Category Archives: Guest Author

GDPR – still avoiding the problem? (Part V)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

In our last post we noted that those with extensive risk management experience know that avoidance is a key strategy for risk minimisation.

We also noted that this may well be a very feasible option for those analytics suppliers outside of the European Union.

The GDPR actively supports the anonymisation approach:

“The principles of data protection should …. not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

By removing or replacing data elements this satisfies another element of the Regulation – pseudonymisation:

“the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” (Article 4).

Credit card or card account numbers can be used to identify a person – many card systems encrypt or hash the card number if expense managers are used. Once again, it pays to do the data homework.

The salvation for many spend analytics providers is to encourage the client to set data extract routines that eliminate these types of personal data.

However, that still leaves us with the less easily manageable data component of personal data buried within invoice line descriptions or other ERP free text fields.

Once GDPR becomes recognised as the “new paradigm”, analytics providers are likely to claim that they have all sorts of (chargeable) capability to remove this data or anonymise it. This is more likely to revert to a line by line manual check as opposed to anything technically complex or ground breaking.

There is nothing intrinsically wrong with this approach. It may be time consuming but will follow the usual pattern of spend analytics data management. The first stage of the dataset build is historical data construction. If all historical spend data is checked and anonymised, then monthly refresh data is much lower volume, and the patterns where personal data may exist may already have made their presence known.
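An added example (not from the original post or its author) of preparing a P Card extract along these lines: the cardholder column is dropped, the card number is replaced by a keyed token whose key stays with the client, and free-text lines that may carry personal data are queued for the manual check. The column names, key and sample rows are constructed, and HMAC-SHA-256 is this example's own choice of keyed hash.

```python
import csv
import hashlib
import hmac
import io
import re

# Assumption: this key is the "additional information" of Article 4. It stays
# with the client and never travels with the extract sent to the provider.
PSEUDONYM_KEY = b"constructed-demo-key-kept-apart-from-the-extract"

# Constructed sample extract; the column names are hypothetical.
SAMPLE_EXTRACT = """card_number,cardholder,cost_centre,supplier,amount,description
4111111111111111,J Smith,CC-1040,Acme Stationery,84.10,Printer paper
4111111111111111,J Smith,CC-1040,City Taxis,23.50,Taxi for Jane Smith to airport
5500005555555554,A Patel,CC-2210,Hotel Nord,310.00,2 nights contact a.patel@example.com
"""

DIRECT_IDENTIFIERS = ("cardholder",)  # removed outright
KEYED_FIELDS = ("card_number",)       # replaced by a keyed token

# Constructed starting set of free-text patterns that send a line to review.
REVIEW_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card_like_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def pseudonym(value, key=PSEUDONYM_KEY):
    """Keyed token: the same card always maps to the same token, so spend still
    groups per card. A plain unkeyed hash of a card number can be reversed by
    enumerating candidate numbers; without the key this token cannot."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def review_reasons(text, known_names):
    """Return the reasons a free-text field needs a manual look."""
    reasons = [name for name, pat in REVIEW_PATTERNS.items() if pat.search(text)]
    lowered = text.lower()
    if any(re.search(r"\b" + re.escape(n) + r"\b", lowered) for n in known_names):
        reasons.append("known_name")
    return reasons


def prepare_extract(raw_csv, key=PSEUDONYM_KEY):
    """Return (cleaned_rows, review_queue) for a raw CSV extract."""
    rows = list(csv.DictReader(io.StringIO(raw_csv)))
    # Names found in the identifier columns become search terms for free text.
    known_names = {part.lower() for row in rows for field in DIRECT_IDENTIFIERS
                   for part in row[field].split() if len(part) >= 3}
    cleaned, review_queue = [], []
    for line_no, row in enumerate(rows, start=1):
        out = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        for field in KEYED_FIELDS:
            out[field] = pseudonym(row[field], key)
        reasons = review_reasons(row["description"], known_names)
        if reasons:
            review_queue.append((line_no, reasons))
        cleaned.append(out)
    return cleaned, review_queue


if __name__ == "__main__":
    cleaned_rows, queue = prepare_extract(SAMPLE_EXTRACT)
    for item in queue:
        print("review line", item[0], "because", ", ".join(item[1]))
```

The review queue only narrows the manual check; names that never appear in a structured column will not be flagged by it.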

Vendors and clients are therefore taking all reasonable precautions with the data. If the data can have all personal elements removed, then GDPR does not apply. The “shotgun approach” for web providers is to use full access encryption…but this could be prohibitive in cost terms.

So, what is the risk? Spend data with personal data content has to align with the Regulation both within the EU and when data is transferred outside of the EU. The use of surgical data techniques can reduce the risk and perhaps even reduce the data to non-personal in nature.

The alternative option is to leave the personal data and adhere to the range of controls that are required to manage that information. We have yet to cover these controls in any detail.

As we will discuss in a later post, staff, employee data and personal data may also be subject to consents, a considerably more complex issue under GDPR. With new elements like the right to be forgotten, it may be simpler just to remove the data components.

No one said this was going to be easy.

Thanks, Tony.

GDPR – avoiding the problem? (GDPR Part IV)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

For those with extensive risk management experience, avoidance is a key strategy for risk minimisation.

For those analytics suppliers outside of the European Union, this may well be a very feasible option. If we assume that spend data could contain P Card holder names, personal data in staff reimbursements and personal details in invoices – what are the avoidance options?

A myriad of options exist that analytics providers can deploy to avoid the personal data problem in risk terms. The first and most obvious option (and the least acceptable) is to refuse to take data from clients that may contain personal data. However, the old adage applies that “some will always take the business, and someone will always do it cheaper”. It’s also not tenable under the GDPR: the fact that the client says the data is “personal data free” may not stand up if a breach occurs.

There is an old English adage that simply states that “you can’t eat a horse at one sitting”. If we start to break the problem up into manageable components, the potential issues become less intimidating.

One of the major areas of concern is P Card data. In the UK, many local councils and authorities publish their P Card data for public access (in Excel files) on their websites – but with no personal cardholder data. It really focuses on the core question – does the client really need the name of the cardholder or the card number – or is the supplier spend the key focus? If the card data is extracted post reconciliation (if an Expense Manager is used for card management), the data will contain a cost centre. If the cost centre structure is loaded as a hierarchy it can be relatively easy to see where spend is occurring within the organisation – but not who incurred the cost.

The second key area is staff reimbursements. Many companies still set staff up as vendors to pay reimbursements. This spend too is quite insightful and may deliver several sourcing opportunities. However, it still leaves the personal data in the file that may be extracted from the ERP. For this element of the data, it may be far simpler to create a data mechanism that identifies those vendor master entries on the client ERP with a data flag of some kind. For statutory tax reporting purposes, many corporate clients are required to account for reimbursements for staff (for taxation purposes e.g. Fringe Benefits). So, if the client can remove staff names or attributable identifiers, then that will eliminate or avoid the data issue. In effect, there is the possibility that the problem can be eliminated on the client extract, but you must ask the client more about how they are extracting their data and guide them as to how they can better manage their data for GDPR compliance to prevent getting data you don’t want.

In many respects, spend analysis providers have had it really easy up until now. They simply give the client a data extract request, the client provides what they can, and the provider builds the dataset. GDPR for EU clients makes this process less simple from 25th May. Why?

To be continued!

Thanks, Tony.

GDPR and non-EU Spend Analytics Providers … Mortal Peril? (GDPR Part III)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

While there has been much debate within EU countries around the preparation for GDPR on the 25th of May, the level of knowledge and preparation for those suppliers of analytics platforms and services outside of the EU remains largely an unknown. Controversially, our assessment is that many customers/suppliers will have ignored it and assumed that it doesn’t apply.

If your spend analysis provider is a large, well-known brand name with a global presence, it is highly likely that they will have opted for the binding corporate rules option. This is a complex and intricate process but is essentially a means of larger data service/analytics providers applying to the EU to establish the provision. The supplier submits a BCR application to one of the EU Supervisory bodies (one of the 27 EU members). These are termed Lead Authorities. Once the checks have been completed and the Lead Authority is satisfied with the adequacy of the data privacy safeguards in place, the Lead Authority decision is binding across all Supervisory authorities in other European states. However, as in much European legislation, member states may have additional requirements.

Once Binding Corporate Rules (BCR) status has been achieved:

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the 8th data protection principle and Article 25 of Directive 95/46/EC.

However, what of smaller providers? Not so easy – and it can become rapidly more complex.

The EU has two other provisions for managing data that contains personal information – the rule of adequacy and safeguarding.

Not surprisingly (shock) all 27 EU members meet the rule of adequacy. Adequacy is simply defined around the level of protection at national level.

For other countries who are non-EU, the EU will judge this on the national rule of law; respect for human rights and fundamental freedoms; and relevant legislation, both general and sectoral, including public security, defence, national security and criminal law. Simple enough …

Now the bad news. There are only some 11 countries globally that are deemed to meet this level of adequacy. These include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. If your spend analysis provider lives in any of these countries – that’s fine. Happy days.

However, what if they don’t? The new Regulation is simple in objectivity. The GDPR change removes a controller’s (or data owner, we will explain controller and processor in the next few posts) previous ability to transfer personal data outside the EU where this is based only on your own assessment of the adequacy of the protection afforded to personal data. More work to do.

This brings us to the last option – safeguarding.

Safeguarding means just that – can the supplier offer sufficient safeguards with data containing personal information?

However – can the problem be eradicated and avoid GDPR regulations?

We will cover these areas in the next post. Our advice as always – find a lawyer who understands the regulations and can guide you either as a customer or supplier. If you are in doubt, get advice.

If you breach the regulations – it could get expensive.

Thanks, Tony.

Recycling Efforts in Trouble due to the Political Climate?


Today’s guest post is from Brian Seipel, a Procurement Consultant at Source One Management Services focused on helping corporations understand their spend profile and develop actionable strategies for cost reduction and supplier relationship management.

There are plenty of opinions when it comes to the environment on both ends of the political spectrum. You can likely find thousands of posts across the internet on the topic, were you so inclined. I promise that this post doesn’t delve into either side’s take on the planet or our stewardship of it.

So where else might a post on recycling and politics go? More to the point, how does it align with news Procurement pros may be interested in? As it turns out, plenty of Procurement pros have a stake in the fate of our collective trash.

And in terms of America’s biggest partner in the recycling process, China, we have a problem thanks to a ban set to take effect in Q1 of 2018.

Setting the stage

A good amount of paper, corrugated, and plastic packaging products can be recycled and reused to create new packaging materials. These same materials can also be transformed into other products and, likewise, other products can be turned into packaging. Plenty of packaging procurement initiatives touch upon recycled materials.

At the heart of this recycling transformation are the organizations who purchase these recycled materials so they can be remade into valuable products. Since the early 2000’s, these organizations have been overwhelmingly found in China. In terms of American exports of bales of scrap, China is our number one partner, with these facilities importing over $5.6 billion annually in American paper, metal, and plastic scrap.

It isn’t just the US that exports recyclable scrap to China – the International Solid Waste Association reported in 2014 that 56% of the world’s scrap was exported to China. Clearly, any disruption to China’s buying habits of this scrap material will have very real effects on recycling initiatives globally. In turn, companies involved in the purchase of products made from recycled materials should keep an eye on these import-export relationships.

So what’s the problem?

Recycling isn’t easy – a lot of work needs to be done to get scrap material in shape to recycle. It takes real resources to process scrap material. The cleaner and better sorted scrap is when it arrives at a Chinese factory, the easier, faster, and more lucrative it is to convert to recycled materials. As such, it isn’t surprising that China has been more and more interested in ensuring a quality scrap product in recent years.

This demand for better scrap material, and objection to what China is calling excessively contaminated shipments, have led the country to ban a number of solid waste imports.

This could potentially have a direct impact on the availability of “virgin” materials as we move forward into the ban next year. For example, fewer sources of recycled paper products could lead to a tighter pulp supply and higher costs.

How Will the Scrap Industry Respond?

Assuming China does, in fact, move ahead with plans to ban key scrap imports, American companies are going to have to come up with a response. Several are on the table:

  1. Forego recycling, and send scrap shipments to the landfill instead.
    This is not the greatest of solutions by any means, but if companies take no steps to change behavior, this will be the natural result of a “do-nothing” stance on the problem.
  2. Fight the ban on a socio-political basis.
    From the language of the ban, to the impact the ban will have on businesses both foreign and domestic, there is certainly opportunity to challenge China’s path forward in terms of viability.
  3. Add more quality controls.
    In terms of recycling, an empty soda can is both garbage and a product. If China’s main concern is one of quality control, then steps taken to improve quality levels (in other words, ensuring a process that removes contaminates before bales of scrap are sent to China) may alleviate China’s concerns, and help move the scrap industry back on track.
  4. Further develop and strengthen alternative markets.
    Local organizations may also benefit from building some diversity into their strategies. China put a very fine point on the issue with this waste ban, but their intentions aren’t new, either. China has been increasing their scrutiny of imported scrap bales for the last several years, leading to the rejection and return shipment of subpar bales. Some American exporters have used these intervening years to plan alternative outlets for their scrap. This may include finding other countries to export to, or finding local customers for this scrap material.

The Institute of Scrap Recycling Industries (ISRI) is a US-based trade association made up of organizations from 30 countries that represent the lifecycle of recycled materials, from processing to brokerage to industrial consumers. ISRI released a nine-page response to China’s ban, which provides a few key talking points. Essentially, ISRI’s opening response combines items two and three above.

The response opens by challenging the language of China’s ban, arguing that clarification is required on China’s end to better outline how the ban will be enacted (ISRI suggests, of course, that China should follow guidelines developed by ISRI to achieve this goal). Simultaneously, the response calls China’s own capabilities into question in comparison to the United States’ recycling industry: “where it takes 1,150 tons of recyclable fiber to make 1,000 tons of new paper in the United States, it takes 1,300 tons of recyclable fiber to make the same 1,000 tons of new paper in China. As a result, Chinese manufacturers have come to rely on the supply of high‐quality scrap from abroad in order to stay competitive.”

Moving forward

It is too early to say what the true impact will be moving into 2018. The American scrap industry has set wheels in motion to fight the ban politically, as well as ramp up efforts to either improve scrap exports to China or find alternative destinations for the material.

One thing is certain, however. Moving forward, Procurement teams in markets that rely on recycled materials should keep their eyes open and attention focused on China’s next moves.

Thanks, Brian.

Put an (Enormous) Bow on It: The Dual-Sourcing Strategies Behind Holiday Car Commercials

Today’s guest post is from Jennifer Ulrich, an Associate Director and Category Planning Subject Matter Expert at Source One Management Services as well as a contributing author of Wiley & Sons’ “Managing Indirect Spend: Enhancing Profitability”.

The holiday season is upon us, and you know what that means.  Procurement professionals aren’t the only folks stressing over purchases. All over the world, people are going to market in search of suppliers that’ll provide the gift from the commercial. They want to source a product worthy of jingles and voice-over narration. Maybe it’s a car they’re looking for. In that case, they’re embroiled in procurement campaigns with one big, red goal in mind.

The commercials make the process look easy.

Holiday advertising campaigns paint a wildly simplistic picture of the purchasing decision-making process. Viewers are not only expected to believe such enormous bows exist, but also forced to ignore the complexities of purchasing initiatives. They focus exclusively on immediate outcomes. Favouring hugs and hand holding to the hard work of market research and implementation, they depict a world that can only exist in 30-second pieces.

In a Procurement context, every commercial implies that its amateur Supply Management unit has settled on a single-source solution.  The product – whatever it is – solves a problem, fills a gap, or answers a question instantly.  We’re meant to understand that the supplier (in this case, a vehicle manufacturer) will always meet service expectations.  New cars are never shown replacing a predecessor. Instead, they sit alone in the driveway waiting for the happy family to ‘unwrap’ them and drive into the New Year.

But what really happens as December turns to January and February?  More likely than not, the happy family will employ something like a dual-source strategy. Let’s take a look behind-the-scenes.

Our family has enjoyed a long relationship with the incumbent vehicle. So far, it’s provided value adds in the form of great fuel economy statistics and a comfortable interior.  They’ve also upheld their end of the ‘supplier relationship’ by changing the oil and bringing the car in for regular inspections.  Recently, however, the car’s performance has shown room for improvement.  Maybe the transmission is making a strange sound, or perhaps the family has children on the way and needs something bigger. Whatever their reasoning, this impossibly photogenic family has begun to survey the market.

After months of careful consideration, they’ve located a cost-effective, environmentally-responsible option that promises years of happy driving.  Now, they’re all set for its dramatic unveiling.  That doesn’t mean they’re selling the old car for scraps.  After all, it’s still the supplier they’re most comfortable with, and there’s no guarantee the new car will work as planned.  Retaining the old stand-by as a secondary option greatly reduces the risks associated with such a large purchase.  The old car will enable them to slowly familiarize themselves with the new one’s features and functionality while providing a fall-back plan if something unexpected should occur.  Though they’ll gradually drive the old car less and less, it should prove essential as they transition to an exclusive relationship with their new vehicle.

For companies, employing a dual-sourcing strategy can prove similarly effective for minimizing risk and easing into a new supplier relationship.  Like trusted automobiles, supplier relationships sometimes suffer as years of wear and tear accumulate.  Savvy Procurement professionals are always scanning the market in search of more competitive options, but making a switch is rarely simple.

Long-time suppliers tend to ingrain themselves within a company’s operations and culture.  New vendors can’t hope to equal the trust they’ve established, the value they’ve provided, or the solutions they’ve implemented overnight.  Sending the supplier to the junkyard might prove as short-sighted as scrapping a perfectly good car.  The most responsible and cost-effective option might be to gradually cut ties with the incumbent provider.  That way, companies can enjoy the dependability they’ve grown accustomed to as they begin to establish and optimize their new relationship.  With consistent communications throughout the implementation process, companies should enjoy smooth transitions that satisfy their needs without inviting undue risk or putting too much strain on either supplier.

A dual-sourcing strategy won’t get your company on a commercial.  Responsible behaviour rarely winds up on television.  Still, as a low-risk, cost-effective plan your dual-sourcing system should set you up to more confidently make bold purchasing decisions in the future.  Procurement might never present your company with a big, red bow, but it should annually provide the gift that keeps on giving: sustainable cost savings.

Thanks, Jennifer.