With only nine months before the General Data Protection Regulation (GDPR) is applied, procurement teams need to get to grips with the requirements.
While the eye-watering fines – €20 million or 4% of annual global turnover – have dominated the headlines, those that grasp the GDPR in advance of May 2018, both internally and within their supply chains, will be able to reap benefits in terms of enhanced consumer trust and reputation. The truth about GDPR is that it is an opportunity to be seized, which will give companies a real competitive advantage over less prepared and engaged competitors.
The GDPR introduces a new accountability principle – you need to not only comply, but to be able to demonstrate compliance. Comprehensive but proportionate governance measures are required, showing data compliance measures have been integrated into data processing activities at all stages. These concepts of ‘privacy by design’ and ‘privacy by default’ are explicitly recognised.
For those outsourcing data processing, these principles will require them to ensure compliance throughout their supply chains. As consumers become more aware of their rights – well-funded PR campaigns from the ICO and consumer groups make this a certainty – they will be looking to engage organisations that can demonstrate they will handle their data securely and responsibly. The shift in power from marketing teams to consumers as a result of the new regulation could be greater than that forced by disruptive innovations like TripAdvisor and Amazon reviews, according to a white paper we researched and published recently.
The GDPR places direct obligations on processors, stipulates the contractual provisions that must be included in data processing agreements and sets out the conditions for sub-processing. Protracted contractual negotiations with suppliers are inevitable as the parties wrangle to shift liabilities. Importantly, however, this will not exonerate or dilute the liability of controllers to the regulators or data subjects. A data breach within an organisation’s supply chain could be detrimental to the organisation, both from a financial and reputational perspective, no matter where in its supply chain it occurs.
Organisations therefore need to carry out appropriate due diligence of suppliers and monitor their GDPR compliance. Those who audit preparedness and what they expect from suppliers now will be in a much better position to weather any disruptive forces post May 2018.
Procurement teams should consider taking the following steps now:
- Map the flows of personal data through supply chains. Identify the recipients of personal data, including sub-processors and where the personal data is processed. If this seems difficult now, imagine trying to do it with a statutory 72-hour data breach notification requirement hanging over you.
- Identify existing supplier contracts that involve the processing of personal data and review the data protection provisions. These are unlikely to cover all the provisions that must be included under the GDPR.
- Consider the organisation’s approach to risk in existing and new contracts in light of the GDPR. The financial and reputational risks posed by the regulation may change the risk profile of data processing contracts, necessitating a different approach to liability for data protection and data security breaches.
- Carry out adequate due diligence on new suppliers to check their GDPR compliance, obtain guarantees regarding the measures that suppliers have in place and ensure there are rights of audit within the contract together with the other mandated data processing provisions.
- Check whether existing insurance policies will cover data protection and security breaches including breaches by suppliers
- Check internal systems to ensure that processes are in place to enable the organisation to satisfy the 72-hour breach notification requirement.
Taking time now will demonstrate to customers and suppliers that you take data protection seriously and only deal with suppliers who do likewise. Further, clearly defining at the outset your requirements for suppliers and the approach that your organisation will take to risk and liability for data breaches may well give you an upper hand in contractual negotiations with suppliers who have given little thought to compliance. A positive embracing of the principles of privacy by design and by default is the way to approach GDPR. Many of the companies we’ve spoken to have already found this to their benefit and competitive advantage.
Sarah Williamson is a partner at specialist technology and innovation law firm Boyes Turner.