The University must comply with its statutory obligations under GDPR.

Procurement Privacy Notice

The Procurement Section may, on occasion, hold personal data relating to suppliers.  Please find attached a copy of the Procurement Privacy Notice.

Privacy Notice Procurement


GDPR - Procuring Goods, Services and Works

To assist with assessing the requirement for GDPR compliance, the University has developed a Due Diligence Framework for Working with Third Parties - GCU Connected - Information Matters.  This must be followed prior to commencing any Procurement Journey, regardless of value.

Summary of Due Diligence Process

  • Step 1

Undertake screening questions for Data Protection Impact Assessment (DPIA).

If answer is yes to any question, undertake a DPIA and reflect outcomes in specification (some may already be reflected in Ts and Cs).

If no, move to step 2.


  • Step 2

Identify Confidential/Highly Confidential Information.

If answer is no to all questions, no further action is required.

If answer is yes to any question, move to step 3.


  • Step 3

Undertake an Information Security Risk Assessment and/or use the Contractor Assurance as part of Tender Documentation (in line with IS advice).

Incorporate risks identified into specification (some may already be reflected in Ts and Cs).

For procurements >£50k, GDPR risks shall be reflected in the Tender Strategy.  Procurement shall work with departments to develop this strategy.