General Data Protection Regulations (GDPR)

New data protection legislation, which aims to protect the privacy of all EU citizens and prevent data breaches, came into force on 25 May 2018. It will apply to any public or private organisation processing personal data.

Established key principles of data privacy will remain relevant in the new Data Protection Legislation, but there are also a number of changes that will affect commercial arrangements, both new and existing, with suppliers. The new General Data Protection Regulations (GDPR) specify that any processing of personal data by a Processor should be governed by a contract with certain provisions included.

We have identified existing contracts that involve processing personal data, will be in place after May 2018, and require updating to bring them into line with the new regulations. This will involve updating contract terms based on the generic standard clauses and ensuring specifications and service delivery schedules reflect the roles and responsibilities between the Controller and the Processor as required by the new regulations.

If you have a contract with Qualifications Wales we will be contacting you within the next few months.

In addition, we will be updating our procurement documentation to reflect the new regulations for contracts to be awarded on or after 25 May 2018.

Any organisation required to comply with GDPR may incur costs in doing so, especially where new systems or processes are required. However, these costs are attributable to conducting business in the EU, and not to supplying the UK public sector. We expect all suppliers to manage their own costs in relation to compliance.

As the Controller, we will not accept liability clauses where you are indemnified against fines under GDPR as the Processor. The legal penalty regime has been extended directly to Processors to ensure better performance and enhanced protection for personal data. That means indemnifying Processors for any GDPR fines or court claims undermines these principles.

You may also have received similar communications from commercial teams across the public sector. If you would like to know more about the upcoming changes, the Information Commissioner’s Office is a useful source of information on the new regulations (ICO Information on GDPR).