Change is coming to public sector outsourcing contracts

December 20, 2017 11:23 AM | Posted by Burton-Jones, Sophie

Organisations that outsource their data processing operations need to ensure that the contractors they use are reliable and take appropriate steps to keep the information secure. Cybersecurity failures can lead to serious reputational damage, to being held to ransom by criminal hackers and to sanctions by regulators, particularly where that information includes personal data.

Outsourced processing is normally governed by detailed contractual arrangements dealing with how the data will be stored and used. And, from May 2018, the General Data Protection Regulation, or GDPR, will require tougher and more detailed obligations in contracts.

New requirements for outsourced processing

The new requirements include compulsory details about:

  • the subject matter and duration of processing;
  • the nature and purpose of processing;
  • the types of personal data and categories of data subject; and
  • the obligations and rights of the controller.

The contract must also include terms requiring the data processor to:

  • act only on the written instructions of the controller (unless required by law to act without such instructions);
  • ensure that people processing the data are subject to a duty of confidence;
  • take appropriate measures to ensure the security of processing;
  • only engage a sub-processor with the prior consent of the data controller and a written contract;
  • assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract; and
  • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their obligations, and tell the controller immediately if it is asked to do something infringing data protection law.

Impact on public sector contracts

The requirements of the GDPR affect almost all organisations that process personal data in the EEA or about European citizens, with the public sector in the frame alongside businesses. So most public sector outsourcing will have to meet the new requirements.

The UK Crown Commercial Service has issued a Procurement Policy Note PPN 03/17 that explains the new rules and sets out the contractual changes that will be needed for processing personal data in the future. The new requirements will apply to all processing relationships from May 2018, and so as well as affecting new arrangements, existing relationships may need to be updated.

Businesses that are currently supplying data processing services to Central Government and other public sector bodies should expect to be contacted with a view to bringing existing agreements up to date, and ensuring that technical and organisational capabilities will measure up. Equally, those planning to bid for new contracts should expect to see the new obligations in future contracts.

The GDPR also imposes new obligations on processors. These include obligations to keep records of processing and in many cases employ a data protection officer. The PPN notes that public bodies should not accept liability for fines directly imposed on their processors under the GDPR.
