
September 24, 2018

The Procurement Manager's Guide to GDPR

Everything you have wanted to know about GDPR and how it impacts you as a Procurement Manager.

What is GDPR?

GDPR (General Data Protection Regulation) is a legal framework that standardizes the protection of personally identifiable information (PII) within the European Union. It lays down stringent rules on how personal data must be handled by third parties, and it gives individuals full control over their personal data. GDPR has been in effect since May 25, 2018, replacing the 1995 EU Data Protection Directive and superseding the 1998 UK Data Protection Act.

To whom does it apply?
GDPR applies to all organizations that hold and process any form of personal data. Technology firms, data brokers and marketers, for instance, fall directly within its scope. Geographically, GDPR applies in the following scenarios:

  • All organizations operating within the EU (European Union)
  • Any organization outside the EU that still offers goods or services to individuals or businesses in the EU

Key Components of GDPR
As most organizations are still trying to make sense of GDPR, here are the four key components that will help in this endeavor. Data Subject, Personal Data, Data Controller and Data Processor are the key terms needed to understand the overall concept of GDPR.

  • The data subject is an individual (natural person) from whom the data has been collected
  • Personal data is any piece of information that can lead to an identifiable natural person (data subject)
  • A data controller is a natural or legal person, entity, firm, etc. that sets the objectives and determines how data is collected, stored and processed
  • A data processor is any natural or legal person, entity, firm, etc. that processes the data on behalf of the data controller. The data controller and processor can also be the same person/entity
  • The data controller is a vital component in GDPR, as this is where an organization ensures that all of its contracts with data processors are GDPR compliant

What type of Data is protected by GDPR?
Any personally identifiable information is protected under GDPR. Data considered personal under the legislation includes:

  • Name, address, phone numbers, ID numbers, photos
  • IP address, location, cookies, RFID information 
  • Health and genetic records
  • Biometric data
  • Racial or ethnic data

Is work email protected under GDPR?
Yes. An individual's work email ID comes under the purview of GDPR, as it serves as a medium through which that individual can be reached, either personally or professionally. A generic business email ID such as enquiry@xyz.com or contact@xyz.com, on the other hand, is not considered personal data.

How important is GDPR for Sourcing & Procurement?
The role of Sourcing and Procurement organizations in ensuring GDPR compliance is crucial, as they exchange significant volumes of data with vendors to deliver products and services to different businesses and functional units. The complexity of modern supply chains and the sheer number of supplier interactions demand that procurement and compliance teams establish GDPR compliance levels through appropriate supplier due diligence. A focus on contract management and on the flow of information across the supply chain is central to GDPR compliance.

Am I safe when my supplier is non-compliant?
No, it's a risk. GDPR has an accountability clause, which means that an organization not only needs to comply but also has to demonstrate compliance. Organizations should have written contracts with their suppliers covering GDPR compliance and should also conduct periodic reviews.

What is the cost of non-compliance?
Any non-compliance will result in heavy fines, which can be as high as EUR 20 million or 4% of a company's total global revenue, whichever is larger.

What are the key requirements of GDPR for S&P organizations?
Any business firm that transacts with an individual based in the EU and collects, controls, or processes personal data comes under the purview of GDPR.
Below are the key requirements of GDPR for S&P organizations:

  • Obtain explicit consent from all stakeholders across the supply chain for the collection and processing of the personal data they share, along with the purposes for which it is used.
  • Implement appropriate security measures to ensure data security, and require the same of third-party data processors (vendors). Monitor, analyze and respond to security incidents/breaches in a timely manner (notification within 72 hours of becoming aware of a breach).
  • Ensure that all third-party data processors (vendors processing or using the data shared by the company) are GDPR compliant by adding explicit clauses to the contracts.
  • Update all contracts with data processors (tools, solutions, service providers and BPO firms) with clear written guidelines and a defined scope of data processing. Key data processors include cloud-based service providers, sub-contractors, etc.
  • Appoint a Data Protection Officer (DPO) if the company internally monitors and/or processes data on a large scale in a regular or systematic manner. Where a third-party vendor is the large-scale data processor, the DPO should be appointed by that third party.

What are the key steps for business firms to become GDPR compliant? What are the key roles of S&P in this?

  • Map the locations of all personal data of vendors and other supply-chain participants to ensure that no crucial data is overlooked
  • Categorize all suppliers based on their access to data
  • Prioritize the supplier categories established above based on the volume and sensitivity of the personal data involved
  • Strike a balance between removing information from the system and encrypting it. There may be conflicting situations where another law restricts your ability to delete certain information (purchase records, for example). Determine what needs to be retained, deleted, and encrypted.

How can a company ensure that its suppliers are GDPR compliant?
GDPR requires that the scope of data processing be clearly defined in the contract between the data controller and the data processor. In many cases, business firms and their suppliers stand in exactly this controller/processor relationship. Business firms can ensure that suppliers are GDPR compliant by:

  • Conducting surveys with suppliers to understand their readiness and level of compliance with GDPR
  • Adding clauses to existing contracts to avoid non-compliance risk and reduce liability: clauses that hold vendors accountable for non-compliance based on their GDPR risk score, data security requirements and the scope of data processing
  • Performing on-site audits, particularly for critical suppliers (selected by spend value and the products/services they provide). Specialized third-party firms also offer GDPR-focused data audits.

Which are the key Spend and Supplier Categories that should be focused on or prioritized for GDPR compliance?
Business entities should start by classifying categories as in-house or outsourced, and then comb through all outsourced categories to identify those where personal data is involved. Outsourced service providers are the natural focus for GDPR compliance. However, in-house managed spend also contains multiple categories that require relatively higher attention from a GDPR perspective.

  • Marketing solution and service providers must be GDPR compliant, as they collect and process large amounts of personal and sensitive data about target customers. GDPR also places specific requirements on the storage of data, profiling of target customers, etc., and compliance with these should be checked with every marketing vendor. The supplier landscape is also changing, as many foreign firms (particularly smaller marketing firms) find it difficult to operate under the new standards.
  • Other indirect spend categories such as travel, HR, health and insurance, etc. The vendors providing solutions/services in these categories should also be evaluated by the S&P organization, as they collect and process a high volume of personal and sensitive employee data.
  • IT solutions and services will also see changes in the supply base (consolidation, switching) and in contract reviews and clauses, particularly for third-party cloud-based solution and service providers. S&P organizations have to go through the individual contracts with these IT solution providers (of which there may be a huge number) to determine the scope of required modifications.

How are the e-Procurement Solution providers reacting? How are these solution providers helping their clients to comply with GDPR?
Currently, buyers' preferences lean towards vendors that are fully GDPR compliant. This is largely because GDPR is still at a nascent stage of maturity and buyers are looking to avoid any uncertainty.
Below are the reactions from leading e-procurement solution providers.

  • Providing new features/functionalities aligned with GDPR to give clients better control over, and access to, the data they share. These features follow the GDPR provisions, including the rights of access and rectification, the right to erasure (right to be forgotten), the right to data portability, and the right not to be subject to automated decision-making, including profiling.
  • SAP Ariba has added new functionalities to support GDPR compliance for its customers. The key features are: explicit consent for data usage and its purpose, self-service opt-out so that recipients can unsubscribe from unwanted communications, personal data deletion, retention and rectification, sub-processor compliance, etc. Other leading e-procurement solution providers are also offering (or working towards) similar functionalities.
  • Revised Data Processing Agreements issued by solution providers to align their services and solutions with GDPR.
  • Reviewing their risk management strategies and processes, and explicitly describing all the activities conducted to ensure GDPR compliance on their websites and in other publications.
  • The key standards and certifications highlighted by e-procurement solution providers (Ariba, Coupa, Zycus) in support of their GDPR compliance efforts are ISO 27001, SOC 1, SOC 2, cloud security certifications, etc.
  • Article 25 of the EU GDPR mandates Privacy by Design and by Default. Privacy by Design requires that data protection and security are not bolted on as an additional layer over the system or IT infrastructure, but built in as an integral part of it. Privacy by Default requires that any product/service released to the public adheres to the strictest privacy settings by default. Procurement solution providers are working towards adherence to this article and are expected to release fully compliant versions of their respective offerings in the near future.

What is the role of technology towards GDPR compliance? How is the technological landscape shaping up with the introduction of GDPR?
Technological advancements in AI and Blockchain are expected to complement the efforts of business firms towards attaining GDPR compliance.
Below are some of the technological solutions that could facilitate GDPR readiness in the future:

  • AI-based data miners can efficiently identify personal and sensitive data across multiple sources that falls within the scope of GDPR.
  • Machine learning and natural language processing can help with consent management and with delivering the functionalities GDPR calls for (right to be forgotten, right to rectification, right of access), especially for e-procurement solution providers.
  • On the other hand, GDPR also has the potential to slow the growth of AI implementations in the EU, owing to its many rules and restrictions on data collection and processing. The prohibition on repurposing data, the right to erasure, and the requirement for human review of key algorithmic decisions can limit the effectiveness of AI tools. In simple terms, GDPR could limit the level of processing allowed on personal data.
  • Under Article 22 of GDPR, business firms are required to provide human review of decisions made by algorithms, which limits the benefits derived from AI. Article 22 of the EU GDPR states: "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

GDPR's future outlook: GDPR is a step in the right direction towards protecting an individual's personal data and privacy. Considerable effort and investment in GDPR compliance is evident across buyers, suppliers, consultants and other intermediaries in the supply chain.

In the sourcing and procurement space, GDPR is expected to further tighten the way personal data is handled. Ongoing digital transformation (from e-procurement tools to smart contracts) will further widen the scope of GDPR in the sourcing and procurement industry.
As organizations need to be GDPR compliant themselves and also demonstrate compliance among their suppliers, the focus should be on both internal and external processes.

  • For internal GDPR compliance: internal compliance, risk management and dedicated GDPR teams need to continuously frame the guidelines and monitor and review how data flows in and is processed, stored and used.
  • For external GDPR compliance: organizations need to have written contracts with their suppliers and conduct due diligence at periodic intervals. It is also essential to review whether each supplier has GDPR contracts in place with its own suppliers.

Moving forward, organizations are likely to engage GDPR consultants to strategize and ensure compliance, both internally and externally. This is largely because any level of non-compliance will have a significant impact on an organization's financial, operational and reputational standing.

Authored By

Gaurav Agrawal

Senior Domain Lead, Sourcing & Procurement, Infosys BPM

September 21, 2018

Rome and Data Can't Be Built in a Day

Data holds the title of 'most important resource', and its position is getting stronger by the day. Many companies have realized the importance of data and its impact on corporate decisions, strategy and design. Even decisions on technology and tools are based on what companies want from their data.

The application of Big Data with advanced analytics helps in identifying emerging patterns and correlations that offer actionable information and insights, vital to policymakers and strategists. Every aspect of the commercial and sociopolitical environment is governed by data. Hence the importance of data-based analytics and models cannot be overstated.
Let us explore some of the areas where data analytics can make a huge impact in procurement.

Opportunity identification for enhanced savings and efficiencies:

Category managers are always looking for opportunities that help them optimize their operations. An analysis of spend and transaction data reveals information and spend patterns that present opportunities for optimizing the supplier base. It also provides insights into volume and spend, and helps in the development of supplier models.
Secondly, it helps in improving spend under management: items that were outside the procurement focus can be identified and specific interventions carried out.

Designing the Buy-Pay channel:
Data analysis and technology can rapidly cut down order processing time and cost; this alone is bound to bring about higher user satisfaction and a better experience. The availability of relevant data also facilitates continuous improvement of the channel, thereby optimizing performance.

Ensuring compliance:
The right set of data helps in identifying buying patterns and ensures that purchases are made at the right prices, with the right contracted suppliers. This avoids savings leakage as well as third-party risks.
Suppliers or products can also be categorized and flagged based on regulations, preventing penalties and adverse actions. With a clear view based on the analysis of in-house data, one can improve demand management, control unplanned spend and manage working capital effectively.

Master data of supplier and item:
Cleaner data avoids redundant data and duplicate records. When the data is mapped to the reference tables, searching takes less time and the cost of maintaining records falls.

Given these benefits, it is crucial that organizations maintain clean, structured data, which poses a challenge in itself. Discussions with some of our colleagues and clients often highlight that this is usually not the case: either the data is not available, or it is not useful enough to determine the opportunity to transform.

In my view, the sky is the limit when it comes to maintaining a clean database. The best way is to continuously look for ways your current database can be enriched. Tools or third-party experts can create a better ecosystem for the data and also improve the overall procurement strategy.

The importance of having relevant and useful data cannot be emphasized enough, and the process of maintaining a clean database does not happen overnight. At the end of the day, the business will need relevant data that enables and empowers business analytics. The time is right to embark on a plan to ensure the availability of structured and meaningful data. Data, like anything else, takes time to build; let us not forget that neither Rome nor data can be built in a day.
