What GDPR means for Procurement functions
Sally Davis
By now, you’ll already know that the enforcement of the General Data Protection Regulation (GDPR) is imminent. At present, data protection regulations typically classify suppliers as data processors, rather than controllers, meaning they have no primary liabilities. However, GDPR will make suppliers directly liable and also make it mandatory for data controllers to include specific provisions relating to GDPR in their contracts with suppliers. For that reason, the procurement teams of European businesses must make sure they are on top of the changes. So, what do you need to be doing to prepare before its implementation on 25th May?
Know your data
You must have a clear overall picture of how data flows through your organisation. Work with your IT providers to ascertain what kind of personal data is held and where it resides – both electronically and on paper. Learn how it is obtained, used and who it is shared with. Producing an organisational data map will help establish this overview as well as making it easier to pinpoint where your risk areas are. Going forward, digitise data so it is easier to control and track who has access to it.
Identify contract risk areas
When it comes to risk, you need to work methodically through your contracts, identifying which suppliers process data within the EU and, consequently, which ones are affected by GDPR. Of these, consider which handle the most sensitive data and prioritise reviews for those organisations. Also establish which spend categories have the biggest GDPR risks: direct spend is less likely to be affected than indirects such as human resources and marketing communications.
Engage your suppliers
As part of your assessment of any GDPR risk within your supply chain, work with your legal advisors to ensure that all relevant contracts include the necessary GDPR-related risk protection clauses and that tender documents make explicit reference to your data protection policy. When selecting suppliers, assurance must form part of the process. Categorise your suppliers so you are clear about where risk might be higher and work with them on pertaining issues such as indemnities and liability.
Prepare to continue monitoring compliance
A single set of checks in advance of GDPR legislation being introduced won’t suffice in the long term: you need to think about ongoing contract management and reviews. Consider spot checks and audits for your key suppliers. In future, you can use a supplier’s ability to demonstrate good practice as a selection criterion.
Have a clear plan for response
The GDPR means organisations are duty bound to report certain types of personal data breach to the Information Commissioner’s Office within 72 hours of becoming aware of the infringement, so check your internal systems to make sure that the processes are in place to enable you to meet this requirement.
Also, note that under GDPR individuals will be able to exercise their right to be forgotten or request access to the data held on them. No matter how complex your supply chain is, these demands must be met within a month. Consequently, plan the chain of communication –including templates for requests and details of who to contact- now so that you can satisfy such requests within the time frame.
Get all staff on board
GDPR is a whole company issue, meaning it is important to build a cross-functional team, rather than having departments working in isolation. If your organisation sets up a third-party risk management, compliance or governance team, ensure that it includes specialists from right across the business. Equally, everyone in the firm needs to know their obligations and responsibilities under GDPR, so all changes to the way that data is managed need to be clearly communicated across the business. In order to minimise risk at all points of the supply chain, any member of staff who deals with potentially sensitive data or suppliers should receive training on the new rules and their responsibilities. Recording details of such training will be an important step in being able to demonstrate that your organisation has taken reasonable steps to ensure that it is GDPR compliant.
Share and collaborate
The lack of case law or examples of best practice means that organisations can’t be certain if their approach to becoming GDPR compliant is covering all bases or not. Creating a centralised bank of resources, such as articles about what other firms are doing, which is accessible by all staff in your organisation will help keep everyone up to date with developments and best practice. Networking events can also be a useful way to discuss and collaborate with other procurement professionals.
Document your steps
If there ever is a serious breach, part of the investigation will involve the ICO examining how far your organisation tried to minimise the risk. So, when following any of the steps above, document them as part of a written action plan. No procurement department will be expected to be utterly perfect and without risk: the key thing is to show that you have done all you can to manage it as effectively as possible.
To find out how 1st Executive’s experts can help with your procurement and supply chain challenges, get in touch on 08432 163030 or enquiry@1st-executive.com