Procurement processes: six steps for assessing the impact of the GDPR

Procurement processes and GDPR
February 15th, 2018

On 25 May 2018, the European Directive on the protection of personal information (GDPR*) will come into force. All companies affected will need to bring their processes into compliance or face a fine of up to €20 million or 4% of their annual worldwide turnover.

In light of the risks, some companies may see the GDPR as a constraint, especially in terms of their organisational structure. However, the new regulation heralds a real opportunity for all those concerned, since it means (re)focusing the contract formation processes and supplier relationships on the buyer.

* General Data Protection Regulation


When does the GDPR apply?

The GDPR will apply to each service involving the use of personal information.

Outsourcing, CRM*, purchasing information systems, accounting software... document conformity will no longer depend solely on companies' goodwill, but also on suppliers' ability to send information in accordance with the future regulation.

As such, buyers will play a key role in checking for compliance.

* Customer Relationship Management


The six steps for complying with the new regulation

1- Designate a project manager

You will need to appoint a project manager to lead your GDPR project. Information, advice and operational implementation: the project manager, or owner, will be the single point of contact for organising all the necessary actions and staying on schedule.

Tool: How to become a data protection officer


2- List all the processes involving the use of personal information

To understand how the new regulation will affect organisations, you must first review all the internal and external processes involving the use of personal information.

Tool: Register of personal information processing activities


3- Prioritise the required actions

Once the register of processing activities has been established (see step 2), all that remains is to arrange the actions in order of priority according to the likely risk they pose to the rights and freedoms of the people concerned.

Tool: "Guide to personal information security" published by CNIL, France's data protection authority


4- Manage the risks

If major risks to people's rights and freedoms are identified when prioritising the actions (see step 3), the objective will be to quickly carry out a privacy impact assessment (PIA) for each action.

Tool: Download the PIA tool


5- Implement internal processes

To ensure maximum protection of personal information, organisations should focus on internal processes allowing them to keep constant track of all events that could potentially emerge during the life of a processing activity, such as a change in supplier, management of access requests and a modification to the data collected.

Tool: Example of a personal data breach form

(File used by public sector providers)


6- Document the compliance

Make your compliance as clear as possible by grouping the necessary documentation together: the actions carried out to achieve the level of compliance, and the work regularly required to maintain the level of data protection. This final step is necessary to demonstrate that your organisation meets the level of conformity required by CNIL.




Décision Achats: The impact of the GDPR on the procurement function - a new risk to be incorporated into the purchasing process (French)

CNIL: Six-step guide to GDPR readiness (French)