Crown Commercial Service

How CCS is getting ready for GDPR – and what you need to do

The General Data Protection Regulation (GDPR) applies from 25 May 2018. This is also the date on which the current Data Protection Act 1998 will be replaced by a new Data Protection Act 2018, and there are actions we all need to take before then.

We recently provided a useful guide to what this means for public sector buyers in our Procurement Policy Note (PPN 03/17), and we want to tell you more about what we are doing at CCS and what you will need to do.

We are reviewing CCS frameworks and contracts

The PPN includes standard clauses that can be used as the basis for replacing your existing data protection clauses, so that your contracts comply with the GDPR and the new Data Protection Act. These clauses point to a new Schedule in which you must specify what type of personal data can be processed under the contract. This Schedule must be completed for each framework and for each call-off contract.

We will be re-issuing our template contracts so that all new frameworks are updated to include these clauses.

We will also be making a change to our live frameworks and contracts, including the template call-off contracts that our customers use to obtain goods and services.

What about my ongoing call-off contracts?

You will be responsible for issuing a change notice to incorporate these changes into any of your call-off contracts under which personal data will be processed on or after 25 May 2018.

We will shortly provide a toolkit (including template change notices) to help you do this for each CCS framework you use; however, there is nothing stopping you from making the changes now if you prefer.

You can make changes to the suggested wording provided in the PPN to tailor the clause to your organisation or procurement needs, but we encourage you to consult your data protection officer and consider taking legal advice before doing so.

Which CCS frameworks and contracts are being updated?

We have taken a risk-based approach to prioritising the introduction of the GDPR clauses into our frameworks and contracts:

  1. Low risk – where minimal or no personal data is involved, no change will be made to include the new GDPR-compliant clauses.
  2. Medium risk – where the contracts involve a more significant amount of personal data, we will implement the GDPR PPN model clauses as standard.
  3. High risk – a bespoke version of the GDPR PPN model clauses will be provided where there is complex processing of personal data, processing of sensitive personal data (special category data under the GDPR), or where the supplier acts as a data controller.

We have completed this risk assessment for CCS frameworks, and the call-off contract templates are now being finalised.

We will then distribute change notices to suppliers to effect these changes to their frameworks and contracts.

You do not need to follow this risk-based approach for your own contracts; it describes how CCS has prioritised its own frameworks.

Do suppliers have to accept the change?

Yes. Suppliers are under a duty to comply with the law, and the GDPR (Article 28) requires that any processing of personal data by a processor on a controller's behalf is governed by a written contract containing these provisions.

Most public sector commercial contracts include a clause that requires the supplier to accept a change at no additional cost when there is a change of law.

What are the key dates?

The GDPR applies from 25 May 2018. Your contract clauses must be changed before this date.

We are aiming to ensure that all framework changes are signed by the end of March 2018. We will confirm to you when this has been done.

You will then have until 25 May to apply the changes to your call-off contracts.

What can you be doing now?

You do not need to wait for the toolkit. You can start by identifying which of your contracts are likely to be affected.

You can start a dialogue with each supplier's data protection officer and work with them to complete the Schedule to the PPN model clauses, so that you understand what kind of personal data processing occurs under each agreement and can act accordingly. A letter template is included in PPN 03/17 to help you start these discussions with your suppliers.

Any commercial work, including adoption of the standard terms and conditions set out in the PPN, should be carried out in line with any GDPR projects taking place in your organisation and following the advice of your data protection officer or equivalent.

What about changes to liabilities and indemnities?

You are responsible for setting your own policy on these issues. There are a number of commercial considerations, and key to any decision is that the maximum regulatory fine that can be levied against a party has increased from £500,000 under the Data Protection Act 1998 to €20 million under the GDPR (or 4% of worldwide annual turnover, whichever is higher). This means that if your maximum liability cap is less than €20 million, you could receive a fine from the Information Commissioner's Office (ICO) in excess of what you could recover from your supplier, even where the breach was the supplier's fault.

In addition to increased exposure to regulatory fines, the GDPR also broadens the range of situations in which damages may be awarded against you, where data subjects successfully claim that you have failed to protect their personal data.

In response to this change in risk profile you could consider:

  1. Excluding data protection breaches from the cap on liability
  2. Increasing the general cap to make sure that it covers higher fines
  3. Having a separate cap on liability for data protection breach
  4. Having a separate €20 million cap on liability for regulatory fines arising out of data protection breach
  5. Maintaining your current cap on liability if you think it is sufficient

Note that suppliers may treat options 1 to 3 as outside the scope of a general change-of-law provision, meaning they could reject the change or seek to alter the charges before agreeing to it. As a result, options 1 to 3 may only be available for new contracts.

Where can I get more information?

The Information Commissioner’s Office (ICO) website.

Is there training available?

A number of law firms offer free training events. Your organisation’s lawyers may also be able to provide some training on this area of law.

Training is also available via our General Legal Advice Services framework.

Who can give me further advice on this?

Every organisation is responsible for ensuring that it is compliant with the GDPR. You should first contact your data protection officer for assistance. They may then direct you to your legal team if needed.

If you’d like more information on the work CCS is doing to get ready for GDPR please get in touch or call us on 0345 410 2222.
