The EU’s General Data Protection Regulation (GDPR) is the most important change in personal data privacy regulation in 20 years. It’s aimed at tech giants and small and medium enterprises alike. As we count down the days until the GDPR enters into force on May 25, it’s important to recognize how your supply chain is affected and how it can become GDPR compliant.
What is GDPR and how will it impact my supply chain?
I’d like to take this opportunity to point out a few critical issues that will have a direct impact on your business and supply chain. You may be wondering, “If I’m in North America, am I bound by these new rules?” Well, the EU data protection regulation makes it very clear that its new rules do apply, no matter where you reside or where your business is based. As this broad territorial scope suggests, all companies processing personal data of people residing within the EU must comply—regardless of company location. Previously, this was subject to interpretation—but the rules are much clearer now.
Penalties for breaching GDPR are unforgiving
Organizations not in compliance with GDPR can be fined up to four percent of annual global turnover or €20 Million, whichever is greater. This would be the maximum fine for the most serious infringements, such as not having sufficient customer consent to process the data or a direct violation of the core of the GDPR’s Privacy by Design concepts.
Impact of GDPR on supply chains
The impact of GDPR on supply chains is no less severe. As the new rules apply for EU data—regardless of a company’s location—each tier in a supply chain (from third party suppliers to distributors) must comply and be transparent about the steps they’ve taken to comply. The amount of data produced today (let’s call it ‘big data’) fuels a company’s ability to make key decisions across all aspects of their business. The revolutionary technologies that have enabled modern business—such as infrastructure as a service, platform as a service, software as a service and business processes as a service—all need to be reexamined under the new rules.
And what about your supply chain tiers?
If your company is working with a new supplier, your contract with that supplier needs to precisely state what data will be shared, how long it can be kept and what happens to it at the end of the contract. For existing suppliers, contracts will require an update to reflect the new rules and must also go through a full review. Some suppliers may even need to complete an audit or be trained to ensure their infrastructure lives up to the new contracts.

On top of that, the EU data protection regulation will also apply to all cloud software solutions used in your company. The prevalence of cloud-based BI tools from multiple vendors for different departments in the organization must also be considered. Any platform that collects and analyzes data deemed ‘personal data’ in your supply chain—be it raw, customer-specific data (e.g. price, volume) or data analyzed through special analytics in calculated reports—is also very sensitive and must be in compliance.

As you can see, GDPR permeates all levels of an organization and its supply chain, and it brings personal data management within supply chains into play very quickly. GDPR requires specific measures, such as data encryption within purchased services, to ensure the security, confidentiality, integrity, availability and resilience of data.

How have you prepared for the GDPR data protection rules? Is your supply chain ready for it? Let us know in the comments.