With new data protection laws on the horizon, it’s time to get better acquainted with your suppliers
Don’t look now, but it’s coming. And it will be here before you know it. Of course, I’m talking about GDPR, the General Data Protection Regulation: the new EU regulation (replacing the 1995 Data Protection Directive) that promises to harmonize data privacy law across Europe and alter how UK and EU companies are required to manage personal data.
GDPR shifts accountability for personal data management onto the organization, introducing new obligations and regulatory oversight for companies that hold and process the personal data of people in the EU, even if those companies are not physically located in the European Union. These companies will be required to demonstrate compliance. Failure to do so can result in stiff penalties: fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
GDPR also aims to give individuals more rights over who can access their personal data, including the right to erasure (the right to “be forgotten”), without their having to retain a team of lawyers. The fact that the UK will soon no longer be part of the EU is not expected to diminish the requirement for UK companies to comply with the new regime.
In most organizations, compliance with GDPR is likely to fall on the shoulders of internal IT departments. But there is plenty for procurement to think about as well, especially for organizations that rely on suppliers (which is just about all of them these days) and even more so for those whose suppliers are based outside of Europe.
The time is now for procurement to get its supplier base in order. At Proxima, we often stress the importance of knowing your suppliers intimately. With GDPR on the horizon, it has never been more important.
Organizations need to conduct a due diligence exercise to gain a better understanding of their primary suppliers, their sub-suppliers, third-level suppliers and so on, all the way down the chain. Why? Because under GDPR the organization that decides why and how personal data is processed (the controller) remains accountable for the suppliers (processors) it engages, and a processor may bring in a sub-processor only with the controller’s authorization. If a supplier with access to the personal data of people in the EU runs afoul of the new regulations, chances are the organization that engaged it will feel the sting.
For procurement teams, this means a number of activities including:
- Engaging in a thorough analysis and, if necessary, scrubbing of their supplier ecosystem
- Taking a look at supplier contracts and determining whether they are still fit for purpose in this new environment or whether negotiations need to be reopened. GDPR requires that a contract with a supplier processing personal data on your behalf set out, among other things, the subject matter and duration of the processing, the supplier’s security obligations, the conditions for engaging sub-processors, and what happens to the data when the contract ends.
- Asking the necessary questions about how data is stored, processed and protected: where it is held, who can access it, how it is encrypted in transit and at rest, and how access is logged. What checks will the supplier have in place to ensure compliance? How will they monitor their own secondary suppliers?
- Thinking about a contingency plan should it be necessary to replace a key supplier, either unexpectedly or because they prove incapable or unwilling to comply with GDPR.
- Considering a crisis plan should a supplier breach become public, with the potential for damaging reputational impacts bubbling up to the organizations that engaged the supplier. Bear in mind that under GDPR a supplier acting as processor must notify you of a personal data breach without undue delay, and you, as controller, then have 72 hours from becoming aware of it to notify the supervisory authority where required, so both the contract and the crisis plan need to make those notification paths explicit.
This is also a good time for procurement to revisit its internal contract management processes, which are often pushed to the side when procurement has its hands full with other priorities. Too often, companies simply are not diligent about managing existing suppliers and ensuring that even the most basic deliverables are being met in accordance with contract standards. As for the sourcing of new suppliers, consider whether the same old RFI you have been using time and time again still asks the right questions for the times; asking them now helps you make the right decisions today and avert a costly mistake down the road.
Finally, procurement should be a source of education to its suppliers. Ensure they understand GDPR inside and out so they can take the necessary measures in the remaining months to avoid any interruption of the existing business relationship.
The protection of personal data remains a hot-button issue around the world. The frequency with which data has been mishandled and stolen has necessitated newer and more stringent data protection laws. GDPR is the latest. Chances are, it is not the last.
With just a few months to go, procurement can and should play an active role in preparing suppliers and, by extension, protecting the organization as GDPR is implemented.