What will General Data Protection Regulation (GDPR) mean to our suppliers?
New data protection legislation is due to come into force during May 2018, which aims to protect the privacy of all EU citizens and prevent data breaches. It will apply to any public or private organisation processing personal data.
Established key principles of data privacy will remain relevant in the new Data Protection Legislation, but there are also a number of changes that will affect commercial arrangements with suppliers, both new and existing. The new General Data Protection Regulation specifies that any processing of personal data by a Processor should be governed by a contract with certain provisions included.
We have identified a number of existing contracts that involve processing personal data, will be in place after 25th May 2018, and require updating to bring them into line with the new regulations. This will involve updating contract terms relating to Data Protection and ensuring specifications and service delivery schedules reflect the roles and responsibilities between the Data Controller and the Data Processor as required by the new regulations.
In addition, we will be updating our procurement documentation to reflect the new regulations for contracts to be awarded on or after 25th May 2018.
Any organisation required to comply with the new Data Protection Legislation may incur costs in doing so, especially where new systems or processes are required. However, these costs are attributable to conducting business in the EU, and not to supplying the UK public sector. We expect all suppliers to manage their own costs in relation to compliance.
As the Data Controller, the Council will not accept liability clauses where the supplier is indemnified against fines under GDPR as the Data Processor. The legal penalty regime has been extended directly to Data Processors to ensure better performance and enhanced protection for personal data. That means indemnifying Data Processors for any GDPR fines or court claims undermines these principles.
Please note: If the Council holds a contract with your organisation that involves processing personal data, our Procurement and/or Contract Team will be contacting you in the coming weeks to start work on varying the terms of any existing contracts.
Further information and guidance
If you would like to know more about the upcoming changes, the Information Commissioner’s Office is a useful source of information on the new regulations.