Category Archives: Guest Author

GDPR: The “Contract” (Part XI)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

Marvin Ammori, the US innovation lawyer suggests that:

one goal of law — as we learn in Law School from the first day of Contracts, is to deter bad behaviour”.

There is some truth in this statement. The GDPR has largely been a response to the failure of legislation to control data privacy issues. The UK Data Protection Act (1998) was deemed, in many respects, to have a series of major shortcomings — as did other EU member state privacy legislation. There was also the issue of Commission wide inconsistency between member states. So, the GDPR was born and ratified quickly by all 27-member states – a miracle in its own right.

So how are contracts likely to be framed?

There has been much dialogue on supervisory body sites around the notion of model clauses. The UK ICO website contains a range of links that have been carefully and studiously followed. The site makes very clear that any model clauses cannot be altered if they are used by organisations.

Eventually, despite searching, it is clear that there are still no model clauses that have been agreed and issued by the EU. The ICO website clearly states:

The GDPR allows for standard contractual clauses from the EU Commission or a supervisory authority (such as the ICO) to be used in contracts between controllers and processors – though none have been drafted so far.Source

Implementation of the regulation is history — and yet there is still little guidance for companies on these contracts.

However, the site does provide a broad and wide-ranging series of guidance states for processors (we covered these in the last posting).

The guidance is confusing. However, over the next few posts we will attempt to try and provide some of the core elements that processors, both within and outside of the EU should provision for contractually during this transition period.

Given the impact and wide-ranging nature of the regulations it does tend to communicate that the implementation of the detail of the EU legislation is still underway — but is still literally an unfinished symphony (or cacophony).

However, over we will try and rationalise some next steps while the clauses are drafted. In many respects, most companies can take the available guidance – and create compliant contracts. Like most of the posts — we suggest you take legal advice if you are in doubt.

We did say it wasn’t easy.

Thanks, Tony!

GDPR: Processor obligations (Part X)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

In the last post, we looked at some of the conditions and responsibilities that processors have regarding personal data that is exported outside of the European Union – we will continue with that theme and then move on to start examining the contractual elements. There’s a lot to digest, even if we are breaking this series into digestible chunks — so grab some coffee first if you must.

The GDPR is quite clear on the responsibilities of processors – in addition to the responsibilities itemised in my last post, they must:

  • assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR – this means that a processor may have to help identify and report any data that is part of a data subject access request (DSAR);
  • Data Subject Access Requests will be the focus of a separate post – DSARs are likely to create a lot of overhead for some types of company;
  • assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract;
  • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR – or another data protection law of the EU or a member state.

Be aware that each member state within the EU may have local country specific conditions. You would be well advised to check especially if you operate across multiple EU member states.

For example, the UK ICO (Information Commissioners Office) warns that processors should be aware that:

  • they may be subject to investigative and corrective powers of supervisory authorities (such as the ICO) under Article 58 of the GDPR;
  • if they fail to meet their obligations, they may be subject to an administrative fine under Article 83 of the GDPR;
  • if they fail to meet their GDPR obligations they may be subject to a penalty under Article 84 of the GDPR; and
  • if they fail to meet their GDPR obligations they may have to pay compensation under Article 82 of the GDPR.

It’s a lot of potential fails – and a lot of potential penalties.

How enforceable this is for non-EU suppliers has yet to be attempted – but there is a high probability that an EU test case will emerge quickly post GDPR implementation. Like most commercial relationships, it will also revolve around the notion of a contract.

The ICO makes two points on this with its own data processing contracts:

  • that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR; and
  • the contract will enforce any indemnity that has been agreed (upon).

We will look at the contractual obligations in the next post. We cannot promise that the guidance gets any clearer from any other Supervisory Bodies across the EU.

Thanks, Tony!

GDPR: The Legal Side of the Equation (Part IX)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

As they used to say at the start of the Star Wars Movies, the saga continues. Having explored the physical options of minimisation and anonymisation, information security standards and certification –- we have the option of just, well … complying.

So, what has to be done? If you are a large global vendor in the analytics space -– binding rules is the key option as we have already suggested. For smaller, niche vendors, the regulations are a little more complex. However, not insurmountable. As we have highlighted in several posts, for US providers –- Privacy Shield is a great start.

It is illegal from 25th May to move personal data outside of Europe without the right data controls and contractual agreements in place. The UK based Information Commissioners Office (ICO) as the supervisory authority of the UK is a good place to start for detail. The ICO has written several key documents on how commercial relationships are supposed to work if personal data is moved outside of the EU. The most common arrangement is likely to be the Controller-Processor relationship. In effect, data is controlled within the EU — but processed externally. As we mentioned in a previous post, processors must have representation within the EU if they reside outside of the European Union. This is for notices from client — this contact must be published and available.

The second group of conditions relates to processor operations. The ICO documentation on this is clear. Processors must:

  • only act on the written instructions of the controller (unless required by law to act without such instructions). This means that controllers need to be clear what operations and processing will take place on the supplied data;
  • ensure that people processing the data are subject to a duty of confidence. This means that supplier organisations cannot simply state that staff “stole the data”. This means that data access in processor organisations needs to be contractually managed;
  • must take appropriate measures to ensure the security of processing. This is where the notion of certification and standards becomes prevalent.
  • must only engage a sub-processor with the prior consent of the data controller and a written contract.

None of these conditions are insurmountable –- many procurement practitioners within the European arena will have started to scrutinise a wide range of non-EU supplier contracts. Many vendors may have already been engaged on this process.

In the next post we will continue the controller-processor theme. There are several additional conditions that are required for processors.

We will post these in small doses — this keeps reading and understanding the changes a little more digestible.

We do need to warn you that from here, the GDPR starts to appear somewhat incomplete.

However, it’s a big change that has yet to be combat tested.

Thanks, Tony.

Transformation, Transmogrification …. or business as usual?

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

The web is a fascinating place, your capacity to search, ponder and read is unlimited in reality. However, whilst rummaging around I happened to read an article in Forbes from 2015 entitled Why Business Transformation Fails and How to Ensure It Doesn’t.

There is little or no doubt that the “T” word has appeared in all functional areas of business life – Finance, Operations, Procurement, Human Resources and just about any type of business. Forbes suggests most transformations that fail are due to inefficient execution (41%), followed by resource and budget constraints (35%). It is likely that failure levels are much higher – but how do you define failure? Forbes also suggest that many failures are due to a “lack of buy-in”. Sadly, that phrase is largely overused — and meaningless if you think about it for a moment or two.

Many employees go to work for income — they may not see buying-in to changes as a high priority. The article also suggests that everyone needs to be “on the same page”. Again, there is a difference in understanding and interpretation by individuals of the reason why a change is occurring and what it means for them. As with many things — there is large scale charity, change and transformation fatigue – people just see inefficient execution as the same internal muddle repeated on a regular basis. Meanwhile, every day of the week the transformation word continues to bounce back. It is clearly a fad with some time to run.

Having been part of, and subject to, a considerable number of transformations over a number of years, the best performing companies (large and small) take changes in their markets and competitive environment as business as usual drivers. Change or die. There is no such thing as transformation. It’s simply good business management. No fanfare, just outcomes, jobs and profits.

In the procurement space in particular, social media articles exhort many large organisations who have managed to deliver “empowered staff within a learning organisation” and yet very little on “the net hard savings from this transformation were … $X”. In an analysis of some (as yet un-published) recent survey data, around 43% of Chief Procurement Officers in large companies had no analytics capability. However, many had advanced contract management, e-procurement and other sourcing capability. But no analytics numbers. One can assume the usual array of uncoordinated spreadsheets.

Whilst it is easy to accept the premise that executives inherit environments, the procurement focus should be on numbers and savings or realized value (if Procurement helped with an initiative that increased sales, that should be captured too). If you don’t have the numbers, get them. The issue may simply be that inefficient transformation execution means that little or no rigour is attached to the expected outcomes. It starts with a pre-change number and ends with a post-change number. What gets measured gets attended to. What people need to read are change strategies that they can emulate to drive down costs.

As will emerge shortly, the collapse of Carillion is likely to have been driven by managers who were transforming visionaries. They just needed to manage the business through market and competitive change. In effect, just get on with it.

Thanks, Tony.

GDPR – still avoiding the problem? (Part V)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

In our last post we noted that those with extensive risk management experience know that avoidance is a key strategy for risk minimisation.

We also noted that this may well be a very feasible option f-or those analytics suppliers outside of the European Union.

The GDPR actively supports the anonymisation approach:

The principles of data protection should …. not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

By removing or replacing data elements this satisfies another element of the Regulation – pseudonymisation:

the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” (Article 4).

Credit card or card account numbers can be used to identify a person – many card systems encrypt or hash the card number if expense managers are used. Once again, it pays to do the data homework.

The salvation for many spend analytics providers is to encourage the client to set data extract routines that eliminate these types personal data.

However, that still leaves us with the less easily manageable data component of personal data buried within invoice line descriptions or other ERP free text fields.

Once GDPR becomes recognised as the “new paradigm”, analytics providers are likely to claim that they have all sorts of (chargeable) capability to remove this data or anonymise it. This is more likely to revert to a line by line manual check as opposed to anything technically complex or ground breaking.

There is nothing intrinsically wrong with this approach. It may be time consuming but will follow the usual pattern of spend analytics data management. The first stage of the dataset build is historical data construction. If all historical spend data is checked and anonymised, then monthly refresh data is much lower volume – and patterns where personal data may exist may have already made their presence known – a pattern.

Vendors and clients are therefore taking all reasonable precautions with the data. If the data can have all personal elements removed, then GDPR does not apply. The “shotgun approach” for web providers is to use full access encryption…but this could be prohibitive in cost terms.

So, what is the risk? Spend data with personal data content has to align with the Regulation both within the EU — and transferring data outside of the EU. The use of surgical data techniques can reduce the risk and perhaps even reduce the data to non-personal in nature.

The alternative option is to leave the personal data and adhere to the range of controls that are required to manage that information. We have yet to cover these controls in any detail.

As we will discuss later in a later post, staff, employee data and personal data may also be subject to consents. A considerably more complex issue under GDPR. With new elements like right to be forgotten it may be simpler just to remove the data components.

No one said this was going to be easy.

Thanks, Tony.