How Data Privacy Regulations Affect Your Supply Chain

This past May, the European Union’s General Data Protection Regulation (GDPR) went into effect. The comprehensive regulations shift the dominant paradigm of online data from an opt-out model, in which users had to take action to control their data, to a privacy by design model where privacy and user control must be up-front and center.

This small shift has wide-ranging impacts. While for most people, GDPR meant their email in-boxes were flooded with updated privacy notices and email opt-in requests, in the business world, it was when data privacy and protection became a required business practice and no longer optional.

In fact, companies would not have been caught of guard had they been following the basic tenets of corporate social responsibility. Privacy is increasingly being accepted as core to good CSR, and forward-thinking companies have been integrating it into the policies for years. Companies should not merely be taking privacy seriously, and ensuring that all of it suppliers and other actors along a supply chain are complaint merely because of GDPR, but because it is part of their core values as good corporate citizens.

One area especially affected is a company’s supply chain. Because GDPR gives little leeway for non-compliance, has strict enforcement mechanisms, and applies to all companies that do business in Europe (whether they’re based there or not) supply chains – which often cross multiple markets and borders – are key to GDPR compliance. This means that all companies that do any business whatsoever with Europe must not only comply with the GDPR by receiving adequate consent from users whose personal data they store, they must also ensure that all of their suppliers and the technologies they use are compliant as well.

“The revolutionary technologies that have enabled modern business, such as infrastructure as a service, platform as a service, software as a service, and business processes as a service, all need to be reexamined under the new rules,” said Nazli Erdogus, a senior solution consultant at Kinaxis, a supply chain management company based in Canada.

To do this, companies must first understand what data practices along their supply chains look like, which often requires audits and risk assessments centered around data privacy. While that sounds like a daunting task, forward-thinking companies should have had time to prepare as there were two years between GDPR being passed and going into effect. During that period, many supply chain experts, platforms operators, and industry leaders worked to create strategies for how companies around the world could factor in how GDPR’s data privacy requirements would impact operations.

“I believe most U.S. companies, especially ones that have global business, are aware of the GDPR impacts in their operations at this point,” said Erdogus.

At the same time, data shows that many companies have dropped the ball. A study from CompTIA in April 2018 of 400 U.S. companies discovered that only 13 percent were fully GDPR compliant. While that number is likely higher now, the survey shines a light on the scope of change that GDPR created in how businesses manage and handle data.

According to experts, some key factors that companies need to consider to ensure that their supply chains are GDPR compliant includes creating mechanism to structure data, audits to understand where data is held, protocols to react to situations such as “right to be forgotten” requests, and regular data and privacy audits.

The good news it that there are several new tools and platforms for vendor management that factor in GDPR compliance into their frameworks, reducing risk for companies, particularly smaller ones that may lack the resources to conduct detailed audits or even provide guidelines to all of their suppliers. But to truly succeed in this environment, Erdogus believes that companies need to make data privacy part of their corporate culture.

“Training employees is also a big part of this puzzle. Awareness comes from within, not just at a Data Protection Office,” said Erdogus. “Companies should ensure within their supply chain organizations, employees have been given right information as to what it is to protect data and the privacy of that data.”

GDPR is not going away. In fact, it is likely only the start, and we’re already seeing moves in other places, such as California, which passed its own strong data privacy law earlier this year. What this means is that companies can only be certain of one thing: Protecting privacy and ensuring that customer, supplier, and client data is compliant with all regulations will become only a bigger challenge in a more interconnected business world. The future of supply chains will be secure, privacy-protecting, and one in which data is no longer handed haphazardly.