
GDPR in Procurement

UK GDPR and Data Protection Act 2018 obligations relating to public sector contracts involving personal data processing.

Michael Kitt, Founder of KimonBids

Definition

GDPR in procurement refers to the UK General Data Protection Regulation and Data Protection Act 2018 obligations applying to public sector contracts that involve processing personal data. Contracting authorities are data controllers responsible for compliance with data protection law; suppliers processing personal data on their behalf are data processors with specific contractual and statutory obligations. Above-threshold procurement involving personal data triggers specific contract clauses (data processing terms, data protection impact assessments where relevant) and is heavily scrutinised at the Selection Questionnaire stage.

How it works in practice

Public sector contracts involving personal data must include a data processing agreement (DPA) covering: scope and purpose of processing, types and categories of personal data processed, data subject categories, retention periods, security measures, sub-processor controls, data subject rights handling, breach notification, and audit rights. The DPA is typically a contract schedule rather than a separate document.

The supplier (data processor) must implement appropriate technical and organisational security measures (TOMs in the data protection context; not to be confused with Themes, Outcomes and Measures for social value). The threshold scales with risk and the nature of the data.

For high-risk processing (special category data, large-scale processing, novel technology) a Data Protection Impact Assessment (DPIA) is required before processing begins; many public sector tenders ask the supplier to support DPIA preparation.

Breach notification is time-bound: the data processor must notify the controller within reasonable time of detection (typically 24 hours); the controller must notify the ICO within 72 hours if the breach is likely to cause risk to data subjects. Failures attract regulatory penalties up to £17.5M or 4 percent of global annual turnover.

The KimonBids compliance module tracks data protection commitments and surfaces emerging issues.

Common questions

What goes in a public sector data processing agreement?

Scope and purpose of processing, types of personal data, data subject categories, retention periods, security measures, sub-processor controls, data subject rights handling, breach notification windows, audit rights, and end-of-contract data handling. The DPA is typically a contract schedule and is mandatory for contracts involving personal data processing.

When is a Data Protection Impact Assessment (DPIA) required?

For high-risk processing: special category data, large-scale processing, novel technology, systematic monitoring of public areas, automated decision-making with significant effects. The data controller (contracting authority) is responsible for the DPIA but typically asks suppliers to support preparation by providing technical and operational detail about the processing.

How quickly must I notify a data breach?

The data processor must notify the controller within reasonable time of detection. Many DPAs specify 24 hours or sooner. The data controller must notify the ICO within 72 hours if the breach is likely to cause risk to data subjects. Severe breaches affecting many data subjects must also be communicated to affected individuals.
