Sourcing and Procurement
The Procurement Manager's Guide to GDPR
Everything you have wanted to know about GDPR and how it impacts you as a Procurement Manager.
What is GDPR?
GDPR (General Data Protection Regulation) is a legal framework that standardizes and protects personally identifiable information (PII) within the European Union. It lays stringent rules on how personal data should be handled by third parties, and it also allows individuals to have complete control of their personal data. GDPR has been implemented and is effective from May 25, 2018, replacing the 1995 EU Data Protection Directive and supersedes the 1998 UK Data Protection Act.
To whom does GDPR apply?
GDPR applies to all organizations who hold and process any form of personal data. For instance, technology firms, data brokers, marketers would directly fall under the radar.
When is GDPR applicable?
In terms of geography, GDPR will be applicable in scenarios mentioned below:
- All organizations operating within the EU (European Union)
- Any Organization outside the EU, but still offers any form of goods and services to the individuals or businesses in the EU
Key Components of GDPR
As most organizations are trying to make sense of GDPR, here are the four key components that will help you in this endeavor.
- Data Subject is an individual (natural person) from whom the data has been collected
- Personal data is any piece of information that can lead to an identifiable natural person (data subject)
- Data Controller is a natural or legal person, entity, firm, etc. who sets the objectives and determines how to collect, store and process data
- Data processor is any natural or legal person, entity, firm, etc. that processes the data on behalf of the data controller. Data controller and processor can also be one person/entity
- Data Controller is a vital component in GDPR, as this is where an organization ensures that all of its contracts with the data processors are GDPR compliant.
What type of Data is protected by GDPR?
Any personally identifiable information will be protected under GDPR. Data considered personal under the existing legislation:
- Name, address, phone numbers, ID numbers, photos
- IP address, location, cookies, RFID information
- Health and genetic records
- Biometric data
- Racial or ethnic data
Is work email protected under GDPR?
Yes. Work email ID of an individual comes under the purview of GDPR as it can serve as a medium through which an individual can be accessed, either personally or professionally. Whereas, generic business email ID such as email@example.com or firstname.lastname@example.org is not considered as personal data.
Procurement Manager and GDPR: How important is GDPR for Sourcing & Procurement?
The role of Sourcing and Procurement organizations in ensuring GDPR compliance is crucial as they exchange significant volumes of data with vendors to facilitate products and services to different businesses and functional units. Complexity in modern supply chains and the quantum of interactions with suppliers would demand procurement and compliance teams to ensure GDPR compliance levels through appropriate supplier due diligence. Focus on contract management and information flow across the supply chain is crucial in GDPR compliance.
Am I safe when my supplier is GDPR non-compliant?
No, it's a risk. GDPR has an accountability clause, which means that an organization not only need to comply but also have to demonstrate compliance. Organizations should have written contracts with its supplier on GDPR compliance and also conduct periodic reviews.
What is the cost of GDPR non-compliance?
Any non-compliance will result in heavy fines, which can be as high as EUR 20 million or 4% of a company's total global revenue, whichever is larger.
What are the key requirements of GDPR for Sourcing and Procurement organizations?
Any business firm that transacts with an individual based in EU and collects controls, or processes personal data comes under the purview of GDPR.
Below are the key requirements of GDPR from S&P organizations:
- Explicit consent from all stakeholders across the supply chain for the collection and processing of their personal data shared by them along with the objectives.
- Implement appropriate security measures to ensure data security and to ask the third-party data processors (vendors) for the same. Monitor, analyze and respond to security incidents/breaches in a timely manner (within 72 hours of revelation).
- Assure that all the third-party data processors (vendors processing / using the data shared by the company) are GDPR compliant through the addition of explicit clauses in the contracts.
- Update all the contracts with data processors (tools, solutions, service providers and BPO firms) and with clear written guidelines and scope of data processing. Some of the key data processors are cloud-based service providers, sub-contractors, etc.
- Appointment of a Data Protection Officer (DPO) (If the company internally monitors and/or processes data on a large scale in a regular or systematic manner). In case a third-party vendor is the data processor (at large scale), the DPO should be appointed by that third-party.
What are the key steps for business firms to become GDPR compliant? What are the key roles of Sourcing and Procurement in this?
- Manage locations of all personal data of vendors and other supply-chain participants to ensure that no crucial data is overlooked
- Categorization of all the suppliers based on their access to data
- Prioritize the above-established supplier categories based on volume and sensitivity of personal data for GDPR compliance
- Seek out a balance between removal of information from the system and encryption. There might be conflicting situations where another law might restrict your choice to delete certain information (purchase records for example). Check what needs to be retained, deleted, and encrypted.
How can a company ensure that its suppliers are GDPR compliant?
GDPR outlines that the scope of data processing must be clearly defined in the contract made between the data controller and data processor. In many cases, business firms and its suppliers share the same relationship of data processor and controller. Business firms can ensure that suppliers are GDPR compliant by:
- Conduct surveys with suppliers to understand their readiness and compliance level with GDPR
- Set clauses in existing contracts to avoid non-compliance risk and to reduce liability - clauses to hold vendors accountable for non-compliance based on their GDPR risk score, data security requirements and the scope of data processing
- On-site audits, particularly for critical suppliers based on spend value and the products/services they provide. There are also third-party specialized firms who provide data audits with GDPR focus.
Which are the key Spend and Supplier Categories that should be focused on or prioritized for GDPR compliance?
Business entities should start with category classification to in-house and outsource and then comb through all the outsourced categories to identify the ones where personal data is involved. It is important to focus on outsourced service providers for GDPR compliance. However, in-house managed spend would also have multiple categories that would require relatively higher focus from GDPR perspective.
- Marketing solutions and service providers must be compliant with GDPR as they collect and process a large amount of personal and sensitive data of target customers. Also, there are certain recommendations placed by GDPR around the storage of data, profiling of target customers, etc. that should be checked with all marketing vendors for their compliance. Suppliers' competitive landscape is also changing as many foreign firms (particularly smaller marketing firms) find it difficult to operate under new standards.
- Other indirect spend categories such as travel, HR, health and insurance, etc. The vendors providing solutions/services in these categories should also be evaluated by S&P organization as these vendors collect and process a higher amount of personal and sensitive data of employees
- IT solutions and services would also witness changes in supply base (consolidation, switching), contracts review and clauses, particularly all the third-party cloud-based solution and service providers. S&P organizations have to go through individual contracts with these IT solutions providers (for which the number may be huge) to check for the scope of modifications.
How are the e-Procurement Solution providers reacting? How are these solution providers helping their clients' to comply with GDPR?
Currently, preferences would be inclined towards the vendors who are fully compliant to GDPR. This is largely due to the fact that, GDPR is still in the nascent stage with less maturity and also buyers are also looking to avoid any uncertainty.
Below are the reactions from leading e-procurement solutions providers.
- Providing new features/functionalities aligned with GDPR to clients to improve their control and access over the data they share. These new features are as per the GDPR directives including rights of access and rectification, right to erasure or right to be forgotten, right to data portability, and right not to be subject to automated decision-making, including profiling.
- SAP Ariba has added new functionalities to support GDPR compliance for its customers. The key features are - Explicit consent for data usage and its purpose, self-service opt-out to enable the recipients to unsubscribe from unwanted communications, personal data deletion, retention and rectification, sub-processor compliance, etc. Other leading e-procurement solution providers are also offering (or working towards these) similar functionalities.
- Revised Data Processing Agreements set forth by solution providers to align their service and solution with GDPR
- Review their risk management strategies and processes and explicit mention of all the activities conducted to ensure GDPR compliance on websites and other publications.
- The key standards and certifications being highlighted by e-procurement solutions (Ariba, Coupa, Zycus) in regards to their effort towards complying with GDPR are ISO 27001, SOC1, SOC2, cloud security certifications, etc.
- Article 25 of EU GDPR mandates the need of Privacy by Design and by Default - Privacy by design requires that data protection and security should not be tagged as an addition or layer onto the system / IT infrastructure but should be built-in into the system as an integral part. Privacy by Default requires that any product/service released to the public must adhere to the strictest privacy settings by default. Procurement solution providers are working towards adhering to this article and are expected to release fully compliant versions in the near future of their respective offerings
What is the role of technology towards GDPR compliance? How is the technological landscape shaping up with the introduction of GDPR?
Technological advancements in AI and Blockchain are expected to complement the efforts being put by business firms towards attaining GDPR compliance.
Below are some of the technological solutions that could facilitate GDPR readiness for the future:
- AI-based data miners can facilitate identifying personal and sensitive data from multiple sources that fall under the scope of GDPR efficiently.
- Machine learning and natural language processing can be helpful for consent management and to help business firms to deliver the GDPR suggested functionalities (right to be forgotten, right to rectify, right to access), especially for e-procurement solution providers
- On the other hand, GDPR also has the potential to affect the growth of AI implementations in EU owing to multiple rules and restrictions on data collection and processing. Prohibition on the repurposing of data, right to erasure, the requirement of a manual review of key algorithmic decisions can hamper the effectiveness of AI tools. In simplified terms, GDPR could limit the level of processing allowed on personal data.
- According to Article 22 in GDPR, business firms are required to manually look at decisions made by algorithms and thus limiting the benefits derived from AI. Article 22 of EU GDPR says - "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."
- Racial or ethnic data
GDPR's future outlook:
GDPR is a step in the right direction towards protecting an individual's personal data and privacy. A considerable amount of efforts and investments towards GDPR compliance is evident across buyers, suppliers, consultants and other intermediates in the supply chain.
In the sourcing and procurement space, GDPR is expected to further tighten the way how personal data is handled. Rising digital transformation (from e-procurement tools to smart contracts), will further increase the scope of GDPR in sourcing and procurement industry.
As organizations need to be GDPR compliant and also demonstrate compliance amongst its suppliers, the focus should be on both internal and external processes.
- For internal GDPR compliance: Internal compliance, risk management and dedicated GDPR teams need to have a continuous check in framing the guidelines, monitoring and reviewing how data flows in, processed, stored and used.
- For external GDPR compliance: organizations need to have written contracts with its suppliers and also conduct due diligence at periodic intervals. It is also essential to review whether the supplier has GDPR contracts with its suppliers.
Moving forward, chances are more than organizations will engage with GDPR consultants to strategize and ensure compliance, both internally and externally. This is largely due to the fact that, any level of non-compliance will have a significant impact on an organization's financial, operational and reputational landscape.