A guide for Crown Commercial Service suppliers on the actions they need to take regarding GDPR.
The EU General Data Protection Regulations (GDPR) will come into force on 25 May. If you are a supplier on a Crown Commercial Service (CCS) commercial agreement it is your responsibility to make sure you understand how GDPR applies to you and what action you need to take.
GDPR applies to data processing, which includes collecting, keeping, using, passing on and deleting personal data. It applies to all organisations irrespective of size, including charities.
Failure to comply with the regulations after 25 May can result in significant fines and criminal prosecution.
Action to take now
If you are unfamiliar with GDPR you should consult the relevant pages on the UK Information Commissioner’s website.
If you are unsure whether it applies to the contracts you hold, you must check and obtain reliable advice from a data protection specialist or legal advisor.
You should make contact with your public sector buyer(s) with whom you have call-off contract(s). You may already have received a letter from a customer similar to the example included in Procurement Policy Note 03/17. Do not ignore it as it will contain essential information relating to that customer’s plans to ensure any data processing activity to be delivered under the contract is compliant with GDPR.
What is CCS doing to be ready by 25 May?
We are reviewing and changing CCS commercial agreements
CCS, like other public bodies, has started to implement Procurement Policy Note (PPN) 03/17, which was published in December 2017 setting out how public sector buyers should update their contracts, and included GDPR-compliant generic standard clauses to replace existing data protection clauses. The PPN points to a new Schedule which will be used to set out the type of personal data to be processed under contracts.
We are assessing each of our existing commercial agreements in turn, to establish the extent to which they include personal data processing, with each commercial agreement then categorised as ‘high’, ‘medium’, or ‘low’ risk for personal data processing.
We will then be working closely with suppliers to ensure contract variations (i.e. ‘Change Notices’) to include the new clauses are made swiftly, starting first with those commercial agreements considered ‘high-risk’ for personal data processing.
For all new commercial agreements, the GDPR clause will be included.
We are reminding and supporting customers to change call-off contracts made under CCS commercial agreements.
Similar to the work CCS is undertaking at commercial agreement level, once a call-off contract has been identified by a customer as requiring GDPR related clauses, a Change Notice must be issued to the supplier by the customer.
As a part of this Change Notice, there will be a new Schedule included which will set out the type of personal data to be processed under the contract. This Schedule will be agreed between you and your customer.
Customers using CCS commercial agreements are responsible for issuing this Change Notice to you to make the necessary amendments to any of their call-off contracts, and may already be in touch with you with if the call-off involves personal data processing.
We are advising buyers to check their liabilities and indemnities
It is important for you to note that public bodies set their own policies on the issues of liabilities and indemnities, but that the PPN advises them not to accept adapted liability clauses where suppliers (acting as processors) are indemnified against fines or claims under GDPR.
- GDPR comes into force on 25 May 2018
- all relevant contracts must be amended to reflect GDPR by that date
- contact your CCS commercial agreement customer - don’t wait or delay!
- if you have any concerns with a call-off in relation to GDPR that is not being addressed by your customer, please get in touch - call us on 0345 410 2222.
Is there training available?
A number of law firms are offering free training events and free briefing materials which can be downloaded.