General Data Protection Regulations (GDPR)

The EU General Data Protection Regulations (GDPR) come into force on 25 May 2018. The regulations introduce tougher fines for non-compliance and data breaches, and will give citizens more say over what organisations can do with their personal data. The GDPR will align data protection rules across the EU and are intended to protect EU citizens from privacy and data breaches, by placing a range of new obligations on organisations to be more accountable for data protection. Organisations found breaching the new GDPR rules could face heavy fines. Organisations will have enhanced responsibilities than those conferred upon the procurement process (such as assessing the kind of data it holds and the legal basis for doing so, and dealing with Subject Access Requests). Whenever a controller uses a processor it needs to have a written contract in place. Under GDPR, contracts must set out: 1. subject matter and duration of processing 2. nature and purpose of processing 3. type of personal data and categories of data subject 4. obligations and rights of the controller. The GDPR allows for standard contractual clauses from the EU Commission or a supervisory authority (such as the Information Commissioner’s Office), to be used in contracts between controllers and processors.

---