Only 8% of organisations are ready for the new law, according to a survey of 400 European business leaders conducted by tax, audit and consulting network RSM. Around one-quarter (28%) were completely unaware of the regulation, while 26% of those who are familiar with their business’s GDPR strategy say the organisation will not be compliant before the law comes into force.
Businesses that fail to comply by the deadline face fines of up to 4% of their global turnover or €20m – whichever is greater.
Procurement executives should take note. Under the existing Data Protection Directive, suppliers are often classed as data processors with no primary liabilities. Under the GDPR, however, suppliers are directly liable. The new regulation also requires data controllers (the organisations that collect personal data and decide how it is used) to include specific provisions in their supplier contracts.
While this will change things, there will be little in the way of immediate change once the deadline passes. An organisation’s GDPR preparations and compliance will only be tested in one of two situations: first, a data breach, which triggers an investigation by the regulators; second, a complaint to the regulator by an individual.
Sharad Patel, a GDPR expert at PA Consulting Group, says: “If there is a breach, the regulators will say: ‘We want to come in and look at all the preparation elements for GDPR.’”
“[When we] speak to the regulator, they say: ‘If you have an action plan, if you have prioritised the highest risk contracts and started remediating those, then we will look favourably on the case’. It’s unlikely they’ll impose €20m fines.”
This is good news for businesses. Although most organisations have started to prepare for the new rules, few companies are ready, Patel says.
“There is a mixed bag out there. Around 60% of organisations have put in place a workstream around supplier contracts and third-party risk management. They have prioritised high-risk suppliers. That is the focus for most global organisations, who have thousands – maybe hundreds of thousands – of suppliers. They go where risks are high.”
He says risk measures could be based on both the volume and the nature of the data – whether it is sensitive and includes personal details, health records, home addresses, and so on. Jurisdiction will also be important, he says, pointing out that consideration needs to be given to whether a supplier is sending data outside of either the EU or the European Economic Area.
While large organisations will have established processes to work towards GDPR compliance, small and medium-sized enterprises (SMEs) may struggle to comply, leading to an imbalance in negotiating revised terms and conditions, Patel says.
“SMEs are facing a difficult position. The contract is the first step. If the supplier is an IT giant, they tend to say: ‘This is the updated contract, can you read and sign it.’ That is fine, and many organisations are quite pleased to have the work taken off them, but they need to read the new contract because it will place obligations on them,” he says.
A medium-sized marketing, asset management or retail firm will have many contracts to remediate in order to comply with the regulation. These companies will find it hard to get suppliers to agree to their standards, or desired terms and conditions, leading to different applications of the rules by different suppliers.
“They will face quite a lot of resistance from large suppliers and not get the traction that they need because of their size,” he adds.
Another risk is that procurement professionals only focus on the top suppliers by size, without realising there are ‘shadow’ IT applications processing data using cloud-based suppliers.
“It is the areas that procurement doesn’t know about, that it needs to be worried about,” he says.
But, Patel says, GDPR presents an opportunity to prioritise supplier information governance and use it as a selection criterion in future procurement. There is also the possibility it could even help the function prepare to deal with other regulations.
“Organisations are starting to take notice of this. We see them becoming more aware when they do due diligence on suppliers. Their general approach to information governance is becoming part of selection criteria, rather than the tick-box exercise it is now. Organisations are becoming more aware of the importance of good information practice among suppliers in terms of dealing with regulation and risk in the future,” he says.
“Some clients have 50-100 sources around the world. To try and coordinate data sources to understand risk across these locations is not simple. Some suppliers are upping their game, to make it a differentiator. Suppliers managing changes in legal requirements will be seen much more favourably. The year 2017 has been the year of panic. Once we get through that, suppliers will see clients asking for more information about information governance and it will make it a business differentiator.”
Hugh Cox, founder and chief data officer at Rosslyn Data Technologies, says GDPR presents a good opportunity for procurement executives to focus on supplier data.
“The nice thing, at the moment, is you are going to get a budget. There won’t be a struggle for money,” he says.
“The real issue is time, and also coordinating data among different locations. Some clients have 50-100 sources around the world. To try and coordinate data sources to understand risk across these locations is not easy.”
Cox says investing in software to analyse contract risks across multiple sources will help, as other forms of regulation are introduced and businesses want more detailed knowledge of supply-side risk.
“You can create a one-stop location to help people better understand their supply contract risk. The GDPR offers some timely motivation but, in finance, there is the Markets in Financial Instruments Directive (Mifid II) on the way and there are always more regulations coming down the line. Spending time assimilating data from multiple sources just to establish what the risk is, if any, is worthwhile preparation.”
Ken O’Connor, principal of data governance and GDPR at advisory firm Obséy International, says businesses are often misled into believing GDPR is an IT issue. Instead, they need to understand their “end-to-end information supply chain”: where data is coming from, who is responsible for it and how this information is processed.
“People worked in silos: that’s the way the world was, and what they were measured on. They were not measured by the quality of the information supply – that was IT’s job. Generally, there has been little joined-up thinking. In the future, we have to think about business ecosystems. You have to bring the stakeholders to the table and procurement needs to call out who is looking after GDPR.”
Georgina Kon, privacy partner at law firm Linklaters, agrees the new legislation will help organisations focus attention on the importance of managing the information supply chain to reduce business risk and promote efficient working.
“It is consistent with the idea that they need to manage the supply chain more carefully. Big security breaches have come via security flaws in the supply chain. When you have lots of different systems hooked up together, an issue in one can affect multiple systems. Good vendor management can be positive for many reasons.”
She says GDPR will encourage businesses to understand where their data is going and to keep accurate records of their data processors.
“There are many good, practical reasons to ensure those records are kept accurately. It is quite a significant challenge for some businesses,” Kon says.
The first steps for every business should focus on the upcoming legislation. But, she adds, it is imperative for organisations to continue their compliance efforts after the May deadline.
“It’s not a case of only doing so much and then stopping,” says Kon.
“Organisations have to keep going past May and have something to show to regulators – something to say they tried to do the right thing.”
The European Union General Data Protection Regulation (GDPR) will come into force after 25 May 2018.
Coverage from Procurement Leaders