What does GDPR mean for your supply chain?

NazliErdogus

How to Prepare for the EU’s New GDPR Data Protection Rules – Kinaxis

The EU’s General Data Protection Regulation (GDPR) is the most important change in personal data privacy regulation in 20 years. It’s aimed at tech giants and small and medium enterprises alike.

As we count down the days until the GDPR enters into force on May 25, it’s important to recognize how your supply chain is affected and how it can become GDPR compliant.

What is GDPR and how will it impact my supply chain?

I’d like to take this opportunity to point out a few critical issues that will have a direct impact on your business and supply chain.

You may be wondering, “If I’m in North America, am I bound by these new rules?” Well, the EU data protection regulation makes it very clear that its new rules do apply, no matter where you reside or where your business is based.

As this broad territorial scope suggests, all companies processing personal data for those residing within the EU must comply—regardless of company location. Previously, this was subject to interpretation—but the rules are much clearer now.

Penalties for breaching GDPR are unforgiving

Organizations not in compliance with GDPR can be fined up to four percent of annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements, such as not having sufficient customer consent to process the data or a direct violation of the core of the GDPR’s Privacy by Design concepts.

Impact of GDPR on supply chains

The impact of GDPR on supply chains is no less severe. As the new rules apply for EU data—regardless of a company’s location—each tier in a supply chain (from third party suppliers to distributors) must comply and be transparent about the steps they’ve taken to comply.

The amount of data produced today (let’s call it ‘big data’) fuels a company’s ability to make key decisions across all aspects of their business. The revolutionary technologies that have enabled modern business—such as infrastructure as a service, platform as a service, software as a service and business processes as a service—all need to be reexamined under the new rules.

And what about your supply chain tiers?

If your company is working with a new supplier, your contract with that supplier needs to precisely state what data will be shared, how long it can be kept and what happens to it at the end of a contract.

For existing suppliers, contracts will require an update to reflect the new rules and must also go through a full review. Some suppliers may even need to complete an audit or be trained to ensure their infrastructure lives up to the new contracts. On top of that, the EU data protection regulation will also apply to all cloud software solutions used in your company.

The prevalence of cloud-based BI tools from multiple vendors serving different departments in the organization must also be considered. Any platform that collects and analyzes data deemed ‘personal data’ in your supply chain, whether raw, customer-specific data (e.g. price, volume) or data analyzed through special analytics in calculated reports, is also highly sensitive and must be compliant.

As you can see, GDPR permeates all levels of an organization and its supply chain, and it quickly brings personal data management within supply chains into play. GDPR impacts specific measures such as data encryption within purchased services to ensure security, confidentiality, integrity, morality and resilience of data.

How have you prepared for the GDPR data protection rules? Is your supply chain ready for it? Let us know in the comments.

Discussions

  1. GDPR mandates that every business needs a breach log where any actual or suspected data breaches, whether large or small, are recorded and tracked. There is still some ambiguity around what a breach log must contain, but in preparation for GDPR, the general consensus is ‘the more, the better’.

  2. Thanks for your note, Jyoti. Absolutely agreed, I believe there will be a lot of data contained in the logs for a while, whether or not they are important to process. Hopefully the rules will evolve over time, to make the most sense and not get lost in data.
