The Crown Commercial Service (“CCS”) has this week published a Procurement Policy Note (“PPN”) explaining how upcoming changes under the General Data Protection Regulation (“GDPR”) and the proposed Data Protection Act 2018 (“DPA 2018”) affect contracts for goods and services entered into by public bodies.
The message for public bodies is to apply these recommendations immediately, so as to ensure that amendments to their contracts take effect and new contract provisions are applied from 25 May 2018. For law enforcement processing contracts, the amendments will take effect from 6 May 2018, when the UK translates Directive (EU) 2016/680 (the Law Enforcement Directive) into national law.
The PPN notes some changes brought by the new data protection legislation:
- The GDPR applies to both controllers and processors. In most public sector contracts, the controller will be the public body letting the contract or calling-off from a Framework Agreement and the supplier will be a processor. It is however important to check who determines the purposes and means of processing personal data before public bodies establish themselves as controller.
- Suppliers will be expected to manage their own costs in relation to compliance with the GDPR. Public bodies are advised not to routinely accept contract price increases from suppliers as a result of work associated with compliance with new data protection legislation.
- There is considerable risk of non-compliance: controllers and processors can face fines or an enforcement order issued by the ICO, with the maximum fine being 4% of global annual turnover or EUR 20 million.
- Public bodies should not accept liability clauses where processors are indemnified against fines or claims under GDPR. The logic here is that the enforcement regime under GDPR now extends directly to processors. Indemnifying processors for any GDPR fines or third party claims undermines the GDPR principles.
- Joint controllers (a more common arrangement in the public sector than the private) need to have a transparent arrangement which reflects their respective roles and relationships vis-à-vis data subjects.
Remediation of Existing Contracts
For existing contracts involving the processing of personal data which will be in place after 25 May 2018, the PPN recommends:
- Notifying suppliers of intended changes;
- Conducting due diligence on existing contracts to ensure suppliers can implement appropriate technical and organisational measures (“TOMs”) compliant with GDPR (including in relation to data security and breach reporting, and compliance with data subject rights);
- Updating the contract, if necessary, to set out the responsibilities of the controller, processor and sub-processor, including by updating the specification and service delivery provisions;
- Including at least the minimum contractual terms mandated by Article 28 of the GDPR; and
- Ensuring suppliers on Framework Agreements are aware that customers may refine their individual call-offs to assure themselves of compliance with the new data protection legislation.
Procurement post-May 2018
For contracts awarded on or after 25 May 2018, the PPN recommends:
- Ensuring potential suppliers are aware of their obligations under the new legislation at the pre-procurement stage;
- Conducting a Data Protection Impact Assessment at as early a stage as possible in the procurement process, where the proposed project involves a high risk to data subjects;
- Undertaking sufficient information security due diligence of new suppliers to ensure they are able to implement appropriate TOMs;
- Ensuring that the roles and responsibilities of the controller and processor are clearly set out throughout the contract delivery, including in the specification;
- Ensuring all relevant procurement documents make reference to the new law coming into force and that terms and conditions reflect the minimum GDPR requirements under Article 28;
- Building sufficient checks into contract management activities to ensure suppliers are meeting their obligations, and that remedial action can be taken where obligations are not met;
- Checking that, when contracts are formed on the basis of a supplier’s terms and conditions (such as when using the CCS G-Cloud framework), the supplier’s terms do not prevail. This should be set out in the Framework documentation, but public bodies should check that they are satisfied this is sufficient and supplement it where necessary.
The need to remediate a raft of supplier contracts is a logistical challenge shared by the public and private sectors. However, contracting in the public sector is frequently an especially complex business, with framework arrangements, multi-participant contracts and lengthy procurement processes, all of which can be naturally resistant to agile change. Consequently, this guidance from the CCS, which underlines the importance of a task many public bodies are already well aware of, is a timely impetus for those organisations which are still behind the curve when it comes to their GDPR contract remediation programmes.