By
1st Jun 2018

The Cabinet Office have updated their guidance on GDPR, how it affects contracts with suppliers and issued a revised PPN titled 02/18 Changes to Data Protection Legislation & General Data Protection Regulation.

It contains enhanced guidance and clarifications on a number of key areas:

  • Controllers and Processors
  • Contract Liabilities
  • Joint Controllers
  • Expired / Legacy contracts
  • Protective Measures
  • Enhancements to the standard generic clauses in Annex A
  • A new Annex D on technical security considerations

Although the PPN itself applies to Central Government Departments only, schools / academies and colleges will also be subject to the new data protection legislation and may wish to apply the approaches set out in this PPN. The PPN includes model selection-stage and award-stage questions that should be used when tendering contracts where the contractor will be processing personal data on your behalf. The mandatory Selection Questionnaire for use in above EU threshold procurements will be amended shortly by CCS to reflect this guidance.

There is helpful information on how to incorporate GDPR requirements into your specifications including example technical security measures that you may want to specify and what to look out for if you are contracting on suppliers terms and conditions (particularly in reference to IT Cloud based services). More information on GDPR and its effect on procurement activity can be found on FELP and we recommend reading the CPC guidance on our approach to GDPR that also provides template documentation that might be useful to you when modifying your existing contracts with suppliers to ensure they are compliant with the new regulations.

If you have any questions please contact Regional Procurement Advisor Jo Frost via email j.frost@thecpc.ac.uk or on 07990 763928.