There are new General Data Protection Regulations (GDPR) coming into force from May 2018. Although many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), there are new elements and significant enhancements.
The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. This will require organisations to review their approach to governance and how they manage data protection as a corporate issue. Your organisation may well have a GDPR working party set up to consider all the implications of the new Regulations as there are wider impacts outside the scope of procurement activities. For more information on all the requirements of the GDPR see ICO GDPR Guide .
However where the GDPR may impact procurement activity is on those contracts where you share data with your suppliers. The GDPR now requires your suppliers (data processors) to have direct obligations. These include to:
- maintain a written record of processing activities carried out on behalf of each controller (your organisation);
- designate a data protection officer where required;
- appoint a representative (when not established in the EU) in certain circumstances;
- and notify the controller on becoming aware of a personal data breach without undue delay.
The new status of data processors will likely impact how data protection matters are addressed in your contracts with suppliers.
For contracts which involve the processing of personal data, you must set out, in each contract with suppliers, details of the nature, scope and duration of the data processing, and impose specific obligations on the Processor, including:
- the legal obligation to formalise working relationships with the Processor in contracts where processing of personal data is to be carried out by a third party on behalf of the Controller (see GDPR Article 28);
- a requirement to create and maintain records of processing activities (see GDPR Article 30(2)); and
- use only Processors who provide guarantees to implement appropriate technical and organisational measures that are sufficient to secure that the processing will (a) meet the requirements of the GDPR and (b) ensure the protection of the rights of the data subject.
The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR20 million.
Government guidance suggests you should identify existing contracts involving processing personal data* which will be in place after 25 May 2018 and then:
- write to all suppliers notifying them of changes you intend to make to relevant contracts to bring them into line with the new data protection regulations.
- conduct due diligence on existing contracts to ensure suppliers can implement the appropriate technical and organisational measures to comply with GDPR (i.e. provide guarantees of their ability to comply with the regulations).
- update the contract specification and service delivery schedules to set out clearly the roles and responsibilities of the Controller and the Processor and any Sub-processors.
- update relevant contract terms and conditions by issuing contract variations, using the change control procedure as set out in your own documentation
*Personal data means any information that relates to an identified or identifiable living subject i.e. staff member, member of the public, customer, etc. It will generally include an individual’s name, address, phone number, date of birth, place of work, dietary preferences, opinions, opinions about them, whether they are members of a trade union, their political beliefs, ethnicity, religion, or sexuality. It can also include an individual’s email address or job title if that sufficiently picks them out so that they can be identified (in isolation or with other information that may be held). The above is not exhaustive and any information that relates to an individual can be personal data.
For contracts to be awarded on or after 25 May 2018, Government guidance suggests you should ensure:
- you undertake sufficient due diligence of new suppliers to ensure they can implement the appropriate technical and organisational measures to comply with GDPR (i.e. provide guarantees of their ability to comply with the regulations).
- terms and conditions are updated to reflect standard generic clauses
- for relevant contracts including data processing activities, apply the specific guidance to all stages of the procurement, and relevant documentation.
The 02/18 PPN Changes to Data Protection Legislation and General Data Protection Regulations provides more information on how GDPR effects contracts including; example due diligence questions, model terms and conditions and example technical requirements you may wish to impose upon suppliers where relevant.
The CCS GDPR Toolkit provides more information on CCS approach to GDPR and includes example notification letter to existing suppliers, example terms and conditions and key considerations when assessing the impact of GDPR on your contracts.
Crescent Purchasing Consortium have also made available their template GDPR contract clauses which can be downloaded from their website.