GDPR – avoiding the problem? (GDPR Part IV)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at

For those with extensive risk management experience, avoidance is a key strategy for risk minimisation.

For those analytics suppliers outside of the European Union, this may well be a very feasible option. If we assume that spend data could contain P Card holder names, personal data in staff reimbursements and personal details in invoices – what are the avoidance options?

A myriad of options exist that analytics providers can deploy to avoid the personal data problem in risk terms. The first, and most obvious option (and least acceptable) is to refuse to take data from clients that that may contain personal data. However, the old adage applies that “some will always take the business, and someone will always do it cheaper”. Its also not a tenable under the GDPR, the fact that the client says the data is “personal data free” may not stand up if a breach occurs.

There is an old English adage that simply states that “you can’t eat a horse at one sitting”. If we start to break the problem up in to manageable components the potential issues become less intimidating.

One of the major areas of concern is P Card data. In the UK, many local councils and authorities publish their P card data for public access (in Excel files) on their websites – but with no personal cardholder data. It really focuses on the core question – does the client really need the name of the cardholder/Card number – or is the supplier spend the key focus? If the card data is extracted post reconciliation (if an Expense Manager is used for card management), the data will contain a cost centre. If the cost centre structure is loaded as a hierarchy it can be relatively easy to see where spend is occurring within the organisation – but not who incurred the cost.

The second key area is staff reimbursements. Many companies still set staff up as vendors to pay reimbursements. This spend too is quite insightful and may deliver several sourcing opportunities. However, it still leaves the personal data in the file that may be extracted from the ERP. For this element of the data, it may be far simpler to create a data mechanism that identifies those vendor master entries on the client ERP with a data flag of some kind. For statutory tax reporting purposes, many corporate clients are required to account for reimbursements for staff (for taxation purposes e.g. Fringe Benefits). So, if the client can remove staff names or attributable identifiers– then that will eliminate or avoid the data issue. In effect, there is the possibility that the problem can be eliminated on the client extract, but you must ask the client more about how they are extracting their data and guide them as to how they can better manage their data for GDPR compliance to prevent getting data you don’t want. .

In many respects, spend analysis providers have had it really easy up until now. They simply give the client a data extract request, the client provides what they can, and the provider builds the dataset. GDPR for EU clients makes this process less simple from 25th May. Why?

To be continued!

Thanks, Tony.

One Hundred and Fourteen Years Ago

The United States took over, and began, construction of the Panama Canal. Then, a little over ten years later, it was completed and for the first time ships could travel between the mid-Atlantic and mid-Pacific from at least 10 days, and typically two to three weeks (depending on how fast the ship was and the weather) to less than a day, as it saves ships a 7,872 mile voyage.

It revolutionized ocean freight and although we now take it for granted, it was a historic achievement.

IS TCO a No Go Without Optimization?

At this point in time, very few people are still in the stone ages of Supply Management and buy on price per unit (PPU) alone, the first level of sourcing value. However, there are still a number of buyers in a number of organizations that still buy on landed cost or total cost of acquisition (TCA) and buy solely on the sum of price per unit, transportation, duty, tariff, temporary storage, and other costs that are incurred from the time an order is placed until the time the product is received. These organizations are still in the dark ages of Supply Management and need to find the light very, very quickly (especially with Trump Nation and Brexit on the way). And while most modern Supply Management organizations attempt to buy on total cost of ownership (TCO), the third level of sourcing value, not all succeed.

TCO is the most commonly used metric today by analysts, consultants, vendors, and (I’m sorry to say) bloggers alike. It is designed to be a comparative cost metric that quantifies the overall cost of each acquired unit from a direct, indirect, and quantifiable market perspective that takes a broader look at the cost of a product from an acquisition, utilization, and delivery perspective. In addition to the landed costs, it typically also considers indirect utilization, supplier switching, and transaction costs as well as cost adjustments for quality, waste, and brand power (if your supplier has a brand that increases the selling price of the product you create with the component).

TCO is designed to capture the ‘true cost’ of a product (or service) from a supplier and does a much better job of helping you to compare apples-to-apples when determining the best buy for your organization. And even though it’s not the ultimate metric, as that’s total value management (TVM), the next level (and pinnacle) of sourcing value measurement, you cannot apply TVM until you have mastered TCO (which is a big component of TVM just like total cost of acquisition is a big component of TCO), and you can’t master TCO until you can model it.

But most sourcing solutions don’t let you model TCO. And the few that do don’t let you optimize it. That’s why it’s important when selecting a strategic sourcing solution you get an optimization-backed solution with support for deep cost models and, preferably, bills of material. They might still be few and far between, but a few more hit the market in the past year, and we expect more will be coming due to the power, and utility, of such solutions.

So is TCO a no-go without optimization? Not necessarily, but it sure is a lot harder to do without optimization.

GDPR and non-EU Spend Analytics Providers … Mortal Peril? (GDPR Part III)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at

While there has been much debate within EU countries around the preparation for GDPR on the 25th of May, the level of knowledge and preparation for those suppliers of analytics platforms and services outside of the EU remains largely an unknown. Controversially, our assessment is that many customers/suppliers will have ignored it and assumed that it doesn’t apply.

If your spend analysis provider is a large, well-known brand name with a global presence, it is highly likely that they will have opted for the binding corporate rules option. This is a complex and intricate process but is essentially a means of larger data service/analytics providers applying to the EU to establish the provision. The supplier applies a BCR to one of the EU Supervisory bodies (one of the 27 EU members). These are termed Lead Authorities. Once the checks have been completed and the Lead Authority is satisfied with the adequacy of the data privacy safeguards in place, the Lead Authority decision is binding across all Supervisory authorities in other European states. However, as in much European Legislation member states may have additional requirements.

Once Binding Corporate Rules (BCR) status has been achieved:

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the 8th data protection principle and Article 25 of Directive 95/46/EC.

However, what of smaller providers? No so easy – and it can become rapidly more complex.

The EU has two other provisions for managing data that contains personal information – the rule of adequacy and safeguarding.

Not surprisingly (shock) all 27 EU members meet the rule of adequacy. Adequacy is simply defined around the level of protection at national level.

For other countries who are non-EU, the EU will judge this on the national rule of law; respect for human rights, fundamental freedoms and relevant legislation, both general and sectoral, including public security, Defence; National security and Criminal law. Simple enough …

Now the bad news. There are only some 11 countries globally that are deemed to meet this level of adequacy. These include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. If your spend analysis provider lives in any of these countries – that’s fine. Happy days.

However, what if they don’t? The new Regulation is simple in objectivity. The GDPR change removes a controller’s (or data owner, we will explain controller and processor in the next few posts) previous ability to transfer personal data outside the EU where this is based only on your own assessment of the adequacy of the protection afforded to personal data. More work to do.

This brings us to the last option – safeguarding.

Safeguarding means just that – can the supplier offer sufficient safeguards with data containing personal information?

However – can the problem be eradicated and avoid GDPR regulations?

We will cover these areas in the next post. Our advice as always – find a lawyer who understands the regulations and can guide you either as a customer or supplier. If you are in doubt, get advice.

If you breach the regulations – it could get expensive.

Thanks, Tony.

Maybe You Can Be a Procurement Hero!

Everyone wants to be the corporate hero, but at the end of the day, very few people in a company get to be society’s hero, and fewer still without blowing the whistle on criminal activity (and being made the target of a well paid hitman).

But if your company is big enough, and the spend you’re responsible for is large enough, you can sometimes do the right thing for the company and the right thing for society (even if it’s a bit tough at first).

How? You get corporate buy in to use your corporate spending power for good. You get commitment that it’s not just the lowest cost, it’s the lowest sustainable cost that meets minimum ethical guidelines. You get a commitment from the C-Suite to not only do your best to follow what is becoming the law in many jurisdictions and eliminate slave, forced, and child labour from your supply chain but to do it because it’s the right thing. Then, you can also get a commitment to shift at least some supply to suppliers that are making efforts to be more sustainable (and not polluting the local water table) or corporately responsible (and making efforts to improve the quality of life of their workers or the local community). In certain categories (primarily sourced from low-cost countries), each of these options will generally be a bit more expensive in the short term than going with the lowest cost supplier, who likely underpays the workforce or destroys the local environment, but well worth the temporary cost increase.

First of all, your C-Suite won’t have to worry about criminal charges or jail. Secondly, sustainable suppliers tend to be around for the long haul and get more leaner, more productive, and more cost effective over time — especially with your investment (and work with you to contain costs when they start to rise). Third, you can market the heck out of your commitment to sustainability and corporate responsibility. While not all consumers will pay more, some will, and those that are willing are those that will stick with you. Plus, when your competition stocks out because their supplier is finally shut down for its poor practices, you won’t have any disruptions.

Now, you’re probably saying one buyer can’t make a difference, but if you are buying a multi-million, or hundred million, category for a Fortune 500 / Global 3000, that’s a lot of money and you can use it to make a huge difference. No supplier wants to lose out on that amount of money, and even current suppliers can be changed.

Plus, if you band together with peers that are part of a trading network (like the Ariba Network that does more commerce annually than Alibaba, Amazon, and eBay combined) and all make a commitment to stop buying from a certain supplier until they adopt certain minimum corporate responsibility and sustainability requirements, you can bet that supplier will turn on a dime.

The reality is that if Procurement gets a Purpose in the Global 3000, and practitioners can garner the resolve to stick to their guns, they are one of the few people who can make a difference in this corporate driven world. It won’t be easy, but is anything worth doing?

For a slightly deeper dive into Procurement With Purpose, check out the doctor‘s two-part series over on Spend Matters (Part I) and for a much deeper dive, check out the public defender‘s new paper on Procurement with a Purpose — Making a Positive Impact on Organisations, Human Rights and Communities, sponsored by Ariba.