Background
The General Data Protection Regulation (GDPR), first adopted in 2016 and subsequently implemented as enforceable legislation in 2018, contains 11 chapters designed to address the storage, transfer and use of individuals’ personal data (the term ‘data subjects’ is commonly used to refer to individuals to whom personal data pertains). Although GDPR initially remained in place post-Brexit, the UK Government has recently announced the Data Reform Bill, which details proposals to replace it with new legislation.
Rationale
The intention is for the new legislation to replace the complex, ‘one-size-fits-all’ GDPR approach – which has potentially restricted many organisations from using data as effectively as they could – whilst preserving sufficient levels of data security.
Rather than a prescribed process which places the same (often disproportionate) burden on SMEs, the Bill will introduce an outcome-focused approach to be applied when seeking consent from individuals (data subjects). This will still avoid any risk of non-compliance with data security and privacy laws, but in a way that is reflective of the relative risk of each organisation’s data processing activities.
Implication
By removing some of GDPR’s more prescriptive requirements, organisations will be given more flexibility to manage data risks in a way which is relevant to their operations. As such, the requirement for certain organisations to have a designated Data Protection Officer (DPO) will be removed where they can demonstrate they can manage the risks themselves.
From the perspective of public sector tendering and public procurement, this may result in:
• SQ and ITT questions in tenders seeking to understand how bidders intend to identify, manage and review risks which are specific to their industry and/or the particular contract they are tendering for. This is in contrast to questions which request details of how bidders would comply with GDPR and data security/privacy requirements more generally.
• Bidders having the opportunity in tenders to propose more innovative and dynamic ways of using personal data as part of their solution, demonstrating the benefits this will deliver for the buyer and its customers. Such an approach would need to be complemented with robust, bespoke risk management measures as above.
• Compliance costs for businesses, specifically SMEs, being reduced, enhancing their ability to compete. Government research has shown this will be particularly evident in the health and social care sectors, where small providers typically operate and the need to obtain and access personal data is a critical requirement for delivering services effectively.
Analysis by the Department for Digital, Culture, Media and Sport (DCMS) shows the reforms will create more than £1 billion in business savings over 10 years by reducing burdens on all organisations.
The future
It will be interesting to see how the reforms impact organisations and how this filters into public sector tendering; this is something we will explore in a future blog post. Thank you for reading. For any further questions or requests for support with tendering and public sector procurement generally, please don’t hesitate to contact us on 0800 612 5563 or email info@executivecompass.co.uk.