GDPR and procurement

The introduction of the GDPR has significant implications for procurement practice, writes Jenny Beresford-Jones.

The fact that the GDPR has come into force needs no introduction, given the constant bombardment of all our inboxes with requests to ‘opt in’.

Whilst you may have heard quite enough about the GDPR for now, there are some important implications in the public procurement/public contracts context.

Specifically, we note that the Crown Commercial Service has just updated its original Procurement Policy Note on Changes to Data Protection Legislation and GDPR – the previous PPN (03/17) has been amended and replaced by Action Note PPN 05/18. You should now refer to the updated version only.

The new PPN states that "for any contract amendments yet to be agreed and for new contracts to be let after 25 May, you should use the provisions of the new PPN including the updated standard generic clauses at Annex A". This suggests that there is no need to go back and amend model clauses based on those in the older PPN, where these have already been agreed as part of your GDPR preparation work stream.

The scope of the PPN continues to include Central Government Departments, their Executive Agencies and Non-Departmental Public Bodies, with other public bodies being advised to follow it given that they are also subject to the GDPR and Data Protection Act obligations.

The original PPN included model GDPR clauses for new contracts and guidance on how to make existing contracts compliant. The updated note was issued to provide greater clarity on questions and issues that arose in response to organisations preparing to use those model clauses in practice. For example:

  • The new PPN clarifies the distinction between Controllers and Processors, pointing out that a Processor does not process personal data for its own purposes. A Processor has no interest in the personal data save to the extent it is obliged to process it as a part of its contract with the Controller.
  • There are also updates to the model clauses to try to build in some flexibility to reflect the fact that not every contract that involves the processing of personal data will automatically involve a Controller to Processor arrangement. For example, we have become aware of public bodies seeking to incorporate the model “Controller to Processor” clauses into all their contracts on the basis that they were within scope of the old PPN, even when it was not appropriate to do so because the arrangement was in fact a “Controller to Controller” arrangement.
  • The original PPN noted that you should avoid liability clauses which purported to protect a Processor from any liability for its GDPR breaches (on the grounds that this would be to undermine the purpose of the new legislation). The new PPN amplifies this with drafting suggestions for liability clauses to ensure a Controller is able to recover the full costs of civil data protection claims or regulatory fines issued by the ICO, where the breach was the Processor’s fault.
  • The original PPN acknowledged that in some cases there could be Joint Controllers and explained that there would need to be a transparent agreement between these Controllers as to how the arrangement is to work; the new PPN expands on this with more detail of the features you should include in such an arrangement with a Joint Controller.
  • The new PPN also addresses the question of expired/legacy contracts, where personal data is still being processed (e.g. stored) by a Processor, even though the contract has expired. The PPN reminds us that data being processed like this after today will become subject to the GDPR and this means the Controller must decide whether the data must be retained or deleted. A Processor who has been instructed to delete by the Controller but continues to process will be in breach of the GDPR.
  • The model clauses contain an obligation on the supplier to adopt “protective measures” to protect against data loss. The new PPN has amended this slightly to confirm that the Controller is not obliged to approve the “protective measures” of the Supplier (although it may reject these, acting reasonably). This is to address concerns raised by Controllers that (1) they would not have the resources to check the adequacy of protective measures in each case and (2) any such approval would amount to a ‘blessing’ of a Processor whose protective measures turn out to be insufficient in the event.
  • In terms of procurement procedures, the new PPN contains guidance on additional questions and due diligence for new procurements (including a new standard SQ question) and a suggested model question for the ITT/award stage. The standard SQ will be updated in due course but this hasn’t been done as yet. This means that in the interim period, you will need to add the model clauses/suggestions in the PPN to Selection Questionnaires/ITTs.

There is a fair amount to get to grips with here! If you need more information/guidance about the GDPR generally, please take a look at our GDPR Hub where you can find free-to-access resources and, if needed, contact one of our data protection law specialists for an initial chat about your query.

Jenny Beresford-Jones is a Professional Support Lawyer at Mills & Reeve. She can be contacted on 0161 235 5422. This article first appeared on the firm's Procurement Portal.