Time fast running out for procurement on GDPR

GDPR compliance

There are approximately 570 million procurement contracts in the UK alone that are not currently compliant with the new General Data Protection Regulation (GDPR), which could equate to £300bn worth of fines. With the May 25th deadline looming, the reality is that unless organisations act quickly, they will not meet the new requirements in time.


GDPR is intended to strengthen and unify data protection for all individuals within the European Union. For procurement, the regulation will affect every contract that is still live and has an element of data that needs protection, for example, information identifying an individual or company.


GDPR, therefore, presents a major challenge to procurement; there are a number of external supplier interactions needed and a whole transactional process to navigate – all of which need to be managed and controlled in a structured manner. The process is complex and time-consuming, and when you consider some companies will be dealing with more than 2,000 contracts, the task can become overwhelming.


Simply finding and retrieving contracts can be onerous – they may be years old, there may be duplicates, some will be on paper and others will be by email. The process of gaining compliance then adds to the challenge and requires a highly structured process that can identify relevant contracts, specify the clauses or deeds that need to be added, analyse them and send them to suppliers for sign off. Once all of this has been completed, amendments must be legally bound before full compliance is achieved.


A specialist team of ten would typically take around three months to get a company and its contracts to full GDPR compliance, emphasising the significance of the task ahead.


Along with its complexity, GDPR poses a very serious legal concern and as such, should be something that is being thought about at board level, not just in procurement. While contract authoring software and compliance checking software are important factors, more specific solutions are required to ensure businesses are able to meet their legal obligations and avoid the severe financial penalties – up to €20 million, or 4% of global annual turnover, whichever is higher – and reputational damage that could come from noncompliance.


With around 52% of companies believing they will be fined for noncompliance and predictions that the EU could collect as much as $6bn in fines and penalties in the first year, it is critical that procurement and supply chain businesses act now.


Nick Ford, Executive Director at Odesma



This article is a piece of independent writing by a member of Procurement Leaders’ content team.
