Crown Commercial Service suppliers guidance for GDPR

We don’t need to remind you that the GDPR comes into force on 25th May - almost a month to the day. The Crown Commercial Service (the government agency that oversees procurement for the public sector, has published a guide for their suppliers, setting out actions they need to take in light of the forthcoming GDPR.


Need to know


Whilst this might all sound like yet another big change, what the guide explains is that the CCS is continuing to implement its Procurement Policy Note 03/17 - first published in December 2017. This sets out how public sector buyers should update their contracts, and includes GDPR-compliant generic standard clauses, to replace existing data protection clauses. The PPN points to a new Schedule, which will be used to set out the type of personal data to be processed under contracts.


The guide also explains that the CCS is reviewing all existing commercial agreements, in turn, to establish the extent to which they include personal data processing. Each commercial agreement will then be categorised as ‘high’, ‘medium’, or ‘low’ risk for personal data processing. They’ll also be working closely with suppliers, to ensure contract variations (i.e. ‘Change Notices’), to include the new clauses, are made swiftly. They intend to start with those commercial agreements considered ‘high-risk’ for personal data processing.


For more information about GDPR and preparing for it, please contact us today.