The GDPR stands for the General Data Protection Regulation, a recent EU law that sets the rules for anyone handling personal data about EU residents. GDPR enforcement will begin on 25 May 2018.
Many people still think that only IT teams need to worry about compliance with these new regulations. But the GDPR could have significant implications for everyone in the industry who works with customers or suppliers, interacting with individuals and their personal data every day – meaning many common activities may fall under the GDPR's scope.
Failure to comply can lead to fines of up to 20 million Euros. When the GDPR comes into effect, most organizations that collect, maintain, or process EU residents’ personal data (regardless of the organization’s global location) will be required to implement procedures and safeguards for that data.
How to ensure that your organization is GDPR compliant
The GDPR applies to Data Controllers and Data Processors. The Data Controller is the person or organisation that determines the purposes and means of processing personal data (typically your own organisation). The Data Processor is the person or organisation that processes personal data on behalf of the Controller (typically the supplier you contract to deliver goods or services).
Although a broad understanding of the entire GDPR would be ideal, you can focus on the principles set out in Article 5 of the GDPR (“Principles relating to processing of personal data”), in particular on the three key directives outlined below.
a) You need to ensure you collect as little personal data as possible and have legitimate grounds to process it
The GDPR includes a limited list of acceptable reasons for collecting data, so it is essential to collect as little data as possible. Personal data may only be collected for specified, explicit and legitimate purposes determined at the moment of collection. Also, personal data must only be processed in a manner compatible with those purposes.
If you need to process someone’s personal data based on a customer/supplier relation, you have a legitimate interest to do so in accordance with Recital 47 of the GDPR.
Otherwise, you must ask for consent. Consent has to be freely given, specific, informed and unambiguous, and needs to be given through an affirmative action. You are required to record the consent and to be prepared and able to remove the relevant data if the person changes their mind.
b) Protect data and delete it after use
Protecting the individual is a core purpose of the GDPR. The GDPR requires you to make sure you have appropriate security for any personal data you process, such as strong passwords, access controls, data encryption and other industry standard technical security measures.
Additionally, you may keep the personal data only for as long as necessary to identify the individuals for the purposes established. You should have a procedure that makes it clear when data needs to be erased, for instance by defining the conditions under which retention ends and automating the deletion process once they are met.
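One way to turn the retention rule above into an automated deletion procedure, as an added example that is not part of the original article: each record carries the purpose it was collected for and the date that purpose was satisfied; a per-purpose retention table (a constructed sample policy, not one the page specifies) decides when the record expires, consent withdrawal expires it immediately, and records under a purpose with no retention policy are treated as expired so that data never lingers unlisted. The purge returns an audit trail that records what was deleted and why without copying any personal data into the log.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Retention period per processing purpose. These are constructed sample values;
# real periods come from your own legal and compliance review.
RETENTION_DAYS: Dict[str, int] = {
    "order_fulfilment": 90,    # delivery complete plus a grace period for disputes
    "supplier_contract": 365,  # contract term
}

# Date used by the stand-alone demonstration (constructed: GDPR enforcement day).
DEMO_DATE = date(2018, 5, 25)


@dataclass
class PersonalRecord:
    record_id: str
    purpose: str
    last_needed: date          # date the stated purpose was satisfied
    consent_withdrawn: bool = False


def expiry_reason(rec: PersonalRecord, today: date) -> str:
    """Return why a record must be deleted, or '' if it may still be kept.

    Fail closed: a purpose absent from RETENTION_DAYS has no justification
    for retention, so the record is treated as expired.
    """
    if rec.consent_withdrawn:
        return "consent_withdrawn"
    days = RETENTION_DAYS.get(rec.purpose)
    if days is None:
        return "no_retention_policy"
    if today > rec.last_needed + timedelta(days=days):
        return "retention_elapsed"
    return ""


def purge_expired(store: Dict[str, PersonalRecord], today: date) -> List[dict]:
    """Delete expired records from the store in place.

    Returns an audit trail naming record id, purpose, reason and deletion
    date only; no personal data fields are copied into the log.
    """
    audit: List[dict] = []
    for rid in list(store):            # copy keys: we mutate the dict while iterating
        reason = expiry_reason(store[rid], today)
        if reason:
            purpose = store[rid].purpose
            del store[rid]
            audit.append({
                "record_id": rid,
                "purpose": purpose,
                "reason": reason,
                "deleted_on": today.isoformat(),
            })
    return audit


def sample_store() -> Dict[str, PersonalRecord]:
    """Constructed sample records covering each retention outcome."""
    return {
        "c-1001": PersonalRecord("c-1001", "order_fulfilment", date(2018, 1, 10)),
        "c-1002": PersonalRecord("c-1002", "order_fulfilment", date(2018, 5, 1)),
        "s-2001": PersonalRecord("s-2001", "supplier_contract", date(2017, 3, 1)),
        "s-2002": PersonalRecord("s-2002", "supplier_contract", date(2018, 2, 1),
                                 consent_withdrawn=True),
        "x-3001": PersonalRecord("x-3001", "marketing", date(2018, 5, 20)),
    }


if __name__ == "__main__":
    store = sample_store()
    for entry in purge_expired(store, DEMO_DATE):
        print(entry)
    print("retained:", sorted(store))
```

Run as a scheduled job, the audit entries are what you would keep to demonstrate that the deletion procedure actually executed; the retained set is what a data subject access request would have to be answered from.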
c) Ensure fairness, transparency and accuracy
You should always make sure your customers or suppliers are well informed of what you are doing with their data and why you are doing it. They need to be informed of the existence of the processing activities and their purposes at the moment of collection. The information shall include all details necessary to ensure fair and transparent processing.
You also need to be prepared for individuals exercising their right of access to their data. You need to make this process possible, and you need to be able to delete this data at the individual's request.
Also, it is necessary to take every reasonable step to ensure that personal data are accurate and up to date concerning the specific purposes for which they are processed.
How the GDPR may impact supply chain management
The supply chain is key to any business, and when GDPR comes into effect it will be one of the most critical areas because of the large amount of data processed.
In preparation, organizations need to analyse their supply chain to ensure data is being used and safeguarded correctly, focusing effort where it matters most from a privacy perspective.
You should be aware that the GDPR affects any contract where personal data are shared with suppliers; this means that the GDPR will impact existing contracts as well as new ones. The GDPR offers enhanced protection for personal data, imposes stricter obligations on those who process it, and gives more rights to individuals whose data are processed. Consequently, the systems that you and your suppliers use must be capable of meeting these stricter requirements.
Data shared with suppliers. You will need to control what your suppliers are doing with the personal data shared with them.
For new suppliers, contracts will have to outline precisely what data will be shared, what it can be used for, how long it can be kept and what will happen to it at the end of the contract. For existing suppliers, contracts should be updated to reflect this, following a full review of the current distributed data to ensure they only have access to appropriate information.
Transparency. A key element of the GDPR is transparency, and it needs to be achieved throughout the supply chain.
The contract is, once again, central to ensuring that this happens in practice. When developing contracts with suppliers, specific clauses with regard to the processing of personal data should be included. For instance, you might request access to files such as the supplier’s breach log (one of the new requirements of the GDPR, where any actual or suspected data breaches are recorded and tracked).
How NotifyMe is getting ready for the GDPR
With strong roots and two offices in Europe, the team at NotifyMe is well informed of the implications of the GDPR and we understand exactly how important these changes can be for NotifyMe users.
NotifyMe has established a comprehensive compliance program and is committed to partnering with its clients and service providers to help them in their GDPR compliance efforts.
Internally, we have adopted new procedures to make sure that our service meets GDPR requirements.
- Our EU Clients’ databases are stored in Amazon AWS data centers in Frankfurt, Germany, or in Clients’ own servers. Beyond that, we do not outsource any business or technical services to 3rd parties.
- The security of physical and logical access to Client data is very high: Amazon runs the physical data centers and provides protection against physical attacks, and the software can only be accessed via encrypted connections (HTTPS). Also, Clients authenticate to NotifyMe using a combination of username and password.
- We have created a structured system to respond to data subject requests to delete, modify or transfer their data. Also, personal data are automatically erased as soon as they are no longer needed to provide our services.
- Our team has undergone extensive training to make sure the requirements and spirit of the GDPR are understood by everyone. The production systems can only be accessed by a carefully selected and specially trained Operations team. No subcontractors or any other 3rd party have access to the systems.
NotifyMe is committed to incorporating the GDPR principles of privacy and security as a prerequisite for capturing benefits in digitally powered supply chains. In the end, we believe that the GDPR will strengthen the supply chain by making it more mature and transparent.