GDPR – What does it mean for Procurement?

If you entrust someone with your money or your property, you expect them to look after it. It should be the same with your personal data too, which is why (as EU regulation 2016/679) the General Data Protection Regulation (GDPR) comes into force on 25 May 2018.

The regulation is hailed as the most important change in data privacy regulation in the last 20 years. Its provisions are mostly common sense; they aim to compel organisations to look after personal data much more effectively, threatening them with heavy fines if they don’t. It talks about the data subject (the person whose data is being stored or processed) and lays compliance obligations on both the data controller (the person or organisation who decides the purposes for which and the manner in which personal data will be used) and on the data processor (the person or organisation that processes the data on behalf of the data controller).

So, what does this all mean for Procurement?

GDPR requires much tougher controls over what an organisation does with personal data. An organisation, as data controller, is accountable for the personal data it processes, whether it does this itself or uses third-party data processors to carry out the work. These third parties are the organisation’s suppliers and their suppliers too, right down the supply chain. This heavy emphasis on third-party involvement and the risk that comes with it puts procurement right on the front line. Work will need to be done to write or rewrite contracts with suppliers who process data on your organisation’s behalf. And you will need to dive deep into the supply chain to ensure GDPR compliance.

CIPS (The Chartered Institute of Procurement and Supply) offers some useful advice on how procurement departments should prepare for the impact of the regulation through its Supply Management Magazine. See “Six Steps to Prepare for GDPR” and “Your GDPR Checklist”.

But don’t panic. This is just good practice, and we should have been looking after people’s data carefully for a long time. Procurement is used to managing supply chain risk in a controlled way, and the same principles can be applied here. In fact, it’s a great opportunity for Procurement to take the lead and demonstrate yet again what value it adds to the organisation.

If you’re looking for further information, the ICO (Information Commissioner’s Office) has published excellent guidance about GDPR: “Guide to the General Data Protection Regulation (GDPR)” and “GDPR – sorting the fact from the fiction”.

A key principle is that personal data must be processed lawfully and fairly. For processing to be lawful, there is a heavy emphasis on obtaining the data subject’s consent, although the regulation does allow for other lawful bases. Personal data includes any information that can be used to directly or indirectly identify the data subject, such as a name, email address, bank details or medical information. Individuals gain significantly more rights under GDPR, including not only the right to access their personal data and the right to correct it if it is wrong, but also the right to be informed about how their data will be used, the right to restrict that use and the right to have their data deleted (“the right to be forgotten”).