The new European Data Protection Text requires procurement departments to ensure the security of supplier contact information through dedicated procedures and tools. They must also ensure compliance with providers who host or process data on behalf of their company, adapting purchasing contracts to describe new obligations and solutions in the event of a problem.
Since Friday, May 25, the European Union's General Data Protection Regulation (GDPR) has come into force. Therefore, all companies headquartered in Europe, but also all those that handle personal information collected in the Union, must comply with the new text which aims to make it easier for individuals to control how their data is collected, used, shared and stored. "Different from a directive, this regulation is binding on all European countries, with a very small margin of adaptation, only to take into account the support (certification, label, etc.) specific to each country," says Franklin Brousse, lawyer for the purchasing and digital departments.
If the GDPR particularly concerns marketing and human resources departments, which are greedy in data relating to customers/prospects or employees, purchases also have a responsibility. What for? First, because the function's information system manipulates information relating to supplier contacts. "The GDPR requires special measures, i.e. dedicated procedures and protection solutions, including encryption tools and anonymization or pseudonymization devices," explains Franklin Brousse.
Purchases are also concerned because of the company's use of third parties or IT subcontractors, potentially required to host or process data (employees, customers, suppliers, etc.) on its behalf. "In addition to implementing technical and organizational measures internally, companies must ask themselves the question of compliance of the services provided by their service providers," confirms Jules-Henri Gavetti, President and co-founder of the cloud host Ikoula. In order to ensure that they comply with the GDPR, and thus protect themselves, it is imperative to adapt the purchase contracts to describe their obligations (security verification, notification procedure in the event of an attack, impact analysis, etc.), possibly through a "Data protection agreement" to be annexed to the contract.
The GDPR project is first and foremost an opportunity to get rid of low-quality data. "The best solution is to set up a centralized, rules-based foundation that allows the company to be compliant," said Brenton Walton, Head of Business Development & Marketing North America at SynerTrade. "It can be effective to trace the data lifecycle, by registering it on a centralized and accessible medium," agrees Florian Douetteau, CEO of Dataiku. "This cycle must include an inventory of existing data, the people who access and regularly use it, as well as the methods of data processing: copying, deletion, etc." In this way, it will be easier to identify practices that involve the handling of personal data and those that present risks.
With service providers who are not compliant with the GDPR, "it is also an opportunity to be able to renegotiate the terms and conditions of contracts, and to take advantage of them to save money," continues Brenton Walton. The operation may also require updating its possible CLM (Contract lifecycle management) tool, in particular if the publisher has integrated the new regulations by making available specific clauses or documents. Or even to launch a more global reflection to modernize and upgrade the relevant part of its purchasing information system.