Monthly Archives: May 2018

GDPR: What is Required of Processors / Controllers? (Part VII)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

In our last article we noted that a key concept under GDPR (with respect to any data set that potentially contains data that could identify an individual person) is the difference between a controller and a processor, and what requirements are placed on each. Generally speaking, a spend analytics (service) provider will be a processor and may, or may not, also meet the definition of a controller. [It all depends upon whether the customer gives the provider the ability to determine the purpose and/or means of data processing. In most cases, the provider will have some leeway and will be a controller as well.]

So, what does the regulation require of a processor/controller?

The first fundamental change is around where either the controller or the processor is not established within the Union.

In this case, suppliers will need to designate in writing a representative within the European Union.

“The representative shall be mandated to be addressed by supervisory authorities and data subjects for the purposes of the Regulation. Designation of a representative does not absolve controller or processor from legal liabilities”.

Simply put, it means that if you are outside of the EU, and you process any personal data that originates from within the EU area, you must have a representative within Europe.

This creates a range of issues, as it may well imply that any provider that services data from multiple countries may require multiple representatives: each supervisory authority within each European country may require a representative of its own.

However, given the volume of suppliers that are involved in managing and processing personal data outside of the European Union for EU clients, how well Supervisory Authorities can manage and track these volumes of suppliers is questionable. Nevertheless, the fundamental shift in the regulation is that, legally, suppliers must now declare that presence. If there are data breach problems later, and an investigation is required, it may well generate a much wider range of breach elements. Like unpicking the thread on a sweater, the Supervisory Authority has wide-ranging investigative powers.

For those that opt to process or control personal data from the European Union, the new Regulations contain a suite of additional procedural requirements. We will start to cover these elements in the next article. However, if you are unsure about the legal elements, as we have said on several occasions, we suggest you consult a legal firm that specialises in the Regulations.

Thanks, Tony.

GDPR: Are you a Controller or a Processor (Part VI)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

It was Glenn Hoddle (English soccer player) who wrote:

“I have a number of alternatives, and each one gives me something different”.

For many spend analysis providers (or other procurement tools providers) and their clients that manage personal data, the alternative may simply be to change nothing technically and keep going with the status quo, implementing the requirements of the GDPR regulations around the existing process.

Like most alternatives, there are trade-offs. If eliminating personal data is practicable, then that may be the first viable alternative for suppliers. However, leaving the process as-is and implementing the EU-required controls may be the better option longer term.

However, there are several key changes required by 25th May. Being GDPR compliant requires those controls to be in place prior to that date.

The key concept in this article is ensuring that analytics suppliers understand the difference between a controller and a processor. For commercial data that contains no personal data, this concept is inapplicable and no further action is required.

Under GDPR, the controller means:

“ … the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

In most cases, the controller will simply be the client.

After all, they will supply the data and direct what they want to happen with those transactions.

The processor is defined as:

“ … a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

To all intents and purposes, most spend analytics providers within (and external to) the EU may be either a controller or a processor (or both).

For companies that use serviced systems outside of the EU, the providers of those systems are therefore processors. Being outside of the EU creates a number of key criteria that need to be met for compliance.

There is also a very clear definition in the Regulation about what constitutes processing:

“ … It means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Therefore, by default, any serviced analytics provider generically meets this definition.

So, what does this mean? Come back tomorrow for our next installment!

Thanks, Tony.

One Thousand One Hundred and Fifty Years Ago Today

A copy of the Chinese version of the Diamond Sutra was dated (before, at some point, being lost to history until its rediscovery in the Mogao Caves of Dunhuang on June 25, 1900).

So why do we care about an old book?

First of all, it’s the oldest known dated book in existence, printed at least 585 years before Gutenberg printed his first bible. Even though the invention of the printing press is attributed to Gutenberg, he was just the first person to create a press out of metal. Woodblock printing was developed in China approximately 1200 years before Gutenberg developed his press, with examples of woodblock-based cloth printing dating back to before 220 AD and the earliest examples of woodblock-based text printing dating back to the Tang dynasty in the 600s. However, books were not dated at that time, making the Diamond Sutra, from 868 AD, the first dated book.

However, what matters to us is not just that this was the first dated book, which is quite relevant to copyright and legal systems — which now use dates to determine inventorship, ownership, and so on — and to those of us who want to understand the origination of a work.

What’s really relevant to us is that accompanying the date was a dedication that said “for universal free distribution”, making it the first known creative work with an explicit public domain dedication. It seems that formally dedicating a work to the public domain to ensure its continued free usage may not be as recent an occurrence as we might think.

And it’s another example of just how rich and innovative the cultures of the East have been over time, and why we should learn all we can instead of putting up trade barriers.

Supply Management Priorities are Hard to Define

As per yesterday’s post, figuring out your priority can be particularly painstaking because the maximum benefit of a module is only realized when certain supporting systems are in the mix.

If we reverse our last post, you might well think that you need the following core modules (on the right) to benefit from the indicated modules (on the left), and you might well be right.

Spend Analysis –> Product Management, Category Management
e-Negotiation –> Spend Analysis, SSDO, Guided Buying
SSDO –> Spend Analysis
Contract Management –> Spend Analysis, Requirements Definition, Product Management
Catalog Management –> Supplier Management, e-Negotiation, Guided Buying
Purchase Order / Invoice Management –> SSDO, Guided Buying, Catalog Management, Supplier Management
Supplier Management –> Opportunity Analysis, e-Negotiation
Risk Management –> Opportunity Analysis, Contract Management
Product Management –> Contract Management, Guided Buying

But something interesting falls out of this. You don’t really need anything to get started on supplier management, and the only thing you need to benefit from e-Negotiation is a way to make use of the data (be it spend analysis, optimization, category-management-based guided buying, etc.). And when you start on your supplier management journey, the starting point is supplier information management (followed by data-backed supplier performance management).

What does this tell us? The starting point is a (set of) solution(s) that helps you get your supply management master data under control. After that, the primary buying categories, the market, the internal situation, and a host of other factors will need to be balanced to select your next (set of) priority(ies), but without data, you’re not going anywhere.