
In this guest blog, Thornton & Lowe founder Dave Thornton looks at how the GDPR has changed the way public sector buyers engage with suppliers.

Thornton & Lowe aims to help organisations bid better and now supports more than 400 tenders each year, with a 75% win rate; 90% of these tenders are into the public sector. In the past 12 months, their team have trained over 500 delegates in the art of bid writing, as well as sourcing some of the leading bid consultants to spearhead the largest contracts across the UK.


Changing the way public sector buyers engage with suppliers

Over the past year, we have seen some key changes when it comes to procurement, supply chain management and bidding for contracts as a result of GDPR. In this brief article, we will highlight what is being requested, along with how you can best prepare for the new demands and requirements within the tender process.

What’s being asked?

When investigating a tender application, you will be presented with questions that look similar to the four examples listed below:

  • Provide details of your IG (information governance) and GDPR policies detailing how compliant you are. Evidence is key to a successful application, so ensure you provide evidence for this compliance and details of staff training.
  • Articulate your policy and practice in relation to GDPR and data that your employees will use within their roles in Senior Management Team. Outline what form of confidentiality agreement is signed by your employee.
  • Outline your current GDPR policies and describe the methodology and structure for fulfilment of data protection objectives, including legal requirements as data controller and/or data processor.
  • The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the relevant supervisory authority. This must be done within 72 hours of becoming aware of the breach, where feasible. It is expected that you will meet this requirement. Please state the procedure you have for detecting and reporting such breaches.

The above points will be present within the standard selection questions (the prequalification stage) and/or the invitation to tender (ITT) document. They are largely pass/fail questions based upon compliance. This means that if you fail to respond as expected, your whole bid could be rejected.

In some tenders, where data control and management are of significance, questions can also be weighted. In that case you are not purely demonstrating compliance; you are competing with other bidders to show why your approach is better, in order to maximise your quality score.


The best way to prepare is by deconstructing each part of the questions and considering what information you have that could provide reassurance, compliance and evidence. Typically, the information you will need includes:

  • Clear GDPR, data protection, information governance policies and procedures, along with a description of how they are compliant. At Thornton & Lowe, we like to use a brief table, where possible, which summarises your compliance and refers to your policies and supporting documentation.
  • A description of how departments and roles fit practically into the business. In practice, this includes who is responsible, their experience, and what practical measures can be referenced to demonstrate best practice.
  • Details of any specific training staff receive, which may be role dependent. Who delivers the training, is it refreshed annually and what does the training cover?
  • Any relevant accreditations, such as ISO27001 or Cyber Essentials.

Do I need ISO27001 (information security management) certification?

From our experience, it is rarely a mandatory requirement, though frequently asked for.

If you are bidding regularly, being certified to ISO27001 by a UKAS-accredited certification body will prove useful and can set you apart from the competition. However, Thornton & Lowe does work with many organisations, including SMEs, which do not have the certification but can show how they work in line with it and have all the policies and procedures in place.

Most importantly, the key is to be able to give the contracting authority reassurance.

With thanks from CertiKit

We would like to thank Dave Thornton for this article, which we hope our customers will find useful.

For those who are regularly bidding, in 2018 Thornton & Lowe introduced Tender Pipeline, which is a tender alerts and competitor analysis tool. This is free of charge –
