06 February 2018
Topics in this article
  • Cost Optimization
  • Data & Digital


With GDPR and new data protection laws on the horizon, it’s time to get better acquainted with your suppliers

Don’t look now, but it’s coming. And it will be here before you know it. Of course, I’m talking about GDPR, or General Data Protection Regulation, the new directive that promises to synchronize data privacy laws across Europe and alter how UK and EU companies are required to manage personal data.

GDPR will shift accountability for personal data management to the organization, introducing new regulations to exert oversight over companies that possess and manage the personal data of EU citizens, even if those companies are not physically located in the European Union. These companies will be required to demonstrate compliance. Failure to do so could result in stiff penalties—millions of Euros in some cases.

GDPR also aims to give citizens more rights over who can access their personal data, including the ability to “be forgotten” without having to retain a team of lawyers. The fact that the UK will soon no longer be part of the EU is not expected to diminish the requirement for UK companies to achieve compliance with the new world order.

GDPR and Procurement

In most organizations, compliance with GDPR is likely to fall on the shoulders of internal IT departments. But there is plenty for procurement teams to think about as well, especially for organizations that rely on suppliers – which is just about all of them these days – and even more so for those whose suppliers are based outside of Europe.

The time is now for procurement to get its house of suppliers in order. At Proxima, our procurement consultants often stress the importance of having an intimate knowledge of your suppliers. With GDPR on the horizon, it’s never been more important.

Organizations need to conduct a due diligence exercise to gain a better understanding of their primary suppliers, sub-suppliers, third-level suppliers and so on and so forth, all the way down the chain. Why? Because if a supplier with access to the personal data of an EU citizen runs afoul of the new regulations, chances are the parent organization will feel the sting.

As a leading procurement consultancy, we recommend starting a number of activities, including:

  • Engaging in a thorough analysis and, if necessary, a scrubbing of your supplier ecosystem.
  • Taking a look at supplier contracts and determining whether they are still fit for purpose in this new environment or whether negotiations need to be reopened.
  • Asking the necessary questions about how data is stored, processed and protected. What checks will the supplier have in place to ensure compliance? How will they monitor their secondary suppliers?
  • Thinking about a contingency plan should it be necessary to replace a key supplier, either unexpectedly or because they were incapable of or unwilling to comply with GDPR.
  • Considering a crisis plan should a supplier breach become public, with the potential for damaging reputational impacts bubbling up to the parent organization.

This is also a good time for procurement to revisit its internal contract management processes, which are often pushed to the side when procurement has its hands full with other priorities. Too often, companies simply are not diligent when it comes to managing existing suppliers and ensuring that even the most basic deliverables are being met in accordance with contract standards. As for the sourcing of new suppliers, consider whether the same old RFI you’ve been using time and time again still contains the right questions for the times, helping you make the right decisions today and avert a costly mistake down the road.

Finally, procurement should be a source of education to its suppliers. Ensure they understand GDPR inside and out so they can take the necessary measures in the remaining months to avoid any interruption of the existing business relationship.

The protection of personal data remains a hot-button issue around the world. The frequency with which data has been mishandled and stolen has necessitated newer and more stringent data protection laws. GDPR is the latest. Chances are, it is not the last.

With just a few months to go, our procurement consultants are ready to play an active role in preparing suppliers and, by extension, protecting the organization as GDPR is implemented.

About Proxima

As a procurement consultancy, we are often inspired and defined by who we work with. We provide expert procurement services to clients in the UK, US and around the world. For more information on how our procurement consultants can help you prepare for GDPR, reduce your spend, increase your cost savings, and optimize your procurement strategy – simply get in touch.
