Finance
GDPR
The University must comply with its statutory obligations under GDPR.
Procurement Privacy Notice
The Procurement Section may, on occasion, hold personal data relating to suppliers. Please find attached a copy of the Procurement Privacy Notice.
GDPR - Procuring Goods, Services and Works
To assist with assessing the requirement for GDPR compliance, the University has developed a Due Diligence Framework for Working with Third Parties - GCU Connected - Information Matters. This must be followed prior to commencing any Procurement Journey, regardless of value.
Summary of Due Diligence Process
- Step 1
Undertake screening questions for Data Protection Impact Assessment (DPIA).
If the answer is yes to any question, undertake a DPIA and reflect the outcomes in the specification (some may already be reflected in Ts and Cs).
If no, move to step 2.
- Step 2
Identify Confidential/Highly Confidential Information.
If the answer is no to all questions, no further action is required.
If the answer is yes to any question, move to step 3.
- Step 3
Undertake an Information Security Risk Assessment and/or use the Contractor Assurance as part of Tender Documentation (in line with IS advice).
Incorporate the risks identified into the specification (some may already be reflected in Ts and Cs).
For procurements >£50k, GDPR risks shall be reflected in the Tender Strategy. Procurement shall work with departments to develop this strategy.