The European General Data Protection Regulation (GDPR) came into force on 25 May 2018. For companies, however, the race to comply started long before then. Although it is marketing or HR departments that immediately spring to mind, purchasing departments are equally affected.
GDPR: A priority for businesses
Companies now have to reconsider how they collect and process digital data, and they are committing the funds to do it: Syntec Numérique (a French professional union) revealed that companies would have invested nearly 958 million euros in software and services in order to be compliant by 2018. In 2019, that figure is expected to reach 980 million euros.
GDPR and purchasing: Opportunities to be seized
The European General Data Protection Regulation poses a new challenge for purchasing departments, but it also represents an opportunity to revisit relationships with suppliers and providers, as well as any related processes. Acxias has identified two major areas where purchasing departments are affected by GDPR:
- Where their information system holds personal data about their suppliers' staff and contacts. Companies must introduce procedures and protection measures, such as pseudonymisation (which the regulation itself names as a security measure) or anonymisation; note that only fully anonymised data falls outside the regulation's scope, while pseudonymised data remains personal data.
- Where they use third parties or IT subcontractors to host or process data. It is essential that the services offered by providers are compliant. To protect themselves as much as possible, companies must amend their contracts with providers to set out these obligations in writing (security checks, procedures to be followed in the event of an attack or breach, impact analyses, etc.), as the regulation requires for any controller-processor relationship.
AMRAE (Association pour le Management des Risques et des Assurances de l'Entreprise — Association for Corporate Risk and Insurance Management) has issued a warning regarding the management of subcontractors. If subcontractors process personal data on a company's behalf, they fall within the regulation's definition of a "processor" and carry obligations of their own under it; they are not outside its scope.
Whatever the issue, purchasing departments must work with the CIO (Chief Information Officer), the legal department and, ideally, the DPO (Data Protection Officer) to capitalise on the situation:
1. Deleting poor-quality data
"One of the advantages of GDPR", explains Cédric Messeguer, Deputy Managing Director of Digital Security, "is that it raises the subject of classifying data, which has not been addressed until now". This is an opportunity to delete any unnecessary information by mapping and categorising data.
2. Renegotiating the terms and conditions of contracts
Purchasing departments will be in a strong position to renegotiate contracts with suppliers and providers who are not yet GDPR-compliant. Why not take advantage of that to discuss rates and make savings?
Companies may also need to update their CLM (Contract Lifecycle Management) tool so that it incorporates the new regulation and gives access to model clauses and documents. It is also a good idea to set up a focus group as part of a broader approach to modernising the company's purchasing information system, particularly in the areas affected by GDPR.
All that remains is to sort through your data and arrange meetings with your providers.