NEW DATA PROTECTION REGULATIONS
The General Data Protection Regulation (GDPR)
New data protection legislation known as the General Data Protection Regulation (GDPR) is due to come into force on 25th May 2018; it aims to protect the personal data and privacy of individuals in the EU (including the UK post-Brexit) and to prevent data breaches. It will apply to any public or private organisation processing personal data.
Established key principles of data privacy will remain relevant in the new Data Protection Legislation and there are a number of changes that will affect commercial arrangements, with both new and existing suppliers.
The GDPR specifies that any processing of personal data by a Data Processor (as defined by the legislation) must be governed by a contract that includes certain mandatory provisions.
Is your work with Croydon Council in scope?
We are in the process of identifying which of our existing contracts will involve the processing of personal data after 25 May 2018, as these will require an addendum or variation to bring them in line with the new regulations. Should your contract be in scope, we will contact you separately in the coming weeks.
In addition, for contracts awarded on or after 25 May 2018 we will be updating our procurement documentation to reflect the new regulations.
What will be included in the addendum or variation?
The addendum or variation will update any documentation that formalises your relationship with the London Borough of Croydon (such as a contract) and ensure that specifications and service delivery schedules reflect the roles and responsibilities of the Controller and the Processor, as defined by and required under the new regulations.
Do you need to take any immediate action?
If you already do business with Croydon Council and have not yet completed a GDPR information form, please contact email@example.com immediately to request one.
We would like to hear about any preparations you have already made towards compliance with the new laws, particularly any work undertaken and/or evidence you can provide of your planned compliance with GDPR Article 30 and/or Part 3, Section 61 of the Draft Data Protection Bill (Records of Processing Activities), either of which will apply to data processors regardless of any contractual arrangements.
Costs and indemnification
Your organisation will already have duties in respect of Data Protection and will be making arrangements to comply with GDPR. We acknowledge that any organisation (including Croydon Council) required to comply with the new Data Protection Legislation may incur costs in doing so, especially where new systems or processes are required. These costs are attributable to conducting business in the EU, not to supplying the UK public sector. As such, the expectation is that all suppliers will bear their own costs of compliance.
As the Data Controller, we will not accept liability clauses under which a supplier, as the Data Processor, is indemnified against fines under GDPR. The legal penalty regime has been extended directly to Processors to ensure better performance and enhanced protection for personal data; indemnifying Processors against GDPR fines or court claims would undermine that principle.
Where can I get more information?
If you would like to know more about the upcoming changes, the Information Commissioner’s Office is a useful source of information on the new regulations: https://ico.org.uk/
You are also welcome to contact Croydon Council directly: firstname.lastname@example.org