GDPR Compliance and G-Cloud

We recently heard the news from CCS that G-Cloud will soon include GDPR clauses. These are our thoughts on the changes to the framework.

On 21st December, all Suppliers listed on CCS frameworks were notified that GDPR clauses will soon be included in the framework agreements and call-off contracts (where processing personal data). The clauses are currently drafts and may change, but can nonetheless be found in the procurement policy note PPN 03/17.

With all the statistics about organisations and governments either underestimating the impact of GDPR, or overestimating their preparedness, it’s encouraging to see that CCS is taking steps to ensure that public bodies and suppliers of technology (data processors) are compliant ahead of 25th May.

The G-Cloud framework agreement will be updated in line with GDPR and suppliers can expect to be contacted by the Commercial Agreement team shortly – “from January 2018”. “From February 2018,” it will be up to buyers to contact their suppliers to arrange for these clauses to be included in their on-going and/or up-coming call-off contracts.

What next in store for G-Cloud GDPR compliance?

As G-Cloud 9 has been extended, it is crucial that existing suppliers on the framework accept these new clauses or face suspension – seemingly harsh, but it is clearly expected that the private sector already have measures in place to meet these new responsibilities. We think that, for the time being, this is all that can be done without an entirely new iteration of the framework.

However, for G-Cloud 10, we would expect the selection and qualification questions asked during submission to dig a bit deeper into the measures taken or internal policies implemented by suppliers. This will allow buyers to include GDPR-related information in their criteria and evaluation of suppliers, and suppliers can begin to see compliance as a competitive advantage.

As many have been commenting over the last few months, GDPR should be seen as an opportunity and not a burden. Although much more of the responsibility will lie with data processors (suppliers), when we’re talking about public sector procurement this does have the benefit of reducing the risk of a data breach in the public sector. Seeing as we’re talking about the wide-reaching personal data of citizens who entrust the public sector to deliver safe public services, and that maintaining that trust is crucial to society, agreements like these between buyers and suppliers is essential.

That CCS are integrating GDPR clauses into the G-Cloud 9 framework agreement is simply a legal requirement, however it is a good move to do this several months prior to the regulation’s enforcement. It allows Suppliers some time to get everything in order – including amending their call-off contracts.

It will be interesting to see how GDPR is integrated into the G-Cloud 10 ITT and if suppliers will be given the opportunity to boast about their compliance measures to attract buyers who are serious about data protection.

Needless to say, we are not legal experts and this blog is not legal advice. We always suggest you consult a solicitor. In case you need a recommendation, our go to GDPR legal advisor is Lisa Downs from LJD Law Ltd.

Find out more about GDPR

Here’s a few resources we found useful in our own prep for GDPR:
• The ICO 12 steps to take now in preparation of GDPR
• The ICO checklists for Data Processors and Data Controllers
• Webinar: GDPR – how it applies to cloud, and what to do about it – Digital Leaders
• GDPR: Am I bothered? Written by Simon Hansford, Chief Executive Officer, UK Cloud
• UKA Live: GDPR… ready or not
• Computer Weekly’s Essential guide to the EU General Data Protection Regulation (GDPR)