New Procurement Policy Note on changes to Data Protection Legislation and GDPR (General Data Protection Regulation)

Procurement Byte

04/01/2018

Susie Smith

Consultant

On 19 December 2017 the Crown Commercial Service (CCS) published Procurement Policy Note/Action Note PPN 03/17 on Changes to Data Protection Legislation and General Data Protection Regulation.

PPN 03/17 applies to all Central Government Departments, their Executive Agencies and Non Departmental Public Bodies ("In-Scope Organisations"). CCS notes that other public bodies will also be subject to the new data protection legislation and may wish to apply the approaches set out in PPN 03/17.

PPN 03/17 comprises 20-plus paragraphs of notes and three annexes:

Notes
  • Issue
  • Scope
  • Timing
  • Action
  • Key considerations
  • Background
  • The Law Enforcement Directive
  • Sources of further information

Annex A
  • Part 1 Generic Standard GDPR clauses
  • Part 2 Schedule of processing, personal data and data subjects

Annex B
  • Guidance for In-Scope Organisations

Annex C
  • Draft letter for suppliers

Timing: In-Scope Organisations must begin to apply the provisions of PPN 03/17 immediately, ensuring any contract amendments take effect from 25 May 2018 and new provisions are applied to all new relevant contracts awarded on or after 25 May 2018. For contracts that concern law enforcement processing, amendments should take effect from 6 May 2018.

Action: The Notes include a list of actions required to be taken by In-Scope Organisations.

In-Scope Organisations should identify existing contracts involving processing personal data which will be in place after 25 May 2018 and then:

  • write to all suppliers notifying them of changes the In-Scope Organisation intends to make to relevant contracts to bring them into line with the new data protection regulations. The draft letter at Annex C provides a guide;
  • conduct due diligence on existing contracts to ensure suppliers can implement the appropriate technical and organisational measures to comply with GDPR (i.e. provide guarantees of their ability to comply with the regulations);
  • update the specification and service delivery schedules to set out clearly the roles and responsibilities of the Controller and the Processor and any Sub-processors (these terms are defined in the GDPR). The table at Annex A Part 2 provides a guide;
  • update relevant contract terms and conditions by issuing contract variations, using the change control procedure as set out in your own documentation. The standard generic clauses at Annex A Part 1 provide a guide. Annex A Part 1 includes a warning that the generic standard clauses should be amended and adapted to fit with existing contract definitions. When they are adapted for use in existing contract templates, users are advised to seek legal advice.

For contracts to be awarded on or after 25 May 2018, In-Scope Organisations should ensure:

  • they undertake sufficient due diligence of new suppliers to ensure they can implement the appropriate technical and organisational measures to comply with GDPR (i.e. provide guarantees of their ability to comply with the regulations);
  • terms and conditions are updated to reflect the standard generic clauses at Annex A;
  • for relevant contracts including data processing activities, they apply the guidance at Annex B to all stages of the procurement, and relevant documentation.

Particular points of interest

The Notes in PPN 03/17 and the Guidance for In-Scope Organisations in Annex B include a number of points which it is worth highlighting:

Cost of compliance: In-Scope Organisations are advised not to routinely accept contract price increases from suppliers as a result of work associated with compliance with the new data protection legislation (including GDPR). The draft letter at Annex C includes a statement confirming that all suppliers are expected to manage their own costs in respect of compliance.

Contract liabilities: In-Scope Organisations should not accept liability clauses where Processors (usually the supplier in the context of public contracts) are indemnified against fines or claims under the GDPR. PPN 03/17 explains that "the legal penalty regime has been extended directly to Processors to ensure better performance and enhanced protection for personal data, therefore entirely indemnifying Processors for any GDPR fines or court claims undermines these principles." The draft letter at Annex C includes a statement to this effect.

Framework agreements: The guidance in Annex B reminds In-Scope Organisations who have established framework agreements for use by others that they should ensure that the terms governing use of the framework agreement reflect the standard generic clauses at Annex A. In-Scope Organisations should also ensure that suppliers on the framework agreement are aware that users of the framework agreement (customers) "may refine their individual call-offs to assure themselves of compliance with the new data protection legislation." Customers using framework agreements are reminded to review each call-off to ensure that roles and responsibilities under the data protection legislation have been updated.

Procurement documents: The guidance in Annex B also requires In-Scope Organisations to ensure that all relevant procurement documents make reference to the new data protection legislation (including GDPR) coming into force and to update terms and conditions in line with the standard generic clauses at Annex A, taking appropriate legal advice when doing so.

Contractual arrangements relying solely on the supplier's terms and conditions: In-Scope Organisations must ensure that any contractual arrangement relying solely on the supplier's terms and conditions meets the requirements of the data protection legislation (including GDPR). There is a specific note in paragraph 3 of the guidance in Annex B addressing the situation where the supplier is acting as Processor.

For further information on GDPR follow this link to Bevan Brittan’s GDPR web page or contact a member of the procurement team.

You can download a copy of PPN 03/17 from the CCS Procurement Policy Note web page.

See also the Information Commissioner’s Office web page.
