Procurement and Data Protection
Interview published in the annual #DigitalTransformation Benchmark of #PurchasingDepartments 2022 - InsideBoard & CNA


French version here


Stephane Py - Décoincez votre business B2B - B2BAD: In the first edition of the Purchasing Barometer, you mentioned the challenges linked to the digital transformation of the function. On the eve of 2023, to what extent do you think this digital transformation will continue to impact the function in the years to come?


Joel Aznar – ExQI/Schneider Electric: Generally speaking, and including for the Purchasing function, the digital transformation of companies and digital exchanges have become increasingly important over the last decade. In a highly digitalized world, the digital flows of digital supply chains are becoming just as crucial as those of physical chains.

Digitalization acts as an accelerator of data production, which quickly raises the question of data governance.

In addition to the traditional regulatory barriers, data regulations are also being introduced, making these exchanges all the more complex.


Stephane Py - Décoincez votre business B2B : I guess you are referring to the European regulation on personal data protection (GDPR)?


Joel Aznar : Indeed, the GDPR illustrates this phenomenon perfectly. The GDPR enforcement in May 2018 has already had a significant impact on the buyers' profession.

Companies that have outsourced and subcontracted an increasing part of their activities are now very dependent on their partners, especially when it comes to compliance issues.

With the increase in digital exchanges, any company today necessarily exchanges data, even if this is not its primary activity.

Even if the outsourcing of data processing services imposes direct obligations on subcontractors downstream of the supply chain, this in no way exonerates or decreases the company's responsibility to its customers, employees or any stakeholder. Therefore, the risk of a personal data breach to the reputation of any company is enormous, especially for Purchasing, as the majority of information breaches and personal data leaks occur in the context of exchanges with third parties. In fact, there is a direct link between the DPO (Data Protection Officer) and the CPO (Chief Procurement Officer).


"Digital technology inevitably leads to significant data exchanges between companies."


Within the Purchasing department and due to his central role in the contracting process and in the management of relations with suppliers, the buyer has become a compulsory actor in the application and control of the GDPR, and is strongly involved in the control of the compliance of his company's practices.

In order to meet these contractual requirements, Purchasing has to take control of the company's data assets: understand the data, where it comes from, how it is used, and with whom it is shared. Understand the data flows into and out of the organization, understand the supply chain, and understand how far the data flows through it.

Once the data is under control, it is then necessary to methodically go through the supplier base to determine which suppliers and contracts present the highest potential risks related to the GDPR, in order to review and update the contractual conditions applied through the addition of a DPA (Data Processing Addendum). As a result, under the GDPR, data controllers and their processors become jointly liable for any damage caused by their data processing.


Stephane Py - Décoincez votre business B2B : But since 2018, all this is supposed to be a given by now, isn't it?


Joel Aznar : Indeed, in Europe, the GDPR applies and every company must comply with it. However, what is new is the current acceleration and intensification of this type of regulation on a global scale...

Following the crises of confidence (e.g. Snowden revelations) and the growing mistrust towards the American hegemony in the digital sector, in a post-pandemic world that has highlighted the vulnerability, weaknesses, and extraterritorial dependencies of nation-states after the Health Data Hub (HDH) controversy concerning the choice of Microsoft to host and process the health data of the French citizens, in view of the increasingly frequent cases of cybercrime, all this in a context of economic instability, the energy crisis, the war in Ukraine, and growing geopolitical tensions... beyond protection, the question of "sovereignty", "residency", and "localization" is increasingly being raised.

The terms "data sovereignty", "data residency", and "data localization" are often confusing for companies that manage data across borders, especially on cloud infrastructure. They are actually three degrees of a single concept, namely the impact of data privacy on cross-border data flows.

This topic has become increasingly important in recent years in the context of the GDPR regulation following the significant judgement known as "Schrems II" from the European Court of Justice, which invalidated the EU-US data-sharing regime (Privacy Shield). This judgement gives individuals more rights over how their data are used by companies both inside and outside the European Union. Organizations that process international data must now understand the legal requirements for storing that data wherever it is managed, to ensure that data privacy is not compromised when it is shared across borders.


"The European regulatory reinforcement concerning data management requires increased mobilization from companies."


  • "Data residency" refers to a company specifying that its data is stored in a geographic location of its choice, usually for regulatory or policy reasons. A concrete and classic example of a data residency decision is when a company wants to take advantage of a better tax regime. To do so, the company will generally have to prove that it does not conduct too much of its core business outside the borders of that country, including data processing. Data residency then requires the company and any cloud service provider to use certain infrastructure and operate strict data management workflows to protect their tax rights.


  • "Data sovereignty" differs from data residency in that data are not only stored in a designated location, but are also subject to the laws of the country in which they are physically stored. This difference is crucial for businesses, as a government's access rights to data within its borders differ significantly from country to country. Ensuring that data are in a geographic location for any reason is a matter of data residency, which is about geography. However, the principle that data are subject to the legal protections and sanctions of that country is a question of data sovereignty, involving national legal rights and obligations.


  • ...so, what is "data localization"?

This is the most stringent and most restrictive of the three concepts, and like data sovereignty, it is a version of data residency based on legal obligations.

It is also the fastest-growing concept internationally. Data localization requires that data created within certain borders remain there.

Unlike the two terms above, it is almost always applied to the creation of a new product and storage of personal data, with a few exceptions, such as tax, accounting, health, and gambling regulations in some countries.

In many cases, data localization laws simply require that a copy of the data be kept within the country's borders, usually to ensure that the corresponding government can verify the data on its citizens without violating another foreign country's privacy laws.

The Indian Data Protection Bill is an example. However, there are countries where the law is so strict that it prevents data from crossing the border. For example, Russia's personal data law requires that the storage, updating, and retrieval of data on its citizens be limited to data center resources within the Russian Federation. With the "Great Digital Wall" and the PIPL (Personal Information Protection Law) regulation, China is particularly at the forefront of this topic.

And guess which will be the first line of defense in the case of cross-border data transfer, in order to control the corresponding risks inherent in the various suppliers and their solutions or services?...Purchasing.

Purchasing will once again have a key role to play in the implementation of these regulations, particularly by auditing the suppliers concerned and applying TIA (Transfer Impact Assessment):

  • Identify specific obligations that apply to the business and more rigorously question and challenge the capabilities of cloud service providers.
  • Determine where each of the different categories of data (personal data, financial records, etc.) are created or processed and what obligations this entails.
  • Identify where this data is stored and who owns the data center. Our data may be located in a data center in the United Kingdom, but if that data center is owned by a company headquartered in the United States, the U.S. government may have the right to access your data under the Cloud Act.
  • Determine what the recovery procedures are.
  • Identify where data backups are.
  • Depending on the type of data in question, ascertain the local stipulations for the security or encryption of this data.
  • Assess how certain we are that the cloud partner(s) understand current and future data privacy regulations.
  • Evaluate how they have proven that their data centers meet all local and global privacy needs.


Stephane Py - Décoincez votre business B2B : Aren't these arguments by States in favor of enhanced cybersecurity, or citizens' concerns about privacy, rather dissipating the real motivation of national protectionism, or even, in some cases, population control?


Joel Aznar : It is obvious that for governments, the issues surrounding the control and mastery of data are part of the same logic as the technological wars and are thus becoming new commercial wars. Data and technology have now become geopolitical. The United States has blocked semiconductor exports to China. In turn, China has sought to limit U.S. access to rare earth minerals, which are crucial to the manufacture of many technological products.

Several countries have banned Chinese Huawei from operating its 5G telecommunication networks. India has also banned the Chinese application TikTok, following border clashes between the two countries. The British government is investigating Nvidia's proposed acquisition of chip designer Arm on national security grounds.


"With the intelligence conveyed by the digitization of information, the security dimension is added to the economic and commercial aspects of purchasing policies."


And that is precisely the main difference: these phenomena should not be analyzed only from an economic and commercial point of view, but rather from a security standpoint.

The interconnections of the digital age have blurred the distinctions between economic and security questions. Dominant technology companies are both engines of economic growth and channels of security risk. They also enjoy outsized profits, global market penetration, and the ability to set industry standards. Trade and industry policies are therefore easily diverted by broader security and geopolitical priorities. Providing security is a core function of any government, and indeed, growing insecurity will lead to an increased role for governments in cyberspace.

The Internet, in the sense of the "World Wide Web", emerged (officially on March 12, 1989) and grew at the same time as the fall of THE Wall... but today, new walls are most likely being built.


Stephane Py - Décoincez votre business B2B : Isn't there a risk that these new "digital fences" between jurisdictions will create new barriers for companies with global activities? A form of "de-globalization" in a way?


Joel Aznar : This risk definitely exists. It even has a name, "the splinternet": it is a contraction of the English expression "splintering of the Internet", which means the fragmentation of the Internet. It is a digital division and partitioning of data based on borders, in a way, a "balkanization" of the Internet as we know it today. The costs of Internet fragmentation would be both economic and social, preventing businesses and governments from realizing the full potential that data has to offer.


"We must resolve the contradiction between local laws and digital exchanges, which are inherently cross-border in nature... Data has no border."


Personally, I don't believe in such a dystopian scenario because I think that most states and organizations in general do not want the Internet to fragment into "dissident networks" that would reduce economic profits. Governments would ideally like to protect the Internet so that their companies can continue to benefit from it, but at the same time, they also want to protect their companies from what might come through the Internet. So, I think that the Internet of the World Wide Web, as we have known it so far, is bound to evolve as states extend their sovereignty into cyberspace in order to change its structures to best align the Internet with their national borders. Today, there is a conflict between the need to enforce local laws in each jurisdiction and the cross-border nature of Internet services.

As Deibert and Rohozinski (2010) put it, "securing cyberspace has certainly brought about a 'return of the state', but not in a way that suggests a return to the traditional Westphalian paradigm of state sovereignty" - the treaty between the major European powers that established state sovereignty, the 1648 Peace of Westphalia, ended the Thirty Years' War. In such a neo-Westphalian model, it will be necessary for the new digital sovereign states to agree on multilateral arrangements to address cross-border flows - with the support of some global private sector players (such as telecom operators) whose services extend beyond each jurisdiction.

For the moment, we see an empire taking shape in 4 Kingdoms (or even more):

1. Russia

Russia has proven that it was "ready" to disconnect from the global Internet via its draft law "on digital sovereignty" and then through a "disconnection operation" in 2019 to test the robustness of Runet, a Russian sovereign network parallel to the Internet, and therefore ultimately the possibility for the country to free itself, if necessary, from the global playing field.

2. China

Unlike Russia, China is not seeking to develop its own sovereign network, but rather to strengthen its control over the existing network via its "Great Digital Wall" and to implement its own expansion strategy (the Belt and Road initiative, networks, platforms) via the Chinese BATX dragons (Baidu, Alibaba, Tencent, and Xiaomi), gigantic global service platforms (Taobao, Tmall, the Cloud, Youku) that collect user data and store it on national territory. At the same time, they are putting in place greater control over the protection of these same data in the event that these data are transited outside the national territory. This model of close collaboration between the Chinese government and its technology companies, similar to the American model, reveals a national strategy for capturing data, regardless of its geographical origin. China's objective is to control the Cloud and the data centers that host this gigantic data. Finally, in October 2021, China unveiled a plan to revise a wide range of technical standards to complement the Made in China 2025 industrial modernization strategy. In the past, U.S. and European companies and experts dominated standards development. But with this ambitious 15-year project, Beijing is pushing domestic companies and experts to participate in efforts to set global standards for next-generation technologies. The reform process, dubbed "China Standards 2035" and led by the Chinese Standards Administration, aims to give industry players a greater role in the process.

3. United States

The United States is still home to world-leading IT companies: the GAFAMs (Google, Apple, Facebook, Amazon, Microsoft). They are, therefore, pushing for a deeply integrated market on a global scale, including the least regulated data flows and the most open Internet possible, so that their companies can fully benefit from expanded markets. Their motivation goes beyond business because most U.S. policymakers believe that technological innovation is essential to global gross domestic product (GDP) growth and societal progress, and that democratic values, norms, and processes are essential to human flourishing. They consider that U.S. policies, practices, and businesses maximize these elements.

4. European Union

The European Union is advocating for a regulated Internet, with Thierry Breton at the helm to make Big Tech comply with European regulations, notably through the Digital Services Act and the Digital Markets Act.

What about India, which will surely have a say, if only because of its demographics? What about Africa? What about South America?


Stephane Py - Décoincez votre business B2B : A scheme based on nations, but what about the global companies that own and organize information technologies?


Joel Aznar : A Web Giant with hegemonic ambitions... as Eric Schmidt (former Google boss) said: "States are inefficient. We are efficient, we have the vocation to replace them."

Large technology companies often have greater powers than some states. They have proven that they can have a lasting influence on the lives of millions of people and have assumed, to some extent, the powers of a "private government". These actors will necessarily have a role to play in this redistribution of cards.

Traditional "geographic" sovereignty – controlling territory, resources, and people – remains a necessary function of modern states, but it is clearly not enough in a digital world. It must also reach a compromise with digital power, which controls data, software, standards, and protocols, and which remains mainly in the hands of global and mostly private technology companies.

Tomorrow, who knows, Data Centers could anchor in international waters, or even on the moon (certain companies and multi-billionaire leaders would have the means to do so) and thus free themselves from territorial constraints in order to offer real digital sovereignty to cyberspace or another metaverse, which could also benefit from its own currency and its own rules and institutions... this is not science fiction.

In short, whatever direction this new digital order takes, the Purchasing function will inevitably be at the helm, in the same way that it has accompanied and contributed strongly to the process of globalization over the last few decades. It will have to understand the logic, responsibilities, and challenges involved in order to better anticipate and comprehend it.


Find this interview and much more in the 2nd Edition 2022 Annual Benchmark of #Purchasing Departments' #DigitalTransformation - InsideBoard & CNA.
Monica Khowal

Data Protection and Governance

1 yr

Thanks for sharing Joel! Great read!

Corinne Schmuck

Data Privacy Manager at Schneider Electric

1 yr

Bravo Joel! Thanks for sharing this! Your guidance is precious and very insightful to highlight what becomes priorities in this fast changing world, in particular for the Procurement function you know very well. It's an honour and pleasure working with you !

Data risk compliance applies to Procurement but also to other functions, and especially to the HR function in a global environment. HR deals with sensitive personal data (employees, candidates, ...) and 3rd party solutions from external partners. Thank you Joel! Very insightful!

Gilles Gaudiche

Scope Tree | BVT Solutions | Value Chains Performance Optimizer | Procurement & Supply Chain Expert

1 yr

Joel Aznar, thanks for highlighting this key point, and at your disposal to support.
