Presentation is loading. Please wait.

Presentation is loading. Please wait.

GDPR – Practical Implementation Managing contracts, procurement and relationships with suppliers Terry Brewer Chief Executive.

Published byDerrick Walsh Modified over 5 years ago

Similar presentations

Presentation on theme: "GDPR – Practical Implementation Managing contracts, procurement and relationships with suppliers Terry Brewer Chief Executive."— Presentation transcript:

1 GDPR – Practical Implementation Managing contracts, procurement and relationships with suppliers
Terry Brewer Chief Executive

2 Agenda Introduction Definitions PPN 03/17
What to do for existing contracts What to do for new contracts Discussion

3 GDPR - yet another thing to worry about!

4 Definitions Data Controller – “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” Council. Data Processor – “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” Suppliers

5 PPN 03/17 Published December 2017
Applies to government Depts and NDPBs only However councils should see this as best practice

6 GDPR How to implement in existing contracts

7 Existing Contracts - Preparation
Appoint a GDPR implementation lead within the Procurement function who will be responsible for co-ordinating action Identify contracts that involve processing personal data and prioritise Conduct due diligence on existing contracts to ensure that suppliers can implement the appropriate technical and organisational measures to comply with GDPR (i.e. provide guarantees of their ability to comply with the regulations)

8 Existing Contracts: GDPR Implementation
Write to the contractors identified setting out changes proposed to be made (Annex C of PPN provides a draft letter) to align to GDPR Ensure suppliers will be able to provide guarantees of their ability to comply Update specification and service delivery schedules setting out Controller/Processor roles plus sub-Processors Use contract variation clauses to update ts and cs May need some renegotiation with contractor to implement

9 Existing Contracts NB Don’t forget framework agreements you may have

10 GDPR How to implement in new contracts

11 New Contracts For contracts to be awarded on or after May 25th 2018:
undertake sufficient due diligence of new suppliers to ensure that they can implement the appropriate technical and organisational measures to comply with GDPR (i.e. provide guarantees of their ability to comply with the regulations); terms and conditions are updated (standard generic clauses are included in Annex A of PPN 03/17); for relevant contracts including data processing activities, follow the guidance in Annex B of PPN 03/17 to all stages of the procurement, and relevant documentation.

12 New Contracts Contracts must set out:
the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data and categories of data subject; the obligations and rights of the controller.

13 New Contracts As a minimum the processor must be required to:
act only on Council’s written instructions; ensure that those processing the data are subject to a duty of confidence; take measures to ensure the security of processing; engage sub-contractors or suppliers only with prior consent and under a written contract; help to provide subject access and allowing data subjects to exercise their rights under the Regulation; help in meeting Council’s GDPR obligations; delete or return all personal data as requested at the end of the contract; submit to audits and inspections and provide whatever information is needed to ensure that both the Council and supplier are meeting obligations under GDPR; Inform the Council immediately of any infraction or of they are asked to do anything that will infringe GDPR or any other data protection of the EU or member state.

14 New Contracts GDPR allows standard contractual clauses from the EU Commission or a supervisory authority such as the ICO to be used in the contracts you enter into with your suppliers. Suitable clauses are included in PPN 03/17. GDPR also allows these standard contractual clauses to form part of a code of conduct or certification mechanism to demonstrate compliant processing This is under development.

15 What to do next Map the flows of personal data through supply chains.
Identify the recipients of personal data, including sub-processors, and note where the data is processed. Identify and catalogue existing supplier contracts that involve processing of personal data. Review the data protection provisions in these contracts and map against GDPR. Consider your organisation’s approach to risk in existing and new contracts. Carry out due diligence on suppliers to check their GDPR compliance. Check whether existing insurance policies will cover data protection and security breaches including breaches by suppliers. Put in place an internal process to respond to breaches within the 72-hour requirement. READ PPN 03/17!

16 Discussion

Download ppt "GDPR – Practical Implementation Managing contracts, procurement and relationships with suppliers Terry Brewer Chief Executive."

Similar presentations

Contract clauses The Central Point of Expertise on Timber Procurement.

Contract clauses The Central Point of Expertise on Timber Procurement.
Tendering Yuck!.

Tendering Yuck!.
Auditing, Assurance and Governance in Local Government

Auditing, Assurance and Governance in Local Government
3Kites Consulting/Kemp IT Law Breakfast Seminar Law Firms and the Cloud: Balancing Benefits and Risks London, 10 September 2014 Contracting for the Cloud:

3Kites Consulting/Kemp IT Law Breakfast Seminar Law Firms and the Cloud: Balancing Benefits and Risks London, 10 September 2014 Contracting for the Cloud:
ISO 9001 Interpretation : Exclusions

ISO 9001 Interpretation : Exclusions
ZHRC/HTI Financial Management Training

ZHRC/HTI Financial Management Training
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.

A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.
Frameworks agenda Definition Advantages, features

Frameworks agenda Definition Advantages, features
G17: Recordkeeping for Business Activities Carried out by Contractors Patrick Power, Manager Government Recordkeeping Programme Archives New Zealand.

G17: Recordkeeping for Business Activities Carried out by Contractors Patrick Power, Manager Government Recordkeeping Programme Archives New Zealand.
Neighbourhood Planning. What is neighbourhood planning? Neighbourhood planning gives communities direct power to develop a shared vision for their neighbourhood.

Neighbourhood Planning. What is neighbourhood planning? Neighbourhood planning gives communities direct power to develop a shared vision for their neighbourhood.
SOLGM Wanaka Retreat Health and Safety at Work Act 2015 Ready? 4 February 2016 Samantha Turner Partner DDI: +64 4 924 3460 Mob: +64 21 310 216

SOLGM Wanaka Retreat Health and Safety at Work Act 2015 Ready? 4 February 2016 Samantha Turner Partner DDI: Mob:
1 TAIEX JHA 52182 - Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014.

1 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014.
Key Points for a Privacy Programme for Multinationals Steve Coope.

Key Points for a Privacy Programme for Multinationals Steve Coope.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Improving Compliance with ISAs Presenters: Al Johnson & Pat Hayle.

Improving Compliance with ISAs Presenters: Al Johnson & Pat Hayle.
Audit Committee 1 June 2005 Overview of the Audit Function in the Council and Role of Audit Committee.

Audit Committee 1 June 2005 Overview of the Audit Function in the Council and Role of Audit Committee.
Information Governance Support Information Governance Services

Information Governance Support Information Governance Services
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
Tony Sheppard Mobile Guardian

Tony Sheppard Mobile Guardian

Similar presentations

Ads by Google