28 January marks the 42nd celebration of Data Protection Day, a worldwide initiative to promote awareness of privacy measures and best practices for safeguarding data. With GDPR an ever-increasing theme present in public sector tenders, it seems well timed to reflect on the unique challenges that data protection requirements generate as part of the bid and tender process.
Why are data protection and GDPR relevant in tenders?
Data protection and GDPR compliance form a crucial element of tenders within industries such as health and social care, or anywhere else that bidders are required to store and/or transfer sensitive information, such as personal information relating to service users, residents or other stakeholders.
UK data protection requirements are subject to the Data Protection Act (2018), which superseded the initial EU-wide General Data Protection Regulations (2016), commonly known as GDPR. As the Data Protection Act and GDPR are nearly identical, the terms are typically used interchangeably, although recent legislative developments may relax regulations, with the Data Reform Bill currently awaiting its second reading in Parliament.
In addition to the complicated legal situation, many of the questions, requirements and general technical jargon surrounding data protection during the bidding process can be particularly mystifying for SMEs.
Here are a few things about data protection and GDPR to consider when bidding for a contract:
SMEs’ responsibilities as a data processor when tendering
By entering into a contract or framework agreement within the public sector with a local authority, NHS trust or housing association, bidders will typically incur responsibilities as a data protection processor. Although companies with fewer than 250 employees are not required to keep official records of processing activities, buyers may include questions within a tender to satisfy themselves that the bidder’s internal policies and procedures for storing, processing and managing the access of data safely are sufficient and effective.
As part of best practice, and in anticipation for responding to data-related questions in a tender, bidders should ensure their organisation’s practices align with minimum expectations, such as:
- Incorporating GDPR and information security training as part of initial induction and refresher training for all personnel
- Establishing control measures for the safe storage of electronic and hard-copy data, including restricting access to relevant employees
- Having an established data retention timeline and ensuring it aligns with the buyer’s requirements, supported by procedures for the effective deletion or destruction of obsolete data.
Demonstrating a comprehensive knowledge of responsibilities will assure the buyer that the bidder is well-positioned to deliver the key principles of data processing, including fair and lawful processing, purpose limitation and data minimisation/retention.
Minimum requirements for data protection may be included in the selection questionnaire when tendering
To adequately demonstrate the bidder’s business capability in data protection, buyers may be required to provide evidence of certification/memberships for information security standards as part of the selection questionnaire, marked on a pass/fail basis. Required standards may include:
Although it is sometimes possible to provide an equivalent internal process for the capture, storage and processing of data, investing in a universally recognised certification often allows the bidder to bypass certain elements of a selection questionnaire, in addition to giving greater legitimacy to their data protection activities.
Tender questions may also include methods for monitoring and reporting data protection measures throughout the contract
SMEs should be equally aware that they may be required to demonstrate a continuous process for monitoring and reporting data protection measures within the quality element of the tender. High-quality responses might include the following measures:
- Developing an organisational data protection policy which defines guidelines and responsibilities for the storage and use of data, and ensuring this is reviewed at least annually
- Appointing an employee to serve as designated Data Protection Officer to continuously monitor, report and review internal data protection standards for sufficiency and suitability
- Enlisting an external IT solutions company to strengthen the bidder’s security measures via application security assessments, phishing simulations and penetration tests.
By demonstrating that bidder’s information security measures are holistic, proactive and facilitate continuous improvement, evaluators are more likely to award high marks to any data protection responses. Furthermore, a sound understanding of data protection in relation to the buyer’s requirements is vital. Whilst at first glance a tender question around GDPR may appear generic, a buyer’s specific data requirements detailed in a specification (such as system integration) must be understood and reflected in any tender responses.
Our team of bid writers are highly experienced in producing competitive and impactful bid responses for a broad range of data protection, GDPR and information security questions within tenders. To find out more on how our tender consultants can support you with bid and tender submissions, contact our team today free on 0800 612 5563, or via email at firstname.lastname@example.org.
Latest NewsView All
Bid and tender submissions can vary in size and word count, ranging from 1,000 words to upwards of 50,000 words. This can depend on a number of factors, including the level of detail required by the buyer, complexity ...
Some clients occasionally conflate or confuse social value and added value when bidding for public sector contracts. We explain their differences, ideas for both topics and how best to respond to them within the tende...
On 26 October, The Procurement Act 2023 received royal assent, ushering in the widest-ranging changes to public sector procurement in decades. After 18 months in parliament and two years of consultation following the ...