Procuring GDPR Compliance

Only the most selective readers working in the legal sector (and no readers of this blog) can have failed to hear something about the impending changes to data protection law, the most significant in 20 years. From 25 May 2018, the new General Data Protection Regulation (“GDPR”) will take effect across the EU. The equivalent directive applicable to data protection in the law enforcement context will take effect on 6 May. Both are to be implemented and given effect in domestic law by the Data Protection Act 2018, which is currently making its way through Parliament and will replace the Data Protection Act 1998.

There will be few contracts for the provision of procured services which will not involve the supplier engaging in some processing of personal data, be that of end-user customers or of employees of the procuring public body. All public contracts ought to contain some treatment of data protection issues, which outline the allocation of responsibilities between the parties and the standards required of the supplier.

The forthcoming changes under the GDPR are evolutionary rather than revolutionary. The core concepts and applicable principles remain much the same, but the protections for data subjects, and the duties on data controllers and data processors, are increased in various important respects. This has implications for the drafting of existing and future public contracts. Reflecting those implications is the purpose of the Crown Commercial Service’s ‘Procurement Policy Note – Changes to Data Protection Legislation & General Data Protection Regulation’ (PPN 03/17, December 2017).

The PPN will be of real practical use to public bodies. Aside from highlighting some of the most significant issues, it provides in Annex A some generic standard GDPR clauses for consideration and adaptation which helpfully guide the parties towards the required specificity of detail. In Annex B, it provides a pithy summary of its guidance, and in Annex C it provides a draft letter to suppliers explaining why existing contracts need varying to address the requirements of the GDPR.

Although good practice has long required contracting parties to detail what personal data is to be processed, how, and the nature of the organisational and technical measures taken to protect that data, one of the most significant changes in the GDPR is to require specific contractual provisions. The PPN suggests that in the majority of public contracts the supplier will be a data processor. This may be over-optimistic; certainly it will depend very closely upon the nature of the performed services, and how the parties define their status in contract is not determinative. In many cases, the supplier will have sufficient autonomy over the use of personal data to be rendered a data controller themselves, possibly as a joint controller with the public body.

Under the GDPR, in a contract between a data controller and a data processor, Article 28(3) details a series of required terms. If a subcontractor is engaged by the processor, equivalent terms must be included in that contract (Article 28(4)), and the written authorisation of the controller obtained (Article 28(2)).

If the situation is one of joint controllers, Article 26(1) requires that a transparent arrangement be reached which sets out respective responsibilities for compliance. This need not be a contract per se, but in the procurement context it is hard to see how it could not be. A word of warning, though, which the PPN does not mention: the “essence” of that arrangement must be available to the data subject (Article 26(2)). Blanket confidentiality clauses in this respect will not be sustainable.

A critical change of real practical import is that contained in Article 30 GDPR, which imposes on both the controller and the processor a fairly onerous record-keeping obligation. This too is something which public contracts will need to make provision for.

Another of the significant changes implemented by the GDPR is to impose liability for breaches on the data processor as well as the controller, both in respect of regulatory action and as a defendant to a legal claim brought by a data subject. This re-balancing of risk has led data processors to seek to vary existing contracts and alter the fee structures to reflect their loss of protection. The PPN gives very firm advice to public bodies to have no truck with such attempts in the procurement context. It instructs contractors not to accept liability indemnification clauses, on the basis that this would undermine the intention of the GDPR’s enforcement regime and improvement in standards. Use of the supplier’s terms and conditions must not be accepted without careful consideration to ensure that the new legal standards are met.

The increase in obligations on controllers and processors unsurprisingly leads the PPN to advise public bodies to use existing contractual variation tools to amend their contracts to ensure that they remain compliant with the law after 25 May 2018. Given the obligation on controllers only to use processors who have adequate organisational and technical measures in place (Article 28(1), but not materially different from the existing law), that variation exercise is recommended to be preceded by appropriate due diligence to ensure the supplier can and will meet the required standards.

But as the PPN recognises, it is not only the contracts themselves for which the GDPR has implications. The requirement in Article 35 to carry out a data protection impact assessment in respect of processing posing a high risk to data subjects, or using new technologies, will need to be considered as a part of the tender process. How the tendering suppliers are able to meet the assessed risks will be a relevant part of any contract award, and it may also impact on whether a supplier is realistically able or willing to tender. The PPN states that the assessment could be completed after the contract is awarded, but that will be sub-optimal.

Most will now be aware that the apocalyptic warnings of fines of up to €20 million belong more to the realm of fantasy than plausible reality. But there is an undoubted intent in the GDPR to increase the regulatory sanctions and to ramp up compliance activities. Public sector organisations are disproportionately the subject of enforcement activity in the UK, partly because of the nature of the personal data they process and partly because they take seriously their obligations to report breaches to the Information Commissioner. Failures on the part of public bodies to ensure that their contracts meet the requirements of the GDPR, and appropriately protect the rights of data subjects, will be increasingly in the spotlight. Careful attention to PPN 03/17 will only help reduce that risk.

(This post will be published in the next issue of 11KBW’s Procurement Law Newsletter.)

Christopher Knight