GDPR In Procurement: A Handy Guide For Procurement Managers
Although the General Data Protection Regulation (GDPR) has been in effect since May 25th, 2018, to this day, there are still buying organizations that are not fully prepared to comply with this legislation.
The GDPR outlines rigorous rules on how personal data should be handled, and also allows individuals to have complete control of their personal data. It applies to all organizations that hold and process any form of personal data, including buying organizations that use suppliers’ contact information for business purposes (like the business email address).
GDPR in procurement is applicable to:
all organizations operating within the European Union (EU), as well as
any organization outside the EU that offers any form of goods/services to businesses or individuals in the EU.
One crucial detail European buying organizations don’t pay enough attention to is that, even if they are GDPR-compliant, if they work with suppliers who are not GDPR-compliant, they are still at risk and accountable. Therefore, you should have written contracts with suppliers that address the roles of data controller and data processor under the GDPR, handle cases of potential non-compliance, and allow to conduct periodic reviews.
Any non-compliance will result in heavy fines, which, in a worst-case scenario, can be as high as 20 million EUR or 4% of a company's total global revenue, whichever is larger.
If you’re not 100% sure whether you’re complying with this directive, here’s everything you should know about GDPR in procurement.
The impact of GDPR in procurement
Buying organizations, who most of the time are data controllers in GDPR terms, are accountable for the personal data they process, whether they do this themselves or through third-party data processors. Where data is involved, these processors represent your suppliers and their suppliers, down to the last link of your supply chain.
The Chartered Institute of Procurement and Supply (CIPS) has a six-step process for how you can prepare to become GDPR-compliant.
When it comes to your own GDPR compliance, the key principle you should remember is that there are a few legal grounds, in the GDPR, based on which you can process someone’s personal data, such as name, email address (even if it’s a work email address), bank details, phone number, etc.
One such legal ground is consent, but there are also other legal bases, such as legitimate interest. At the same time, individuals have the right to access their personal data and correct it if wrong, inquire about how their data will be used, restrict access to it, as well as ask for it to be deleted.
You should also consider how you’re storing personal data and who has access to it. If you’re still using paper and filing cabinets, now’s the perfect time to switch to a cloud procurement platform to prevent unauthorized access.
Last but not least, clearly map out the information flow within your supply chain to gain better visibility over your data. This will help you ensure you’re well prepared and able to face a potential data breach, either within your company or within the suppliers’ companies, for which you may be liable.
A very important aspect to consider is the 72-hour data breach notification requirement imposed by the GDPR. This means that, in case of a data breach, you have 72 hours to remedy the situation and inform the affected individuals.
GDPR compliance and Data Processing Agreements (DPA)
All businesses rely on third parties to process personal data. Just think of the tools you use on a daily basis - email client, cloud storage, website analytics, etc. You need a DPA with each of these services to achieve GDPR compliance.
The Data Processing Agreement is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data. The European directive requires data controllers to sign such a document with any parties that act as data processors (meaning any company that helps you store, analyze, or communicate personal information) on their behalf.
Here’s what a DPA should contain:
The data processor agrees to process personal data only if they have written instructions from the data controller;
Technical and organizational measures are used to protect the data;
The data processor will not subcontract to another processor unless instructed in writing by the controller;
The data processor will help the data controller maintain GDPR compliance;
The data processor agrees to delete all personal data upon the termination of services or return the data to the controller;
The data processor must allow the data controller to conduct an audit and will provide any information necessary to prove compliance.
Key requirements for GDPR in procurement
Clear agreement from all stakeholders across the supply chain for the collection and processing of their personal data.
Appropriate security measures to ensure data security within your organization, as well as your suppliers’ organizations.
Explicit clauses in contracts that all third-party data processors are GDPR-compliant.
Clear written guidelines and scope of data processing (tools, solutions, service providers and BPO firms, etc.).
In certain cases (the GDPR clearly notes where), the appointment of a Data Protection Officer (DPO). If a third-party supplier is the data processor, the DPO should be appointed by that third-party.
How to ensure all your suppliers are compliant
Conduct surveys to understand suppliers’ readiness and compliance level with GDPR.
Set clauses in existing contracts to avoid non-compliance risk and to reduce liability - clauses to hold suppliers accountable for non-compliance based on their GDPR risk score, data security requirements, and the scope of data processing.
On-site audits, particularly for critical suppliers, based on spend value and the products/services they provide. (there are third-party specialized firms that provide audits with a GDPR focus).
How Prokuria is helping you become GDPR compliant
Because we know how important GDPR compliance is for our clients, we’re working on a GDPR assessment form template that we will publish soon. If you’re interested, drop us a line here to be the first to know about it.