The Crown Commercial Services (CCS) has published Procurement Policy Note/Action Note PPN 02/18 on Changes to Data Protection Legislation and General Data Protection Regulation.

PPN 02/18 updates and replaces PPN 03/17, which was published in December 2017.

PPN 02/18 applies to all Central Government Departments, their Executive Agencies and Non Departmental Public Bodies ("in-scope organisations") with immediate effect. CCS notes that other public bodies will also be subject to the new data protection legislation and may wish to apply the approaches set out in PPN 02/18.

Our Procurement Byte on the original PPN 03/17 provides information on the structure and an overview of the content of that PPN. The structure of the new PPN 02/18 remains much the same, but with an additional annex, Annex D on Security, which provides an indication of the types of security measures that might be considered in order to protect personal data.



  • Issue
  • Scope
  • Timing
  • Action
  • Key considerations
  • Background
  • The Law Enforcement Directive
  • Sources of further information
  • Annex A
      • Part 1 Generic Standard GDPR clauses
      • Part 2 Schedule of processing, personal data and data subjects
  • Annex B
      • Guidance for In-Scope Organisations
  • Annex C
      • Draft letter for suppliers
  • Annex D
      • Security

PPN 02/18 contains enhanced guidance and clarifications on a number of key areas:


  • Controllers and processors: enhanced guidance, in particular on the nature of the "Controller" and the "Processor".
  • Cost of compliance: amendment to the guidance to add reference to use of commercial judgment when considering who should bear the cost of compliance.
  • Contract liabilities: enhanced guidance on liability and indemnity provisions and identification of options for recovery of costs of civil data protection claims or regulatory fines, and a note of caution on whether substantial changes should be made in accordance with Change in Law provision in contracts.
  • Joint controllers: enhanced guidance on arrangements between joint controllers and reference to joint controller agreement in Annex A.
  • Crown to Crown data agreements: new guidance on arrangements between Crown bodies.
  • Expired/legacy contracts: new guidance on processing, retention and deletion of data in relation to expired contracts.
  • Protective measures: new guidance on protective security measures which processors must implement, cross referencing to new Annex D.


Annex A Standard generic clauses: enhancements to the standard generic clauses in Annex A, including use of "Processor" instead of "Contractor" and "Controller" instead of "Customer" and an amendment so that the Controller is not obliged to approve the protective measures of the Processor.

Annex B Guidance for in-scope organisations: new guidance on due diligence on GDPR compliance at the selection stage, an example model selection question and a note on a model award question to ask bidders at the award stage.

There is also mention of planned updating of the Standard Selection Questionnaire, to include a section on GDPR.

Annex D Security: a new annex sets out example technical security requirements that might be considered in order to protect Personal Data.

You can download PPN 02/18 from the CCS Procurement Policy Note webpage.

For further information on GDPR follow this link to Bevan Brittan’s GDPR web page or contact a member of the procurement team.

You can download a copy of PPN 03/17 from the CCS Procurement Policy Note web page.

See also the Information Commissioner’s Office web page.

We have a series of Procurement Update Seminars across all of our offices in June.
