Over the past few months, more and more column inches have been dedicated to the introduction of the European Union’s new General Data Protection Regulation (GDPR), which is due to come into force on 25 May 2018.
While it may not sound like something procurement should worry about too much, the consequences of ignoring the law are substantial – both for the function and for the business.
GDPR replaces the Data Protection Directive 95/46/EC. It is designed to harmonise data privacy laws across the EU and to better protect and empower all EU citizens when it comes to data privacy. It is also designed to fundamentally change the way organisations approach data privacy. The regulation will apply to all organisations that offer goods and services or monitor the behaviour of EU citizens in any way. It covers both EU- and non-EU based organisations.
The sanctions for any GDPR breach are severe – with data protection authorities able to hand down fines of up to 4% of annual global turnover or €20m, whichever is greater. This is the maximum amount that can be imposed for the most serious breaches – those where the organisation concerned has not secured sufficient customer consent to process data or has violated the ‘privacy by design’ concept in which systems are engineered to take privacy into account during the entire process.
There are, however, smaller fines for less serious breaches. A company may, for example, be fined 2% for not keeping records in an orderly fashion (article 28). Businesses may also be fined for failing to notify the supervisory authority and the identified or identifiable natural person (the regulation uses the term ‘data subject’) of a breach, or for failing to conduct impact assessments.
GDPR applies to both controllers and processors of data and includes an accountability principle – businesses must demonstrate compliance. That includes any data-processing supply chain the business might have.
To gauge the thoughts of procurement executives and find out exactly what steps are being taken to ensure the function, the supply chain and the business are compliant before the 25 May deadline, Procurement Leaders hosted a virtual roundtable discussion call among members in early February. Here are some of the takeaways from that discussion:
GDPR is an issue for the entire business – not just for procurement. As such, the majority of participants thought it imperative to build a cross-functional team to ensure compliance.
Some were working within their own established third-party risk management teams, others within compliance or governance teams, all of which included experts from across the business.
Legal was one function whose presence was considered vital in any of these teams because of its specialised expertise – particularly in contract law.
One participant summed this approach up nicely when they said it is about “coordinating all activities to close gaps from a global perspective, not just in any one country”.
Every participant said the most important step in this whole process is identifying the suppliers that process data. They considered this to be crucial because the regulation requires businesses to demonstrate compliance.
Businesses work with thousands of suppliers. Many of those vendors will handle personal information in one way or another, but knowing which organisations hold personal data, and what they actually handle, is an enormous challenge.
One executive, for example, said they had carried out an internal investigation and found the company had around 15,000 suppliers handling data.
Another executive said that while they had a lot of suppliers to review they were looking at “volume and sensitivity” when it came to the data that vendors handle.
Spend, they said, is not a “key ingredient”; it is more about considering what data suppliers handle and ensuring that reviews of those organisations that administer the most sensitive data are prioritised.
Many participants said their reviews had found direct spend was unlikely to be affected by the regulation. Instead their focus has largely been on the indirect space, particularly spend on marketing communications, HR and travel.
Once those suppliers handling data have been identified, participants said the next step is to review contracts. While procurement executives disagreed to some extent over how far to go and over the wording of terms within the contracts, roundtable participants widely agreed that this is a crucial step.
One participant said they had found their contracts included the phrase that suppliers “must adhere to current laws” and so they and their legal department had concluded that, at this point, that wording was sufficient.
Others said they had found their current data processing agreement missed one or two regulations. As such, they were planning to send out an adjusted template that had been drafted by in-house counsel.
Going forward, the majority of participants said they would be moving suppliers onto contracts that specifically addressed GDPR, rather than relying on generic terms that require suppliers to comply with “all current laws”.
One procurement executive noted many local suppliers had said that they won’t adopt anything until it “flows through to local law”. Others said they have found suppliers trying to renegotiate their contracts by saying GDPR will add to their costs.
Procurement teams have responded to such attempts in a fairly blunt manner.
“If you have a clause in the contract that makes suppliers adhere to applicable laws, if the laws change then that is part of the price,” said one participant.
Another said vendors “need to calculate price risk” and it is “up to them to do that”.
Preventing suppliers from pushing back on contracts is one reason why many functions are leaving contracts as they are at present.
Participants agreed that ensuring the business has a plan, that it is able to implement that strategy and knows what needs to be done is the key to not being fined on day one of the new regulatory regime.
“We have taken the approach that if we are audited we will be able to show we have thought this through and have a plan,” said one participant. “If they can see the plan and when it will come in that is usually enough.”
Many participants said their weakness when it came to GDPR was around informing staff and training them on the regulation. These procurement executives said they have many category managers who handle data but did not know it was potentially sensitive data. They said it was crucial to bring employees up to speed and ensure they could recognise the elements of the regulation they need to be aware of.
Insurance companies are currently only insuring against the notification procedure, and there is no cover for data liabilities if there is a breach, said participants.
While a new market for insurers may exist, providers are not yet willing to take on the risk.
“No one is accepting our liability,” said one executive.
This increases businesses’ risk exposure and provides further impetus for companies to get on top of GDPR’s demands before the May deadline.
With such significant financial and reputational risks, there can simply be no delay in procurement chiefs and their colleagues across the business taking action.
Failure to do this will result in damage to the business for years to come.
This article is a piece of independent writing by a member of Procurement Leaders’ content team.