GDPR is less than six months away. SM asked data experts and practitioners for advice on what you need to do to make sure your business and your supply chains are ready
Get to know your data
You can’t plan for GDPR without a clear idea of where your risk areas are. Collaborate with IT to find out what data you hold, where it’s coming from, how you use it and who you are sharing it with. Create a data map of your organisation and learn how data flows through it and the supply chain. If your data is not digitised, now is the time to do so.
Identify contract risk areas
Identify the spend categories that provide the biggest GDPR risks and identify which contracts GDPR applies to. You will need to go contract-by-contract rather than supplier-by-supplier, says Nick Ford from Odesma.
Update your contracts
Work with your legal team to ensure all relevant contracts include protection against GDPR-related risk and categorise your suppliers accordingly. Engage your suppliers and work with them on issues like liability and indemnities.
Look at your processes
Make sure assurance forms part of your supplier selection process. Update all your tender documents to ensure they include information on data protection. Check internal systems to ensure that processes are in place to enable the organisation to satisfy the 72-hour breach notification requirement.
This isn’t a one-time event: you need to think about ongoing contract management. How will you ensure ongoing compliance? Consider audits and spot checks for key suppliers.
Rehearse your response
Under GDPR, data subjects will have the ability to request their information and have the right to be forgotten. These requests must be dealt with within a month. Are you able to respond in those time scales, with a complex supply chain? Work out who you would need to communicate with to satisfy such requests. Practice makes perfect, after all.
Every company large and small is dealing with GDPR right now, but the lack of case law or history means everyone is feeling their way. Keep an eye on what your peers and competitors are doing, and consider collaborating on good practice to ease the burden on suppliers, as banks are doing via financial sector qualification system Hellios.
It’s no good having the right strategy in place if your employees aren’t aware of any changes to how you manage data. Make sure anyone who deals with suppliers and data (such as contract managers or supplier relationship managers) is aware of the new rules and their responsibilities.
Main GDPR feature
GDPR: Need to know