The intense conversation surrounding data security and digital privacy will reach a new peak this week with the EU's General Data Protection Regulation finally coming into effect. Throughout the two-year transition period, questions have circulated and tensions have run high across the globe. The new regulation promises hefty fines (up to 4% of annual global turnover) and has made GDPR the scariest acronym since Y2K.
GDPR provides 'data subjects' with greater control over how their information is collected, distributed, and applied. More than ever before, data 'collectors' and 'processors' will be held accountable for protecting the subject's privacy. They'll not only need to comply with regulations, but are responsible for clearly and consistently demonstrating their compliance. This is particularly distressing news for companies who've historically taken a hands-off approach to maintaining their databases and auditing their third-party partners.
Are North American organizations in the clear? Absolutely not. Any business that processes information from EU data subjects is required to adhere to GDPR.
These companies aren't just accountable for how they handle data. They're also responsible for ensuring their third-party vendors remain responsible and compliant. If they haven't already, they'll need to refine their contracting, auditing, and reporting processes to reflect GDPR's sweeping reforms.
On paper, GDPR compliance might look like a job best left to IT and IT alone. The looming risks and lingering questions presented by this legislation, however, are largely associated with supplier relationship management. In other words, "the most important change in data privacy regulation in 20 years" could provide Procurement with the perfect opportunity to set itself apart as an indispensable strategic asset. Leading departments have already distinguished themselves as valuable risk management and mitigation functions. Now, even laggard Procurement teams have a chance to follow suit.
Companies with robust Procurement departments are well equipped to answer the performance and contract management questions that GDPR poses. First, the department can serve as an investigator across the supply chain. It can take a deep dive into relevant data, identify which suppliers come into contact with EU data subjects, and point out risky contracts and relationships.
Procurement's contract management skills will play a major role in preventing violations. Teams will have to assess existing contracts, amend them where necessary, and develop effective repositories for keeping high-risk documents readily available. It will also fall on Procurement to refine workflows and ensure communication is clearer and more efficient than ever.
Enforcing compliance could mean a complete overhaul of Procurement's methods for managing supplier relationships. GDPR-specific performance reviews, audits, and supplier surveys will become an integral component of its efforts.
To succeed, Procurement will have to work closely with internal stakeholders. IT, in particular, will prove an all-important ally. Though the two functions have a history of butting heads within some organizations, they must come together as partners in a post-GDPR world.
Stressful times await businesses in the EU and everywhere else. A fully strategic Procurement department could be the perfect antidote to that stress. Need help auditing your supply chain or promoting compliance? Contact the supply chain risk team at Source One today.