GDPR: The Legal Side of the Equation (Part IX)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

As they used to say at the start of the Star Wars Movies, the saga continues. Having explored the physical options of minimisation and anonymisation, information security standards and certification – we have the option of just, well … complying.

So, what has to be done? If you are a large global vendor in the analytics space – binding rules is the key option as we have already suggested. For smaller, niche vendors, the regulations are a little more complex. However, not insurmountable. As we have highlighted in several posts, for US providers – Privacy Shield is a great start.

It is illegal from 25th May to move personal data outside of Europe without the right data controls and contractual agreements in place. The UK-based Information Commissioner's Office (ICO), as the supervisory authority of the UK, is a good place to start for detail. The ICO has written several key documents on how commercial relationships are supposed to work if personal data is moved outside of the EU. The most common arrangement is likely to be the Controller-Processor relationship. In effect, data is controlled within the EU — but processed externally. As we mentioned in a previous post, processors must have representation within the EU if they reside outside of the European Union. This is for notices from the client — this contact must be published and available.

The second group of conditions relates to processor operations. The ICO documentation on this is clear. Processors must:

  • only act on the written instructions of the controller (unless required by law to act without such instructions). This means that controllers need to be clear what operations and processing will take place on the supplied data;
  • ensure that people processing the data are subject to a duty of confidence. This means that supplier organisations cannot simply state that staff “stole the data”. This means that data access in processor organisations needs to be contractually managed;
  • take appropriate measures to ensure the security of processing. This is where the notion of certification and standards becomes prevalent;
  • only engage a sub-processor with the prior consent of the data controller and a written contract.

None of these conditions are insurmountable – many procurement practitioners within the European arena will have started to scrutinise a wide range of non-EU supplier contracts. Many vendors may have already been engaged on this process.

In the next post we will continue the controller-processor theme. There are several additional conditions that are required for processors.

We will post these in small doses — this keeps reading and understanding the changes a little more digestible.

We do need to warn you that from here, the GDPR starts to appear somewhat incomplete.

However, it’s a big change that has yet to be combat tested.

Thanks, Tony.

Sourcing Innovation is 100% GDPR Compliant!

How do we do it? No personal data!

That’s right, as of today (May 25, 2018), we have no personal data!*

But you’re a blog, don’t you have subscription lists?

Nope!

Sourcing Innovation turned subscriptions off three (3) months ago and deleted any and all lists it had to allow sufficient time for all the regular backups at my host to overwrite all the old backups to make sure that even backups at the host didn’t have any personal data.

But doesn’t that hurt your traffic?

Nope!

1) If people get the posts, they don’t come to the blog.
(And it’s traffic stats that matter, right? At least that’s what marketers tell me since I would never, ever send anything to my lists on anyone’s behalf, not even paying clients of ToP KaTS!)

2) Subscriptions accounted for, like, at most 1% of traffic anyway (with generous rounding).
(Most people these days that don’t directly come to the blog come in through LinkedIn, Twitter, and Google. Bulk email gets relegated to spam or deleted by most mail clients [and sometimes mail servers] anyway. Even the few people who wanted the posts in their inbox often told me in the past they didn’t get the posts when I could check the logs and see they were sent out.)

But what if I want to subscribe?

Fear not! Subscriptions will be re-opened in the (near) future!

Yesterday, my host implemented the new version of WordPress that came with WordPress’ new GDPR Privacy and Security policies and the new WordPress tools to help remove, and ensure removal of, private user data on user request.

My host’s new GDPR privacy and security policy goes into effect today.

As soon as:

1) I can test and confirm that you can easily opt out when you want to opt out and your data goes bye-bye if you do opt-out and

2) I am sure that my host’s systems and procedures have been updated in line with their policies to ensure 100% compliance across all their clients (which includes backup erasures / overwrites on request to ensure expunging of personal data),

subscriptions will be cued to reopen!

In the meantime, keep doing what the 99%+ do — blog, LinkedIn, Twitter, and Google.

The Fail Whale rarely makes an appearance these days, so you can always start with Twitter!

* This statement is valid only until such time as subscriptions re-open. At that point in time, SI may begin to collect personal data subject to our Privacy/PIPEDA/GDPR policy, so please bear this in mind if accessing this post after May 25, 2018.

Transformation, Transmogrification …. or business as usual?

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

The web is a fascinating place, your capacity to search, ponder and read is unlimited in reality. However, whilst rummaging around I happened to read an article in Forbes from 2015 entitled Why Business Transformation Fails and How to Ensure It Doesn’t.

There is little or no doubt that the “T” word has appeared in all functional areas of business life – Finance, Operations, Procurement, Human Resources and just about any type of business. Forbes suggests most transformations that fail are due to inefficient execution (41%), followed by resource and budget constraints (35%). It is likely that failure levels are much higher – but how do you define failure? Forbes also suggest that many failures are due to a “lack of buy-in”. Sadly, that phrase is largely overused — and meaningless if you think about it for a moment or two.

Many employees go to work for income — they may not see buying-in to changes as a high priority. The article also suggests that everyone needs to be “on the same page”. Again, there is a difference in understanding and interpretation by individuals of the reason why a change is occurring and what it means for them. As with many things — there is large scale charity, change and transformation fatigue – people just see inefficient execution as the same internal muddle repeated on a regular basis. Meanwhile, every day of the week the transformation word continues to bounce back. It is clearly a fad with some time to run.

Having been part of, and subject to, a considerable number of transformations over a number of years, the best performing companies (large and small) take changes in their markets and competitive environment as business as usual drivers. Change or die. There is no such thing as transformation. It’s simply good business management. No fanfare, just outcomes, jobs and profits.

In the procurement space in particular, social media articles exhort many large organisations who have managed to deliver “empowered staff within a learning organisation” and yet very little on “the net hard savings from this transformation were … $X”. In an analysis of some (as yet un-published) recent survey data, around 43% of Chief Procurement Officers in large companies had no analytics capability. However, many had advanced contract management, e-procurement and other sourcing capability. But no analytics numbers. One can assume the usual array of uncoordinated spreadsheets.

Whilst it is easy to accept the premise that executives inherit environments, the procurement focus should be on numbers and savings or realized value (if Procurement helped with an initiative that increased sales, that should be captured too). If you don’t have the numbers, get them. The issue may simply be that inefficient transformation execution means that little or no rigour is attached to the expected outcomes. It starts with a pre-change number and ends with a post-change number. What gets measured gets attended to. What people need to read are change strategies that they can emulate to drive down costs.

As will emerge shortly, the collapse of Carillion is likely to have been driven by managers who were transforming visionaries. They just needed to manage the business through market and competitive change. In effect, just get on with it.

Thanks, Tony.

Contract Compliance Trust But Verify: Part III Monitoring Demand

Today’s post is from Eric Strovink, the spend slayer of spendata. real savings. real simple. Eric was previously CEO of BIQ; before that, he led the implementation of Zeborg’s ExpenseMap, which was acquired by Emptoris and became its spend analysis solution.

When you join transaction data to contract data in order to validate contract price compliance, it is possible to discover lots of interesting information. Some of it can be quite surprising.

For example, you might notice that off-contract items make up a surprisingly large proportion of the spending. This may be trending up with time, so it is worth doing a time-series analysis. You might also notice a pattern of overcharges on particular items, which could be an easily-corrected disconnect at the vendor side on contract terms.

In Excel, these analyses require new pivot tables and, concomitantly, more maintenance effort on refresh. But in a spend analysis system, the model can be augmented with additional pivot-table-equivalents in seconds, with just a few mouse clicks. And, refresh is not an issue, because the spend analysis system updates everything automatically upon loading new transactions. So, much more interesting analyses become real possibilities — including monitoring demand.

The Who

Suppose that we have from the vendor not only the item pricing, but also an idea of who within the organization is doing the purchasing. This then enables us not only to identify off-contract spending, but also find the source of the leakage within the organization, so that corrective action can be taken internally.

There are a number of ways that “Who bought the items” can find its way into PxQ data. Sometimes it is present as a matter of course; sometimes it requires effort.

  • If the item is a catalog buy or punch-out, invoice items likely already contain the cost center.
  • If a PO number was provided to the vendor, invoice items should contain the PO. The PO can be easily translated to cost center (well, “easily” if the PO data can be linked in, as it can be with a spend analysis system).
  • If there’s a useful delivery address on the invoice, that can be mapped to a cost center using the spend analysis system’s mapping tools (of course, you need access to the mapping tools, and they need to be simple to use).
  • Your contract with the vendor could require a cost center to be provided on the invoice as a prerequisite for payment. No cost center, no payment.
  • Corporate purchasing cards are by definition associated with a cost center, so these can be mapped to cost center using the spend analysis system’s mapping tools.
  • Consultants put project codes on invoices; lawyers put matter numbers. These can be mapped to cost centers as well. Any invoice without a project code or matter number shouldn’t be paid.
  • Some spend already has a fixed cost center, for example with copiers. Each copier is assigned a cost center, which shows up on the invoice.

In a nutshell, if you want to have a cost center attached to each row of an invoice, it is very doable, and very worthwhile.

Let’s revisit the dashboard from Part II.

  • We can see a breakdown of overcharge buys by cost center (blue). A similar breakdown of off-contract items helps identify who is buying off-contract. There may be very good reasons for this, of course; and those reasons need to be understood, so that we can either get those items onto the contract, or channel the buying to similar items that are on contract.
  • We can see a time-series analysis of item buys by class, with an associated chart (red). Over time, fewer items are being bought with the contract price, which is not a good trend.
  • We can see all the buys, showing both contract and overcharged prices (green). This is all we need to show to the vendor — just dump it to Excel, email the spreadsheet, done.

The basic pattern of this type of analysis doesn’t change with the commodity. Providing that the goods or services can be standardized with a fixed price, and that a contract price is available, the technique is always the same — and the analysis always worthwhile, if only to prove that the contract is in place and actually working.

Thanks, Eric!

Contract Compliance Trust But Verify Part II: Monitoring the Vendor

Today’s post is from Eric Strovink, the spend slayer of spendata. real savings. real simple. Eric was previously CEO of BIQ; before that, he led the implementation of Zeborg’s ExpenseMap, which was acquired by Emptoris and became its spend analysis solution.

If you have a contract with a vendor, you should be paying the contract price. But until you check, you don’t really know — and what you find out may surprise you.

In Part I of this series we discussed the two pieces of data required — transactions from the vendor, and contract prices for the items under contract. The next step is to join those two datasets together, in this case by Part Number.

Here is what that might look like if we do it in Excel:

This was done by:

  • Sorting the contract prices by Part Number so VLOOKUP will work
  • Building a helper column K which is the difference between invoice price and VLOOKUP’d contract price (hidden)
  • Building a VLOOKUP to compare contract price to invoice price (shown)
  • Building a Pivot Table to roll up column L

Lots more could be done. For example, we could:

  • Add a computation of the amount of overcharge.
  • Add year-month to the pivot table, giving us an idea as to the distribution of the overcharges. Have they all occurred recently, or just in the relatively distant past?
  • Produce a table of only the overcharged items, in order to send it to the vendor with a request for compensation.
  • Identify “who” is buying the excluded items (more on this in Part III).

However, as the model becomes more complex, it becomes more difficult to maintain. What happens next month, when a new tranche of transactions is available? Who updates the model? Each of the formulas and pivot tables needs to be updated carefully — a process that’s irritating and time-consuming at best, as well as highly error-prone.
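The join and roll-up described above can also be scripted so that a new month of transactions only means re-running it. The following is an added example, not code from the original post or from Spendata; the part numbers, cost centers, prices and function names are constructed for illustration. It also covers the cost-center and year-month breakdowns discussed in Part III.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the post): contract price per part number.
CONTRACT = {"P-100": Decimal("4.50"), "P-200": Decimal("12.00")}
# Constructed invoice lines: (date, part number, cost center, quantity, unit price).
INVOICE_LINES = [
    ("2018-03-02", "P-100", "CC-10", 10, Decimal("4.50")),
    ("2018-03-15", "P-200", "CC-20", 5, Decimal("12.75")),
    ("2018-04-01", "P-100", "CC-20", 20, Decimal("4.95")),
    ("2018-04-09", "P-999", "CC-10", 2, Decimal("30.00")),
    ("2018-04-20", "P-200", "CC-10", 1, Decimal("11.50")),
]

def classify(lines, contract):
    """Join each invoice line to its contract price by part number."""
    rows = []
    for date, part, cost_center, qty, price in lines:
        agreed = contract.get(part)  # None means the part is not on the contract
        if agreed is None:
            status, over = "off-contract", Decimal("0")
        elif price > agreed:
            status, over = "overcharge", (price - agreed) * qty
        else:
            status, over = "ok", Decimal("0")
        rows.append({"month": date[:7], "part": part, "cost_center": cost_center,
                     "spend": price * qty, "status": status, "overcharge": over})
    return rows

def rollup(rows, key):
    """Pivot-table equivalent: overcharge and off-contract spend per key value."""
    totals = defaultdict(lambda: {"overcharge": Decimal("0"), "off_contract": Decimal("0")})
    for row in rows:
        totals[row[key]]["overcharge"] += row["overcharge"]
        if row["status"] == "off-contract":
            totals[row[key]]["off_contract"] += row["spend"]
    return dict(totals)

def vendor_claim(rows):
    """Only the overcharged lines, i.e. the table to send to the vendor."""
    return [row for row in rows if row["status"] == "overcharge"]

if __name__ == "__main__":
    rows = classify(INVOICE_LINES, CONTRACT)
    for key in ("cost_center", "month"):
        print(key, rollup(rows, key))
    print("claim lines:", len(vendor_claim(rows)))
```

Lines priced below the contract price are treated as compliant here; a stricter check could flag any difference in either direction.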

Make it Easy, not Hard

A spend analysis tool can make this a lot easier. Load the two datasets, and link them by Product Number. Then build a price difference column, set up a range, and you’re done. This requires no advanced Excel knowledge, and produces a model that updates automatically when new data are added. This dashboard was put together using Spendata, but there are certainly other options.

And now, adding next month’s data to the analysis is anticlimactic — literally a couple of clicks, and everything auto-updates. So, even if you could “do it in Excel”, you won’t, because it’s just too painful. But if you use the right tools, you can produce compliance models quickly, and you can maintain them with near-zero effort.

We’ll conclude our discussion in Part III: Monitoring Demand. Thanks, Eric!