Everything a Procurement Manager needs to know about the GDPR (General Data Protection Regulation)

I. What You Will Learn

The purpose of this article is to explain, in easy-to-understand language, how Procurement Managers will be affected by the General Data Protection Regulation (GDPR) in the course of their work whenever it involves personal data.

First, we will examine the fundamental elements you need in order to understand GDPR, and then we will look at the ways in which Procurement Managers' work will be affected.

II. GDPR in a Nutshell

a. The Extent of the Regulations

In a nutshell, GDPR was initiated by the European Union in order to protect the personal data of EU citizens. It covers most categories of personal data, so you must be mindful of this fact and know what to do in each instance.

With regard to the territory in which GDPR is applicable when processing data, the number one criterion is the individual's nationality. To that end, you can be certain that most people you are targeting in the European Union will be EU citizens, although of course a small percentage are not.

There are three principal areas involved in the protection of personal data: technical protection, organisational protection, and legal protection.

b. Legal Protection

Firstly, the most crucial aspect to be mindful of is whether your data processing activity is lawful. The General Data Protection Regulation requires that, in order to process personal data, businesses have a legal ground for doing so (article 6).

In order to make sure that you are lawfully processing personal data, you need to be aware of the six different legal bases, with consent being the most crucial one.

Consent is one of the six possible ways to legally process data and could be required from all individuals whose data you process. This is a very serious matter indeed: tech giants Google and Facebook could be fined up to a whopping $8 billion by the EU courts if found guilty of not abiding by this regulation. So you need to be sure that you have proof of a "legal basis" for every individual's data that you have collected, as well as the reason(s) for collecting it. You can process data using other legal grounds, such as research. Principally, you need to document what you have done and on what legal basis you did it (one of the six possible ways to legally process data).

Further, the consent given by the individual must be opt-in, as opposed to opt-out. Check boxes are permitted; what is forbidden is a pre-populated or pre-ticked check box. The user MUST themselves select "I consent."

Secondly, at the time you are processing personal data, the most vital element to be mindful of is what the data entails. Moreover, you must be particularly wary when you are processing data which is sensitive: for instance, it could involve sexual orientation, political opinions or racial origin, as well as genetic or biometric information. If any of this is applicable to you, then you need to look at article 9, as it is mandatory that you maintain a record of data processing activities. Moreover, depending on the size of your company, you may have to nominate a DPO (Data Protection Officer), who will oversee matters relating to personal data.

Other matters that need to be focused on include: only processing the information that the company needs, and generating documentation showing exactly why this data is required. You also need to ensure that all the data is up to date and accurate, make regular checks to guarantee the integrity and security of the data, and never keep the data you are holding any longer than necessary.

c. Protecting Technical Data

The General Data Protection Regulation covers the technical protection of data. This is effectively about making sure that personal data is secure from a technical standpoint.

In order to successfully implement this requirement, you should look at all of the advice published by the national data protection agency relevant to your region, and download a guide to security best practices.

The required protection level will rise according to how big your company is, the volume of data and the data's sensitivity level, as well as the level of risk the data poses to the data subjects' rights.

d. Structural Protection

It is mandatory to ensure that there is an effective structure in place so that personal data is protected. As with technical protection, the required protection level rises in the same way. The best course of action is to institute new policies which give guidelines on how personal data should be managed. Further, in order to make employees proficient at identifying threats, taking immediate action, and reporting the threats to the correct person, periodic awareness sessions are essential.

Further information on this subject can be found at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/#_What_organisational_measures.

e. Analysing Risks

All companies should conduct a risk analysis. Once this is compiled, you should take appropriate action to lessen the likelihood of the risks and to lower their effect if they do happen. Procurement Managers need to contemplate worst-case scenarios, and then install effective mitigation steps.

f. The Evolution of GDPR

The General Data Protection Regulation is very new and has not yet evolved. The courts have not applied it yet, and to that end it is essential to keep up to date with any changes.

When it comes to the serious matter of fines, the officials who can charge non-compliant businesses may begin by just issuing warnings, but this is not guaranteed. Therefore, it is essential to implement the new data protection measures and staff training right away, to regularly review procedures and implementation, and to hold regular staff meetings to ensure that all staff are up to speed on what needs to be done and to discuss any issues that have arisen.

Lastly, the other crucial matter is that, under these regulations, every business is responsible for being able to give inspectors substantial proof of their compliance. For example, should a data subject file a complaint stating that their rights are being violated, then the responsibility is on the company to prove that it has complied with the regulations. So you will need to provide documentation which shows exactly what your company has done with their personal data, the reason(s) for this, the company's current security measures, and details of how the company operates.

III. How Procurement is Impacted by GDPR

Contracts with suppliers will be of primary concern. To that end, it is essential that Procurement Managers ensure that the contracts have confidentiality clauses which clearly state that personal data can be shared or exchanged.

a. Supplier Relations

In many cases, suppliers work as data processors, that is to say, they process your business's personal data. They have a duty to comply with the GDPR data processor obligations (articles 28–37). This involves having organisational and technical security in place (as previously discussed). Further, the company must instruct the suppliers on the ways in which the data must be processed, and this must be in line with the subjects' permission to use their data.

Suppliers can also work as data controllers (if they opt to accumulate information regarding your employees and business). In this scenario, suppliers must be totally GDPR-compliant. Consequently, you are authorised to request the necessary documents to verify this compliance.

As a general rule, no sub-contracting by suppliers should be permitted. This is because if you allow them to do this, each additional tier of sub-contracting will make your control weaker. However, should your company need to permit sub-contracting, then you need to ensure that the sub-contractors are legally bound to adhere to the contractor's obligations regarding your company and the personal data that it holds.

Further, with regard to the supplier, your company must be contractually entitled to conduct an audit to check that it has fulfilled its obligations.

In addition, you should make sure that you are informed about any transfer of personal information to third countries by your supplier. There should be a clause in your contract to state this, as it is extremely important. Where suppliers transfer data to other countries which do not have robust safeguards for personal data in place, the restrictions within the General Data Protection Regulation apply.

A DPO is necessary for some suppliers, for instance: if they have in excess of 250 employees, or if they process sensitive information.

b. T&Cs and Contracts

Contracts have an important role under the new regulations. They are used to implement T&Cs, data privacy policies, and data subjects' rights.

If your company accrues personal data, then it is mandatory to grant your data subjects their legal rights:

1. They must be told about the information you have collected on them, the way you use it, and so on.

2. Right of access: inform the subjects about the information your company holds about them.

3. Right to rectification: permit subjects to make corrections to their data.

4. Right to erasure: subjects can ask for their data to be deleted.

5. Right to restrict: subjects must be allowed to place restrictions on how your company uses their information.

6. Right to portability: provide them with their data so that they can use it in another context.

7. Right to object: subjects must be allowed to fully object to processing.

8. The right not to be subjected to automated decision-making: subjects have the right to request that only humans make decisions.

It is essential that data subjects are informed about whom they need to contact in order to have their rights enforced, and how this can be carried out. This should be explained in easy-to-understand terms.

If your company has a data breach, then in some instances you are under a legal obligation to tell your data subjects that their information has been compromised. The best course of action is to deal with the matter in conjunction with your Supervisory Authority.

c. Security and Information Systems

Personal data pertaining to clients and employees will normally be implicated whenever security matters arise, and these situations are often dealt with initially by Procurement Managers.

To that end, as sensitive data might be included, it is essential to be extremely vigilant.

Where company data is held by the supplier, and in particular on their servers, it is worthwhile visiting and inspecting their actual premises to assess their security systems and access procedures. The best firewalls in the world would be useless if someone can just walk straight up to the server room unchallenged and plug in a USB stick.

d. E-Auctions and Quotes

It is very likely that some personal information will be received at the time Procurement Managers call for project bids. Consequently, they must be certain to receive proof of the applicants' consent.

Procurement Managers should check that all the information they obtain is indeed required. Question why you are really asking for that information: for example, do you really need an individual's full date of birth? If some profiling is required, would the year of birth not be sufficient?

Procurement Managers must acknowledge why the data is required, and they must obtain the individual's consent. In addition, when the data is no longer required, there should be a procedure to delete it. There must also be a method of notifying individuals to let them know about the data that is held on them, how they are able to access and control their data, and how to either stop or curtail what is being processed about them. Note: these regulations are not applicable to corporate applications.

e. Staff

According to the regulations, staff could be data subjects if they come from certain countries. To that end, if they are, then they have the same rights as previously stated.

f. B&D Data and Marketing

If a supplier provides your company with client databases or other forms of marketing data, then you are automatically a data processor. In this case, you have a duty to check that the information provided has been obtained lawfully and is disclosed to your company in a lawful way.

Consent issues are likely to crop up: it is not common for data subjects to give their permission to be on prospect lists, so if you process such data it can be deemed unlawful. To that end, the best course of action is to request the individual's consent to use their information for whatever purpose you have, before your company actually does anything with it. The best advice in this scenario is to be cautious, and to ensure that the supplier you use is transparent about how it procured the information and whether it was sold and procured lawfully.

g. Information Systems Interfacing

On the tech side, these systems need specific attention: if your company adheres to the recommended best practices for information systems, then you need to ensure that your IT employees monitor your suppliers' activity very closely, and that suppliers are only given access rights when it is essential.

Periodically deleting unused user accounts, and reviewing access rights and logs, is an excellent policy, along with the contractual obligations laid out under section a above.

h. Database Access Management

As there will be personal data on your company databases, you must make sure that the necessary organisational and technical security is in place.

If personal data is stored on cloud services, then you need to check that the data processor is compliant with the General Data Protection Regulation, and that it is lawful for you to transfer the data to the said processor.

Generally speaking, your company must use encrypted databases, and data subjects should be anonymised.

i. Contracts Which Are Pre-Existing

Generally, all contracts written prior to May 25, 2018 require updating because they are unlikely to have adequately considered the impacts of GDPR. If this has not yet happened in your company, then it is crucial to review them all immediately, as suppliers could be holding personal data unlawfully.

You should contact the data subjects to let them know about the new GDPR policy, and request their permission to use their data. Further, you should let them know that if they decline, it may not be possible for the company to offer them the services they require.

IV. Summary: Advantages

GDPR's prime advantage is that it secures your company against three main risks:

1. A backlash from the public. If your company experiences a data breach, then it might put your company at risk of lost business, or even bankruptcy.

2. Legal action and fines for not following GDPR personal data regulations. For example, your sub-contractor could lose client data, and as a result you could be charged for not supervising them sufficiently.

3. Theft of data, etc.

At present, most companies' tech systems are vulnerable to hackers. In addition, human error or neglect on the part of an employee can put the entire system in jeopardy.

While the General Data Protection Regulation cannot stop these events from happening, companies which adhere to full implementation will be empowered to manage risks in the most appropriate way, so that they carry out their business in a more formalised and efficient manner. For example, if there is a dispute, then proof is easily accessible. If Procurement Managers manage all the company's contracts and suppliers in an efficient manner, and work in conjunction with IT and legal, then the impact can be very beneficial.

Vincent Leroux Lefebvre

Responsible Procurement Expert AFNOR - Lecturer: ESGRH/UPEC/GEM - Athlete: Para-fencer, Handi'Globe Trainer...

6 years

Thanks Jonathan Larter FCIPS. I'm sure it will be a perfect study case for everyone.
