A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 19 April 2018
The Crown Commercial Service ("CCS") has issued a guide to CCS suppliers about the actions they need to take in light of the implementation of the General Data Protection Regulation ("GDPR") on 25 May 2018 ("the Guide"). The GDPR now strikes a more even balance between 'data processors' and 'data controllers' - a data controller determines how and why personal data is processed and a data processor acts on the data controller's instructions. Currently, direct obligations are placed only on data controllers. However, under the GDPR a data processor will now face direct legal obligations and can be fined by the Information Commissioner's Office (ICO) for non-compliance. In addition, data processors can now face claims for compensation if they fail to comply with their obligations. In practice, this means that changes will need to be made to existing supplier contracts.
The purpose of the Guide to is to highlight the action that suppliers must take and explain what the CCS is doing to ensure compliance with the GDPR. The Guide explains that CCS is implementing its previous Procurement Policy Note 03/17 ("the PPN"), which required certain public bodies to amend their existing contracts, and included some suggested template clauses. CCS is working closely with suppliers to ensure contact is made swiftly and will start with those commercial agreements considered high risk for personal data processing. All new contracts will be GDPR compliant.
The Guide makes it clear that suppliers should familiarise themselves with the GDPR, consider whether existing contracts are caught by the GDPR (and take legal advice if necessary), and make contact with their contracting authority in order to ensure the agreements are amended. Suppliers are reminded that the PPN issued by CCS advised public bodies not to indemnify suppliers for breaches of the GDPR and so suppliers should be prepared to receive push back from public authorities if they are seeking indemnities.
It's not long to go until the GDPR is in force – you should not delay checking your existing contract and implementing the required changes where necessary. If you are a CCS supplier, you may have already been contacted by your contracting authority in order to make changes to your existing contract. If not, you should make contact as soon as possible to help ensure that contracts can be updated before 25 May 2018.
DAC Beachcroft will be running some free training sessions on the impact of the GDPR. If you are interested in attending one of these sessions or would like to speak to someone about GDPR further, please contact us.
+44 (0)113 251 4727
+44(0)191 404 4192
Vanessa Taylor-Byrne, Jenny Eacott
Louise Watson-Jones, Dr Alexandra von Westernhagen
Jonathan Deverill, Rishi Solan
Corinne Slingo, Hamza Drabu
Hamza Drabu, Sarah Woods
Mary Mundy, Sophie Devlin
Corinne Slingo, Anne Crofts, Heather Durston-Hillyer
Hamza Drabu, Anne Crofts
Hamza Drabu, Charlotte Burnett, Alistair Robertson
Hilary Larter, Zoe Thomas, Udara Ranasinghe
Charlotte Burnett, Hamza Drabu, Louise Watson-Jones, Mary Mundy