Five tips for procurement professionals to comply with GDPR

Depending on what you have read, the world of business as we know it may end on May 25, 2018, when the General Data Protection Regulation (GDPR) comes into effect.  On this date, organizations will need to comply with stringent rules on the responsible storing, processing and management of personal data belonging to EU citizens.

Much has been written on the obligations of organizations, especially in light of the large amounts of personal data they have on employees and customers. This includes the requirement for marketers to ask for consent to use emails from existing and prospective customers.  HR professionals must comply with the request of former employees to be forgotten within 30 days.  

These are just two of many examples of the new obligations facing business and technology leaders next year.  For many, compliance will be difficult because they never implemented best practices in data management and data governance.   Now, they have no choice. 

Nonetheless, rather than posing an apocalyptic threat, GDPR is a genuine opportunity for businesses to transform into more streamlined, profitable organizations. Let’s look at how procurement should respond to the GDPR and the benefits of doing so – beyond not being fined for non-compliance. (I prefer positive articles!)

Procurement professionals, the unsung heroes in organizations, play a critical role in managing costs, compliance and risks.  When spend is under management, and decision-makers are leveraging insight to make informed decisions, profits soar. 

In the new world of GDPR, procurement teams have one more obligation to meet.  However, instead of seeing this as a costly exercise, they should see it as an opportunity to modernize how they work, delivering efficiencies like never before.

To help procurement professionals get ready for May 25, 2018, we have provided five suggestions on what to do next and why:

  • Locate your data.  Understanding where personal data resides within your organization is critical to compliance.  This requires working with peers across your organization to locate data stored in traditional systems, emails, etc. Here are three proposed steps:
    • Identify your data, its sources and its use by conducting a data mapping exercise
    • Centralize your data by aggregating it in one place, such as a single data warehouse
    • Classify your data by type, location, etc., so you understand the importance of the data when you need to quickly access it
  • Digitize your data.  The GDPR applies to personal data that is both stored electronically and in traditional filing systems in your office.  So, if you haven’t done so already, start digitising your supplier information including contracts and agreements.  This will not only help with compliance, it’ll give you greater control and visibility of the documents you require to effectively manage suppliers and their obligations to your organization. 
  • Update your contracts. There are two sides to this tip.  If you have hired a company to process your data, you need to ensure that their work complies with the regulations.  On the other side, since you have personal data from suppliers, it’s important that you update your contracts. Here are three proposed steps:
    • Identify which suppliers the new GDPR rules affect and identify desired outcomes in terms of contractual relationships
    • Categorize contracts on this basis, prioritizing those suppliers that are considered business critical
    • Work with suppliers to update your contracts that cover liability, indemnities and other similar clauses
  • Improve your processes.  A benefit of complying with the GDPR will be improved business processes. This will happen after you map and identify areas of improvement.  Tasks that might have taken hours or days of manual labour, such as collecting information from a customer, processing Subject Access Requests (SARs) and the right to be forgotten, can now be automated and completed by a program, application or workflow, thus saving your colleagues time to focus on new and high value tasks. 
  • Leverage your collective insight. Now that you have identified and brought together your organization’s data, including key personal data, you have a requirement to report on any GDPR breaches.  You should also leverage your newly created single source of supplier information including data and related content such as contracts, to conduct in-depth analysis of your performance and productivity.  Since you have implemented data governance best practices, you’ll not only comply with the GDPR; you’ll now be able to create more business value with confidence.

GDPR is more than a regulatory obligation.  It’s an opportunity for you to modernize your operations and position the procurement function as a true differentiator for your organization.  The best news of all? This transformation will be paid for by compliance and IT leaders.
