The Crown Commercial Service (CCS) has published a procurement policy note (PPN) on the impact on procurement of changes to data protection legislation and the General Data Protection Regulation (GDPR).
The PPN says: “New data protection legislation is due to come into force during 2018, which aims to protect the privacy of all EU citizens and prevent data breaches. It will apply to any public or private organisation processing personal data.
“Established key principles of data privacy remain relevant in the new Data Protection Legislation but there are also a number of changes that will affect commercial arrangements, both new and existing, with suppliers.”
The CCS said in-scope organisations must begin to apply the provisions of the PPN immediately, ensuring any contract amendments take effect from 25 May 2018 and new provisions are applied to all new relevant contracts awarded on or after 25 May 2018.
The note covers actions to be taken by in-scope organisations, key considerations and important background information.
The key considerations cover:
- Controllers and processors: definitions; who the controller is in public sector contracts.
- Cost of compliance: including that in-scope organisations should not routinely accept contract price increases from suppliers as a result of work associated with compliance with the GDPR and the Data Protection Act 2018. Suppliers will be expected to manage their own costs in relation to compliance.
- Risks of non-compliance.
- Contract liabilities: the note says in-scope organisations should not accept liability clauses where processors are indemnified against fines or claims under GDPR. “The legal penalty regime has been extended directly to processors to ensure better performance and enhanced protection for personal data, therefore indemnifying processors for any GDPR fines or court claims undermines these principles.”
- Joint controllers.
- Data processing outside the UK.
A copy of the PPN can be viewed here.