New Procurement Policy Note on GDPR (General Data Protection Regulation) 02/18

The Crown Commercial Services (CCS) has published Procurement Policy Note/Action Note PPN 02/18 on Changes to Data Protection Legislation and General Data Protection Regulation.

PPN 02/18 updates and replaces PPN 03/17, which was published in December 2017.

PPN 02/18 applies to all Central Government Departments, their Executive Agencies and Non Departmental Public Bodies ("in-scope organisations") with immediate effect. CCS notes that other public bodies will also be subject to the new data protection legislation and may wish to apply the approaches set out in PPN 02/18.

Our Procurement Byte on the original PPN 03/17 provides information on the structure and an overview of the content of that PPN. The structure of the new PPN 02/18 remains much the same, but with an additional annex, Annex D on Security -  which provides an indication of the types of security measures that might be considered in order to protect personal data.

PPN 02/18 contains enhanced guidance and clarifications on a number of key areas:

Notes

• Controllers and processors: enhanced guidance, in particular on the nature of the "Controller" and the "Processor".
• Cost of compliance: amendment to the guidance to add reference to use of commercial judgment when considering who should bear the cost of compliance.
• Contract liabilities: enhanced guidance on liability and indemnity provisions and identification of options for recovery of costs of civil data protection claims or regulatory fines, and a note of caution on whether substantial changes should be made in accordance with Change in Law provision in contracts.
• Joint controllers: enhanced guidance on arrangements between joint controllers and reference to joint controller agreement in Annex A.
• Crown to Crown data agreements: new guidance on arrangements between Crown bodies.
• Expired/legacy contracts: new guidance on processing, retention and deletion of data in relation to expired contracts.
• Protective measures: new guidance on protective security measures which processors must implement, cross referencing to new Annex D.

Annex A Standard generic clauses: enhancements to the standard generic clauses in Annex A, including use of "Processor" instead of "Contractor" and "Controller" instead of "Customer" and an amendment so that the Controller is not obliged to approve the protective measures of the Processor.

Annex B Guidance for in-scope organisations: new guidance on due diligence on GDPR compliance at the selection stage, an example model selection question and a note on a model award question to ask bidders at the award stage.

There is also mention of planned updating of the Standard Selection Questionnaire, to include a section on GDPR.

Annex D Security: a new annex sets out example technical security requirements that might be considered in order to protect Personal Data.

You can download PPN 02/18 from the CCS Procurement Policy Note webpage

For further information on GDPR follow this link to Bevan Brittan’s GDPR web page or contact a member of the procurement team.

You can download a copy of PPN 03/17 from the CCS Procurement Policy Note web page.

See also the Information Commissioner’s Office web page.

We have a series of Procurement Update Seminars across all of our offices in June.

Download this article as a PDF.