The Crown Commercial Service ("CCS") has published a Procurement Policy Note ("PPN") in relation to the new data protection legislation that will be implemented shortly. The impact of the legislation and the PPN is that your contracts may need to be varied. Although the PPN applies to Central Government Departments, their Executive Agencies and Non Departmental Public Bodies, the new data protection legislation will apply to the wider public sector and therefore other public bodies may wish to apply the principles of the PPN, particularly the suggested draft clauses.

The General Data Protection Regulation (GDPR) is due to come into force on 25 May 2018 and will build on the existing data protection regime. The UK's Data Protection Bill is also in the process of being finalised and, among other things, will implement the EU Law Enforcement Directive, which applies in relation to the processing of personal data for law enforcement purposes.

All public sector buyers managing or procuring contracts that involve the processing of personal data and will be in force after 25 May 2018 (or 6 May 2018 if the contracts are in place for law enforcement purposes) will need to take action to ensure that the contracts are compliant with the new data protection legislation. We have highlighted some key points of the PPN in this briefing.

What do we need to know?

The PPN highlights the fact that the GDPR now strikes a more even balance between 'data processors' and 'data controllers' - a data controller determines how and why personal data is processed and a data processor acts on the data controller's instructions. Currently, direct obligations are placed only on data controllers. Under the GDPR, a data processor will face direct legal obligations and can now be fined by the Information Commissioner's Office (ICO) for non-compliance. In addition, data processors can now face claims for compensation if they fail to comply with their obligations. This redress of balance is particularly helpful for public sector organisations, which are likely to be acting as a data controller in a significant proportion of contracts.

The GDPR also sets out a number of requirements in terms of the content of contracts governing the processing of personal data. Data processing contracts must now include certain information, such as the nature and purpose of the processing.

What do we need to do?

The PPN requires organisations to act immediately to ensure compliance. All contracts involving the processing of personal data will need to be varied to ensure they are compliant with the new data protection legislation. Individuals managing contracts should therefore carry out an audit to identify existing contracts involving the processing of personal data that will be in place after 25 May 2018.

The PPN helpfully includes some generic clauses that can be incorporated into contracts that will be in force after 25 May 2018. There is also a draft letter for organisations to send to suppliers in order to notify them of changes they intend to make to relevant contracts. We suggest that you take the above action as soon as possible to allow enough time to make suitable variations to contracts ahead of the implementation deadline.

In relation to contracts that are yet to be procured, organisations will need to ensure that they carry out appropriate due diligence on new suppliers within the tender documents and that the contract terms reflect the clauses set out in the PPN. The PPN also makes it clear that where contracts are formed on the basis of a supplier's terms and conditions, organisations should check they are sufficient and supplement them where necessary.

The PPN makes it clear that any organisation required to comply with the GDPR may incur costs in doing so, and so suppliers are therefore expected to manage their own costs in relation to compliance. Public sector buyers should not routinely accept contract price increases from suppliers as a result of any changes required. Also, organisations should not indemnify data processors for any GDPR fines or court claims. This is because the legal penalty regime has been extended directly to data processors and agreeing such an indemnity would undermine the principles of the GDPR.


The deadline for implementation is fast approaching but there is still time to ensure compliance. If you need any assistance with varying contracts, procuring new contracts or if you have any general queries in relation to the new data protection legislation, please contact either Mary Mundy or Sophie Devlin.