Regulatory compliance is a complex and potentially overlooked part of supply chain management. Organizations that don't devote enough focus or resources to managing their supplier networks may run afoul of legal authorities, suffering penalties that make any savings they've achieved from their third-party relationships appear small by comparison.
With legal requirements changing frequently, and major new rulings coming down the pipeline, it's a great time for organizations to reevaluate the parts of their risk-management strategies that relate to determining whether the company is meeting relevant standards. The General Data Protection Regulation, ensuring companies keep European Union residents' data secure, could be the next major law to demand practice changes.
Are third parties visible?
Supply chains today consist of tiers of agreements, with third parties dealing with their own networks of partners. In many cases, this arrangement is a necessary element of doing business at a global scale. However, it also makes visibility very difficult, and may make it tough for organizations to determine whether their suppliers are making responsible and compliant use of data.
A Deloitte report revealed widespread concern: More than half of companies worldwide don't think they have a close enough view of the subcontractors used by their third-party partners. Considering that the GDPR establishes rules for the appropriate use of data all the way to the furthest levels of the supply chain, these opaque business relationships have become very concerning.
Risk management policies that look beyond the first tier of supply chain partnerships to take subcontractors into consideration aren't yet widespread. Furthermore, Deloitte found that organizations are extending their road maps for attaining this level of visibility. The new timelines, with 53 percent of companies expecting to take two or three years to reach monitoring maturity, are a realistic reflection of their progress, according to the researchers.
Considering the complex relationships that make up the modern supply chain, it's easy to imagine weak visibility becoming a major liability for organizations in the early days of GDPR. The risk of exposing data to a fourth- or fifth-party organization is real, and working this matter into risk management strategies is now a priority.
While the Deloitte report contained warnings for companies to hurry and increase visibility, that worrying perspective isn't the only way to view GDPR. According to industry law firm partner Sarah Williamson, contributing to Supply Management, firms that do a good job ensuring data protection throughout their supply chains can gain ground on competitors. Taking quick action to assess current information sharing practices and improve them where necessary can enhance a business's reputation.
Some of the measures associated with GDPR - such as the need to issue breach notifications within 72 hours - are likely much more stringent than anything firms have had to comply with before. Putting this level of protection in place immediately is a challenge, but Williamson noted that the task will only become more difficult as the GDPR passes into active enforcement. Rather than backing away from such responsibilities, procurement teams can take them on directly. Consumers may appreciate the proactive effort.