GDPR – Practical Implementation Managing contracts, procurement and relationships with suppliers Terry Brewer Chief Executive.

Slides:



Advertisements
Similar presentations
Contract clauses The Central Point of Expertise on Timber Procurement.
Advertisements

Tendering Yuck!.
Auditing, Assurance and Governance in Local Government
3Kites Consulting/Kemp IT Law Breakfast Seminar Law Firms and the Cloud: Balancing Benefits and Risks London, 10 September 2014 Contracting for the Cloud:
ISO 9001 Interpretation : Exclusions
ZHRC/HTI Financial Management Training
Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.
Frameworks agenda Definition Advantages, features
G17: Recordkeeping for Business Activities Carried out by Contractors Patrick Power, Manager Government Recordkeeping Programme Archives New Zealand.
Neighbourhood Planning. What is neighbourhood planning? Neighbourhood planning gives communities direct power to develop a shared vision for their neighbourhood.
SOLGM Wanaka Retreat Health and Safety at Work Act 2015 Ready? 4 February 2016 Samantha Turner Partner DDI: Mob:
1 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014.
Key Points for a Privacy Programme for Multinationals Steve Coope.
Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Improving Compliance with ISAs Presenters: Al Johnson & Pat Hayle.
Audit Committee 1 June 2005 Overview of the Audit Function in the Council and Role of Audit Committee.
Information Governance Support Information Governance Services
General Data Protection Regulation (EU 2016/679)
Tony Sheppard Mobile Guardian
Accountability & Structured Privacy Management
Administration of a FIDIC Contract - Commencement Date to + 28 Days -
GDPR Module 3: Accountability and Governance
Understanding EU GDPR from an Office 365 perspective
Content of Tender Dossier Instructions to Tenderers
Particular Conditions of Contract & Appendix to Tender
WORLD OF CLOUD COMPUTING AFTER GDPR challenges, opportunities and the unknown Matjaž Drev, MA. National Supervisor for Personal Data Protection, Information.
EPA SUBCONTRACT TEMPLATE Overview September 2017
General Data Protection Regulations: what you really need to know
General Data Protection Regulation
Data protection issues in regulatory investigations
GDPR Any impact on procurement? 16/11/2017.
The EU General Data Protection Regulation (GDPR)
Particular Conditions of Contract & Appendix to Tender
GDPR support January GDPR support January 2018.
Bob Siegel President Privacy Ref, Inc.
GDPR - Individual’s Rights
Cyberforum 2018 March 8, 2018 Los Angeles GDPR & SECURITY
GDPR General Data Protection Regulation EU: Coming May 25, 2018
Introducing the General Data Protection Regulation 2016
Role & Responsibilities
State of the privacy union
The Public Sector Equality Duty
How to Tender: Andrea Weed Category and Contract Manager
General Data Protection Regulation
The National Working Group
Preparing for the GDPR - What do we need to do if we process children’s personal data? Data Protection Practitioners’ Conference 2018 #DPPC2018.
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
General Data Protection Regulation (GDPR)
How we’ll prepare for the General Data Protection Regulation (GDPR)
How is the GDPR enforced ?
GDPR (Patrix interpretation)
GDPR (679/2016) and Monitoring
Data Protection and Audit
Welcome!.
Data transfers to non-EU countries under the new GDPR
Legal Division Legal Risks for Business Managers, School Councils, & Principals Presentation by River McKenzie Principal Lawyer and Manager, Commercial.
The Public Sector Equality Duty
Procurement Reform Bill & New EU Procurement Directives
Fines, Sanctions and Compensation The teeth in the GDPR & Data Protection Act 2018 by Simon McGarr, CIPP/E Data Compliance Europe.
GDPR PERSONDATAFORORDNINGEN I PRAKSIS
Session 4: Data Mapping and Data Subject Rights
Appointing a Management Agent
Session 4: Data Mapping and Data Subject Rights
GDPR Session
General Data Protection Regulation “11 months in”
Is your medico-legal practice GDPR compliant?
GDPR Workshop – Partnerships for Jewish Schools
Data Security and Protection Toolkit Assurance 2018/19
Getting Ready For GDPR Simon Marks Director
Presentation transcript:

GDPR – Practical Implementation Managing contracts, procurement and relationships with suppliers Terry Brewer Chief Executive

Agenda Introduction Definitions PPN 03/17 What to do for existing contracts What to do for new contracts Discussion

GDPR - yet another thing to worry about!

Definitions Data Controller – “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” Council. Data Processor – “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” Suppliers

PPN 03/17 Published December 2017 Applies to government Depts and NDPBs only However councils should see this as best practice www.gov.uk/government/publications/procurement-policy-note-0317

GDPR How to implement in existing contracts

Existing Contracts - Preparation Appoint a GDPR implementation lead within the Procurement function who will be responsible for co-ordinating action Identify contracts that involve processing personal data and prioritise Conduct due diligence on existing contracts to ensure that suppliers can implement the appropriate technical and organisational measures to comply with GDPR (i.e. provide guarantees of their ability to comply with the regulations)

Existing Contracts: GDPR Implementation Write to the contractors identified setting out changes proposed to be made (Annex C of PPN provides a draft letter) to align to GDPR Ensure suppliers will be able to provide guarantees of their ability to comply Update specification and service delivery schedules setting out Controller/Processor roles plus sub-Processors Use contract variation clauses to update ts and cs May need some renegotiation with contractor to implement

Existing Contracts NB Don’t forget framework agreements you may have

GDPR How to implement in new contracts

New Contracts For contracts to be awarded on or after May 25th 2018: undertake sufficient due diligence of new suppliers to ensure that they can implement the appropriate technical and organisational measures to comply with GDPR (i.e. provide guarantees of their ability to comply with the regulations); terms and conditions are updated (standard generic clauses are included in Annex A of PPN 03/17); for relevant contracts including data processing activities, follow the guidance in Annex B of PPN 03/17 to all stages of the procurement, and relevant documentation.

New Contracts Contracts must set out: the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data and categories of data subject; the obligations and rights of the controller.

New Contracts As a minimum the processor must be required to: act only on Council’s written instructions; ensure that those processing the data are subject to a duty of confidence; take measures to ensure the security of processing; engage sub-contractors or suppliers only with prior consent and under a written contract; help to provide subject access and allowing data subjects to exercise their rights under the Regulation; help in meeting Council’s GDPR obligations; delete or return all personal data as requested at the end of the contract; submit to audits and inspections and provide whatever information is needed to ensure that both the Council and supplier are meeting obligations under GDPR; Inform the Council immediately of any infraction or of they are asked to do anything that will infringe GDPR or any other data protection of the EU or member state.

New Contracts GDPR allows standard contractual clauses from the EU Commission or a supervisory authority such as the ICO to be used in the contracts you enter into with your suppliers. Suitable clauses are included in PPN 03/17. GDPR also allows these standard contractual clauses to form part of a code of conduct or certification mechanism to demonstrate compliant processing This is under development.

What to do next Map the flows of personal data through supply chains. Identify the recipients of personal data, including sub-processors, and note where the data is processed. Identify and catalogue existing supplier contracts that involve processing of personal data. Review the data protection provisions in these contracts and map against GDPR. Consider your organisation’s approach to risk in existing and new contracts. Carry out due diligence on suppliers to check their GDPR compliance. Check whether existing insurance policies will cover data protection and security breaches including breaches by suppliers. Put in place an internal process to respond to breaches within the 72-hour requirement. READ PPN 03/17!

Discussion terry.brewer@talk21.com