Category Archives: Training

GDPR: Are you a Controller or a Processor (Part VI)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

It was Glen Hoddle (English Soccer player) that wrote:

“I have a number of alternatives, and each one gives me something different”.

For many spend analysis providers (or other procurement tools providers) and their clients that manage personal data, the alternative may be simply to change nothing technically – and keep going with the status quo. In effect, implement the requirements of the GDPR regulations.

Like most alternatives there are trade-offs. If eliminating personal data is practicable – then that may be the first viable alternative for suppliers. However, leaving the process as-is and implementing the EU required controls may be the better option longer term.

However, there are several key changes required by 25th May. To be GDPR compliant requires those controls to be in place prior to that date.

The key concept in this article is ensuring that analytics suppliers understand the difference between a controller and processor. For commercial data that contains no personal data, this concept is inapplicable and no further action is required.

Under GDPR, the controller means:

“ … the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

In most cases, the controller will simply be the client.

After all, they will supply the data and direct what they want to happen with those transactions.

The processor is defined as:

“ … a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

To all intents and purposes, most spend analytics providers within (and external) to the EU may be either a controller or provider (or both).

For companies that use serviced systems outside of the EU, providers are therefore processors. Being outside of the EU creates a number of key criteria that need to be met for compliance.

There is also a very clear definition in the Regulation about what constitutes processing:

“ … It means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Therefore, by default, any serviced analytics provider generically meets the definition.

So, what does this mean? Come back tomorrow for out next installment!

Thanks, Tony.

GDPR – still avoiding the problem? (Part V)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

In our last post we noted that those with extensive risk management experience know that avoidance is a key strategy for risk minimisation.

We also noted that this may well be a very feasible option f-or those analytics suppliers outside of the European Union.

The GDPR actively supports the anonymisation approach:

The principles of data protection should …. not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

By removing or replacing data elements this satisfies another element of the Regulation – pseudonymisation:

the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” (Article 4).

Credit card or card account numbers can be used to identify a person – many card systems encrypt or hash the card number if expense managers are used. Once again, it pays to do the data homework.

The salvation for many spend analytics providers is to encourage the client to set data extract routines that eliminate these types personal data.

However, that still leaves us with the less easily manageable data component of personal data buried within invoice line descriptions or other ERP free text fields.

Once GDPR becomes recognised as the “new paradigm”, analytics providers are likely to claim that they have all sorts of (chargeable) capability to remove this data or anonymise it. This is more likely to revert to a line by line manual check as opposed to anything technically complex or ground breaking.

There is nothing intrinsically wrong with this approach. It may be time consuming but will follow the usual pattern of spend analytics data management. The first stage of the dataset build is historical data construction. If all historical spend data is checked and anonymised, then monthly refresh data is much lower volume – and patterns where personal data may exist may have already made their presence known – a pattern.

Vendors and clients are therefore taking all reasonable precautions with the data. If the data can have all personal elements removed, then GDPR does not apply. The “shotgun approach” for web providers is to use full access encryption…but this could be prohibitive in cost terms.

So, what is the risk? Spend data with personal data content has to align with the Regulation both within the EU — and transferring data outside of the EU. The use of surgical data techniques can reduce the risk and perhaps even reduce the data to non-personal in nature.

The alternative option is to leave the personal data and adhere to the range of controls that are required to manage that information. We have yet to cover these controls in any detail.

As we will discuss later in a later post, staff, employee data and personal data may also be subject to consents. A considerably more complex issue under GDPR. With new elements like right to be forgotten it may be simpler just to remove the data components.

No one said this was going to be easy.

Thanks, Tony.

GDPR – avoiding the problem? (GDPR Part IV)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

For those with extensive risk management experience, avoidance is a key strategy for risk minimisation.

For those analytics suppliers outside of the European Union, this may well be a very feasible option. If we assume that spend data could contain P Card holder names, personal data in staff reimbursements and personal details in invoices – what are the avoidance options?

A myriad of options exist that analytics providers can deploy to avoid the personal data problem in risk terms. The first, and most obvious option (and least acceptable) is to refuse to take data from clients that that may contain personal data. However, the old adage applies that “some will always take the business, and someone will always do it cheaper”. Its also not a tenable under the GDPR, the fact that the client says the data is “personal data free” may not stand up if a breach occurs.

There is an old English adage that simply states that “you can’t eat a horse at one sitting”. If we start to break the problem up in to manageable components the potential issues become less intimidating.

One of the major areas of concern is P Card data. In the UK, many local councils and authorities publish their P card data for public access (in Excel files) on their websites – but with no personal cardholder data. It really focuses on the core question – does the client really need the name of the cardholder/Card number – or is the supplier spend the key focus? If the card data is extracted post reconciliation (if an Expense Manager is used for card management), the data will contain a cost centre. If the cost centre structure is loaded as a hierarchy it can be relatively easy to see where spend is occurring within the organisation – but not who incurred the cost.

The second key area is staff reimbursements. Many companies still set staff up as vendors to pay reimbursements. This spend too is quite insightful and may deliver several sourcing opportunities. However, it still leaves the personal data in the file that may be extracted from the ERP. For this element of the data, it may be far simpler to create a data mechanism that identifies those vendor master entries on the client ERP with a data flag of some kind. For statutory tax reporting purposes, many corporate clients are required to account for reimbursements for staff (for taxation purposes e.g. Fringe Benefits). So, if the client can remove staff names or attributable identifiers– then that will eliminate or avoid the data issue. In effect, there is the possibility that the problem can be eliminated on the client extract, but you must ask the client more about how they are extracting their data and guide them as to how they can better manage their data for GDPR compliance to prevent getting data you don’t want. .

In many respects, spend analysis providers have had it really easy up until now. They simply give the client a data extract request, the client provides what they can, and the provider builds the dataset. GDPR for EU clients makes this process less simple from 25th May. Why?

To be continued!

Thanks, Tony.

GDPR and non-EU Spend Analytics Providers … Mortal Peril? (GDPR Part III)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

While there has been much debate within EU countries around the preparation for GDPR on the 25th of May, the level of knowledge and preparation for those suppliers of analytics platforms and services outside of the EU remains largely an unknown. Controversially, our assessment is that many customers/suppliers will have ignored it and assumed that it doesn’t apply.

If your spend analysis provider is a large, well-known brand name with a global presence, it is highly likely that they will have opted for the binding corporate rules option. This is a complex and intricate process but is essentially a means of larger data service/analytics providers applying to the EU to establish the provision. The supplier applies a BCR to one of the EU Supervisory bodies (one of the 27 EU members). These are termed Lead Authorities. Once the checks have been completed and the Lead Authority is satisfied with the adequacy of the data privacy safeguards in place, the Lead Authority decision is binding across all Supervisory authorities in other European states. However, as in much European Legislation member states may have additional requirements.

Once Binding Corporate Rules (BCR) status has been achieved:

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the 8th data protection principle and Article 25 of Directive 95/46/EC.

However, what of smaller providers? No so easy – and it can become rapidly more complex.

The EU has two other provisions for managing data that contains personal information – the rule of adequacy and safeguarding.

Not surprisingly (shock) all 27 EU members meet the rule of adequacy. Adequacy is simply defined around the level of protection at national level.

For other countries who are non-EU, the EU will judge this on the national rule of law; respect for human rights, fundamental freedoms and relevant legislation, both general and sectoral, including public security, Defence; National security and Criminal law. Simple enough …

Now the bad news. There are only some 11 countries globally that are deemed to meet this level of adequacy. These include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. If your spend analysis provider lives in any of these countries – that’s fine. Happy days.

However, what if they don’t? The new Regulation is simple in objectivity. The GDPR change removes a controller’s (or data owner, we will explain controller and processor in the next few posts) previous ability to transfer personal data outside the EU where this is based only on your own assessment of the adequacy of the protection afforded to personal data. More work to do.

This brings us to the last option – safeguarding.

Safeguarding means just that – can the supplier offer sufficient safeguards with data containing personal information?

However – can the problem be eradicated and avoid GDPR regulations?

We will cover these areas in the next post. Our advice as always – find a lawyer who understands the regulations and can guide you either as a customer or supplier. If you are in doubt, get advice.

If you breach the regulations – it could get expensive.

Thanks, Tony.

GDPR and Procurement Spend (GDPR Part II)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

It’s interesting that the more companies you speak to, the less certain you become about whether organizations have truly readied themselves for GDPR.

There are statistics around how companies in general are prepared for GDPR. The focus in most organizations is on the most obvious areas of a business – marketing and customer data. The Regulation is very specific around what is meant by personal data:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Well, spend doesn’t contain personal data … does it?

Be afraid, very afraid — spend data can be packed with personal data.

The Regulation states that in-scope data is:

Personal data that is processed wholly or partly by automated means. – Personal data that is part of a filing system or intended to be.

The only exclusions are things like immigration checks, police investigation, personal activity and personal data generated by an activity outside of EU Law.

So, should sourcing and procurement be worried? I would say yes.

In most company data sets within the EU there may be:

  • Staff reimbursement data – many companies still pay staff by setting them up as vendors;
  • Purchasing or corporate card data – many companies use an expense manager. Each card will have a name associated with it;
  • Many invoices will have line descriptions with components like consultant names, “James Smith, managing consultant”;
  • Temporary labour – the name of the person, rate and other details may be included in the invoice text.

There may be a lot more personal data across e-procurement and other data sources. Data inventory analysis is designed to identify those elements … assuming that someone has realized that spend data may contain personal information.

However, does it matter? We would say yes. A name in this type of data identifies a person very quickly. We even know who James Smith, our consultant, works for. Vendor name of course.

If you are not moving the data outside of your own environment (within the EU), the risk is reduced – but there are several elements to consider. However, if you have a spend analysis provider outside of the EU then the problems are suddenly more acute. Our guess is that many of the larger analytics providers will have scrutinized the Regulation and accommodated the required changes already.

For many smaller providers that service European clients from outside of the EU, recognition of the legislation complexities may not have even started.

The Regulation goes live in under a month. The question is – do European clients and analytics providers both inside and external to Europe have the right level of compliance – and understanding of the obligations? They aren’t optional either.

Perhaps it’s time you asked your provider if you are an EU company.

In the next article we will look at some of the complexities of spend data that sits in the GDPR domain. Part of the reason the GDPR legislation has been introduced is to fundamentally change how personal data is managed.

This isn’t a “nodding dog” legislative change – of that there is little or no doubt.

Thanks, Tony.