New Data Protection Legislation and Contracts

The new data protection legislation which comprises of the General Data Protection Regulation (GDPR) and the new Data Protection Act (DPA) 2018 is coming into force on the 25 May 2018, which aims to further protect people’s privacy and prevent data breaches. The new law applies to all public bodies, businesses and other organisations that process personal data.

What’s new- The GDPR builds on existing data protection laws. It provides enhanced protection for personal data and imposes stricter obligations on those who process personal data, which will affect commercial arrangements, both new and existing contractors (suppliers).

Statement of Assurance Form- The new legislation requires us Avon Fire Authority (which is operationally known as Avon Fire & Rescue Service), as a Data Controller, to ensure that all organisations who process personal data on our behalf (Data Processors) are fully aware of their legal responsibilities and are processing in line with the law and our requirements.  For this reason Avon Fire Authority are asking all contractors (suppliers) to complete GDPR Contract Assurance Form.

Updated terms and conditions- Avon Fire Authority has updated its Standard Terms and Conditions for the Supply of Goods and Services to reflect the new regulations.  Any new contracts or purchase orders to be awarded on or after the 25May 2018, will take on the new terms and conditions. 

Schedule of Processing- For all goods and services that concern the processing of personal data on behalf of the Authority, the Authority will provide the contractor (Data Processor) with a Schedule of Processing, which must be adhered to.  These will be sent out to those contractors concerned within the next few weeks.

Existing Fixed Term Contracts– Avon Fire Authority will also be contacting all contractors with existing fixed term contracts for the processing of Avon Fire Authority’s personal data, inviting them to sign a Contract Variation to take on board the new legislation.

Cost of Compliance- Please be aware that any organisation required to comply with the new Data Protection Legislation may incur costs in doing so, especially where new systems or processes are required. However, these costs are attributable to conducting business in the EU, and not supplying the UK public sector. We therefore expect all contractors to manage their own costs in relation to compliance.

Liability Clauses- As the Data Controller, Avon Fire Authority will not accept liability clauses where organisations are indemnified against fines under GDPR as the Data Processor. The legal penalty regime has been extended directly to Data Processors to ensure better performance and enhanced protection for personal data. That means indemnifying Data Processors for any GDPR fines or court claims undermines these principles.

Data breaches – As Data Controller, Avon Fire Authority are required to report any high risk data breaches to the Information Commissioners Office (ICO) within 72 hours of detection. Please therefore ensure that any data breaches that concern the processing of our personal data are reported to us within 24 hours of the breach being identified, by contacting the AF&RS Service Control on 0117 926 2061 Extension: 311/312.

How to find out more - The Information Commissioners Office can supply more details about GDPR, Data Processors’ obligations and contracts. Please visit their website: also provide a GDPR information sheet for Data Processors.

In the event that you would like to discuss this matter further, please contact Amy Harraway on Telephone: 0117 926 2061 Extension: 213

We would like to take this opportunity to thank contractors in advance for your cooperation, which will allow a smooth transition and for us to remain compliant with the new legislation.