Sharad Patel, a GDPR expert at PA Consulting Group, discusses what enforcement will look like after the European Union’s General Data Protection Regulation comes into force on 25 May 2018.
Sharad says: "If there is a breach, the regulators will say: 'We want to come in and look at all the preparation elements for GDPR.'"
Sharad continues: "[When we] speak to the regulator, they say: 'If you have an action plan, if you have prioritised the highest risk contracts and started remediating those, then we will look favourably on the case'. It’s unlikely they'll impose €20m fines."
"While most organisations have started to prepare for the new rules, few companies are ready," says Sharad.
"There is a mixed bag out there. Around 60% of organisations have put in place a workstream around supplier contracts and third-party risk management. They have prioritised high-risk suppliers. That is the focus for most global organisations, who have thousands – maybe hundreds of thousands – of suppliers. They go where risks are high," Sharad says.
He adds: "Risk measures could be based on both the volume and the nature of the data – whether it is sensitive and includes personal details, health records, home addresses, and so on." Jurisdiction will also be important, he says, pointing out that consideration needs to be given to whether a supplier is sending data outside of either the EU or the European Economic Area.
"While large organisations will have established processes to work towards GDPR compliance, small and medium-sized enterprises (SMEs) may struggle to comply, leading to an imbalance in negotiating revised terms and conditions," Sharad says.
"SMEs are facing a difficult position. The contract is the first step. If the supplier is an IT giant, they tend to say: 'This is the updated contract, can you read and sign it.' That is fine, and many organisations are quite pleased to have the work taken off them, but they need to read the new contract because it will place obligations on them," he says.
Sharad continues: "A medium-sized marketing, asset management or retail firm will have many contracts to remediate in order to comply with the regulation. These companies will find it hard to get suppliers to agree to their standards, or desired terms and conditions, leading to different applications of the rules by different suppliers."
"They will face quite a lot of resistance from large suppliers and not get the traction that they need because of their size," he adds.
The article notes that another risk is that procurement professionals only focus on the top suppliers by size, without realising there are 'shadow' IT applications processing data using cloud-based suppliers.
"It is the areas that procurement doesn’t know about, that it needs to be worried about," he says.
But Patel says: "GDPR presents an opportunity to prioritise supplier information governance and use it as a selection criterion in future procurement. There is also the possibility it could even help the function prepare to deal with other regulations."
"Organisations are starting to take notice of this. We see them becoming more aware when they do due diligence on suppliers. Their general approach to information governance is becoming part of selection criteria, rather than the tick-box exercise it is now. Organisations are becoming more aware of the importance of good information practice among suppliers in terms of dealing with regulation and risk in the future," he says.
Sharad adds: "Some clients have 50-100 sources around the world. To try and coordinate data sources to understand risk across these locations is not simple."
Sharad concludes: "Some suppliers are upping their game, to make it a differentiator. Suppliers managing changes in legal requirements will be seen much more favourably. The year 2017 has been the year of panic. Once we get through that, suppliers will see clients asking for more information about information governance and it will make it a business differentiator."