What does GDPR mean for your supply chain?

Supply chain is a significant part of any business, and when the European Union's General Data Protection Regulation (GDPR) takes effect on May 25, 2018, it will be one of the most examined areas because of the large volume of personal data that is processed as part of it. What does this mean for companies? To know exactly what their supply chain looks like, they must carry out a full audit, ensure data is being used correctly, and safeguard it with the right technical and organizational measures. GDPR is also an opportunity to make privacy a significant part of the customer experience. The EU's new regulation brings personal data management within supply chains into scope, and its requirements reach every level of an organization and its supply chain. It also affects specific technical measures, such as encryption of data held in purchased services, which the regulation (Article 32) expects to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

Let’s first take a look at how your supply chain may be affected and the compliance requirements needed to keep up with GDPR:

  • Data Processing

    Regardless of where they are based, suppliers and companies can be subject to GDPR, because the regulation applies to anyone processing the personal data of individuals in the EU, not only to organizations established there. Global manufacturing businesses that gather personal data, from national insurance numbers and contact details of customers, employees or sub-contractors to bank account information, will need to secure it.

  • Customer Consent

    Under the EU's new data protection law, organizations must clearly state the purpose of any collection of personal information. A pre-checked box on a website form will no longer suffice as consent. Manufacturers relying on consent will need to consider how that consent is obtained before processing data. The customer must also be given a clear option to decline, and withdrawing consent must be as easy as giving it.

  • Right to erasure

    One of the rights strengthened under the GDPR is the right to erasure. Alongside the right of access, under which a customer can request to see all the personal data a company holds about them, the customer can also request that the data be removed or deleted. Larger companies and supply chain manufacturers will have to allocate the time and resources to respond to such requests promptly, which in practice means knowing where each supplier holds copies of the data.

  • New Accountability Principle

    The GDPR requires accountability: organizations must be able to demonstrate compliance, not merely comply. The explicitly recognized concepts are 'privacy by design' and 'privacy by default' (the regulation itself calls them data protection by design and by default), which require data protection measures to be built into data processing activities from the outset. When data processing is outsourced, these principles must be carried through the whole supply chain. Organizations must be able to show that they, and their suppliers, handle data responsibly and securely.

  • Direct Obligations

    Once GDPR applies, data processing agreements will need to set out the mandated contractual provisions, and the conditions under which a processor may engage a sub-processor will need to be defined. In addition, companies will have to carry out appropriate due diligence on suppliers and monitor their compliance. Within the supply chain, personal data management will require clear, specific and robust policies and procedures to be in place.

  • Supply Chain Tiers

    If you are working with a new supplier, the contract will need precise details such as what data will be shared, for how long, and what happens to it at the end of the contract. Existing supplier contracts will need a full review and an update to reflect the new rules. Most suppliers will need guidance to make sure their infrastructure meets the new contract terms, and some may need to complete an audit.

  • Cloud-Based Tools

    Cloud software solutions that enable modern business, such as software-as-a-service, platform-as-a-service and infrastructure-as-a-service offerings and other hosted business processes, will also need to be re-examined under the new GDPR rules. Organizations must also consider the different BI tools from multiple vendors used by different departments. Any platform that collects or analyzes data in your supply chain, whether customer-specific or raw, must be in compliance.

The penalties for breaching the regulation are stringent: companies not in compliance can be fined up to 4% of annual global turnover or 20 million euros, whichever is higher. Consent will play a major role, since processing personal data without a valid lawful basis is itself a violation. There are steps organizations can take to ensure they are compliant, such as mapping personal data through the supply chain and carrying out due diligence on new as well as existing suppliers to check their GDPR compliance. Suppliers can provide guarantees regarding the measures they have taken to meet the mandatory data processing provisions written into the contract. Clearly define your requirements at the outset and build them into contractual negotiations with suppliers so that the outcome is positive for both sides. Contact us today to learn how you can demonstrate to your suppliers and customers that you take data protection seriously.

Meet the Author


Rajendran Nair

Chief Marketing Officer
Rajendran has over two decades of experience in enterprise software, in roles ranging from development to product management to marketing. He was most recently at Rootstock, the leading ERP for manufacturing on the Salesforce platform. At Rootstock, he was responsible for driving topline revenue, streamlining sales and marketing operations, and substantially increasing market awareness, including favorable positioning in four major analyst reports.