
Are you ready for the new General Data Protection Regulations?

The EU General Data Protection Regulations (GDPR) come into force on 25 May 2018.

The regulations introduce tougher fines for non-compliance and data breaches, and will give citizens more say over what organisations can do with their personal data.

The GDPR will align data protection rules across the EU and is intended to protect EU citizens from privacy and data breaches by placing a range of new obligations on organisations to be more accountable for data protection. Organisations found breaching the new GDPR rules could face heavy fines.

Organisations will have responsibilities beyond those arising from the procurement process (such as assessing the kind of data they hold and the legal basis for holding it, and dealing with Subject Access Requests).

Whenever a controller uses a processor it needs to have a written contract in place. Under GDPR, contracts must set out:

  1. subject matter and duration of processing
  2. nature and purpose of processing
  3. type of personal data and categories of data subject
  4. obligations and rights of the controller.

The GDPR allows standard contractual clauses from the EU Commission or a supervisory authority (such as the Information Commissioner’s Office) to be used in contracts between controllers and processors.

Where can I get more information?

The Information Commissioner’s Office (ICO) has published a lot of information which may be of help to you. An overview of what GDPR means, including a step-by-step guide to what you need to do, is available here.

You may wish to share this with your suppliers, so they are fully aware of what GDPR means for them.

The Crown Commercial Service (CCS) has also published helpful guidance and standard clauses in the form of Procurement Policy Note 03-17.

Value Wales within the Welsh Government will publish brief guidance to supplement the Procurement Policy note by CCS, so please look out for this in future. This will likely consist of practical FAQs designed to support authorities in implementing the CCS guidance.

It is very important to ensure that individual authorities carefully consider with their own information specialists, what impact the new legislation will have for them, as there are implications for contracts awarded both before and after 25 May 2018.

What does GDPR mean for NPS customers?

Customers are responsible for ensuring contracts are updated in line with GDPR. NPS cannot do that for you.
To ensure the NPS frameworks you use are GDPR ready:

  • we are reviewing all frameworks to identify any that need to be updated with the new GDPR clauses
  • we will prioritise and work with suppliers on those frameworks, to implement a change control notice in order to add these new GDPR provisions
  • we will provide updates regarding how this work progresses.

If you have any queries about this process or a particular framework do not hesitate to contact: