Gartner, Inc. said many organizations are still not compliant with the GDPR even though it has been in force since May 2018, because they have not properly audited how personal data is handled within their supplier relationships. Sourcing and vendor management (SVM) leaders should, therefore, review all IT contracts to minimize potential financial and reputational risks.
“SVM leaders are the first line of defense for organizations whose partners and suppliers process the data of EU residents on their behalf,” said Yanni Karalis, research director at Gartner. “If you don’t have clarity on your organization’s role with regards to personal data handling, you have to urgently address this.”
There are two key roles defined in the GDPR: data controllers and data processors. With the GDPR already in force, SVM leaders should already have identified every vendor-supported business process in which either the vendor or the organization acts as a controller or processor of the personal data of EU residents.
“Data controllers are the customers of data processors in any specific activity handling the personal data of EU citizens, and these roles can change depending on the activity,” said Mr. Karalis. “If the controller has chosen processors that are not compliant with the GDPR, they are risking penalties for their organization of up to four percent of annual revenue or €20 million.”
The GDPR imposes many requirements on data processors. These include obligations to process personal data only on documented instructions from the controller, to inform the controller if the processor believes an instruction infringes the GDPR, to notify the controller of a personal data breach without undue delay after becoming aware of it, and not to transfer personal data to a third country unless appropriate legal safeguards are in place.
“If you aren’t sure your suppliers meet all GDPR requirements, you need to rectify the situation immediately,” said Mr. Karalis. “Once existing relationships have been secured, you need to begin updating procurement processes to ensure GDPR requirements are built in for the future.”
The following non-exhaustive list is a great starting point for SVM leaders to set out expectations and requirements around GDPR in new contract negotiations:
“Being explicit about what you need from vendors is critical,” said Mr. Karalis. “Moreover, it’s important to explain the implications of key GDPR clauses to your stakeholders as well as to your suppliers.”