GDPR – an overview for procurement functions

GRPR came into place almost a year ago. To avoid non-compliance, make sure you review and update your policies and procedures with our help. Read more.

In May 2018, companies across the country were frantically preparing vast amounts of new documents considering the impending implementation of the General Data Protection Regulations (GDPR).

Since its introduction several ICO penalties have been issued for breaches of GDPR. Facebook was fined £500,000 for collecting personal data about the Facebook friends of users, without those friends being informed that their data was being collected and without them being asked for consent. Charities including Cancer Research UK, Macmillan Cancer Support and The Royal British Legion were fined various amounts for failing to adequately indicate in their privacy notices that personal data may be processed for wealth analysis to identify those who were able to donate more money. And Uber was fined £385,000 for inadequate security arrangements that led to cyber attackers being able to download a large amount of personal data about drivers and customers.

Given the significant fines that can and have been given to organisations failing to meet with GDPR standards, it's never a bad idea to review and update your policies and procedures to avoid non-compliance.

What to consider

1. Know your data – review how data flows through your organisation. Has this changed and is it conforming to standards?
2. Continue to review contract risks - when it comes to risk, you need to continually work through your contracts, identifying which suppliers process data within the EU and which handle the most sensitive data and prioritise reviews for those organisations.
3. Engage your suppliers - categorise your suppliers so you are clear about where risk might be higher and ensure their documentation is up-to-date and that they have the necessary indemnities and liability. When selecting new suppliers, ensure tender documents make explicit reference to your data protection policy.
4. Continue monitoring compliance – hopefully you won’t have done a single set of checks in advance of GDPR legislation being introduced and left it at that! Carrying out regular spot checks and audits of your suppliers will be key to staying on top of things.
5. Have a clear plan of response - under GDPR, individuals can exercise their right to be forgotten or request access to the data held on them. No matter how complex your supply chain is, these demands must be met within a month. Consequently, ensure you have a plan for the chain of communication, including templates for requests and details of who to contact so that you can satisfy such requests within the time frame.
6. Document your steps - if there ever is a breach, part of the investigation will involve the ICO examining how far your organisation tried to minimise the risk. So, it’s important to continually document the steps you are taking as part of a written action plan. Working with a diverse supply chain comes with risks, so the key thing is to show that you have done all you can to manage it as effectively as possible. 

How we can help

SafeContractor and SafePQQ help businesses gain a vital insight into their supply chain so they can effectively monitor, manage and make an informed decision about who they work with. Through SafePQQ we collect and verify GDPR documentation from your supply chain, so you don’t have to. Our online contractor management system delivers up-to-date data and real-time vision of potential issues helping you stay on top of your supply chain. Sign up today to join our community of businesses who want to work and grow together, without compromising safety, sustainability, or ethics.