We live in a global community, meaning everything from our toothbrush to our cell phone has a global footprint. With the advent of the internet and newer technologies in the workplace, it's easier than ever to witness this global footprint in action. While this has undoubtedly created ease of access for almost everything we use in our daily lives, it has also created some larger business implications, and complications. GDPR may not be directly tied to these newer technologies, but the way these technologies disseminate and transfer information certainly is.
In May of 2018, the General Data Protection Regulation (EU) 2016/679, or GDPR, became enforceable, and brought with it a new set of challenges for global organizations. GDPR is an EU regulation governing how the personal data of individuals in the European Union and European Economic Area is collected, processed, and shared, including restrictions on transferring that data outside the EEA. But GDPR applies to more than just organizations located in the EU or EEA: any organization, wherever it sits, that processes the personal data of people in the EU/EEA can fall within its scope.
Imagine you are a mid-sized company headquartered in the eastern US. Most, if not all, of your clients or customers are located within North America. Sounds like GDPR won't have much of an impact on your daily operations, right? Not quite. Let's say that as part of your core business you have to contract with suppliers in the UK, and these contracts require access to the names and phone numbers of their employees, i.e. the personal data of individuals in the UK (since Brexit, the UK GDPR imposes equivalent obligations). Now, suddenly, GDPR has reared its ugly head in your operations. Failure to adhere to these regulations can have not only financial implications, with administrative fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher, but also a reputational impact if vendors catch wind that you have a less-than-stellar track record with GDPR compliance. Fret not, there are things you can do to protect yourself from foreign liability. Better still, your Procurement organization may actually be able to lead this effort.
Here are some tips you can incorporate into your current process to help mitigate any potential risks:
Know the Scope
When you contract with a supplier, make sure you are asking the right questions. The definition of PII, or Personally Identifiable Information, can vary from organization to organization, and GDPR's own term, "personal data," is broader than many US definitions of PII: it covers any information relating to an identified or identifiable natural person, so employee names, work email addresses, phone numbers, and even IP addresses or employee ID numbers can all be in scope. For protection, therefore, it is often advisable to treat all information you receive as important and critical. If you are unsure of the level or detail of information you will be sharing, ask!
Use Your Resources
While most supplier contracts can be handled by your Procurement team or subject matter experts, e.g. Purchase Orders, Pricing Agreements, etc., don't be afraid to tap into your legal resources. Most legal teams serve a precautionary function, so engaging them early on allows them to do their job better. When personal data is being shared, a Data Processing Agreement, or DPA, is necessary to detail the levels of protection and the procedures for any personal data being shared; GDPR Article 28 requires such a contract whenever one party processes personal data on behalf of another. An NDA alone will not cover your interests. Because your company sits outside the EEA, the contract also needs to address the lawful basis for the transfer itself, typically Standard Contractual Clauses, since GDPR restricts transfers of personal data to countries without an adequacy decision. Your legal team should be familiar with a DPA, or, at the very least, be comfortable reviewing a supplier's DPA. If your team doesn't have a template, ask the supplier if they have one. Most EU suppliers should have a template ready for engagements involving personal data. If they don't, this may be a red flag that their organization isn't very mature and might not be the best fit.
Trust Your Process or Establish the Right Process
If you have an established Procurement process with detailed instructions or policies for everyone in your organization to follow, make sure to not only follow that process, but trust that process. The reason we put processes in place is to protect your organization's interests and reduce potential risks. If your process calls for a Third Party Risk Assessment, don't skip this step. If your process calls for a legal review of certain contracts, be transparent with your legal partner and let them know about the international element. But, beyond just trusting your partners, be sure to educate your team on the importance of GDPR compliance and to flag any issues. If your process is already defined and established, then hopefully these items are already being captured. But, if you're gearing up for a Procurement Transformation or looking to redefine your processes, now is the time to establish policies surrounding supplier selection (through the RFx process or negotiations), Supplier Relationship Management (SRM), Third-Party Risk Management (TPRM), and/or Legal review to safeguard your organization from these risks.
Whether your Procurement organization is in its infancy or its advanced age, the team can help spearhead any efforts around GDPR and compliance by maintaining a strong Supplier Relationship Management (SRM) system and effective Procurement best practices. If your Procurement organization has established a full procure-to-pay or source-to-pay model, or even a process that dictates when and how to engage Procurement, it's safe to assume this team has insight into which vendors you're currently contracting with and the scope of those contracts and projects. If not, Corcentric has a host of offerings that can help establish and stand up your Procurement organization, or help improve or restructure your current process.