Many client executives are currently working to become compliant with the new General Data Protection Regulation (“GDPR”). The GDPR regulation goes into effect on 25 May, 2018, and while GDPR is a European Union regulation, it is expected to be implemented worldwide due to its wide reaching or near universal regulatory umbrella.
Around 20 years ago, pretty much all data was stored in the corporate datacenter. Today, that data could be in multiple locations, stored on the edge in branch offices as well as in the public cloud. Critically, Personal Identifiable Information (“PII”) could exist outside primary systems. GDPR represents “the law catching up with the digital world”.
GDPR identifies the following actors:
- Data Controller – A controller is an entity that decides the purpose and manner that personal data is used or will be used.
- Data Processor – The person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data.
An Ernst & Young 2018 Global Forensic Data Analytics Survey found that with respect to readiness for GDPR, respondents indicated only 33% have an established plan for GDPR compliance, with another 39% signifying they are familiar with GDPR.
The new regulation requires much tougher controls over what your third-party suppliers do with employee and customer personal data. GDPR requires that both controllers and processors know where the personal data is located for storage and processing. They will share equal liability, and this has data processors scrambling to determine how best to make sure that the data their customers are putting on their servers is properly protected. In addition, data controllers must assess whether the security measures of their Cloud providers meet GDPR requirements by conducting periodic audits. And to make it even more complex, the same applies to a processor using a sub-processor.
It’s true the amount of Strategic Supplier Management (“SSM”) work that is needed to become GDPR compliant is significant, but there are also opportunities including a) demonstrating how a well-managed and structured approach to SSM adds value to an organization, b) raising the profile of SSM as GDPR is a board level issue and c) realizing compliance with SSM policies more widely.
With an emphasis on suppliers, GDPR makes data a SSM opportunity and priority:
- Get to know your data - Map the flows of personal data through supply chains to identify the recipients of personal data, including sub-processors and where the personal data is processed.
- Identify contract risk areas - Identify supplier contracts that involve the processing of personal data and review the data protection provisions. These are unlikely to cover all the provisions that must now be included under the GDPR.
- Update contracts - The financial and reputational risks posed by the regulation may change the risk profile of the supplier, leading to a different approach to liability for data protection and data security breaches. Breaches can include charges of up to €4 million or 4% of company revenue (whichever is higher)! Seems reason enough for clients to demand and ensure compliance.
- Look at processes - Carry out adequate due diligence on new suppliers, starting in the RFx process, to check their GDPR compliance, obtain guarantees regarding the measures that suppliers have in place and ensure there are rights of audit within the contract together with the other mandated data processing provisions.
- Monitor compliance - This isn’t a one-time event: clients need to think about ongoing SSM, including audits and spot checks.
As the cover of The Economist’s May, 2017 issue proclaims, “The World’s Most Valuable Resource is No Longer Oil, but Data”, its importance to business will only increase. The GDPR rules are very complex, but NET(net)’s advice is not to be overwhelmed by them or to see GDPR as your enemy.
NET(net) predicts protracted contractual negotiations with IaaS, PaaS and SaaS suppliers as the Data Processor will try to wrangle a shift in liabilities back to you, the Data Controller. NET(net) can help support you in minimizing that risk.
A PwC Pulse survey shows that 88% of companies expect to invest $1 million to meet requirements and another 40% expect to spend more than $10 million. And this is to get ready, however, getting ready is just the beginning. GDPR is not a single, one-time event. GDPR requires continuous active monitoring, and a visible, proactive SSM program. Through WIN(win), NET(net)’s proprietary platform, we provide capabilities to sustain value and ongoing compliance through Supplier Performance Management of your Agreements, Investments, and Relationships.
A November 2017 report published by Technology Law Alliance reveals that just 18% of companies will be ready for the introduction of the General Data Protection Regulation. Whether you belong to the 18% that is ready or the 82% that are not, GDPR should be viewed as an opportunity to improve your understanding, to renegotiate your agreements, and to build better procurement processes to safeguard and future proof your technology supply chain. GDPR puts strategic supplier management back in the forefront, and NET(net) has the capabilities you need to ensure your agreements include appropriate GDPR protections. Through NET(net)’s proprietary platform, WIN(win), and access to the Performance portal, clients are able to perform Strategic Supplier Management, including proactive ongoing management for GDPR. NET(net) can help you manage these strategic supplier agreements to minimize cost and risk while maximizing the realization of value and benefit.
Contact us here and we’ll arrange a call with one of our Subject Matter Experts who can immediately assess your situation.
Click below to see how clients use WIN(win) to proactively track and monitor GDPR compliance, as well as their other ongoing contractual obligations:
Celebrating 15 years, NET(net) is the world’s leading IT Investment Optimization firm, helping clients find, get and keep more economic and strategic value. With over 2,500 clients around the world in nearly all industries and geographies, and with the experience of over 25,000 field engagements with over 250 technology suppliers in XaaS, Cloud, Hardware, Software, Services, Healthcare, Outsourcing, Infrastructure, Telecommunications, and other areas of IT spend, resulting in incremental client captured value in excess of $250 billion since 2002. NET(net) has the expertise you need, the experience you want, and the performance you demand. Contact us today at firstname.lastname@example.org, visit us online at www.netnetweb.com, or call us at +1-866-2-NET-net to see if we can help you capture more value in your IT investments, agreements, and relationships.
NET(net)’s Website/Blogs/Articles and other content is subject to NET(net)’s legal terms offered for general information purposes only, and while NET(net) may offer views and opinions regarding the subject matter, such views and opinions are not intended to malign or disparage any other company or other individual or group.