Varying a contract

Varying a Contract: Things to Consider

Varying a contract (changing it) can be done orally or in writing. However, most commercial contracts contain a clause which states that any changes made to a contract are ineffective unless made in writing and signed by or on behalf of both parties. This is called a variation clause or no oral variations clause. This generally means, therefore, that in the majority of cases when varying a contract, a written agreement needs to be in place between the parties to effect such a change. Read this blog to find out more about the law concerning varying a contract.

Varying a contract - consideration

Any agreement that varies the terms of an existing contract must either be supported by "consideration" or be executed as a deed.

What does "consideration" mean? In contract law it is required that some form of reciprocity takes place between the two parties to a contract i.e. one party cannot enforce a contract unless he has promised to deliver something to the other. Put another way, in order for a contractual relationship to exist there must be some form of exchange taking place in which each party agrees to give something to the other. The most obvious example of an agreement that is not supported by consideration, and therefore unenforceable, is an agreement to make a gift, that is, an agreement to provide a benefit with no act being required of the recipient.

Therefore, it follows that when varying a contract, in order for the variation of the agreement to be enforceable, it needs to be supported by consideration. This becomes complicated because it can often be the case that, when varying a contract, only one party is promising to do something new whilst the other party is simply re-affirming its obligations in the original agreement. One way of getting round this issue is by executing the variation agreement as a deed.

Varying a contract - execution as a deed or nominal consideration

Practically speaking, many commercial contractual parties vary contracts by deed and therefore negate the need to take consideration (as described in the last section) into account. This is because deeds are generally enforceable despite a lack of consideration. Deeds require additional formalities such as witness signatures and are used when varying a contract to avoid the potentially complex law around whether each party has given consideration to the other.

Another way of getting round the consideration problem is by referring, in the written document which is varying the contract, to the payment of a small sum. Such a small sum will amount to consideration.

How to execute a deed?

  • In writing. A deed must be in writing.
  • Face value requirement. It must be clear from the face of the instrument that it is intended to take effect as a deed.
  • A deed must be delivered. A deed becomes binding on the date of delivery, not from the date of execution.
  • By affixing the common seal of the company; or more practically, by the signatures of two authorised signatories (such as a director or secretary of the company); or the signature of a director of the company attested by a witness.
  • By following any other formalities which a company may have in place for the execution of deeds.

Varying a contract - third party rights

Under the Contracts (Rights of Third Parties) Act 1999, where a third party has a right to enforce a contract term, the parties cannot vary it so as to extinguish or alter the third party’s right without its consent. However, the parties to the contract may expressly provide that no consent is required from third parties for varying a contract.

Unilateral right to vary

Unless the parties have agreed that one party should have such a right, a unilateral notification by one party to the other cannot constitute a variation of a contract. However, contract terms may give a party the unilateral right to vary obligations under a contract. It is important to check the terms of a contract on this point!

Varying a contract - some case law

Here are some relevant cases concerning the law around varying a contract:

Case: Rock Advertising Ltd v MWB Business Exchange Centres Ltd [2018] UKSC 24

Facts: Rock fell into arrears with MWB and, in a phone call, put forward an amended payment schedule. When MWB sought to terminate the relationship because of the arrears Rock argued that, in fact, the parties had varied the contract by agreeing the amended payment schedule in the phone call. Rock Advertising had paid an agreed sum of £3,500 on the same day as the phone call in accordance with this revised (varied) agreement. But then MWB went on to deny any revised agreement and stated a) variation of the original written contract had to be in writing since oral variation was denied by the terms of the contract (the contract included a no oral variations clause) and b) any variation would be unenforceable for lack of consideration.

Ruling: The Supreme Court found in favour of MWB on the basis that the no oral variations clause was effective and by doing so ensured commercial certainty between the parties. This was after the County Court ruled in favour of MWB and the Court of Appeal in favour of Rock! This shows this was a contentious case but also upholds the eventual strength of no oral variations clauses. It was mentioned by the judge Lord Briggs that if in the telephone call the parties had explicitly stated that the no oral variations clause did not apply to this new agreement varying the contract then it would have been effective! So be careful when discussing the relevance of such a clause.

Case: Nash and others v Paragon Finance Plc [2001] EWCA Civ 1466

Facts: This case concerned the existence of a clause giving Paragon a unilateral right to vary the contract. Mr & Mrs Nash obtained a mortgage from Paragon Finance. The mortgage agreement allowed Paragon to vary the rate of interest ‘at their discretion’. After the Bank of England base rate of interest dropped, Paragon failed to match the drop in interest and continued varying the contract and charging a significant amount above this rate. The Nashes failed to make their payments and Paragon applied for an order of possession of their home.

Ruling: Under the Consumer Credit Act 1974 the rates could not be capricious, dishonest, improper or unreasonable. The court held that the rate was not applied in an unreasonable or unfair manner by Paragon and so the clause allowing discretion to unilaterally vary the contract was not void. Whilst the lenders had not reduced their interest rates in line with other lenders, they had a commercially legitimate objective in doing so, and so the court deemed Paragon to have acted ‘reasonably’ in line with the Consumer Credit Act 1974 and the unilateral right for varying the contract clause was deemed valid.

Case: Stilk v Myrick [1809] EWHC KB J58

Facts: And finally, a blast from the past. Decided over 200 years ago, this case explored the relationship between consideration and varying a contract. Stilk was contracted to work on a ship owned by Myrick for £5 a month, promising to do anything needed in the voyage regardless of emergencies. After the ship docked at Cronstadt two men deserted (constituting an ‘emergency’), and after failing to find replacements the captain promised the crew the wages of those two men divided between them if they fulfilled the duties of the missing crewmen as well as their own. After arriving at their home port, the captain refused to pay the money he had promised them.

Ruling: It was found that Stilk (and the rest of the crew) were under an existing duty to work the ship back to London and had agreed to submit to all the potential emergencies that could arise along the way. Therefore Stilk (and the crew) had not given any consideration for the promise of extra money by the captain. And so, they were not entitled to anything. This highlights the importance of looking at exactly what your obligations are in an agreement before assuming you have performed consideration for the variation of that contract. If you have not gone beyond the scope of your original obligations, then no consideration has taken place and varying the contract has been ineffective. (Of course, you can use a deed to get round this problem as described above).

Keeping it simple

The simplest way to vary a contract, and therefore the most used method in practice, is by executing a deed. It is also important to check if a no oral variations clause is contained in your contract (as there will be in the majority of cases), especially when looking to rely upon informal arrangements, which alter contractual terms, during its performance.

If you have any questions about varying a contract or about contract law more generally please contact Neil Williamson.

Legal checklist for startups

Legal Checklist For Startups - A Quick Guide

Starting a business can be hectic – hopefully this legal checklist for startups will help you avoid falling into the kinds of traps that we often see businesses falling into before they come to us for advice.

Ideally you want to have all of the following in place as soon as possible:

  • Customer contracts
  • Supplier contracts
  • Staff contracts
  • Data protection compliance
  • Licence to occupy / lease
  • Shareholder agreement
  • Legal notices / policies
  • Insurance
  • Tax
  • Companies House
  • Other

Legal Checklist For Startups: Customer Contracts

If you do not have proper contracts in place with your customers then there’s a high risk that sooner or later there will be a problem. If the goods or services that you are supplying are low priced or if you take payment in advance then the risk of non-payment for those goods or services shouldn’t hurt you as long as non-payment only happens rarely. However, a contract is not just there to protect you from non-payment. If your contract isn’t clear on things like when it starts, how it ends and what the goods or services are that you are delivering then you run the risk of having time-consuming arguments with your customers about what the true position is or worse, they sue you. Other clauses can be very important as well such as clauses limiting your liability and ownership / licensing of intellectual property rights. If you don’t protect yourself properly in your contracts you are not just running the risk of being sued or losing your rights, you are running a business that investors won’t find attractive. Check out our blog here about what you should look out for in a contract.

Legal Checklist For Startups: Supplier Contracts

More often than not you will need to contract on your suppliers’ terms and conditions of business. The previous section refers to the kinds of things you need to look out for. If you can’t navigate your way around a contract then find someone who can help you if you are going to enter into a contract with a supplier that is important or high value. If you are having something crucial like software being built for you then you should get the contract checked but above all you should read what is put in front of you. Do not assume that the agreement will be fair or that because it is for a basic service it won’t contain “nasties”. It happens less so now thanks to paper being less prevalent in offices but in the past, many businesses fell foul of office photocopier contracts that tied them in to paying for support charges for 5 years or more.

Legal Checklist For Startups: Staff Contracts

You need to have appropriate contracts in place with your employees because it is a legal requirement. You should be able to source basic contracts at low cost. Basic contracts should cover you for an employee who, if they leave, is not going to hurt your business by working for a competitor or by taking confidential information such as client lists or intellectual property out of the business. However, if your business could be damaged in these scenarios, then ensure that your contracts are drafted by an employment lawyer who will include appropriate provisions to make it easier for you to take action against a departing or rogue employee. In practice, having properly drafted clauses restricting what a departing employee can and can’t do often prevents the mischief occurring in the first place.

Although there is no legal requirement to have a written contract in place with a consultant, the usual reasons for having written contracts in place with any supplier apply – clarity being one of them. Also, if your consultant is going to create anything for you, for example, software, reports, designs – i.e. things that contain intellectual property rights – then if you don’t include appropriate written clauses, the consultant will be the owner of those things that they are creating for you and your business will have limited rights to use them.

In addition to your employment contracts you should consider having a staff handbook drafted. The staff handbook contains your policies about behaviour and standards as well as disciplinary and grievance procedures. It makes things a lot easier to deal with if there is an issue with an employee down the line. If you are a high growth start up then you should put a staff handbook in place from the outset.

Finally, it’s a legal requirement to offer your employees a pension so make sure you understand what you need to do in this regard.

Legal Checklist For Startups: Data Protection Compliance

Firstly, you need to register your business with the Information Commissioner’s Office and pay their fee.

All businesses need to comply with the retained EU law version of the General Data Protection Regulation ((EU) 2016/679), called the UK GDPR, along with the Data Protection Act 2018 (DPA 2018) and, if using such data to market to customers, the Privacy and Electronic Communications Regulations (PECR).

To comply with data protection laws you need to understand them and how they impact your business and then put appropriate policies and notices in place. It can be expensive getting professional advice but it will save you a lot of time because data protection compliance is complex and, in our experience, it is unlikely that you are going to get things right if you don’t seek professional help. If you are processing “special category data” i.e.

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; or
  • data concerning a person’s sexual orientation

then we highly recommend you obtain expert advice from the outset because the ICO is more likely to come down hard on an organisation that gets things wrong when they are processing this kind of data.

If you want to send marketing communications to your customers or potential customers then it is important to get your opt-in / opt-out messaging correct and to comply with PECR. Again, either follow online guidance or have an expert advise you.

Legal Checklist For Startups: Licence To Occupy / Lease

Most start-ups nowadays don’t take on the commitment of a lease, opting instead to use a serviced office on a 12 month licence to occupy. If you are going to sign up to a licence to occupy then make sure you have read and understood the terms. You must be clear on what payments your business will be liable for, looking out for those hidden extras. The other really important clauses are those around termination. Look out for a clause that says the licence will automatically renew for another 12 months unless appropriate notice to terminate is given by you. So many businesses miss this and then find themselves tied in for another 12 months.

If you are going to enter into a lease then get the lease checked by a lawyer who specialises in this area because leases often contain traps for the unwary. You are not going to spot the issues unless you are an expert and getting this wrong can be very costly.

Legal Checklist For Startups: Shareholders Agreement

If you have set up a company with someone else you should put a shareholders agreement in place, especially if you hold a minority of the shares. You don’t have to have one – you can rely on the articles of association of your company and company law to protect you and regulate how things are done in the company. But if you don’t have a shareholders agreement in place it makes things much harder to deal with if you fall out with the other shareholders. You probably will fall out at some point and we see this all the time – businesses coming to us for help because the shareholders can’t agree on how to do things. We have to try and resolve things often with another lawyer on the other side of the table and it ends up costing the business dearly when it wouldn’t have been the case if a shareholders agreement had been in place.

Legal Checklist For Startups: Legal Notices / Policies

Your website should be displaying a privacy notice and, if it is using cookies, a cookie notice. Other website notices such as acceptable use and website terms of use policies aren’t essential but they are very low cost to obtain, give you some protection and make you look the part.

If your business employs five or more people you must have a written health and safety policy.

Although not mandatory, you should put an equal opportunities policy in place. If you don’t then this can count against you if an employee claims discrimination.

If there is any risk at all of someone in your business or supply chain bribing another person then you should have an anti-corruption and bribery policy in place. If you don’t then it’s unlikely that you will be able to demonstrate that your company had adequate procedures in place to prevent bribery and criminal sanctions may be applied.

Legal Checklist For Startups: Insurance

If your business has staff you need to have employer’s liability cover in place – it’s a legal requirement.

Depending on the industry you are in, your regulator may require you to have other types of insurance in place such as professional indemnity insurance.

Legal Checklist For Startups: Tax

You must register your business with HMRC and pay tax. Engage an accountant for this.

Companies House

If you have set up a company in England & Wales then you must ensure that your filings are up-to-date at Companies House. Register for “Companies House Webfiling” so you or whoever you have outsourced to can make filings online.


Other

You should consider whether anti-bribery compliance is necessary for you. You can read more about this here and we have done a blog about the Bribery Act here. If you are providing services to the public sector, in an industry where bribery is medium risk or above (e.g. the construction sector) or working in jurisdictions where the corruption perception is medium risk or above you should put a compliance programme in place from the outset – having an anti-bribery policy is not enough.

If your business activities are regulated, you will need to register with and obtain the relevant consents from those regulators.

You should also consider:

Having a non-disclosure agreement ready to send to individuals / other businesses. It’s unlikely you will find investors right at the beginning but if you have built an exciting product then you may be able to find investment rapidly and you should put an NDA in place with potential investors before you start discussions.

Protecting your trademark. If you can live with changing your brand name if someone else comes along with the same or similar name then not to worry. If you can’t then register your trademark asap.

Final Thoughts

Hopefully you will find this legal checklist for startups useful. It’s very much a guide and you should do your research or ask for help around compliance issues specific to your industry. Good luck with your business and if we can be of any help please get in touch.

ICO Fines Transgender Charity Mermaids


The Information Commissioner’s Office (ICO) has fined charity Mermaids £25,000 for failing to keep personal data (some of which was sensitive personal data) secure. ICO fines for failing to comply with data protection laws can go up to £17.5 million or 4% of an organisation’s total worldwide annual turnover, whichever is higher.


Mermaids is a charity that supports transgender and gender-diverse children and their families. It started out as a support group formed by parents whose children were experiencing gender incongruence. It registered with the Charity Commissioner in 1999. The Charity Commissioner’s website shows that most of Mermaids’ income is derived from donations and legacies with total income for the financial year ending 31 March 2020 standing at £902,437.

In August 2016 the CEO of Mermaids set up an internet-based email group service. The CEO created GeneralInfo@Groups.IO so that emails could be shared between the CEO and the 12 trustees of the charity. The email service offered various settings for security and privacy:

  • “Groups listed in directory, publicly viewable messages”
  • “Group not listed in directory, publicly viewable messages”
  • “Group listed in directory, private messages” and
  • “Group not listed in directory, private messages”.

The Mermaids group email service was set up under the default option “Groups listed in directory, publicly viewable messages”.

The Groups.IO email service was in active use by Mermaids from August 2016 until July 2017. After it became dormant it continued to hold emails. In addition to communications between the trustees, the emails included some forwarded emails from individuals who were using Mermaids’ services. Those emails included personal data, in some cases relating to children, and some of the data was special category data (i.e. data concerning health, sex life or sexual orientation).

In June 2019 a service user of the charity, who was the mother of a gender non-conforming child, informed the CEO that she had been contacted by a journalist from the Sunday Times who had told her that her personal data could be viewed online. The journalist had informed the parent that by searching online he could view confidential emails including her child’s name, date of birth, mother’s name, her employer’s address, her mobile telephone number and details of her child’s mental and physical health.

On the same day, Mermaids received pre-publication notice from the Sunday Times that the emails were accessible online and the newspaper would be publishing an article about the incident.

Mermaids immediately took steps to block access to the email site and engaged lawyers. They began informing data subjects about the incident, contacted the ICO to report what had happened and took other measures to deal with the situation.

ICO findings

The ICO’s investigation found, amongst other things, that Mermaids had failed to ensure that adequate measures were in place to ensure the appropriate security for personal data and as a result, 780 pages of confidential emails containing personal data relating to 550 individuals were searchable and viewable online for almost three years by third parties. The ICO also found that in the period May 2018 to June 2019 there was a negligent approach towards data protection at Mermaids, data protection policies were inadequate and there was a lack of adequate training. The ICO found that Mermaids should have applied restricted access to its email group and used pseudonymisation or encryption to add an extra layer of protection to the personal data it held and shut down the email group correctly when it was no longer in use.

ICO fine

On 5 July 2021 an ICO fine was imposed on Mermaids of £25,000.

In arriving at the fine the ICO took into consideration:

  • Mermaids’ income
  • The gravity of the incident
  • The fact that special category data was made public
  • The duration of the data breach
  • The number of data subjects affected
  • The damage caused
  • The intentional or negligent character of the infringement
  • The action taken by Mermaids to mitigate the damage caused
  • The degree of responsibility of Mermaids taking into account the technical and organisational measures they implemented
  • Any relevant previous infringements
  • The degree of cooperation provided by Mermaids with the ICO in order to remedy the infringement and mitigate the damage caused
  • Other aggravating or mitigating factors

The ICO’s Monetary Penalty Notice (which gives further detail and explanation about the ICO’s findings) can be accessed here.


One never wants to see an organisation receiving an ICO fine. However, given the nature of the work that Mermaids does and the sensitivity of some of the personal data that was made public, the fine appears low. Many businesses, especially small businesses, will try and find ways to cut corners to make their budgets or resources stretch further. Some businesses, especially those who do not process special category data, may feel from reading this ICO decision that the worst that can happen to them if they do not have proper data protection processes in place is that they are going to be fined less than £25,000.

In its decision the ICO took into account not just “the prompt remedial action taken by Mermaids” but also that “this breach was highlighted in a national newspaper and that resulted in a degree of reputational damage to the charity”. It also seems that the fact that Mermaids was a charity had some bearing on the ICO decision with the ICO balancing the fine as a deterrent against not wanting to be “taking away donations made by the public.”

The ICO took into account the financial position of Mermaids. While we do not know what the content of Mermaids’ representations was in this regard, the charity made a loss for its financial year ended 31 March 2020 with total expenditure of £1,041,325 against income of £902,437. Without us knowing the true financial position, it appears that if Mermaids had received an ICO fine of, say, £250,000, this may well have caused the charity to shut down.

It is worth noting as well that in addition to the ICO fine imposed, Mermaids’ costs for engaging lawyers and other consultants and dealing with the fallout from the incident would have been significant. Mermaids is also vulnerable to claims being brought against it by the data subjects themselves.

If you have any questions on data protection law or compliance please get in touch with one of our data protection lawyers.