The Office of Government Procurement has published an Information Note on the General Data Protection Regulation (GDPR). The purpose of the Information Note is to provide guidance to contracting authorities on the implications of the GDPR for public contracts and the actions they need to take in respect of existing and future contracts in this regard.

The GDPR will apply from 25 May 2018.

The GDPR aims to protect the privacy of all EU citizens and prevent data breaches. It will apply to any public or private organisation processing personal data. Established key principles of data privacy remain relevant under this new data protection legislation, but there are also a number of changes that will affect commercial arrangements, both new and existing, with suppliers. Further information on the GDPR can be found at GDPRandYou.

The Information Note reminds contracting authorities that compliance is a matter for each individual contracting authority. The Information Note provides guidance on mechanisms that can be used under existing and future templates to ensure compliance and, in particular, the steps to follow:

Review all existing ongoing contracts
The OGP recommends that contracting authorities review all of their existing contracts to identify those contracts where personal data is being processed by the contractor. If the contract does not involve the processing of any personal data by the contractor, then no further action is required. If the contractor is processing personal data, action is required along the lines set out below.

Consider issuing Directions where appropriate for existing contracts
Where a contracting authority is using an OGP template for a goods or services contract, or an OGP Framework Agreement, it is entitled to issue directions to contractors which could be used to meet the requirements of the GDPR. If a contracting authority is not using an OGP template or an OGP Framework, a different approach will be required for these contracts and it should seek separate legal advice.

Use revised OGP templates for all new contracts
Where a contracting authority uses OGP template documents for any future contracts, the revised templates which incorporate the GDPR-related amendments should be used where the contractor is acting as a “Data Processor” on behalf of the contracting authority.

Where a contracting authority considers that the contractor is or might be a data controller in its own right or a joint data controller with the contracting authority, the new Data Protection and Security clauses either will not be suitable or may need to be adapted. When a contracting authority is not using OGP template documents for any future contracts, it needs to ensure that those contracts comply with the GDPR.

The Information Note can be accessed here. The Information Note contains links to updated template documentation and to template Directions to contractors.