GDPR and Procurement – a blog from Data Vault

GDPR and Procurement

EU Data Protection – A Procurement issue?

It may come as a nasty surprise to some Procurement Managers, but there is a new set of regulations which may mean a review of many supplier agreements.

New data protection rules apply from May 2018. These regulations (known as GDPR) place obligations on organisations with regard to the processing and storage of personal information, but importantly these obligations cascade down to your suppliers. It is important therefore that you review your agreements with your suppliers to ensure that they comply with the regulations, because you are responsible for THEIR actions with your DATA! Fines could be up to 4% of global turnover or €20m, whichever is greater.

There are some definitions to understand. The regulations have a concept of a Data Controller and a Data Processor. A Controller stipulates “what data is to be collected; for what purpose; and how it will be processed”. A Processor “collects, stores and processes the data on behalf of the Controller”.

GDPR mandates that if a Controller uses a Processor it needs to have a written contract in place, so that both parties understand their responsibilities and liabilities. There are specific things under the regulations that must be covered in the contract. Controllers are liable for their compliance and must only appoint Processors who can provide ‘sufficient guarantees’ regarding the protection of data. Processors must only act on the documented instructions of the Controller, but interestingly Processors will now have responsibilities and liabilities in their own right. Furthermore, Processors may also now be liable for damages or be subject to fines, so it is in their interests to get it right. The UK Information Commissioner’s Office provides guidance on contracts between Processors and Controllers on its website. It is worth noting that there are some special rules for sending data to suppliers outside the EU, but this is the subject of another blog.

Remember, it is not only suppliers that handle customer data that are important. The regulations apply equally to suppliers processing ANY personal data, such as data about your staff or your supplier’s staff. Business processes may mean data ends up in places you would never have expected from the outset; for example, information about your employees may be shared with a supplier. The personal data of your employees is covered in the same way as that of customers. An audit by all departments will be needed to identify all these suppliers. It is also worth noting that there are special rules for data concerning children or “sensitive” personal data (e.g. biometric data).

This will be easier for some organisations than others, but it should be seen as an opportunity to improve an organisation’s data governance for the longer term. Much like tidying a messy, cluttered room, if your organisation hasn’t paid much attention to managing its data then there is some spring cleaning to be done.