Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

In this guest blog, Thornton & Lowe founder Dave Thornton looks at how the GDPR has changed the way public sector buyers engage with suppliers.

Thornton & Lowe aims to help organisations to bid better and now supports more than 400 tenders each year, with a 75%-win rate; 90% of these tenders are into the public sector. In the past 12 months, their team have trained over 500 delegates in the art of bid writing, as well as sourcing some of the leading bid consultants to spearhead the largest contracts across the UK..


Changing the way public sector buyers engage with suppliers

Over the past year, we have seen some key changes when it comes to procurement, supply chain management and bidding for contracts as a result of GDPR. In this brief article, we will highlight what is being requested, along with how you can best prepare for the new demands and requirements within the tender process.

What’s being asked?

When investigating a tender application, you will be presented with questions that look similar to the four examples listed below:

  • Provide details of your IG (information governance) and GDPR policies detailing how compliant you are. Evidence is key to a successful application, so ensure you provide evidence for this compliance and details of staff training.
  • Articulate your policy and practice in relation to GDPR and data that your employees will use within their roles in Senior Management Team. Outline what form of confidentiality agreement is signed by your employee.
  • Outline your current GDPR policies and describe the methodology and structure for fulfilment of data protection objectives, including legal requirements as data controller and/or data processor.
  • The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the relevant supervisory authority. This must be done within 72 hours of becoming aware of the breach, where feasible. It is expected that you will meet this requirement. Please state the procedure you have for detecting and reporting such breaches.

The above points will be present within the standard selection questions (the prequalification stage) and/or the invitation to tender (ITT) document. They are largely pass/fail questions based upon compliance.  This means if you fail to respond as expected, your whole bid could be rejected.

In some tenders, where data control and management are of significance, questions can also be weighted. This process means you are not having to purely demonstrate compliance but compete with other bidders to demonstrate why your approach is better to maximise your quality score.


The best way to prepare is by deconstructing each part of the questions and considering what information you have that could provide reassurance, compliance and evidence. Typically, the information you will need includes:

  • Clear GDPR, data protection, information governance policies and procedures, along with a description of how they are compliant. At Thornton & Lowe, we like to use a brief table, where possible, which summarises your compliance and refers to your policies and supporting documentation.
  • A description of how departments and roles fit practically into the business. In practice, this includes, who is responsible, their experience and what practical measures can be referenced to demonstrate best practice.
  • Details of any specific training staff receive, which may be role dependent. Who delivers the training, is it refreshed annually and what does the training cover?
  • Any relevant accreditation’s such as ISO27001 or Cyber Essentials.

Do I need ISO27001 (information security management) certification?

From our experience, it is rarely a mandatory requirement, though frequently asked for.

If you are bidding regularly, being certified by a UKAS-accredited registered certification body to ISO27001 will prove useful and can set you apart from the competition.  However, Thornton & Lowe does work with many organisations, including SMEs, which do not have the certification but can show how they work in line with it and have all the policies and procedures in place.

Most importantly, you must be able to provide a contracting authority of reassurance which is the key.

With thanks from CertiKit

We would like to thank Dave Thornton for this article, which we hope our customers will find useful.

For those who are regularly bidding, in 2018 Thornton & Lowe introduced Tender Pipeline, which is a tender alerts and competitor analysis tool. This is free of charge –

Over 3000 businesses have purchased our toolkits


The sample documents are very rich in their scope. Our attorneys have reviewed our edits and can find no fault with what is presented.

Institute for Supply Management

View all Testimonials