GDPR & Procurement: Time for Action


Now that the new year is well underway, many of us in the procurement profession are already looking ahead to 25th May 2018, when the new General Data Protection Regulations (GDPR) come into force.

With only four months to go, and budget-busting fines (up to 4% of annual turnover, or €20 Million) set to be levied against organisations that do not comply, it is important that procurement teams within the education sector take action now, to make sure they are ready for the changes.

As the recent case at Leicester Council demonstrates, it can be very easy to get data management wrong in procurement, with potentially disastrous consequences.

To help you make sense of the new requirements, Tenet Education Services and the Crescent Purchasing Consortium have produced some guidance (you can check out CPC’s article here). In this post, we will be answering some of your frequently asked questions, and suggesting some key steps that you might want to take now, before 25th May comes around.

What Does GDPR Mean for Us?

The GDPR applies to Data Processors and Data Controllers. The definition of these terms is broadly the same as under the Data Protection Act 1998:

Data Controller:
The person/organisation which determines the purposes and means of processing personal data.
In most cases, this will be your organisation.

Data Processor:
The person/organisation that processes personal data on behalf of the Controller.
In most cases, this will be the supplier you are contracting to deliver goods or services.

What has changed, however, are the types of data that come under the remit of the regulations, and the sanctions payable in the event of a breach. GDPR affects any contract where we share personal data with suppliers. This means that GDPR will impact on your existing contracts, as well as new ones.

If the Supplier Bears the Risk, Does This Mean I am Safe?

No – GDPR introduces a new accountability principle; not only do you need to comply, but you need to demonstrate compliance. Therefore, it is essential that you conduct appropriate due diligence of your suppliers, and monitor their GDPR compliance.

Also, it is now a general requirement to have a written contract with your supplier, containing certain specific terms as a minimum.

What Counts as Personal Data?

GDPR offers enhanced protection for personal data, imposes stricter obligations on those who process it, and gives more rights to individuals who have their data processed. Consequently, the systems that we and our suppliers use must be capable of meeting these stricter requirements.

The answer to “what counts as personal data” is, simply, a lot! Under GDPR, the definition of personal data is broad and encompasses many categories. For the education sector this can potentially include any information relating to an identifiable living subject (e.g. staff member, student, or member of the public), such as:

  • an individual’s name
  • address
  • phone number
  • date of birth
  • place of work
  • dietary preferences
  • opinions and opinions about them
  • whether they are members of a trade union
  • their political beliefs
  • ethnicity
  • religion
  • sexuality
  • email address
  • job title

What Contracts are Likely to be Affected?

Many of the typical goods and services contracts that education establishments use are likely to be affected by GDPR. Individual organisations are urged to check their own contract registers to identify all contracts potential affected, but for guidance, typical categories may include:

    • management information systems
    • payroll
    • finance
    • cashless payments
    • outsourced IT management
    • awarding body organisations
    • subcontracted training provision
    • employee benefit schemes
    • recruitment advertising
    • agency staff
    • employee screening contracts
    • mobile phones
    • insurance
    • audit
    • software products
    • legal services
    • student transport contracts

How Can We Prepare?

Although 25th May might seem like a long time away, there are key steps that your procurement teams could be taking now to plan ahead for the changes.

1) Existing Contracts

    • Contract Register: Complete a review of your current Contract Register to identify contracts where personal data is shared with your suppliers.
    • Data Mapping: Within these contracts, identify how personal data flows through your supply chain, identifying the key recipients of data, and how it is processed.
    • Review Terms: Check your current contracts, and the data protection clauses that they include. Are these robust enough to meet new GDPR requirements? Most likely not.
    • Give Notice: Contact suppliers and notify them of changes you intend to make to ensure contract compliance with GDPR.
    • Issue Variations: Update relevant contract terms by issuing contract variations (under the mechanisms provided in your original contract). Ensure that you include the right to audit within the contract, alongside other mandated data processing provisions.
    • Get Guarantees: Conduct due diligence on your suppliers, and obtain guarantees that they (and any other processors within their supply chain) will comply with GDPR requirements.

2) Future Contracts

    • Document Revisions: Update your standard documents (Ts and Cs, ITT, specifications, service delivery schedules, etc) to clearly outline the roles and responsibilities of the data controller.
    • Supplier Selection: Establish a robust due diligence process to assess new suppliers.

3) Other Considerations

    • Don’t forget to update your organisation’s standard terms and conditions.
    • Check that internal systems are in place to enable you to satisfy the 72-hour breach notification requirement.
    • Ensure that your existing insurance policies will cover data protection and security breaches, including breaches by suppliers.
    • Consider how your procurement systems store data, and the procedures you have in place for gaining staff and student consent when handling their information, such as when booking travel.

Be Aware of Price Increases

Government guidance recommends not to routinely accept contract price increases from suppliers as a result of work associated with GDPR compliance, and not to accept liability clauses where Data Processors are indemnified against fines or claims under GDPR. In fact, GDPR represents a potential opportunity for suppliers, and those who are well-prepared will perhaps have a competitive advantage over their less-organised competitors.

Seems Like a Big Task?

Yes, but it’s better to do it now than when you’re staring down the barrel of a statutory 72-hour data breach notification requirement!

What are the Risks of Non-Compliance?

As previously mentioned, the stakes are suddenly very high when it comes to data protection compliance. Organisations that are found not to be GDPR compliant by 25th May 2018 could be subjected to fines (of up to 4% annual turnover, or €20 Million – whichever is higher) or have an enforcement order issued.

Further Guidance and Support

The Cabinet Office has published a Procurement Policy Note (PPN) giving useful details on the approach to GDPR, from the impact on existing and future contracts, to the consideration of data processing requirements. It offers more detailed guidance on the specifics of securing contract compliance, in addition to several useful templates.

The Information Commissioner’s Office has also produced a Guide to the General Data Protection Regulations that provides a comprehensive overview of how the new rules will impact your organisation.

Crescent Purchasing Consortium are part of a working party with the Higher Education purchasing consortia sector to develop a set of contract terms that will apply to their relevant framework agreements and any subsequent call offs by members from 25th May 2018.

For further information on GDPR, or help with taking the steps to embed compliance in advance of the new rules, please contact Tenet Education Services on 01376 511 411.