Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at firstname.lastname@example.org.
It’s interesting that the more companies you speak to, the less certain you become about whether organizations have truly readied themselves for GDPR.
Statistics exist on how prepared companies in general are for GDPR. The focus in most organizations is on the most obvious areas of the business – marketing and customer data. The Regulation is very specific about what is meant by personal data:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Well, spend doesn’t contain personal data … does it?
Be afraid, very afraid — spend data can be packed with personal data.
The Regulation states that in-scope data is:
- Personal data that is processed wholly or partly by automated means;
- Personal data that forms part of a filing system, or is intended to.
The only exclusions are things like immigration checks, police investigations, purely personal activity and personal data generated by an activity outside the scope of EU law.
So, should sourcing and procurement be worried? I would say yes.
In most company data sets within the EU there may be:
- Staff reimbursement data – many companies still pay staff by setting them up as vendors;
- Purchasing or corporate card data – many companies use an expense manager, and each card has a name associated with it;
- Invoice line descriptions – many contain components such as consultant names, e.g. “James Smith, managing consultant”;
- Temporary labour – the name of the person, their rate and other details may be included in the invoice text.
There may be a lot more personal data across e-procurement and other data sources. Data inventory analysis is designed to identify those elements … assuming that someone has realized that spend data may contain personal information.
However, does it matter? We would say yes. A name in this type of data identifies a person very quickly. We even know who James Smith, our consultant, works for: the vendor name, of course.
If you are not moving the data outside of your own environment (within the EU), the risk is reduced, though there are still several elements to consider. If you use a spend analysis provider outside of the EU, however, the problems are suddenly more acute. Our guess is that many of the larger analytics providers will have scrutinized the Regulation and accommodated the required changes already.
For many smaller providers that service European clients from outside of the EU, recognition of the complexities of the legislation may not have even started.
The Regulation goes live in under a month. The question is whether European clients, and analytics providers both inside and outside Europe, have the right level of compliance and understanding of their obligations. Those obligations aren’t optional either.
If you are an EU company, perhaps it’s time you asked your provider.
In the next article we will look at some of the complexities of spend data that sits within the GDPR domain. Part of the reason the GDPR legislation has been introduced is to fundamentally change how personal data is managed.
This isn’t a “nodding dog” legislative change – of that there is little or no doubt.