
Five tips for procurement professionals to comply with GDPR

By Hugh Cox on 17 Oct 2017


Depending on what you have read, the world of business as we know it may end on May 25, 2018, when the General Data Protection Regulation (GDPR) comes into effect. On this date, organisations will need to comply with stringent rules on the responsible storing, processing and management of personal data belonging to EU citizens.

Much has been written on the obligations of organisations, especially in light of the large amounts of personal data they have on employees and customers. This includes the requirement for marketers to ask for consent to use emails from existing and prospective customers. HR professionals must comply with the request of former employees to be forgotten within 30 days.  

These are just two of many examples of the new obligations facing business and technology leaders next year. For many, compliance will be difficult because they never implemented best practices in data management and data governance. Now, they have no choice. 

Nonetheless, rather than posing an apocalyptic threat, GDPR is a genuine opportunity for businesses to transform into a more streamlined, profitable organisation. Let’s look at how procurement should respond to the GDPR and the benefits of doing so – beyond not being fined for non-compliance. (I prefer positive articles!) 

Procurement professionals, the unsung heroes in organisations, play a critical role in managing costs, compliance and risks.  When spend is under management, and decision-makers are leveraging insight to make informed decisions, profits soar. 

In the new world of GDPR, procurement teams have one more obligation to meet. However, instead of seeing this as a costly exercise, they should see it as an opportunity to modernise how they work, delivering efficiencies like never before.

To help procurement professionals get ready for May 25, 2018, we have provided five suggestions on what to do next and why:

  • Locate your data. Understanding where personal data resides within your organisation is critical to compliance. This requires working with peers across your organisation to locate data stored in traditional systems, emails, etc. Here are three proposed steps:
    • Identify your data, its sources and who is using it by conducting a data mapping exercise
    • Centralise your data by aggregating it in one place, such as a single data warehouse
    • Classify your data by type, location, etc., so you understand the importance of the data when you need to access it quickly
  • Digitise your data. The GDPR applies to personal data that is both stored electronically and in traditional filing systems in your office. So, if you haven’t done so already, start digitising your supplier information including contracts and agreements. This will not only help with compliance, it’ll give you greater control and visibility of the documents you require to effectively manage suppliers and their obligations to your organisation. 
  • Update your contracts. There are two sides to this tip. If you have hired a company to process your data, you need to ensure that their work complies with the regulation. On the other side, since you hold personal data from suppliers, it’s important that you update your contracts with them. Here are three proposed steps:
    • Identify which suppliers the new GDPR rules affect and define the desired outcomes for those contractual relationships
    • Categorise contracts on this basis, prioritising those suppliers that are considered business critical
    • Work with suppliers to update the contract clauses that cover liability, indemnities and similar obligations
  • Improve your processes. A benefit of complying with the GDPR will be improved business processes. This will happen after you map your processes and identify areas of improvement. Tasks that might have taken hours or days of manual labour, such as collecting information from a customer, processing Subject Access Requests (SARs) and handling right-to-be-forgotten requests, can now be automated and completed by a program, application or workflow, freeing your colleagues to focus on new and high-value tasks. 
  • Leverage your collective insight. Now that you have identified and brought together your organisation’s data, including key personal data, you are in a position to meet the requirement to report on any GDPR breaches. You should also leverage your newly created single source of supplier information, including data and related content such as contracts, to conduct in-depth analysis of your performance and productivity. Since you have implemented data governance best practices, you’ll not only comply with the GDPR; you’ll now be able to create more business value with confidence.

GDPR is more than a regulatory obligation. It’s an opportunity for you to modernise your operations and position the procurement function as a true differentiator for you. The best news of all? This transformation will be paid for by compliance and IT leaders.