A couple of practical questions on Public Procurement and GDPR
The deadline for GDPR compliance is rapidly approaching. Crown Commercial Service (CCS) has published a Procurement Policy Note (PPN 03/17) reminding in-scope organisations of GDPR and data protection requirement in the context of public procurement. You can see our Procurement Byte on PPN 03/17 which we published in early January by following the link at the bottom of this article.
We are working with a large number of organisations in the public and private sectors who are dealing with the impact of GDPR. The tasks of review of existing contracts for GDPR compliance and preparing new compliant contract terms are well understood, if not entirely straightforward in practice.
On reading through PPN 03/17 we have picked up on a couple of practical questions about GDPR in the context of public procurement contracts which are worth some further discussion:
- Who bears the burden of the cost of GDPR compliance?
- Who pays the fines in the event that there is a breach of GDPR requirements?
Who bears the burden of the cost of GDPR compliance?
The cost of compliance with GDPR can be substantial. Where a supplier to the public sector incurs additional GDPR compliance costs on an existing contract it may well argue that the increased cost of compliance should be reflected in a negotiated price increase. Public sector organisations may well already have experienced "push back" from suppliers in discussions on amending existing contract terms to ensure that the contracts are GDPR compliant.
In PPN 03/17, CCS advises in-scope organisations not to routinely accept contract price increases as a result of work associated with compliance with data protection legislation including GDPR. CCS makes the point that the costs of compliance are attributable to conducting business in the EU and not to supplying the UK public sector. As the Data Protection Bill (once passed), effectively brings much of the GDPR into the UK's domestic legislation, the cost of complying with the GDPR won't disappear post-Brexit.
The draft letter to existing suppliers in Annex C of PPN 03/17 goes further. It notes that the burden of GDPR compliance is not limited to public sector contract but is required of any public or private organisation processing personal data. It tells suppliers that they are expected to manage their own costs in relation to compliance.
PPN 03/17 advises against routine acceptance of GDPR related price increases. This leads to the question of when such price increases may be justified. In our view, the only situations where a price increase should even be contemplated is where the GDPR requirements create a unique difficulty for a supplier which is significantly beyond the intended consequences of the GDPR. As much of the GDPR is predicated on updating existing laws and turning what was previously considered to be best practice into law, such a scenario is likely to be particularly rare. In these cases all parties need to be confident that a proposed price increase and any related contract changes fall within the permitted grounds for modification of contracts set out in Regulation 72 of the Public Contracts Regulations – careful thought and a robust audit trail will be critical.
Who pays the fines in the event that there is a breach of GDPR requirements?
Under the current data protection regime, processors are not directly responsible for complying with the statutory requirements and therefore do not risk a fine or legal action from individuals as a result of any data breach for which they are responsible. Under the GDPR both controllers and processors are under direct legal obligations and risk substantial fines for GDPR breaches. This represents a significant change in risk for suppliers who undertake the role of processors in public sector contracts. It is not surprising that in some cases suppliers may seek an indemnity from the public sector purchaser to cover liabilities for fines or claims arising under the GDPR.
PPN 03/17 explains that the legal penalty regime has been extended directly to processors to ensure better performance and enhanced protection for personal data and so "entirely indemnifying Processors for any GDPR fines or court claims undermines these principles". The draft letter to existing suppliers in Annex C of PPN 03/17 repeats this point and makes it clear that liability clauses with indemnity clauses covering GDPR fines are not acceptable.
Under the current data protection regime, processors routinely provide controllers with indemnities in relation to data breaches for which they were responsible. As processors are not directly liable under the current legislation, but could none the less be the cause of a significant data breach, such indemnities were perfectly reasonable. Processor indemnities have been commonplace for a long time, so it is understandable that controllers may be reluctant to relinquish indemnities provided by processors despite the processors being directly liable under the GDPR for a fine or civil claim in their own right. However, where a processor is providing a controller with an indemnity in respect of a data breach for which it is responsible, it could well be difficult for a controller to refuse an indemnity to the processor in respect of a breach for which the controller is responsible.
If you would like to discuss these points or other GDPR related issues please contact Jonathan Moore.
Follow this link to see our Procurement Byte on the coverage and content of PPN 03/17: