A few organisations are starting to pick up that on 25th May 2018, the new Data Protection Legislation (the General Data Protection Regulation (GDPR)), comes into force. It is targeted at improving privacy and preventing data breaches. It is based upon EU legislation. However, we expect that it will continue after Brexit, essentially unaltered. The Public Sector is already being pushed into altering all existing and new contracts, to bring them into alignment with this legislation.
Under the new regulations, companies must keep a complete record of how and when any individual gives consent to store and use their personal data. Individuals, also, have the right to withdraw that consent at any time. When somebody does withdraw consent, their details must be completely, permanently and swiftly erased, and not just deleted from a mailing list. In other words, the legislation gives individuals the right to be forgotten. There is some good guidance at https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
The impact upon bidding organisations seeking both commercial and Public Sector contracts may be substantial. It is routine for us to include CVs and references in bids. We often name individual personnel to give credibility to their achievements, or pass on personal telephone numbers as emergency contact routes. From May, each business will need to record the consent of those involved and have an accurate system for managing withdrawn consent. It means we have to know where every instance of the personal data is lodged and be able to amend it quickly. For instance, can you be sure where every one of your old bids is located?
When the legislation kicks in, companies will be required to provide regular data audits for EU authorities to prove they are compliant. This means someone will have to go through every software application and database and record details such as the exact type of data they contain – whether it be names and addresses, or more personal information like achievements. They will also have to identify who has access to it.
We expect that any organisation looking to comply with the new Data Protection legislation will incur costs in doing so, especially if it needs new systems or processes to be put in place. The Public Sector view is that such costs are attributable to conducting business and not just to supplying the Public Sector. As a result, it expects all suppliers to manage their own costs in relation to compliance. This means the overall costs of doing business through formal proposals are about to go up.
As bid professionals, we need to prepare for the changes now. We must maintain a register of the personal data we use, when its use was agreed, and where it is included in all our bids. We need to let everyone whose personal data we use in our work know where it is used and why. Plus, we have to tell them how they can withdraw their consent and how they can be sure that this has been achieved.
We think that this is a good time to include a preamble in every bid which contains personal details. Like the statement that identifies that a document contains sensitive information which needs to be kept confidential, we now need to add something like:
“This document contains personal information provided with the consent of the individuals involved. This information is highlighted on pages 7 to 9 and in Annex B. This information is provided for the sole purpose of fair evaluation of our proposal and may not be copied or passed on to others for any purpose beyond the evaluation in this competition. The individuals may withdraw their consent for the use of this information at any time and you must account for all copies of this information so it can be recovered or destroyed, if circumstances require. Should you be unable to comply with this requirement, you must return this document and all copies to us immediately for all personal data to be redacted.” We must then highlight the information accordingly.
How we might deal with such information that has already been distributed in past proposals is uncertain. The GDPR covers the information in them too. No doubt, we will have some court cases in the future which will set the direction. In the meantime, your organisation may have a nominated Data Protection Officer, and now is a very good time to talk through the issues with them.