We use cookies to ensure that we give you the best possible experience on our website. Continuing to use www.supc.ac.uk means you agree to our use of cookies. For more information click here


What is SUPC doing to prepare for GDPR?

What is SUPC doing to prepare for GDPR?

As you may be aware The General Data Protection Regulation (GDPR) is coming into effect as of 25 May 2018.


SUPC is working with our partner UK HE procurement consortia to prepare for the upcoming GDPR compliance deadline. The General Data Protection Regulation (GDPR) enforcement date is 25 May 2018. This is also the date when the current Data Protection Act 1998 will be replaced by the new Data Protection Act 2018 – and there are actions we need to take before this date to ensure SUPC is compliant with the new requirements.


We are currently amending consortia framework and call-off agreements to update existing data protection clauses so that our contracts comply with the GDPR and the new Data Protection Act 2018.


We have taken a risk-based prioritisation approach to implementing GDPR into our current frameworks and contracts:


Low risk
-Where there is minimal or no personal data involved, we will not make any changes to include revised GDPR compliant clauses.
-However, regardless of risk, we will make changes to the T&Cs of all tenders currently in progress. This is entirely in line with the recently issued Crown Commercial Service (CCS) guidance and our own legal guidance.


High risk
-Each consortium will identify their agreements where suppliers process personal data, and once identified, the lead consortium will write to these suppliers to confirm relevant agreements.
-The consortia will vary the framework T&Cs with each relevant supplier and upload the new T&Cs to the Higher Education Contracts (HEC) Database.
-We will also ask suppliers to complete a GDPR assessment questionnaire, which we will assess and uploaded to HEC.
-The contracting consortium/authority will upload new call-off T&Cs to HEC.