Companies that fail to comply with the General Data Protection Regulation (GDPR) risk fines of up to €20m or 4% of their worldwide annual turnover, whichever is higher. In recent months this has caused a flurry of activity among organisations, especially as the final deadline of 25 May 2018, when the regulation comes into effect, approaches.
Organisations in the UK must pay particularly close attention to both internal and external compliance: managers must ensure that their supply chains comply with GDPR as well as their own internal practices. This is an opportunity that businesses should seize, as it will give them a competitive edge over companies that are less well prepared.
GDPR and procurement: the responsibility
The most important point for organisations preparing for GDPR to grasp is that the legislation places direct obligations on processors, not only on controllers. It requires that any processing carried out by a processor is governed by a written contract containing a specified set of provisions, and that the contract also sets out the conditions under which the processor may engage sub-contractors and sub-processors. In light of this, organisations, managers and procurement staff will have to hold extended contractual negotiations with their suppliers as they seek to allocate liabilities and ensure that their processes are watertight.
A breach anywhere in the supply chain can be devastating for an organisation, regardless of where it occurs. It will damage the company’s reputation and can wreak havoc with its finances because of the potentially huge fines. For this reason, any UK business that processes customer data should undertake detailed due diligence on its suppliers and carefully check whether they meet the requirements of GDPR before entering into an arrangement.
What should procurement do for GDPR preparedness?
Procurement teams should undertake the following steps to ensure they comply with GDPR:
- Map data through the supply chain and identify who receives a customer’s personal information and where it is processed.
- Check supplier contracts to identify which contractors process data. This will allow you to review the data protection provisions they have in place.
- Determine your organisation’s appetite for risk across existing and new contracts. Liability for data protection and for data breaches will need to be allocated differently in each case, so decide the approach before negotiations begin.
- Make sure that your suppliers are compliant with GDPR and obtain contractual guarantees from them to that effect.
- Ensure that current insurance policies cover breaches, including those caused by suppliers.
- Finally, have proper systems in place to notify the supervisory authority of any breach within 72 hours of becoming aware of it. Since the clock starts when you become aware, require suppliers to notify you of a breach without undue delay, as GDPR obliges processors to do.
By taking these measures, you will demonstrate to your customers and suppliers that you take data protection seriously. This will send a clear signal to those at either end of the supply chain that your organisation is ready for the future and serious about its business.
Nick has over 30 years of procurement experience in consulting, outsourcing and line roles within industry, with international experience across many sectors, and has led many procurement programmes with blue-chip organisations.