The General Data Protection Regulation to Be Taken Into Account in Public Procurement
15 September 2017
Author: Outi Jousi
The new Act on Public Procurement entered into force at the beginning of January 2017. The act is based on the Procurement Directives issued in 2014. Another significant reform, the General Data Protection Regulation (the "GDPR"), was prepared in the EU at the same time, and it sets stricter and more detailed requirements for the handling and processing of personal data than before. In practice, the GDPR may affect every stage of a procurement process: the suitability assessment of tenderers, the mandatory requirements set for the tender, and the entire contract term. This is particularly true for the public procurement of IT systems for the social and health service sector, where the data processed is largely sensitive personal data.
New IT systems must comply with the GDPR, i.e. they must, among other things, implement privacy by design and by default. For instance, it must be possible to erase a given person's data from a system, no matter how extensive the system is, whenever erasure is required. Modern systems have in fact often been built with erasure in mind, but legacy systems should also be brought into compliance with the GDPR by the time the regulation applies on 25 May 2018. Although compliance is obligatory, it is clear that some systems cannot be updated at all: old tape-based archives, for instance, cannot be made compliant because it is impossible to erase a specific piece of information from them without destroying the whole medium.
Failing to comply with the regulation will, in practice, result in a substantial reputational risk. Additionally, as has been repeated many times, the authorities may impose unprecedentedly large administrative fines of up to EUR 20 million or 4 per cent of a group's total worldwide annual turnover, whichever is higher. The amount of a fine for non-compliance is left to the discretion of the competent data protection authority, and the regulation does not provide for a default fine. The risk of being fined is nevertheless substantially greater than before. In order to avoid fines, it is essential to understand, among other things, the meaning of accountability: the contracting entity must be able to demonstrate, for instance by means of documentation, that it is complying with the regulation. This is partly in conflict with the principles of agile software development, which has become common in the public sector, so increased attention should be paid to the documentation requirements of agile projects.
As far as the data systems used by contracting authorities are concerned, complying with the regulation often means requesting significant modifications from the system provider. However, under the Act on Public Procurement, contracting entities cannot make essential amendments to an agreement unless the possibility of such amendments was already provided for in the original agreement. Contracting entities should therefore evaluate on a case-by-case basis whether a given modification can be made, for instance on the basis of the relevant provisions of the Act on Public Procurement or the wording of the agreement. Based on this evaluation, it may prove necessary to procure an entirely new system, so the evaluation work should be initiated without delay.
Suppliers also benefit from an evaluation of the legality of amendments made to the agreement. Under the new Act on Public Procurement, a contracting entity has the right to terminate an agreement to which a material, i.e. unlawful, amendment has been made. The Market Court, for its part, has the right to declare such an agreement ineffective, so it is advisable to have the risks identified before an investment is made.
In practice, contracting authorities should first evaluate to what extent the data systems comply with the GDPR, i.e. what types of modifications the systems require. When the extent of the needed modifications is known, it should be further evaluated whether the Act on Public Procurement provides grounds for the modifications.
Gartner estimates that, despite the threat of fines, half of all companies will not meet the requirements of the GDPR in time. In the Finnish public sector, the Government Information Security Management Board (VAHTI), in co-operation with the Permanent Advisory Committee on Information Management in Public Administration (JUHTA), is trying to spread awareness by publishing training videos. Both Gartner's estimate and the actions taken by VAHTI support our own observations: contracting authorities and private entities alike have not yet paid enough attention to the issue in all of their data systems and agreements. Thus, if the investigation and modification project is not already underway, now is definitely the time to take action, since there is not much time left before the deadline.
This article was originally published in Finnish on Edilex, the Finnish legal information portal. As for new developments, the Working Group on Finnish Data Protection Law has not yet produced a recommendation for administrative sanctions concerning the public sector. Based on the recent announcement by the Swedish Data Protection Authority (Datainspektionen), followed by our team in Sweden, the Swedish public sector will be treated equally with the private sector companies in this regard. The end result of this debate and legislative action should not, however, have an effect on how meticulously the Finnish public sector puts the regulation into action.