Crown Commercial Service

UPDATED: New data protection legislation is coming – how to ensure data processing contracts comply with the law

The EU General Data Protection Regulations (GDPR) and Data Protection Act 2018 will come into force on 25 May, the aim of which is to protect all EU citizens from privacy and data breaches by putting stricter obligations on those who process personal data. The new regulations apply to all organisations operating in the EU that control and process personal data, both public and private, as well as those operating outside the EU that offer services to individuals in the EU.

What is GDPR?

The GDPR applies to data processing, which includes collecting, keeping, using, passing on and deleting personal data. It requires that individuals be given more information about how their personal data will be used through ‘enhanced privacy notices’, and gives individuals stronger rights to have their personal data updated, deleted or shared with them if they request it. Importantly, the systems used by organisations must be able to honour these rights, and organisations will need to keep a record of all personal data processing activities, and ensure that their contracts with suppliers contain specific clauses governing data processing by third parties.  

What action should I take on contracts to ensure they are compliant?

GDPR will apply to new contracts let on or after 25 May and also to existing contracts put in place before May 2018 that continue after 25 May, that involve data processing.

The new regulations state that any processing of personal data by a ‘processor’ (e.g. a supplier which processes personal data on behalf of a customer) must be governed by a contract. This contract must include certain terms as specified in the regulation itself.  

We have recently published a Procurement Policy Note (PPN) to inform you of your responsibilities – read the advice in the PPN here.

The PPN contains guidance on how to bring your existing and new contracts into line with these new requirements and provides a standard generic clause that can be inserted into contracts.

Please note the PPN was updated on 17 January to correct an error in clause 1.13.

The main actions to take include:

  • writing to your suppliers to notify them of the changes you intend to make to relevant contracts to make them compliant with the new data protection regulations
  • conducting due diligence on existing contracts to ensure suppliers can implement the appropriate technical and organisational measures to comply with GDPR
  • updating your contract specification and service delivery schedules to set out clearly the roles and responsibilities of the controller and the processor and any sub-processors
  • updating relevant contract terms and conditions, using the standard generic clauses provided in Annex A of PPN 03/17.

What about CCS commercial agreements – will they be updated too?

We are working hard to ensure all relevant existing and new commercial agreements are updated in line with the new regulations, that suppliers are well informed of our plans, and that customers will be able to access GDPR compliant deals as soon as possible.  

The role of the Information Commissioner’s Office (ICO)

There is a risk the ICO will issue fines to organisations found not to be compliant with GDPR. Commercial teams should work closely with their data protection leads in their organisations to ensure a seamless transition to GDPR compliant data processing.

Got a question? Please get in touch.