Managing suppliers and contracts

You need a written contract in place for your IT suppliers because they are ‘data processors’ under the General Data Protection Regulation (GDPR). This means they can hold, create or amend data on your behalf.

Every time you employ a new supplier who will process data, you need to put a new contract in place. If your existing supplier employs another data processor, they will need to have your permission and put another contract in place. 

Under GDPR, both you and your data processors are responsible for complying with the law. This means that they can be given fines or have to pay compensation to data subjects (which may be your staff or service users) if they do not process data safely. 

Find out more about protecting your data on the Better Security, Better Care website.

What your contract must include

Use the IT contract checklist (downloads in a spreadsheet) to check that your contract complies with data protection law. 

Visit the Information Commissioner's Office (ICO) website for more guidance on what contracts must include under GDPR.

Keeping track of your suppliers

It’s important to keep track of who your suppliers are and where your contracts are stored, so that you can plan for contract renewal or changes when your contract is up. 

The supplier tracker template (downloads in a spreadsheet) can help you to set out and manage your contracts with suppliers and staff. 

Changing suppliers

If for any reason you are not happy with your current supplier, you will need to cancel your contract. Consider the following steps:  

1. Give notice

Look at your contract to understand:

  • how to give notice – do you need to write a formal letter or is an email enough?
  • who to give notice to – do you need to contact a specific person?
  • when to give notice – is there a notice period for the contract?

2. Consider the transition period

You will need to decide when the old supplier stops working for you and the new managed service provider (MSP) starts. You may need to pay both MSPs for a short period of overlap, called a transition period. Transition periods are useful because they let the new MSP work alongside the old MSP and learn about your business and systems.

Ask further questions to understand what the transition looks like. How long will it last for and at what point will the new MSP take responsibility from your old supplier? How will the data be transferred across? 

3. Ask about documentation

Most MSPs will create documents about your computer systems, with details such as:

  • usernames and passwords for systems
  • lists of equipment and software
  • network information 
  • how, where and when your systems are backed up
  • third party phone numbers and contracts 

When changing suppliers, ask about getting access to these documents. At a minimum, your MSP should provide you with usernames and passwords to your systems. 

4. Communicate the change internally

You will need to tell your team: 

  • when to stop contacting your old MSP
  • how to contact the new MSP
  • what to expect when they contact the new MSP

Ask your new MSP about their onboarding process to find out these details. 

5. Remove access

Make sure your old supplier’s access to your systems is removed and passwords changed (your new MSP will normally do this).