Skip to content

Procurement in a Nutshell – Changes to Data Protection Legislation & General Data Protection Regulation

On 25 May 2018 the General Data Protection Regulation (GDPR) will enter into force representing the biggest change to data protection legislation in recent years. GDPR will affect both public and private organisations that process personal data. Consequently, this will be of specific relevance to organisations entering into public procurements.

Similarly, the Data Protection Act 2018 (DPA) is expected to come into effect on 6 May 2018. Again this will have major ramifications for both Contracting Authorities and tenderers, and it is vital that such organisations take preparatory measures.

Procurement Policy Note 03/17 – Changes to Data Protection Legislation & General Data Protection Regulation

In preparation for the changes, the Crown Commercial Service has published a Procurement Policy Note not only examining the changes but also seeking to advise affected organisations of action they should take.

The Note sets out key considerations which should be taken into account by central Government organisations involved in procurement exercises. However, the points are also relevant to, and should be taken into account by, other public sector bodies.


The Note stresses that prior to the implementation of the changes; organisations must take preparatory steps to identify how the changes will affect them.

The best way for organisations to do this is to carry out a data protection / GDPR compliance audit in order to establish what personal data is held, where it is stored and how it is used.

Furthermore, the Note explains that all public sector organisations must:

  • Appoint a data protection officer responsible for monitoring compliance with the GDPR, providing information and advice, and liaising with the supervisory authority;
  • Write to all suppliers notifying them of changes intended to be made to relevant contracts to bring them in line with new data protection regulations; and
  • Conduct due diligence on existing contracts to ensure suppliers can implement appropriate measures to ensure GDPR compliance.

Costs of GDPR Breaches

We set out a brief summary of the potential penalties for failure to comply with GDPR below:

  • The most significant breaches attract fines of the greater of €20,000,000 or 4% of global turnover; and
  • Lesser breaches attract fines of the greater of €10,000,000 or 2% of global turnover.

Consequently, the increased levels of fines make it more important than ever to ensure compliance with data protection requirements. Both Data Processers and Data Controllers are subject to oversight from the Information Commissioner’s Office, and both face potential sanctions should they breach the Regulations.

As such, it is vital that organisations take the necessary actions to ensure that they achieve compliance.

Contractual issues

As regards entering into contracts, the Note emphasises that:

“In-Scope Organisations should not accept liability clauses where Processors are indemnified against fines or claims under GDPR. The legal penalty regime has been extended directly to Processors to ensure better performance and enhanced protection for personal data, therefore entirely indemnifying processors for any GDPR fines or court claims undermines these principles.”

Accordingly, this advice should also be taken into account when entering into / drafting contracts. Under the regulations, Data Processors are unable to limit their liability for claims made under the GDPR and contracting parties should look to ensure that they do not attempt to do so.

Similarly, all organisations must ensure that prior to 25 May, any existing contracts which involve the processing of personal data are amended so that they contain the specific “mandatory processor” clauses. These include contracts providing that:

  • “The processor may only process personal data in accordance with written instructions unless they are required to do so by law” and
  • “The processor must obtain a commitment of confidentiality from anyone it allows to process the personal data, unless they are already under such a duty by law.”

It is essential that these requirements are satisfied prior to the 25 May and if you require any assistance in achieving this, please feel free to contact Ward Hadaway’s expert Data Protection and GDPR team.

Why is this important?

Given the short timeframe before the legislative changes are set to take place, it is vital that public sector organisations endeavour to achieve compliance. The majority of public contracts include some form of personal data and consequently the ramifications of the changes will be substantial.

This nutshell is only intended to be a very brief piece outlining the importance and significance of the upcoming changes. However, if you have any queries relating to any of the issues raised or you are unsure as to whether you are complying with the GDPR please contact our Data Protection and GDPR team. Similarly, if you have any other general procurement issues, please contact us via our procurement hotline on 0191 204 4464.

Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.

This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.

Follow us on LinkedIn

Keep up to date with all the latest updates and insights from our expert team

Take me there

What we're thinking