The Crown Commercial Service has published a procurement policy note (PPN 03/17) to explain how government departments (including executive agencies and NDPBs) should bring existing and future commercial arrangements into line with new data protection laws.
Government contracts which relate to the processing of personal data are subject to data protection legislation. Data protection law will change significantly on 25 May 2018 when the EU General Data Protection Regulation (GDPR) comes into force. The procurement policy note (the "Note") requires government buyers to take immediate action with current suppliers and to ensure that future procurement contracts comply with GDPR.
Who is affected?
The Note sets out the requirements for all central government departments, their executive agencies and NDPBs, referred to as government buyers. Those government buyers must take steps to identify and amend contracts they are currently managing which involve the handling or processing of personal data and to put in place steps to ensure that future procurements take account of GDPR requirements. In addition, any private businesses which have current public contracts, or are bidding for future contracts, need to ensure they are ready to comply with GDPR and for contract amendments associated with it.
What are the changes to data protection and how do they affect procurement?
GDPR will come into force on 25 May 2018, and the anticipated Data Protection Act (DPA) (subject to Parliamentary approval) will take effect shortly before that. Visit our GDPR hub for more information on the new regulation.
GDPR provides a greater degree of protection for individuals’ personal data and imposes stricter obligations on organisations that process such data. New GDPR obligations include requirements to provide additional information to individuals about how their data will be used and additional rights for individuals to have their data rectified, erased or accessed. The DPA implements parts of GDPR so that they still have effect after Brexit.
The data protection legislation applies to data "controllers" and "processors". The data controller determines how and why personal data is processed and the data processor processes data on the controller’s behalf.
In most procurement contracts the controller will be the government body and the processor will be the supplier.
There are significant risks of non-compliance with the GDPR. There is the potential for large fines of 4% of global annual turnover (for undertakings) or €20m (whichever is higher). Importantly for future bidders, processors can face direct legal liability for compliance and fines by the Information Commissioner's Office. Currently, only controllers can be liable for breaches of data protection law.
What steps need to be taken?
Government bodies will need to review and conduct due diligence on existing and future contracts under which personal data is processed. Once identified, those contracts should be updated to reflect the new requirements of the GDPR. Many of those contracts will need to be amended (in most cases likely through the contract change processes already in the contracts) to ensure suppliers will implement the appropriate technical and organisational changes to comply with GDPR. The public body will need to set out in existing contracts details of the nature, scope and duration of the data processing and impose specific obligations on the data processor, including:
- an obligation to formalise working relationships where processing of personal data is to be carried out by a third party;
- a requirement to create and maintain processing records;
- an obligation to use only processors who provide sufficient guarantees to implement appropriate technical and organisational measures.
In many cases government bodies will send a letter to suppliers explaining what changes to contractual arrangements they intend to make. Standard clauses are proposed in the Note for inclusion in relevant contracts. Current suppliers and future bidders may also have to provide guarantees of their ability to comply with GDPR. Suppliers may want to prepare their response to explain how they are intending to comply with GDPR or steps they have already taken to do so.
GDPR requires the roles and responsibilities of the controller and processor to be clearly set out and in accordance with the data protection legislation. To do this, the Note includes a service delivery schedule to be included in contracts and tailored to their requirements. The schedule sets out, amongst other things, the subject matter, duration and purpose of the data processing.
In relation to future contracts, procurement processes will require compliance with GDPR and a Data Protection Impact Assessment may need to be created by the buyer.
If you would like any further information or specific advice, please contact Ian Tucker or your usual Burges Salmon lawyer.