GDPR Customer Toolkit Guidance

Guidance for CCS customers on the changes to CCS commercial agreements and the actions customers need to take on call-off contracts to comply with GDPR

Documents

GDPR Customer Toolkit Template

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email info@crowncommercial.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Details

Introduction

The EU General Data Protection Regulation (GDPR) applies from 25 May 2018. It affects all organisations processing personal data and brings new obligations for both data controllers and data processors. General information about GDPR is available on the Information Commissioner’s website.

GDPR includes an important change affecting commercial relationships between controllers and processors: these relationships must be set out in contracts containing specific mandatory terms. These terms must be added to existing contracts involving personal data processing that will still be in place on or after 25 May 2018, and included in all new contracts let on or after that date.

Government has already issued procurement policy guidance on GDPR, setting out what these specific terms are and how they should be used in public sector contracts. This is contained in Procurement Policy Note (PPN) 03/17, published in December 2017.

What is this toolkit for?

This toolkit is aimed at CCS’ customers, i.e. those public bodies currently using CCS Commercial Agreements. It provides an overview of:

  • the work CCS is doing to update its overarching commercial agreements to bring them into line with GDPR, and
  • the actions customers need to take to ensure their call-off contracts are also brought into line with GDPR.

This toolkit talks about controllers and processors. The controller of the personal data is the person or persons that determine(s) the purposes and means of the data processing. The processor is any other person (other than an employee of the controller) who processes the personal data on behalf of the controller.

How is CCS updating existing Commercial Agreements?

We are assessing each of our existing Commercial Agreements in turn to establish the extent to which they involve personal data processing. Each Commercial Agreement is then categorised as ‘high’, ‘medium’ or ‘low’ risk for personal data processing:

  • High Risk – There is complex treatment of personal data, processing of sensitive personal data, or the parties are joint controllers. These commercial agreements will be prioritised.
  • Medium Risk – There is personal data processing, but it does not involve sensitive personal data and the parties are not joint controllers.
  • Low Risk – Minimal or no personal data is involved.

We will then work swiftly and closely with suppliers to issue contract variations (i.e. Change Notices) that add new GDPR-compliant clauses based on the generic standard clause contained in the PPN, starting with those Commercial Agreements considered ‘high risk’ for personal data processing:

  • High Risk – A bespoke version of the GDPR PPN model clauses will be used.
  • Medium Risk – A standard version of the GDPR PPN model clauses will be used.
  • Low Risk – No change will be made to the existing contract clauses.

How will CCS ensure new Commercial Agreements are GDPR compliant?

The templates on which all our new commercial agreements are based have been updated to include GDPR-compliant clauses.

What you need to do - Customer actions required now for ‘live’ call-off contracts

You must check each existing call-off from a CCS commercial agreement that will still be in place on or after 25 May 2018 and that involves processing personal data, to ensure it is compliant with the GDPR.

Step 1 - Review all call-offs made from CCS commercial agreements

Review your contract portfolio to identify, first, which of your contracts are call-offs from CCS Commercial Agreements and, second, which of those call-offs involve personal data processing. When reviewing call-offs for personal data processing you should involve your Data Protection Officer, who can provide technical advice and guidance on data protection and the GDPR.

Step 2 - Establish who is the ‘Controller’ and ‘Processor’

You will need to identify and agree, for each call-off contract, who is processing the personal data (the processor) and who is determining how, when and where the personal data will be processed (the controller). In most of your call-off contracts the controller will be you (the CCS customer) and the processor will be the supplier. If this is not the case, please contact your Commercial Agreement Manager.

Step 3 - Carry out a risk assessment of the call-off contracts

Now that you know which call-off contracts involve personal data processing for which you are the controller, you should establish whether that processing is ‘high’, ‘medium’ or ‘low’ risk. You can do this systematically by using the Schedule Y template below, which requires you to set out the nature and type of processing and any special conditions. You need to ensure the processor agrees with your assessment as part of your discussions with them.

Schedule Y:

Description | Details
--- | ---
Subject matter of the processing | [This should be a high level, short description of what the processing is about, i.e. its subject matter]
Duration of the processing | [Clearly set out the duration of the processing, including dates]
Nature and purposes of the processing | [Please be as specific as possible, but make sure that you cover all intended purposes. The nature of the processing means any operation such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means) etc. The purpose might include: employment processing, statutory obligation, recruitment assessment etc.]
Type of Personal Data | [Examples include: name, address, date of birth, NI number, telephone number, pay, images, biometric data etc.]
Categories of Data Subject | [Examples include: staff (including volunteers, agents and temporary workers), customers/clients, suppliers, patients, students/pupils, members of the public, users of a particular website etc.]
Plan for return and destruction of the data once the processing is complete, UNLESS there is a requirement under Union or Member State law to preserve that type of data | [Describe how long the data will be retained for and how it will be returned or destroyed]

It is possible that CCS may determine a Commercial Agreement to be low risk while you determine a call-off from that same Commercial Agreement to be high risk, e.g. a mobile telephony commercial agreement where little or no personal data is involved at framework level but significantly more personal data is processed as part of the call-off. What is important is that you carry out your own risk assessment of each call-off and act accordingly.

Step 4 - Ensure the terms and conditions governing the call-off match the ‘risk’ assessment for the type of processing

You need to ensure the call-off terms and conditions are suitable for the risk assessment you have made of the personal data processing. There are example clauses for you to adapt at Annex 1, and you should seek legal advice to ensure they fit your specific call-off.

When reviewing your call-off terms and conditions, you may need to consider whether the contract liabilities you have set for the call-off are appropriate. GDPR extends the regulatory penalty regime directly to processors, to drive better performance and enhanced protection for personal data; entirely indemnifying processors against GDPR fines or court claims would undermine that principle. This means that, in principle, controllers should not accept liability clauses under which processors are indemnified against fines or claims under GDPR.

There are a number of commercial considerations to weigh when deciding on appropriate liabilities for each party under GDPR. The maximum regulatory fine that can be levied against a party increases from £500,000 to €20 million (or 4% of annual worldwide turnover, whichever is higher). So if your maximum liability cap is less than €20 million, you could receive a fine from the ICO that exceeds what you could recover from your supplier, even where the breach is the supplier’s fault.

GDPR will also increase the risk of damages being awarded against you if data subjects claim successfully that you have failed to protect their personal data.

You should continue with your current cap on liability if you think it is sufficient. However, if on review the cap is not sufficient and this affects the risk profile of the call-off contract, it could be addressed in one of the following ways:

  • Excluding data protection breaches from the cap on liability and either:
    • introducing a separate cap on liability for data protection breaches, or
    • introducing a separate €20 million cap on liability for regulatory fines arising out of a data protection breach.
  • Increasing the ‘general liability’ cap so that it can cover the highest fines.

Remember you only need to adapt the clause and include it in your Change Notice if the processing is high or medium risk.

Step 5 - Discussions with suppliers (processors)

Suppliers are under a duty to comply with the law, and the GDPR (Article 28) specifically sets out what must be included in contracts with processors in order to comply with the regulation. For ease, this is also set out in PPN 03/17.

The GDPR requires organisations processing personal data to have appropriate technical and organisational measures in place to protect it, and you should obtain relevant assurances from processors that this is the case. This should form a key part of your discussions with suppliers.

Your supplier should also agree with you on the details of the nature and type of processing and any special conditions (as set out in Schedule Y). This is key to getting swift agreement to the contract Change Notice.

CCS terms and conditions contain a clause that requires the Supplier to accept a change of law at no additional cost, together with a right for the customer to suspend or terminate if the Supplier does not agree to this.

Step 6 - Finalise Contract Change Notices for call-offs with High and Medium Risk personal data processing and issue them

For each call-off involving high or medium risk processing, take:

  • your completed Schedule Y;
  • your adapted GDPR clause; and
  • the template covering letter,

and issue these to your supplier. You should do this in time for the change to take effect by 25 May 2018.

Further Assistance

If you need further information about anything in this update, please do not hesitate to contact us by email at info@crowncommercial.gov.uk or call our customer service team on 0345 410 222.

Published 13 April 2018