' employees of the client for the purposes of establishing equal pay rights. This could mean that outsourced service providers and/or businesses that outsource services face equal pay claims from employees of the service provider.

What would be the impact?

Whilst the Government's desire to promote fair pay is laudable, there are many legitimate reasons why staff at outsourced service providers may be paid less than comparable employees at the customer for the service e.g. staff employed by the service provider may generally be less highly qualified or need/want to work more flexible hours. Although cost is often a driver in outsourcing transactions, there are also many other reasons why customers look to outsource, such as access to service providers' expertise and economies of scale (both of which are often only achievable because the service provider acts for numerous other businesses as well). By raising the possibility of equal pay comparisons between the customer's staff and those of the service provider, the measures being explored could deter parties from pursuing outsourcings.

How should businesses respond?

The proposal is subject to consultation but reflects an election manifesto commitment of the Labour Party to implement measures to prevent outsourcing being used to avoid equal pay. The call for evidence is open until 30 June 2025. Businesses and service providers concerned about the impact are encouraged to respond directly – or alternatively, we can feed any comments through the response of industry bodies.

For further information, please contact: Tim Gilbert or Adam Rice

2. What does the UK Government's Immigration White Paper mean for outsourcing?

On 12 May 2025, the UK Government published a White Paper setting out plans to reduce net immigration to the UK. By making it more difficult for employers to recruit overseas workers on relatively low or minimum wage salaries, the Government hopes to drive up wages to a level where more UK citizens (particularly those not currently in work) would be attracted into the job market.

Impact on recruitment for outsourced service provision

To achieve these goals, the Government proposes a significant tightening up of the existing system. This may have implications for certain types of outsourced service provision, particularly in labour-intensive sectors such as social care or hospitality, where many service providers rely on immigrant workers for a substantial proportion of their staff. In particular, the following proposals are likely to impact on recruitment of new staff from outside the UK:

  • Closure of the adult social care visa route to overseas recruitment
  • Restricting the Skilled Worker visa route: both the minimum salary level and the required skill level for Skilled Worker visas will be raised. In practice, this last change is likely to remove certain occupations from the current list altogether – potentially around 180 jobs based on the government's own estimates. Although the White Paper does not indicate exactly which occupations are under threat, the current list includes the following which may be relevant to outsourced service provision across a range of sectors: some (but not all) care workers, workers with various construction skills, service managers, call centre managers, computer programmers, web designers, IT managers and chefs.
  • Increasing English language requirements: this is likely to reduce the pool of potential overseas recruits.

What about existing non-UK staff?

The White Paper proposes to increase the amount of time that those already in the UK on work visas need to live here before they can apply for "settled status" from 5 years to 10 years. This may mean that some individuals may choose to return home, in preference to seeking the right to remain in the country over the longer term. It would also mean increased costs for employers to cover visa extension fees for employees for longer periods on temporary visas. That said, the Government has promised to consult on a faster "earned settlement" route, offering a shorter pathway to settled status based on contributions to the UK economy and society. As regards adult social care, the White Paper states that there will be a transition period until 2028 where visa extensions will be permitted (as will changing from one visa category to another).

How will customers of outsourced service providers be affected?

Outsourced service providers are already facing increased staff-related costs from the rise in Employer's NICs. If, as the Government clearly hopes, they decide to raise salary levels in order to attract sufficient domestic staff to fill vacancies (and reduce reliance on non-UK staff), service providers may well look to pass the extra cost on to their customers. That said, as the CBI has pointed out, recruitment from overseas is neither a cheap nor a straightforward option for employers because of the need to apply for visas and pay relevant government filing fees (particularly if, as proposed, the Immigration Skills Charge is increased from £1000 to £1320 per year of the relevant visa, which comes on top of previous increases to filing fees earlier this year).

It may be that the more significant risk for customers is that, without access to immigrant workers, some outsourced service providers are simply unable to fill some vacancies (due to e.g. lack of relevant skills in the domestic workforce). This in turn could lead to increased problems with service delivery. Whilst the Government proposes that increased fees for work visas would be used to fund training programmes designed to address skills deficits, these are likely to take time to deliver results, which could result in a mismatch between the needs of the economy and the labour force available to employers.

What's the timing?

With a few exceptions, the exact timing of many of the proposals remains unclear. Some of the measures - such as those relating to settlement in the UK - will require further consultation or changes to legislation. As regards others, such as changes to the Skilled Worker visa route, the Government will need to ask the Migration Advisory Council to advise on the detail before it can act. As a result, these may take longer to implement. However, certain other rule changes could be made relatively quickly if the Government wished to do so.

For more detail on the proposals, see our briefing "Immigration White paper – proposed immigration changes".

For further information, please contact: Tim Gilbert, Katie Good or Moji Oyediran

3. Premises outsourcings: new protection from terrorism measures

The Terrorism (Protection of Premises) Act 2025 (which received Royal Assent on 3 April 2025) will require those in control of certain specified types of premises to take measures designed to protect individuals in the event of a terrorist public and to notify the Security Industry Authority. Providers of outsourced services relating to property and/or events (e.g. facilities/event management, security etc) should consider whether their activities are caught by the legislation and if so:

  • the extent to which they will be legally responsible;
  • what needs to be done to comply; and
  • who will pay the cost of additional compliance measures.

Which premises are caught?

The Act will apply to premises used for one or more specified purposes where it is reasonable to expect at least 200 individuals to be present at one time. For the full list of specified purposes, see our detailed "Terrorism protection of premises act 2025" briefing, but the following are likely to be covered, provided that they meet the size requirement:

  • retail premises
  • restaurants and bars
  • theatres and cinemas
  • leisure centres and other entertainment or recreation facilities
  • sports grounds
  • libraries, museums and galleries
  • conference centres, exhibition halls and similar venues
  • visitor attractions
  • hotels
  • holiday parks
  • places of worship
  • hospitals and other health care facilities
  • transport facilities such as bus or railway stations (unless already subject to security regimes – see under exclusions below)
  • schools, further education colleges, universities and other educational or childcare facilities

Which events are caught?

For an event to be caught, it must be expected to draw at least 800 attendees and be held at premises which are not subject to the enhanced duty (see below). It must also be open to the public and there must be measures to check entry conditions are met e.g. ticket checks.

Are there any exclusions?

Yes – among other things, parks, gardens and recreation grounds are excluded, as are various transport facilities which are already subject to security regimes (e.g. certain airports, ports or railway stations). For the full list of exclusions, see our detailed briefing. As regards events, the exclusions are fairly limited, but events held at premises used primarily as places of worship and for primary, secondary or further education will normally be excluded (but there is no exclusion for events held in parks etc).

Enhanced duty for larger premises

Larger premises – where it would be reasonable to expect that at least 800 people might be present at one time – will be subject to an enhanced duty. This will require them to take additional measures to reduce both the vulnerability of the premises to acts of terrorism and the risk of physical harm to individuals from such attacks. For more information, see our "Terrorism (Protection of Premises) Act 2025" briefing.

Who will be responsible?

The responsible person is the person who has control of the premises in relation to their specified use (see above). In some instances, this may be the provider of outsourced property management services. Even where that is not the case, an outsourced service provider is often likely to be regarded as having at least some degree of control over the premises – which means they will be required to cooperate with the responsible person, so far as reasonably practicable. For more discussion of this point, see the detailed "Who is the responsible person?" section of our briefing on the Terrorism (Protection of Premises) Act 2025..

Who will pay for any additional measures?

This will depend on what the contract says. Increased compliance costs due to changes in the law will often be dealt with in the change control provisions and the liability for them may depend on whether the changes are generic across the industry, which would apply to this Act, or specific to the contract in question.

When will the legislation come into effect and what does compliance involve?

The Act is not expected to be brought fully into force for at least 24 months, to allow time for affected parties to work out how best to comply. However, as noted above, the new obligations may have an impact on costs and some preparatory work is likely to be required, particularly for larger premises subject to the enhanced duty. Statutory guidance is expected to be made available before implementation.

For more information on all the above (including links to helpful factsheets on the legislation), see our "Terrorism (Protection of Premises) Act 2025" briefing.

For further information, please contact: Emma Pereira or Sarah Quy

4. Consumer-facing outsourcings: who is liable for breach of consumer law?

With most of the consumer law provisions of the Digital Markets, Competition and Consumers Act 2024 (DMCC Act) now in force, the risks for both customers and service providers involved in consumer-facing outsourcings – such as call centre operations – have increased dramatically. Among other things, businesses found to have infringed consumer law face the prospect of substantial fines of up to 10% of annual turnover (for more detail, see section 2 of Outsourcing Spotlight Autumn/Winter 2024).

Who will be liable?

In an outsourcing context, one of the key questions is: who will be liable under the new regime? In particular, will enforcement focus primarily on outsourcing customers with consumer-facing businesses – or will service providers be targeted as well? Legally, it is certainly possible for enforcement action to be taken against service providers. This because the concept of "trader" in the Act includes "a person acting in the name of, or on behalf of" the outsourcing customer, for purposes relating to that customer's consumer-facing business.

But in practice, how likely is it that the UK Competition and Markets Authority (CMA) or other regulators would look to enforce against, say, the service provider for an outsourced call centre? Our view is that for the most part, regulators will tend to focus their enforcement efforts on the outsourcing customer – but there are plausible scenarios where service providers could be in the firing line:

A fictional example: service provider at fault over fake reviews

The outsourcing is for a business which markets itself heavily on the quality of its customer service – as demonstrated by the high number of 4-5 star reviews. Operation of the call centre for the business' customer service operation is outsourced. The service provider's staff receive bonuses calculated in part by reference to the number of reviews of 4 stars or above that they obtain from customers. Some staff have been faking reviews to improve their chances of getting a bonus (fake or misleading consumer reviews are prohibited by the DMCC Act – see this briefing). Faced with this set of facts, it seems to us that the CMA might well decide to enforce against the service provider as well as its customer.

This example also serves to highlight the importance for outsourcing customers of ensuring that service providers take adequate steps to comply with the new legislation – and are alive to risks such as fake reviews which may arise from their own staff.

Don't forget director liability

Finally, remember that liability for consumer law infringements isn't confined to the relevant business. The DMCC Act also allows directors and managers to be fined up to £300,000 where the infringing conduct took place with their "consent or connivance". So far, the CMA has not provided much guidance on when it might use these powers.

However, we would expect it to at least consider using them where there has been a serious breach of consumer law and there is strong evidence that the director or manager either:

  • knew that the conduct was very likely to amount to a serious breach; or
  • didn't appear to care whether it would breach the law.

For further information, please contact: Richard Offord, Jonathan Rush, Stephen Whitfield or Theordora Zagoriti

5. Sexual harassment by third parties: are you doing enough?

In October 2024, a new duty was imposed on employers in the UK to prevent sexual harassment – including an obligation to take reasonable steps to protect employees from such harassment by third parties.

How is this relevant to outsourcing?

Both parties to an outsourcing are now under a duty to protect their own staff from sexual harassment by the other party's staff. In an outsourcing context, the most obvious scenario where such conduct could occur would involve physical interaction between staff of the customer and the service provider – either in the delivery of outsourced services (e.g. cleaning, catering, property management or security) or in a face-to-face meeting of contract representatives e.g. to review recent performance. However, it should not be assumed that sexual harassment is only a risk where staff of the customer and the service are physically present in the same space. On the contrary, technology such as chat functions and video calling, as well as social media and messaging services such as WhatsApp, provides ample opportunity for various forms of sexual harassment, even where most interactions between staff of the customer and those of the service provider take place remotely.

As we explain in our recent "Preventing sexual harassment: Are you doing enough?" briefing, it is important for both customers and service providers to be alive to the risks and take appropriate steps to mitigate them. These may include:

  • communicating anti-harassment policies to third parties;
  • including appropriate wording in contracts/codes of conduct;
  • considering whether indemnities in relation to third party sexual harassment claims are appropriate; and
  • putting processes in place so that victims of third party sexual harassment can report it (and are encouraged to do so).

Service providers in particular may increasingly face questions from existing and potential customers about what they have done to comply – and they should also consider asking the same questions of their customers (particularly given that, in terms of the dynamics of the relationship, staff at the customer may see themselves as holding a degree of power over staff providing an outsourced service).

For further information, please contact: Tim Gilbert or Anna West

6. Long term outsourcings: practical lessons from 20+ years of PFI deals

Long term outsourcings can be high risk. If they don't work out, the customer may find itself locked into a deal which is poor value and doesn't meet its needs, whilst the service provider may struggle to make the relationship profitable. So it's worth looking at the lessons from a similar type of long term contract, namely PFI deals – where the Government-commissioned White Fraiser report provides some interesting food for thought for both customers and suppliers.

What is PFI and how is it similar to outsourcing?

The Private Finance Initiative (PFI) was used by the last Labour Government to involve the private sector in building and maintaining new public infrastructure, from hospitals and schools through to parts of the road network, street lighting and waste management. The maintenance aspect means that these deals typically have an ongoing service element and in that respect, they can be regarded as a form of outsourcing – albeit that they are typically focussed around the asset that the PFI deal was used to create in the first place and the customer will normally be a public body. Their long-term nature also means that consideration needs to be given to the evolution of the contract over time (in response to changing market conditions and changing customer needs) and how the parties should exit the deal. In all these areas, the White Fraiser report – which was commissioned in response to concerns about "negative working practices" in PFI deals - provides some useful practical lessons for both suppliers and customers in outsourcing transactions.

Lesson 1: maintaining goodwill and some degree of flexibility is key

The report recognises that complex, long term contracts often encounter issues that were not fully anticipated at the time of drafting – and that as a result, a degree of flexibility is generally needed to ensure that the relationship between the parties continues to work effectively over time. This typically requires the maintenance of a reasonable level of goodwill – because over the life of the contract, both parties are likely to have occasions where one will need to ask the other to refrain from standing on their strict contractual rights.

As regards PFI, the report notes that where customers have suddenly switched to a more rigorous approach to contract management, sometimes with little explanation, such goodwill has often been lost. This in turn has prompted suppliers to adopt a less flexible approach.

At the same time, the report warns suppliers against underestimating the degree to which customers become frustrated by issues such as "variations taking too long and not being addressed with any urgency" or long delays in addressing problems which are not subject any penalties or deductions for under-performance. It points out that such behaviour often exhausts the goodwill of customers, leading them to conclude that they have no choice but to resort to stricter enforcement of the contract.

A bigger role for good faith?

From a contract drafting perspective, the report's findings might suggest that parties should consider placing greater reliance on contractual obligations to act in good faith. Typically, PFI contracts only made fairly limited use of good faith, in relation to issues such as refinancing or force majeure (see, for example, this Treasury document). In recent years, however, the courts have become somewhat more receptive to the concept of good faith (whereas historically there was often a concern that in some contexts, it would be regarded as too uncertain to enforce). There may be scope to make wider use of good faith with a view to deterring conduct likely to undermine goodwill in the relationship. However, parties should be cautious about applying it very widely, throughout the contract (for example, it may not be appropriate to apply it to termination rights).

Lesson 2: both sides need to put effort and resources into active contract management

A key recommendation of the report is that, in order to maintain goodwill, both parties need to invest in contract management. In particular, it notes that whilst PFI contracts are self-reporting i.e. the supplier is obliged to provide various performance metrics to the customer (as is the case with many outsourcings), that does not mean that they are self-monitoring. Insufficiently rigorous monitoring by customers has in some cases allowed problems to continue unaddressed, with customers only taking an active interest once matters have reached crisis point.

In our experience, this type of scenario is not uncommon in an outsourcing context, because part of the customer's rationale for the transaction is often to allow it to concentrate on other, core activities. Understandably, therefore, the customer does not want to have to spend significant amounts of time continuing to supervise the activity which has been outsourced. However, as the report points out, the reality is that complex, long-term contracts typically require oversight by staff at the customer with some understanding of the issues facing the supplier – and that customers which divest themselves of all expertise in this area often come to regret it.

Suppliers: some behaviours to avoid

Turning to private sector suppliers, the report is particularly critical of the following practices, noting that suppliers sometimes seemed to under-estimate the degree to which this type of behaviour undermines goodwill:

  • Suppliers prioritising the resolution of commercial issues with their supply chains before addressing the reported issue (referred to by some as "fight first, fix later");
  • Goodwill being used as a bargaining chip, with the threat of withdrawal of goodwill being used to discourage customers from exercising their contractual rights;
  • Self-reporting in a "self-serving" manner, with no or minimal deductions made for failure to meet performance targets; and
  • Generalised reassurance being offered on issues when a more rigorous approach to delivery is what is required.

Lesson 3: pick your battles carefully when it comes to strict compliance with the contract

A common complaint from customers was that some PFI suppliers were overly focussed on achieving strict compliance with the contract, at the expense of responding to the customer's operational priorities at the time. An example would be a supplier insisting on its contractual right to access a particular area to carry out a repair at a time when the customer is undergoing a significant internal reorganisation. Whilst the supplier may be legitimately concerned about failing to meet its contractual obligations, the customer may prefer to have the work delayed until that exercise is complete. In many cases, the customer is unlikely to be able to impose penalties where the cause of the delay was its own failure to grant access – so the supplier's concern here may be misconceived. However, it may be an understandable reaction if the customer has been engaging in overly strict enforcement of the contract.

Excessively rigorous enforcement by customers

The flipside of this was suppliers complaining about customers engaging in overly strict enforcement of the contract against them, in a manner which does little to achieve the customer's key objectives. An example would be a supplier which has responded to a customer's request to prioritise certain tasks later being penalised for a failure to meet KPIs on various other less critical tasks (from which it may have had to divert resources to meet the customer's priorities). The report noted a tendency for this to happen where, for example, consultants are brought in to secure cost savings, without having regard to the impact on the wider relationship (and particularly where the consultants are remunerated in part by reference to the savings they achieve or the monies they are able to recover for the customer).

Lesson 4: Disputes: make sure you have a strategy

Although maintenance of goodwill is clearly important, the report recognises that there will be occasions where the terms of the contract need to be enforced – including by reference to dispute resolution mechanisms. At the same time, it acknowledges that formal disputes are typically damaging to goodwill – and have often resulted in a situation where, after the dispute, "one or both parties...managed the [contract] in a strictly contractual (rather than relational manner), leading to a significant reduction in willingness of the relevant party to 'go the extra mile' or find solutions to unforeseen circumstances."

Preserving goodwill in the event of a dispute

But for that very reason, the report emphasises the importance of having a clear strategy before going into a dispute, where possible with a view to minimising and containing the damage to goodwill. Among other things, it recommends:

  • Seeking to resolve as many issues as possible informally so that the dispute is confined to a discrete set of problems where a formal DR process appears to be the only way forward;
  • Focussing on "needs", rather than "wants", when considering what a "win" would look like; and
  • Planning for life after the dispute has ended e.g. using it as an opportunity for a "reset" of the relationship, aimed at avoiding further disputes in future.

Lesson 5: Think carefully about exit at the drafting stage and keep it under review

Most complex, long term outsourcing transactions require consideration to be given to what should happen on exit. Whilst not specifically highlighted by the White Fraiser report, one problem that has arisen with PFI deals is that the contract typically only requires a survey of assets to be undertaken 18-24 months before they are due to be handed back to the customer. In practice, this is generally too late to allow remedial action to be taken to rectify problems. From the customer's perspective, the exit provisions would ideally have provided for a survey around 5 years prior to expiry (as highlighted in Government guidance to public sector customers on PFI expiry). This underlines the importance of thinking carefully about the practicalities around exit and keeping it under review (so that if deficiencies become apparent at a later stage, action can be taken to address them and the parties do not remain locked into an inadequate exit framework).

Don't forget the outsourcing opportunity from PFI expiry

Finally, don't forget that, as we highlighted previously (see the Public sector roundup section of Outsourcing Spotlight, Autumn/Winter 2024), PFI expiry presents an opportunity for private sector service providers to take over provision of related services on an outsourced basis, once the relevant asset has been handed back to the public sector customer (who may not have the capability to manage the relevant asset). For more information on PFI expiry generally, read our "Expiry of PFI deals: risks and opportunities" briefing.

For further information, please contact: Richard Brown, Louisa Chambers, Helen Reddish or Jonathan Rush

7. Artificial intelligence and the Trump effect: will the UK regulate?

Whilst artificial intelligence has the potential to be a game-changer when it comes to technology-focussed outsourcings, it also carries risks. This has led some jurisdictions (such as the EU) to regulate, whereas others (notably the US and the UK) have been slower to act, favouring reliance on existing legislation and expressing more concern about the potential chilling effect of regulation – see below for more discussion of this aspect. The upshot is that the onus remains very much on the parties to outsourcing transactions to manage the risks appropriately – see the "AI in service supply and outsourcing contracts: managing the risks" briefing for more detail on the key issues to consider.

The Trump effect on AI

The emphasis on deregulation under the Trump administration and the threat of tariffs has undoubtedly impacted AI regulation on this side of the Atlantic too. At the AI Action Summit in Paris in February 2025, the US and the UK refused to sign the AI Declaration on "inclusive and sustainable" AI. US Vice President, JD Vance, decried Europe's "excessive regulation" of AI at the summit. The UK representative referred to a lack of clarity on global governance and national security issues. In the wake of the summit, the EU also withdrew the AI Liability Directive from its 2025 work programme. Meanwhile, the delay to the UK's AI Bill has also been attributed to "the Trump effect".

What is the UK doing about AI regulation?

There is still no UK AI Bill. Given the current geopolitical climate (see above), it is likely to be delayed (a timeframe of "within 18 months" was mentioned by the data minister, Chris Bryant, in March 2025) and we can expect it to focus on the largest general-purpose AI models.

At the start of the year, the UK Government announced a new drive in its AI Opportunities Action Plan to accelerate the UK's AI development economy and to promote broader and more rapid AI adoption by the public and private sectors.

While we may not see specific AI legislation in the UK for some time, there is nevertheless a steady flow of AI guidance emerging from UK regulators to help organisations develop and use the technology in compliance with existing laws. For example, from a data protection law perspective, in recent months the Information Commissioner's Office published its response following an extensive consultation on generative AI models, specific guidance on AI's use in recruitment, and its views in response to the Government's consultation on data scraping.

Data scraping for training generative AI

The UK Government is grappling with the thorny copyright issues involved in training AI models on scraped data, attempting to find a compromise between AI innovators and IP rightsholders. It ran a consultation, which closed in February 2025, seeking views on a set of proposals to extend the current text and data mining (TDM) exception to UK copyright law to enable AI training for commercial purposes, but subject to rightsholders having the right to opt out. As part of these proposals, AI developers would also be required to disclose training material sources. The proposals have met with significant resistance from the creative industries, and there is pressure to include provisions addressing AI and copyright in the Data (Use and Access) Bill.

Don't forget the EU AI Act

Finally, don't forget that whilst the UK seems to be taking its time on AI, the EU has already put regulation in place. Parties involved in outsourced services directed at individuals or businesses in the EU should note that the following aspects of the EU AI Act came into effect from 2 February 2025:

  • The AI literacy requirement (an obligation to educate and train staff interacting with AI); and
  • the ban outlawing unacceptable systems under the EU AI Act.

Read our "The EU AI Act: the countdown begins – what you need to know" briefing for details of what and who are in scope. The extensive obligations on new high-risk systems and transparency requirements do not apply until 2 August 2026. However, organisations will need time to prepare to meet these requirements.

For further information, please contact: James Longster or Helen Reddish

8. Data protection: what's the latest on reform of UK regulation?

UK data reforms in the pipeline

The Data (Use and Access) Bill (DUAB) is currently making its way through Parliament. It sets out limited data protection reforms, scaling back on some of the reforms from the previous government's Data Protection and Digital Information Bill. It is likely to require few changes to data protection compliance on the ground but introduces greater flexibility to rules around automated decision-making to support AI adoption and innovation. It also aligns the penalties under the Privacy and Electronic Communications Regulations (marketing and cookie laws) with those under the GDPR. Our "The Data (Use and Access) Bill – limited data protection reforms in the pipeline" briefing describes the key changes from a data protection perspective.

New data schemes

The DUAB also sets out a statutory framework for three data schemes (which all require secondary legislation to trigger obligations and fill in the detail):

  • Digital verification services (DVS) - The DUAB will require the Secretary of State to publish a DVS trust framework, outlining rules for providing digital verification services. Organisations will be able to obtain certification against this government framework, receive a trust mark and there will be a publicly available register of certified DVS providers. This could help businesses to streamline digital identification processes, such as pre-employment and Know-Your-Client (KYC) checks.
  • A national underground asset register (a digital map of pipes and cables).
  • Smart data schemes - These are schemes which allow customer data, held by a company or other organisation which provides goods or services to that customer, to be shared with a third party at the customer's request. The objective is to open up the market for more innovative data-enabled services, build upon the success of Open Banking and extend it to other sectors.

EU adequacy decisions in favour of the UK extended

The EU's adequacy decisions in favour of the UK, which allow the free flow of personal data from the EU to the UK, were due to expire on 27 June 2025. The Commission has proposed to extend the effect of the decisions until 27 December 2025 to allow the UK time to finalise the Data (Use and Access) Bill.

Data protection and the Trump effect

There is some concern that the future actions of the Trump administration could undermine the Data Privacy Framework (DPF). The DPF is important because it allows personal data to flow freely from the EU to US companies that have signed up to the DPF. The UK has implemented a similar framework for UK to US transfers, which "piggy backs" on the DPF. The concern stems from certain measures that are perceived to chip away at the independence of oversight bodies. No steps have been taken so far which are likely to be sufficiently fundamental to cause the invalidation of the DPF and it is in the US' commercial interests too that the DPF is preserved.

For further information, please contact: Louisa Chambers or Helen Reddish

9. Cyber-security and tech update: ransomware payments, new cyber measures and the EU Accessibility Act

Ransomware consultation

Ransomware is currently very much in the news, with high profile names such as Marks & Spencer suffering considerable disruption from cyber-attacks apparently motivated by ransom demands. In January 2025, the UK Government launched a consultation on three measures, which aim to undermine the ransomware business model – making UK businesses less profitable for cybercriminals to target - and improve the Government's intelligence around ransomware threats. The proposals are:

  • a targeted ban on ransomware payments, covering public sector bodies and owners/operators of critical national infrastructure (although the consultation asks if the ban should cover essential suppliers to those sectors too);
  • a payment prevention regime which requires ransomware victims to report their intention to pay a ransom to enable to Government to prohibit certain payments; and
  • a mandatory incident reporting regime.

Our "Will the UK legislate to curb ransomware payments?" briefing describes the proposals and their implications in more detail.

New cyber measures for essential digital services and supply chains

Yet to appear, but promised for 2025, the Cyber Security and Resilience Bill is due to reform the Network Information Security Regulations 2018 (NISRs) and extend cyber defence rules to more essential digital services and supply chains.

EU pulls ahead with cyber legislation

The UK is lagging behind the EU in the cybersecurity sphere: the implementation deadline for the NIS2 Directive was October 2024, the Cyber Resilience Act, which regulates the security of products with digital elements, came into force in December 2024 and the Digital Operational and Resilience Act (DORA) began to apply to in-scope financial services firms in January 2025.

The European Accessibility Act – has it slipped under your radar?

Many businesses may not have heard of the European Accessibility Act ("EAA"). If it has slipped under your radar, now is the time to take note because this legislation has a broad reach across many sectors, significant implications for product and services design (as well as documentation) and a looming compliance deadline. The EAA becomes applicable from 28 June 2025 and aims to ensure that many categories of consumer products and services, particularly digital technologies ranging from payment terminals and smartphones to banking services and online shops, are accessible to all, including people with disabilities. The services aspect of the legislation has particular relevance to outsourcing. To find out more, see our detailed "The European Accessibility Act – has it slipped under your radar?" briefing.

For further information, please contact: Louisa Chambers or Helen Reddish

10. Contract law roundup: excluding loss of profits, jurisdiction and arbitration clauses, late payment and pricing issues

Beware mutual exclusions of loss of profits

In February 2025, the Court of Appeal ruled that the High Court was correct to find that mobile provider EE was not entitled to claim damages for loss of anticipated profits arising from alleged breach of exclusivity in relation to its supply agreement with Virgin Mobile. The key lessons are:

  • Don't treat blanket exclusions of lost profits as if they are "mere boilerplate" – always consider the impact on the specific deal you are negotiating; and
  • Beware reciprocal/mutual provisions – whilst they can often appear to be a "fair outcome" in negotiations, they can also deprive one party of remedies for breaches of certain key obligations (as in this case, where EE was left unable to claim damages for an alleged breach of exclusivity by Virgin).

For more detail, see our coverage of the first instance ruling.

Jurisdiction clauses: impact of 2019 Hague Convention

On 1 July 2025, the 2019 Hague Convention on Recognition and Enforcement of Judgments in Civil and Commercial Matters comes into effect between the UK, the EU (except Denmark), Ukraine and Uruguay. Whilst this shouldn't require you to take any action, it is an important and welcome development for cross-border outsourcings involving those jurisdictions. Here's why:

  • At present, where one of the parties obtains an English judgment against the other party, it only receives "near automatic recognition" in most EU states if (i) the agreement contained an exclusive jurisdiction clause in favour of the English courts; and (ii) the agreement itself was made after 31 December 2020 (i.e. after the UK left the EU).
  • As such, the current state of affairs leaves a "gap" when it comes to near-automatic recognition in most EU states – because such treatment is not extended to English judgments arising out of cross-border outsourcings which either (i) contain non-exclusive or asymmetric jurisdiction clauses; or (ii) were entered into before 1 January 2021. From July this year, however, that "gap" will be plugged – provided that the proceedings giving rise to the eventual judgment commenced on or after 1 July 2025.

Arbitration clauses: what's the impact of the Arbitration Act 2025?

The Arbitration Act 2025, which received Royal Assent in February this year, clarifies and enhances certain aspects of the UK's statutory framework supporting arbitration. For more detail, see our "Arbitration Act 2025 receives Royal Assent" briefing. However, in most cases, it is unlikely to require changes to arbitration clauses in outsourcing agreements – unless the parties wish to avoid the new Act's default rules on the law governing the arbitration clause (which will be the same as the law of the seat). This is only likely to be relevant to cross-border outsourcings.

Late payment in the UK: what's changed and why should you care?

In late 2024, the UK Government announced its intention to "crack down on late payments" and outlined several measures intended to support this. It proposes to step up enforcement of the late payment disclosure regime for larger businesses and to consult on further changes designed to promote additional transparency and scrutiny. Alongside this, a revised voluntary code has been published together with a more demanding prompt payment standard for many suppliers to the public sector. One key takeaway is that late payment is increasingly being seen as an ESG issue – and businesses that fail to take it seriously face an increasing risk of significant reputational damage. See our "Late payment in the UK: what's changed and why should you care?" briefing for more detail.

Pricing issues in commercial contracts: a 5-minute primer

Our 5 -minute video primer on key pricing issues in commercial contracts covers a range of issues which are relevant to many outsourcing transactions. This includes whether suppliers can raise prices unilaterally, how to deal with inflation, cost plus and open book pricing, audit clauses, "best price" or MFN obligations, price-matching clauses and benchmarking.

Watch now

For further information, please contact: Richard Brown, James Davis or Richard Offord

11. Our outsourcing experience and publications

Recent outsourcing publications

We wrote the UK chapter of the latest edition of the Chambers Global Practice Guide to Technology & Outsourcing. You may also be interested in the following very short (3 minute) "need to know" videos:

  • Dealing with inflation in an outsourcing: a 3 minute primer
  • Data protection and outsourcing: a 3 minute primer on key recent developments
  • Deploying Artificial Intelligence in an outsourcing: a 3 minute primer

If you missed our last edition (from Autumn 2024), you can read it here. Finally, for all our materials on outsourcing, see our Outsourcing Spotlight series page.

Our experience

We regularly advise both customers and suppliers on outsourcing transactions in a broad range of sectors. Recent examples include:

  • PAYMENT SYSTEMS: Advised Pay.UK on critical IT outsourcing arrangements relating to the UK's payment systems infrastructure responsible for processing £19.2 billion per day
  • IT TRANSFORMATION: Advised Rathbone Brothers PLC, a FTSE-250 listed provider of wealth management services, on outsourcing arrangements with Charles River and Investcloud to overhaul core aspects of its business-critical IT infrastructure
  • FINANCIAL SERVICES: Advised NEST, one of the UK's largest providers of workplace pension schemes with over £40 billion of assets under management, on a major outsourcing of fund administration, custody and investment services to Northern Trust
  • PENSIONS: Advised the pension funds of several major corporates on large scale outsourcings of scheme administration activities, including offshoring to service centres in Europe and Asia
  • MEDIA: Advised Channel 4 on the negotiation of its business-critical outsourced playout arrangements with providers Red Bee Media and Prime Focus Technologies
  • REAL ESTATE: Advised ZPG, owners of leading property website Zoopla, on a complex, technology-led outsourcing of customer support services
  • HOTELS AND CATERING: Advised AJ Capital Partners on key outsourcing arrangements relating to management and catering operations at its portfolio of UK hotels
  • LEISURE Advised a leading global operator of visitor attractions on outsourced arrangements to run over 30 theme parks worldwide, covering over 14 jurisdictions across the US, Europe and Asia
  • ENERGY: Advised Xoserve on a long term, large scale and highly complex outsourcing relating to critical infrastructure in the energy sector
  • BPO/CUSTOMER SERVICES: Advised Monzo Bank on a large-scale business-critical near-shore outsourcing with Sykes Enterprises Eastern Europe, relating to customer services for all of its 4.9 million account holders
  • TECHNOLOGY OUTSOURCING: Advised Fundsmith, the largest active mutual fund in the UK, on its IT outsourcing arrangements for transfer agency services
  • FOOD & DRINK: Advised Burger King on a major outsourcing relating to provision of information and communications technology services by Timico, the managed service provider, within Burger King restaurants
  • ENTERTAINMENT: Advised Ambassador Theatre Group on its outsourced ticketing arrangements and the outsourcing of the entirety of its UK logistics arrangements in relation to food, drink and hygiene products across all of its 30+ UK-wide theatre portfolio
  • MANUFACTURING: Advised Volta Trucks on complex, cross-border outsourced manufacturing arrangements for the launch of the Volta Zero, the world's first purpose-built 16-tonne electric truck
  • ASSET MANAGEMENT: Advised leading investment manager Brooks McDonald (with £13.7 billion in funds under management) on a highly complex exit from an existing outsourcing arrangement and migration to a new managed services technology platform

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Tim Gilbert
Tim Gilbert
Photo of Adam Rice
Adam Rice
Photo of Katie Good
Katie Good
Photo of Moji Oyediran
Moji Oyediran
Photo of Emma Pereira
Emma Pereira
Photo of Sarah Quy
Sarah Quy
Photo of Richard Offord
Richard Offord
Photo of Jonathan Rush
Jonathan Rush
Photo of Stephen Whitfield
Stephen Whitfield
Photo of Theodora Zagoriti
Theodora Zagoriti
Photo of Anna West
Anna West
Photo of Richard J Brown
Richard J Brown
Photo of Louisa Chambers
Louisa Chambers
Photo of Helen Reddish
Helen Reddish
Photo of James Longster
James Longster
Photo of James Davis
James Davis
Photo of Glen Evans
Glen Evans
Photo of Sarah Robinson
Sarah Robinson
Photo of Michael Ross
Michael Ross
Photo of Rosie Westley
Rosie Westley
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More