Mandatory Changes Proposed To UK Government Contracts' Data Privacy Terms

The UK government has announced that it intends to write to all government contractors in order to make unilateral changes to all UK government contracts to comply with impending changes in EU data privacy law.

It's not clear how the UK government intends to implement these contractual changes given that, in almost every case, the terms of the relevant government contracts don't allow for unilateral contract variation. But the official policy is that all costs of compliance with the new rules should be borne by the contractor and not passed through to the government.

The planned changes to EU privacy law have been known for some time. The EU's new General Data Protection Regulation (GDPR) will come into force in May 2018 and could potentially affect companies worldwide. The GDPR imposes far-reaching obligations for companies operating in the EU that collect, use, or otherwise process personal information. MoFo has a GDPR Readiness Center providing details about the changes.

In UK terms, because GDPR comes into force before Brexit, the UK government will be subject to the new legislation. While, in some cases, GDPR repeats established key principles of data privacy, there are also a number of changes that will affect commercial arrangements, both existing and new, between data owners and data processors (and their sub-processors).

In the light of the imminent effect of GDPR, the UK government's Crown Commercial Service has written to all government departments instructing them to begin work immediately to make contract amendments to all UK government contracts with effect from 25 May 2018 (the effective date of GDPR) - and, additionally, to ensure that updated GDPR-compliant provisions are applied to all new government contracts awarded after 25 May 2018.

Government departments will now have to go through the process of identifying existing contracts that involve the processing of personal data and then write to all government contractors notifying them of the changes that are intended to be made to relevant contracts to bring them in line with the new data privacy rules. Additionally, government departments will be expected to conduct due diligence on existing contracts to ensure that contractors can implement the appropriate technical and organisational measures necessary to comply with GDPR (i.e., to provide guarantees of their ability to comply with the new regulations). As well as updating relevant contract terms, it may also be...
