The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It has had a profound impact on procurement as suppliers are categorised as data processors. So, the procurement department of an organisation must ensure that suppliers, and the entire supply chain, comply with the requirements of the GDPR.
Knowing your data
GDPR mandates that organisations be fully aware of the data flow in the organisation, the kind of data they store, and where they store it. It requires that procurement personnel work with their company’s IT department to organise data, both digitally and on paper. They should ensure that the data is digitised as it will be easier to keep track of it.
Ensure supplier compliance
It is vital that suppliers are also fully compliant with the new regulations. Therefore, procurement professionals need to conduct their due diligence to ensure that suppliers are taking the right measures. Otherwise, the organisation risks harsh penalties. This may mean writing and rewriting contracts with anyone down the supply chain who processes data on behalf of the company. It is also prudent to ensure any future contracts with new vendors fall within the regulations.
Flow of information
The GDPR mandates that the Information Commissioner’s Office (ICO) and the stakeholders must be informed of any data breach within 72 hours of it occurring. Therefore, a procurement department needs to map the flow of information within the supply chain so that it is aware of how information, and what type of information, goes from one level to the next, and can identify loopholes.
Data security is an important aspect of GDPR, and so, procurement needs to ensure that the contract data is stored in a secure location. Also, access to the data has to be minimal, with only authorised personnel being able to access it. Most organisations have now reduced the number of systems they use to store data, making it easier for procurement and the organisation to comply with the GDPR.