We live in a global community, meaning everything from our
toothbrush to our cell phones has a global footprint. With the advent of the
internet and newer technologies in the workplace, it’s easier than ever to
witness this global footprint in action. While this undoubtedly has created
ease of access for most everything we use in our daily lives, this has also
created some larger business implications – and complications. While GDPR may
not be directly tied to these newer technologies, the way these technologies
disseminate and transfer information certainly is.
In May of 2018, the General Data Protection Regulation
2016/679, or GDPR, went into effect, and brought with it a new set of
challenges for global organizations. GDPR is a set of regulations for
organizations in the European Union and European Economic Area focused on the
protection and transfer of personal data outside the EU. But, GDPR affects more
than just organizations in the EU or EEA.
eastern US. Most, if not all, of your clients or customers are located within
North America. Sounds like GDPR won’t have much of an impact on your daily
operations, right? Not quite. Let’s say as part of your core business, you have
to contract with suppliers in the UK and these contracts require access to
names and numbers of their employees, aka UK citizens. Now, suddenly, GDPR has reared its ugly head into
your operations. Failure to adhere to these regulations can have not only
financial implications such as sanctions or penalties, but also a reputational
impact if vendors catch wind that you have a less-than-stellar track record
with GDPR compliance. Fret not, there are things you can do to protect yourself
from any foreign liability. Better still, your Procurement organization may
actually be able to lead this effort.
Here are some tips you can incorporate into your current
process to help mitigate any potential risks:
Know the Scope
When you contract with a supplier,
make sure you are asking the right questions. The definition of PII, or
Personally Identifiable Information, can vary from organization to organization.
For protection, however, it is often advisable to treat all information as
important and critical. If you are unsure of the level or detail of information
you will be sharing, ask!
Use Your Resources
be handled by your Procurement team or subject matter experts, e.g. Purchase
Orders, Pricing Agreements, etc., don’t be afraid to tap into your legal
resources. Most legal teams serve a precautionary function, so engaging
them early on allows them to better do their job. In an instance when PII is
being shared, a Data Processing Agreement, or DPA, is necessary to detail the
levels of protections and procedures for any personal data being shared. An
NDA alone will not cover your interests. Your legal teams should be familiar with
a DPA, or, at the very least, be comfortable reviewing a supplier’s DPA. If
your team doesn’t have a template, ask the supplier if they have one. Most EU
suppliers should have a template ready for engagements involving PII. If they
don’t, this may be a red flag that their organization isn’t very mature and
might not be the best fit.
Trust Your Process or Establish the Right Process
process with detailed instructions or policies for everyone in your
organization to follow, make sure to not only follow that process, but trust that process. The reason we put
processes in place is to protect your organization’s interest and reduce any
potential risks. If your process calls for a Third Party Risk Assessment, don’t
skip this step. If your process calls for a legal review of certain contracts,
be transparent with your legal partner and let them know the international
element. But, beyond just trusting your partners, be sure to educate your team
on the importance of GDPR compliance and flag any issues. If your process is
already defined and established, then hopefully these items are already being
captured. But, if you’re gearing up for a Procurement
Transformation or looking to redefine your processes, now is the time to
establish policies surrounding supplier selection (through the RFx process or negotiations),
SRM, TPRM, and/or Legal review to safeguard your organization from some of
these risks.
age, the team can help spearhead any efforts with GDPR and compliance by
maintaining a strong Supplier
Relationship Management (SRM) system and effective Procurement
best practices. If your Procurement organization has established a full
procure-to-pay or source-to-pay model,
or even a process that dictates when and how to engage Procurement, it’s safe
to assume this team has insight into what vendors you’re currently contracting
with and the scope of these contracts and projects. If not, Corcentric has a
host of offerings that can help establish and stand up your Procurement
organization or help improve or restructure your current process.
There is no one-size-fits-all model to guarantee
you are in compliance with GDPR, but exploring your Procurement process and
understanding the role it plays within your organization can reduce your
chances of being non-compliant. If your process needs to be reworked or
revamped, now is the time to visit how your organization handles GDPR and other
similar regulations. A strong and well-defined process can drastically reduce
any potential for gaps. Be sure to visit
Corcentric for a list of offerings we currently provide that can help not
only improve your Procurement organization’s functions, but better protect you
from unforeseen consequences.