With an emphasis on third parties, GDPR makes data protection procurement’s problem. Here’s how to turn it into an opportunity – and keep your job
It’s July 2018 and your phone rings. You don’t recognise the number, but you answer it anyway. “Hello,” says an automated voice at the end of the line. “We have evidence your personal data is being used without your consent.” We are all used to unsolicited messages about PPI misselling or that ‘car accident that wasn’t your fault’. But now there’s a new target for the ambulance chasers: General Data Protection Regulation, or GDPR for short. And it’s something that is – or at least should be – on every procurement professional’s mind.
GDPR, which comes into effect on 25 May 2018, overhauls how businesses handle and process data. It is Europe’s new framework for data protection, and replaces the 1995 data protection directive. The legislation is the “most important change in data privacy regulation in 20 years”, according to the EU’s GDPR website, and aims to “harmonise” data privacy laws across Europe and increase rights and protection for individuals (data subjects). It obligates businesses to look after personal data more effectively, and it raises the spectre of some hefty fines if they fail to do so: €20m or 4% of a firm’s annual global turnover (whichever is greater).
Right to privacy
In essence, GDPR represents “the law catching up with the digital world”, says Justin Harrington, a partner at law firm Blake Morgan who specialises in technology procurement and outsourcing. “Things have developed since the 1990s and people are much more aware of security. A big focus is the security of data and it being used for the purpose for which it was offered. It’s about information self-determinism: having control of your own data.”
Individuals gain more rights through GDPR, enabling them to ask companies to delete their personal data from their systems (‘the right to be forgotten’) and to request information about how their data is being used, which must be provided within 30 days (‘a subject access request’).
So, that phone call about data misuse that leads back to your company’s poor data management? It could happen, and soon, warns Sarah Williamson, partner at law firm Boyes Turner.
“If consumers are encouraged to take up their new GDPR privacy rights en masse, the impact on a wide range of businesses could be more disruptive than the tech-driven consumer empowerment forced by the likes of TripAdvisor,” she says. In early 2018 the Information Commissioner’s Office (ICO) is expected to launch a major PR campaign, alerting people to their rights as data subjects.
“Before long there will be ‘GDPR chasers’,” predicts Maxine Bulmer, cyber security director at IT firm CGI. “Companies will be making calls about data, and helping people get compensation.” According to a 2017 study commissioned by SAS, 48% of consumers plan to wield their new rights over personal data.
So, why does this matter to procurement? In Williamson’s words: “GDPR is set to become a huge issue in the supply chain. If you’re outsourcing data processing services, the imposition of direct obligations onto processors down the supply chain does not exonerate or detract from your liability to your customers.” The reputational risk of a personal data breach is huge, and especially pertinent to procurement given that 80% of information breaches occur in the supply chain.
Making things more complex is the fact that most companies now deal in data, even if it isn’t the core of their business model. This means that GDPR is one of those pieces of legislation that “grabs every company”, says Mike Corran, procurement and property director at TSB Bank. It applies to all companies, large and small, cascading through every level of a supply chain.
The new regulation requires much tougher controls over what an organisation’s suppliers do with personal data. “One of the most significant changes is the imposition of compliance obligations on both the data controller [the company that decides how the data will be used] and the data processor [the company that works on the data for the controller],” explains Leo Martin, director of business ethics and compliance firm GoodCorporation.
“Third parties involved in data processing as part of their contract are required to assist the contracting organisation in complying with its GDPR obligations. This involves accepting the contractual requirements that must now be included in any third-party agreement with an organisation processing data on your behalf.”
Bulmer adds: “Under GDPR, the initial data controller has liability for all the sub-processors [links in the supply chain dealing with data]. There is a lot riding on the shoulders of the data controller, which has to take responsibility and give assurances back. The spider’s web for service provision is very complex.”
The emphasis on third party risk puts procurement front and centre – something Hugh Cox, chief data officer at Rosslyn Analytics, believes not all in the profession are ready for. “This is the first time there has been a connection between data breaches in the supply chain and the CPO,” he says. “When personal data is breached, under your watch, [the CPO] will be the first person to be fired. In the data governance landscape of the organisation, this is your responsibility. For procurement it’s a very new level of accountability and responsibility that is not yet front of mind.”
Various pieces of research seem to back this up. According to a survey by Opus, 56% of companies experienced a data breach in 2017 caused by a third party, up seven percentage points from the year before. Yet the same survey found only 17% believe their organisation is effectively managing third party risk.
Another survey carried out in September by Blake Morgan, specifically on GDPR, found 77% of companies had not yet reviewed their data processing contracts. The research also found that 39% of businesses had not taken any steps to prepare for GDPR, and 38% were not confident they would be able to comply by 25 May.
Most of the experts SM spoke to said that not being fully compliant by the deadline was not a cause to panic – but the ICO will be looking for evidence that firms have “started on the journey to compliance”, in Cox’s words. And there are a number of practical steps that procurement should be taking the lead on to ensure supply chain compliance.
Take control of your data
Firstly, you need to really understand your data: know where it comes from, how you use it and who you are sharing it with. “Understand your supply chain and how far your data is reaching through it,” says Bulmer. Collaborate with IT to find out how to follow the flow of data out of your organisation.
Once you have a handle on your data, you’ll need to methodically go through your supplier base to work out which suppliers and contracts provide the biggest potential GDPR risks. “Procurement teams should review every aspect of how they work with their suppliers, including supplier onboarding, how they capture a supplier’s services, and the contract terms applied,” says Brioney Moore, global category lead – marketing and communications, procurement at CA Technologies.
About half the supply base at TSB deals with data, says Corran, so there is a large volume of contracts to be redone. “No one wants to create conflict with their suppliers; we’ve got to find the words that are robust enough, but don’t scare the horses,” he says. TSB is piloting new contracts with a group of suppliers to check the reaction before rolling out. “Supplier awareness is high, but some are more advanced than others,” says Corran.
Moore adds that working with suppliers of different sizes presents a challenge that procurement professionals need to be aware of. “This is an intensive process which takes time, and smaller companies don’t have as many resources,” she points out. “It’s a real resource struggle for some of our smaller vendors as they continue to keep their business running as well as prepare for May. Procurement teams will have to ensure they have strong relationships with key suppliers of all sizes to ensure compliance is a priority.”
Under GDPR, data controllers and processors will be jointly liable for any damage caused by their data processes. “The biggest issue is having proper clauses in place for processors,” says Harrington. Procurement will have to work with each supplier to work out liability demands that seem reasonable, which throws up its own challenges. “As processors will be liable under GDPR, you have some suppliers asking for indemnity from their customers,” he adds. “It is pretty novel.”
Changing contracts is just one piece, however: on-going compliance is as important, says Corran. “It’s easy to say you will [comply], but do you actively comply with the regulations, which are quite onerous? Suppliers have to live by our standards, and we have to work out what questions to ask them, and how to work out if their answers are worth the paper they are written on.” TSB is collaborating with other banks via the Hellios qualification system to ensure good practice and consistency in GDPR throughout the financial services supply chain.
To support continuous compliance, training and awareness within the organisation is critical. As Bulmer points out: “You can’t turn around on 25 May and say: ‘It’s GDPR day! Everything works differently now.’” Corran is making sure all supplier relationship managers (and TSB has up to 100) are up to speed: “They deal with suppliers day-to-day, so it’s about tweaks in processes without drowning them in detail.”
Compliance is an opportunity
It’s true the amount of work procurement needs to do to get GDPR ready could look a bit overwhelming, but there also exist many opportunities that should excite the profession. Gary Salterpicco is procurement governance and compliance lead at satellite telecommunications company Inmarsat, and he is hopeful about the potential positive changes regulation such as GDPR could bring to procurement more widely.
“I see it as an opportunity to demonstrate how a well managed and structured approach to procurement adds value to an organisation above and beyond mere savings,” he says. While the 4% of turnover fine is a powerful argument for those who “find it difficult to move away from procurement ROI models based on savings alone”, Salterpicco believes GDPR has “given [him] the stage to showcase what good, compliant procurement can add to an organisation”.
TSB’s Corran adds that, as GDPR is a board level issue (those multi-million pound fines do help to focus the mind), it promotes the importance of procurement among senior stakeholders right across the organisation. “It raises our profile. You don’t want educated amateurs doing this, and GDPR gives more power to the elbow of trained professionals.”
Both agree that GDPR could help raise compliance with procurement policies more widely and in Salterpicco’s words, “demonstrate the risks associated with maverick spending”. “It gives [procurement] more control,” says Corran. “Everyone understands this is legislation – it’s not optional so there’s no point fighting it.”
Being forced to take a step back and review the supplier base could also offer opportunities to move towards a “fewer, better suppliers” strategy and rationalise in some areas – “especially where the supplier base has built up without procurement involvement”, says Salterpicco.
Nick Ford, managing director of procurement consultancy Odesma, agrees: “There’s an opportunity to renegotiate contracts and drive fresh sourcing activities. [GDPR] creates a burning platform that enables procurement to say ‘let’s take a fresh look’.”
It’s also a catalyst, believes Nick Hyner, managing director for Europe at consultancy State of Flux, for organisations to unearth historic underinvestment in the supply chain. “Start looking further,” he advises. “Look into the state of your supply chain data. You will likely have a fragmented supply chain with more suppliers and more levels than ever before, and a historically substandard view of data.”
Raise the profile of procurement
As data becomes ever more valuable – a recent Economist cover proclaimed it had overtaken oil as the world’s most valuable commodity – its importance to business will only increase. And so on a much larger scale, GDPR presents procurement leaders with a stark choice: become more data savvy, or risk becoming irrelevant. As Hyner puts it: “When it comes to a technology contract, people’s understanding of things like data flow is often not great, but the challenge is that every service you buy now has a technology aspect.”
“Data has never been an area of expertise for procurement: when I ask for the IT lead [on a project], they look for the person who is best at Excel, rather than the best data person,” adds Cox from Rosslyn Analytics. “GDPR is an opportunity for procurement to step up their game on data knowledge.” Indeed, he predicts there will be a new role for a data procurement manager, “because this is continuous: you can’t just do it once and then leave it”.
Viewed through a lens of strategic risk, then, GDPR provides a platform for procurement to raise its profile and raise its game. Yes, the potential fines for non-compliance are huge – but so too is the opportunity for procurement to get involved with board level, business critical discussions that stretch far beyond May 2018. It could mean that, as Corran puts it: “Procurement is the one keeping the organisation safe.” And that’s a pretty exciting nettle to grasp.
GDPR: Need to know
Your GDPR checklist