The Crown Commercial Service ("CCS") has issued a guide to CCS suppliers about the actions they need to take in light of the implementation of the General Data Protection Regulation ("GDPR") on 25 May 2018 ("the Guide"). The GDPR now strikes a more even balance between 'data processors' and 'data controllers' - a data controller determines how and why personal data is processed and a data processor acts on the data controller's instructions. Currently, direct obligations are placed only on data controllers. However, under the GDPR a data processor will now face direct legal obligations and can be fined by the Information Commissioner's Office (ICO) for non-compliance. In addition, data processors can now face claims for compensation if they fail to comply with their obligations. In practice, this means that changes will need to be made to existing supplier contracts.
The purpose of the Guide to is to highlight the action that suppliers must take and explain what the CCS is doing to ensure compliance with the GDPR. The Guide explains that CCS is implementing its previous Procurement Policy Note 03/17 ("the PPN"), which required certain public bodies to amend their existing contracts, and included some suggested template clauses. CCS is working closely with suppliers to ensure contact is made swiftly and will start with those commercial agreements considered high risk for personal data processing. All new contracts will be GDPR compliant.
The Guide makes it clear that suppliers should familiarise themselves with the GDPR, consider whether existing contracts are caught by the GDPR (and take legal advice if necessary), and make contact with their contracting authority in order to ensure the agreements are amended. Suppliers are reminded that the PPN issued by CCS advised public bodies not to indemnify suppliers for breaches of the GDPR and so suppliers should be prepared to receive push back from public authorities if they are seeking indemnities.
It's not long to go until the GDPR is in force – you should not delay checking your existing contract and implementing the required changes where necessary. If you are a CCS supplier, you may have already been contacted by your contracting authority in order to make changes to your existing contract. If not, you should make contact as soon as possible to help ensure that contracts can be updated before 25 May 2018.