Tender Tips: Meeting GDPR


Bidding for contracts often involves a number of hoops to jump through. However, once minimum benchmarks are set, there needs to be a method to separate the wheat from the chaff. After all, the public sector has a duty to ensure taxpayers' money is spent wisely; business can't simply be done on the basis of a promise and a handshake.

The latest challenge for businesses is to consider the ramifications of the replacement for the Data Protection Act: GDPR. Not only does it expect more of organisations, there are also more serious consequences if you are found to be using data improperly.

As a result, the supply chain will seek to protect itself. After all, there is no point investing in becoming GDPR compliant if one of your suppliers is allowed to undermine efforts.

TENDERING ADVICE: Read our 10 tips on tendering.

Organisations are now starting to see the result of this in Pre-Qualification Questionnaires and other tender documents. Below is a direct copy of a question set out in a recent public sector tender:



The legislation leaves much to interpretation, saying that companies must provide a "reasonable" level of protection for personal data without actually defining what constitutes "reasonable".

You can get an overview of what needs to be done by reading the Information Commissioner's Office (ICO) 12-step guide on preparing for GDPR. Significant points to note are:

  • You can only store and process personal data with the individual's consent
  • It can only be stored for as long as is necessary
  • The data must be erased upon request
  • Data breaches must be reported within 72 hours

Of course, the proactive step is to manage any potential risks and fix any existing vulnerabilities you may already have in how you manage your data and security controls. This makes it more than just an issue for your IT team: your marketing, finance and sales teams likely collect or analyse customer information regularly.

Managing information security is not a new concept, and a solution has been in place for some time: ISO 27001 certification. A standard created through global consensus, ISO 27001 helps organisations manage all of their information security risks through the creation of a management system.

MORE ON ISO 27001: Read the Beginner’s Guide.

The British Assessment Bureau now also offers a GDPR Health Check in combination with ISO 27001 to give organisations confidence that they have addressed the legislation's requirements. We take clients through the key elements and changes, as well as an Action Plan to help translate the GDPR legislation into straightforward actions.

Whilst GDPR may seem like additional work, reviewing how you manage your customers' data is a great excuse to ensure you are targeting them in the best way possible, which should increase your conversion rates. As the tender question above shows, being proactive with GDPR could also mean a competitive advantage when bidding for contracts.