GDPR Just Made The Best Argument for Making Your Data — And Applications — Available Online 24/7 Even Better!

Seven years ago SI published a short article that stated: if your data isn’t immediately accessible online, either behind your firewall, behind someone else’s firewall, or in the cloud, when your employees need it, then they are going to download it to their machines. If that machine is a laptop, the data is not securely encrypted, and the laptop is stolen, then … it could cost your organization 1 million (or more), based on research conducted by ZoneAlarm. There were a host of reasons for this, including fraud costs (if financial information was stolen), lawsuits (if personal data was stolen), market loss (if trade secret data was stolen and sold to a competitor who then got a jump start on a competing product), and so on.

However, GDPR has upped the cost of a breach. Given that a single violation could result in a fine equal to 4% of your organization’s annual revenue, that could be a 4 Million, 40 Million, or even 400 Million fine. And it’s not unreasonable to think that the EU could levy a fine of that size if you had no controls or policies around personal data and didn’t even notice when a junior HR employee decided to download your entire corporate directory to his laptop to do “statistical processing” on the weekend, didn’t bother to encrypt the data, left the laptop at the bar where he stopped for a drink on the way home, where it was stolen, and the entire corporate directory, complete with SIN numbers and banking information, ended up on the dark web Saturday morning.

But if your data is online 24/7, and all of the applications your employees need to process that data are online 24/7, then they have no need to download the data, and if it’s easier to do the work online than to download, they won’t even try.

And don’t say it’s insecure to put your data and applications online. Don’t forget that as long as you have an internet connection coming in (and you do), your data is online whether you like it or not, and if the appropriate security precautions aren’t in place, any script kiddie who wants it can get it.

And unless you are an IT SaaS solutions provider, chances are your internal security controls are not as strong as the controls the provider has put in place. Offering data and application security is part of their core business; it’s not part of yours. You can expect them to have strong encryption in place, multiple firewalls, DDoS detection capability, deep logging capability, intrusion attempt detection, and other security controls that you likely don’t have.

Also, modern SaaS providers support private database instances (so if someone hacks your competitor’s instance, your data is not exposed), private application instances (on your own private virtual machine that can be configured to be accessible only through your own private VPN), and deep security controls around users and roles.

So unless you plan on going 100% offline, and keeping all your data on servers in highly secure facilities surrounded by Faraday cages, it’s probably safer for your organization to go 100% online.

Sourcing Innovation is Proud to be part of a “Special Place in Hell”

No one wins a trade war.

Progress stagnates when borders close.

Freedom is jeopardized when dictators are praised.

Human Rights suffer when power is abused.

… and the world goes to hell.

So, if the world is going to hell, Sourcing Innovation is proud to be part of that “special place” where fairness is sought, openness is an ideal, multi-party cooperation is a way of life, and human rights are always upheld as the Charter of Rights and Freedoms trumps any law or power.

GDPR: The Dreaded DPIA (Part XV)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at

One of the key changes in the GDPR legislation involves the creation of DPIAs or Data Protection Impact Assessments.

At first glance this appears to be what can only be termed as a “mindless piece of bureaucracy”.

However, perhaps not.

Historically, it may be hypothesised that many personal data breaches have been the result of “mindless planning” neatly followed by badly managed execution. It has been incredibly easy to obtain data, endlessly spam individuals — and share that data around. Often, little or no thought, planning or impact assessment has been conducted in the process of managing this type of data.

Conceptually, the DPIA is a very good idea. However, like many EU regulations, the “how” is more obtuse and intricate.

The United Kingdom’s ICO (Information Commissioner’s Office) site states that:

“You must do a DPIA for processing that is likely to result in a high risk to individuals”.

High risk is hard to define in the procurement world. Many hosted procurement technologies contain considerable volumes of personal data, as we are all aware – both controllers and processors need to stop and carefully assess any new data management proposals. A DPIA creates a structured approach and framework that can be used to help define whether the targeted processing could breach the regulation.

A DPIA is effectively a combined project brief and risk assessment of any new data processing activity that an organisation intends to conduct. The DPIA contains a variety of what appear to be simple requirements. The DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

If you think about it carefully, it is eminently sensible in its approach.

However, deductively there are several core organisational processes that need to be in place to achieve the outcome. In many respects, this is the point at which the DPIA becomes a little more complex in its implementation and management. If the organisational processes do not currently exist – then these are likely to add to the complexity.

In response to this, supervisory authorities have attempted to provide guidance and checklists that can help organisations manage this process and reduce risk. We have left the discussion on DPIAs until this stage as there are options to use the process to overcome some of the risks with personal data in this domain. However, there may be some good news.

In our next post we will start to evaluate how procurement data could be managed through the DPIA process.

Thanks, Tony!

Zycus – Expanding their Horizons in the EU

Zycus recently held their inaugural event in Europe — the last three days in Prague, to be precise. the doctor was there and he has to say he was impressed with

  • the conference organization
    (fewer snafus and less disorganization than at a few conferences he’s been to recently, organized by larger peers),
  • the content
    (they did a great job blending content from themselves, their partners, their customers, and leading analysts),
  • the progress
    (both on the customer front and the product front)

Recently we’ve seen a number of companies break out of Europe and into North America — like Ivalua and Synertrade — but we rarely see companies, even those from North America (and definitely those from India), break in, especially in a short time-frame. In the last two years Zycus has gone from almost no presence in Europe to a known provider of S2P services with dozens of local customers among its 300+ worldwide deployments, supported by local partners. That’s quite impressive.

This last fact is key — Zycus understands fully that Europe is not India or America. It is dozens of countries with dozens of languages and dozens of local cultures that need to be supported by any provider that wants to effectively support its customers and the continent in, and on, which they do business. And Zycus understands that there are local implementation partners and providers in Europe that understand these needs. Some providers try to sell locally with their own staff hired in Europe (who can’t know everything, as they are few); others try to sell exclusively through partners (who are better equipped for local support but, if not well trained, can’t accurately represent the provider). Zycus instead sells as a partnership among the local implementation partner, the software provider and the service provider, while taking all the responsibility for ensuring the customer receives a successful deployment.

And a successful deployment is something they are quite capable of achieving. Not only do they have 300+ people to support implementations, but they have a history of working with partners to ensure that any localizations that need to happen, happen. We expect that as long as all parties go in with a solid understanding of what needs to happen, and what the true effort is, deployments will be appropriately planned and be successfully realized. And customer progress will continue.

Then we have the product front. Zycus continues to develop its platform and has made good progress on a couple of modules, the iRequest module in particular. While this may seem the least sophisticated from a sourcing perspective, it is the most important from a success perspective.

When one thinks about why most mavericks try to bypass the Procurement department, it’s typically because they see the Procurement department as a bottleneck. Too long to get approvals. No visibility into the sourcing event. Etc. Etc. With iRequest, anyone in the business can make any sort of request or requisition to Procurement and follow it through to its conclusion, with visibility not just into the status but into the sourcing event, contracting process, or anything else that is relevant. It links into almost all of their other modules and allows a buyer to kick off events, approval chains, and information request processes with relative ease. It makes Procurement look like an enabler, and that is key to organizational acceptance and success. It’s definitely worth checking out.

More coverage on Zycus, here and in depth on Spend Matters Pro (membership required), is coming, so stay tuned.