A revised standard template and variation framework has been issued by the Department of Health (drawing from the Crown Commercial Services Procurement Policy Note and model clauses) for use in the purchasing of goods or services by the NHS.  This has been drafted to reflect the changes in requirements for data processing agreements brought about by GDPR.

If you are using the contracts, it remains necessary to identify whether the contractor is a data processor or controller, and, as appropriate, to amend the clauses with specific information so as to comply with Article 28 GDPR. 

For advice on this and other aspects of GDPR preparation, please let us know. You can find out how we can support your organisation with preparing for GDPR through our infographic.