The supply chain is saturated with data. At every touchpoint, numerous data points are collected, stored, and analyzed. Everything from vendor payment information to highly sensitive employee data to customer data acquired through sales and marketing funnels flows through the database system of each supply chain partner. But the reality is that major data breaches are occurring with increasing frequency. Plus, data is often sold to other companies — whether within the same industry or not — and, prior to the General Data Protection Regulation (GDPR) enacted by the European Union in May 2018, the original owner of the data had very little, if any, say in how their data would be used.
International supply chains run far and wide. The GDPR now sits at the nexus of a network that is increasingly digital, where data sharing is quickly becoming instantaneous. But the GDPR has caused a shift in data ownership. For EU citizens, including supply chain partners located within the EU, the right to “be forgotten” and the “right to consent” regarding how their data is used clearly establish that data ownership must remain in the hands of the individual.
Consequently, if supply chain partners haven’t yet established full compliance with the GDPR’s requirements, they are risking hefty fines. Here is where the cost tradeoff comes into play: implementing GDPR-compliant policies does require upfront and ongoing costs, but noncompliance can result in fines anywhere between 2% and 4% of an enterprise’s global revenue. There is also the risk of reputational damage. Customers and employees want assurance that their data is safe, and the GDPR represents a monumental step in ensuring that enterprises deploy specific mechanisms for data privacy.
A Snapshot of GDPR Compliance
While it’s best to review the actual language of the GDPR itself, there are general rules of thumb to consider when aiming to meet the regulatory guidelines — and avoid the financial penalties associated with noncompliance. Also, keep in mind that any pre-existing contracts with supply partners within the EU should be amended to address GDPR regulations.
- Hire a data protection officer (DPO). The DPO oversees the monitoring of GDPR-compliant processes.
- When initializing all data collection processes, the data owner must have a clear understanding of what they are consenting to in regard to their data. The language used within supply chain contracts must be “given in an intelligible and easily accessible form” and use “plain language.”
- Prepare to deliver a notification within a 72-hour time span in the event of a data breach. Supply chain partners cannot wait until it’s most convenient for their enterprise to reveal an incident. Today’s customers must be made aware “without undue delay.”
- Customers can now demand an electronic copy of their personal data. As such, supply chain partners need to be prepared to supply this information upon request, without cost to customers.
- Consent for data storage and use can now be withdrawn. This “right to be forgotten” may include completely erasing the data and/or halting any further sharing of it, including with third parties to whom the data has previously been disclosed.
Ensuring GDPR Compliance in the Supply Chain
As stated previously, all of the above apply both to pre-existing supply chain partner contracts and to contracts signed after the GDPR took effect. In addition to working with a DPO, supply chain enterprises must plan for continual evaluation of the protective measures in place to safeguard customer data, as well as ongoing analysis of GDPR compliance.
Ultimately, of course, supply chain partners can try to avoid the added costs of GDPR alignment by working with non-EU enterprises. But the GDPR has been a clarion call to other governments that are likely to adopt similar policies. In short, establishing a GDPR-compliant system will better prepare supply chain partners for future data regulation requirements stemming from non-EU jurisdictions.