Glasgow: 0141 221 5562 Edinburgh: 0131 220 7660

Public Contracts and the GDPR

Public Contracts and the GDPR

With less than a month to go before the implementation of the GDPR it is crucial that existing and future public contracts comply with the new legislation. What will change in respect of public contracts and the GDPR?

The Scottish Government has published a Policy Note on the impact the GDPR will have on public procurement and contracts. This blog will highlight the key features of the note alongside steps organisations should take to get their public contracts and procurement processes GDPR ready.

What is the GDPR?

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.

The GDPR increases the protection of personal data. Those who process personal data will face stricter obligations as a result. There are significant risks for non-compliance with fines of up to 4% of global annual turnover or ?20m (whichever is higher).

Broadly, the GDPR will have the biggest impact on:

  • Controllers (who say how and why personal data is processed); and
  • Processors (who process personal data for controllers)

Generally public bodies and organisations subject to the public procurement regime will be 'controllers' when it comes to contracts. Suppliers are likely to be the 'processor' (although this may not always be the case).

What Public Contracts Are Impacted?

Any public contract that involves processing personal data will be subject to the GDPR. Crucially, the GDPR applies to public contracts that are in place before 25 May 2018.

Steps to Take: Existing Contracts

Organisations should identify any existing contracts which involve processing personal data that are going to be in force after 25 May 2018.

Once these contracts are identified organisations should:

  • Review the contracts to ensure they comply with the GDPR
  • If necessary, contact suppliers to notify them of changes required to relevant contracts to make them GDPR compliant and arrange for contracts to be amended
  • Conduct due diligence on suppliers to ensure that they can implement any measures required to comply with the GDPR

Steps to Take: Future Contracts

Organisations should ensure that any current or future procurement exercises will result in the creation of a public contract that complies with the GDPR.

In order to achieve this organisations should ensure that:

  • All relevant procurement documents refer to the new legislation
  • Due diligence of new suppliers is carried out to be certain they can implement any required technical and organisational measures to comply with GDPR
  • Any contracts to be entered into comply with ?the GDPR. When reviewing these contracts you should also make sure they deal with the wider implications of the GDPR (for example, how liability is dealt with when there is a breach of either party?s data protection obligations)


Organisations should take steps to get their existing and future contracts are ready for the GDPR. If you would like any further information or specific advice on GDPR and Public Contracts please contact our team.

CTA Freedom of information

Written by : Eileen Barr

Trackback URL