Public sector organisations are not allowed to simply award larger contracts directly. The required services must be put out to tender instead. This also applies to services in the area of data protection law, and it regularly leads to problems. In this article, we give some tips on how to make tendering in data protection more sensible for both sides.
Tenders and the cost trap
The experts from activeMind are regularly invited to participate in tenders. In doing so, we keep noticing the same points that make it difficult to submit a well-founded offer.
The description of the required services is often so imprecise that an assessment of the expected effort is simply not possible. A concrete offer at the fixed price that is regularly demanded can therefore hardly be made, if at all. The offer would either have to contain a safety margin or be submitted in the dark, with the risk that one's own calculation no longer holds and it is no longer economically possible to actually perform the promised service well.
However, since the price of the offer typically carries an extremely high weighting in the decision for a provider, offers that include a safety margin are hardly ever accepted. The consequences are also suffered by the clients, who then have to live with superficial advice and mediocre implementation for reasons of cost.
Main mistakes in tenders on data protection advice
In almost every performance specification, there are many requirements formulated so vaguely that it is not even remotely clear what implementation effort is to be expected.
Basically, it is like ordering the construction of a building from a contractor without revealing whether it is a garage or a high-rise office building. To stay with this image: in most invitations to tender, it is not even possible to tell whether a plot of land that can be built on is already available, or whether there is a ramshackle hovel on it that has to be removed first.
Some typical examples in calls for tender on data protection:
- All necessary policies are to be “reviewed or revised”. Whether and how many policies exist and how old and suitable they are is not disclosed.
- All “contractual relationships” are to be reviewed and “any deficiencies found” are to be remedied. How many contracts are in circulation is not stated. What proportion of these are relevant to data protection and whether and to what extent adjustments are necessary remains unknown.
- Accordingly, all data processors are to be reviewed and, if necessary, the processing relationships redefined. How many service providers are used for data processing is not mentioned.
- The register of processing activities is to be checked and corrected if necessary. However, the number of processing activities can only be guessed very approximately on the basis of experience.
- The organisation's entire data security is to be assessed and, if necessary, brought up to standard. Here, too, the details that would allow the effort to be assessed are regularly missing.
In almost every call for tenders, these or other points can be found where it is not even remotely clear what is being ordered. How is an economically reasonable fixed price to be calculated on this basis?
Of course, most reputable consultants have some experience of what to expect in a particular environment and what tasks typically arise. However, tying a fixed price that is as favourable as possible to this experience, together with a firm promise to deliver everything, remains risky in the end. At some point, particularly favourable offers will inevitably be delivered at the expense of quality.
Legal errors in calls for tenders on data protection
In addition, services are repeatedly demanded that the data protection officer is not allowed to provide at all:
- The "autonomous implementation" of the services must be mentioned here in the very first place. The data protection officer may not take responsibility for tasks that he or she is ultimately supposed to monitor and assess. This entails an unavoidable conflict of interest and calls the officer's independence into question. As a result, a legally mandatory criterion for the appointment of a data protection officer is not fulfilled (Art. 38 (6) GDPR)! A person who promises to carry out the implementation on his or her own responsibility may therefore not be appointed.
- The data protection officer can certainly participate in the negotiation of necessary contracts. However, he or she may not conclude them! The data protection officer has no power of representation for the supervised body, nor may he or she be granted such power.
Consequential problems of insufficient tenders
All in all, such a performance specification does not ensure that the tendering body will actually receive the services it needs in the end. Moreover, the uncertainty that is already apparent in the invitation to tender predictably continues when the service is accepted: the fact that the services actually received may be just as general and unqualified as the original catalogue of services remains hidden from the responsible body. As is unfortunately often the case in practice, the client believes it is much better advised than it actually is. Perhaps the seductive but false hope of having finally handed data protection over to someone else contributes to this.
Certainly, every tender allows for questions. Typically, however, these are only answered adequately if the question already contains all the relevant individual points. Clarifying the imponderables therefore involves a great deal of effort. In turn, making this effort is risky for providers, because there are always competitors who quickly submit a supposedly suitable and favourable offer and are awarded the contract.
We are all familiar enough with the game that follows, that completely unpredictably and to the great astonishment and even greater regret of all involved, the money is far from sufficient in the end and everything also takes longer. Whether it’s a concert hall, a major airport, a railway station or an extension of the transport system – there are far too many well-known and interchangeable examples. In data protection consulting, things are often no different.
Conclusion: Expertise is already required during the tendering process
Even the drafting of the tender specifications requires a certain amount of expertise. It should therefore at least be drawn up with the support of experts who know which details matter and which information a potential service provider needs in order to draw up a fair and serious offer.
When assessing the submitted bids, it is equally important to involve someone who can judge both the content (legal and organisational) and the economics. Otherwise, the extreme weighting of the price obscures the actual suitability of a bid.