By Joanna Frost
3rd Jan 2018
This month the Cabinet Office published a Procurement Policy Note (PPN) detailing how central government departments are approaching the impacts of GDPR on existing and future contracts with suppliers in consideration of data processing requirements. Although the PPN only applies to central government departments, it does provide information and templates that could be useful when planning your organisation's approach to varying existing contracts to ensure they are compliant with the new Regulations coming into force on 25th May 2018.
Although there are wider implications for your organisation as a consequence of GDPR, there is an immediate impact on those contracts where you share personal data with suppliers. Personal data means any information that relates to an identified or identifiable living subject, e.g. a staff member, member of the public, student, etc. It will generally include;
It can also include an individual’s email address or job title if from that they can be sufficiently identified (in isolation or with other information that may be held). The above list is not exhaustive and any information that relates to an individual can be personal data. The PPN suggests that a review is undertaken to first identify these contracts. These could include contracts you have with suppliers to provide;
Once the affected contracts have been identified, Government guidance advises that you write to these suppliers notifying them of the changes you intend to make to the contract to bring it into line with the new General Data Protection Regulations, followed by a period of due diligence to ensure the suppliers can implement the appropriate technical and organisational measures to comply with GDPR (i.e. provide guarantees of their ability to comply with the regulations). Thereafter, it is suggested that you update the specification and any service delivery schedules to set out clearly the roles and responsibilities of the Data Controller, the Data Processor and any Data Sub-processors to the contract, and update relevant contract terms and conditions by issuing contract variations. The guidance recommends not routinely accepting contract price increases from suppliers as a result of work associated with compliance with the new General Data Protection Regulations, and not accepting liability clauses where Data Processors are indemnified against fines or claims under GDPR.
The legal penalty regime has been extended directly to Data Processors to ensure better performance and enhanced protection for personal data; entirely indemnifying Data Processors for any GDPR fines or court claims therefore undermines these principles. Where you are relying solely on a supplier's terms and conditions, Government guidance recommends ensuring that these meet the requirements of Data Protection Legislation. This is most likely to arise in the use of IT services into which personal data (such as names, email addresses, etc.) are placed, and where the supplier is acting as a Data Processor. There are many examples of cloud-based services that handle personal data, and where standard terms and conditions are generally relied upon. More information on how to deal with these contracts is provided in the PPN. Crescent Purchasing Consortium are part of a working party with the Higher Education purchasing consortia sector to develop a set of contract terms that will apply to our relevant framework agreements and any subsequent call-offs by members from 25 May 2018.
More information on the GDPR and a copy of the PPN can be found at https://www.felp.ac.uk/content/general-data-protection-regulations