The General Data Protection Regulation (GDPR) is an extensive law covering data security and privacy. It’s important to understand the GDPR well, because it can affect the telecom procurement process in several ways. This guide explains what the GDPR is and how it affects your telecom procurement process.
Read on to learn about:
- What GDPR is
- How to ensure GDPR compliance
- GDPR Requirements for Procurement Professionals
Looking for guidance regarding GDPR and the telecom procurement process? The experts at Technology Procurement Group will be happy to work with you to ensure success, both in GDPR compliance and in procuring the best possible telecom or IT contract for your organization. It’s easy to get in touch: Just give us a call at 1-888-449-1580, send us an email at info@TPG-llc.com, or complete the form at the bottom of the page.
- What Is GDPR?
- What Is GDPR Compliance?
- Key Things to Know About the GDPR as a Procurement Professional
- How Procurement Relates to GDPR Compliance
- Main GDPR Requirements for Procurement Professionals
- Key Steps in GDPR Compliance
- Ensuring Suppliers Are GDPR-Compliant
What Is GDPR?
The GDPR is Europe’s new law regarding data privacy and security, made effective on May 25, 2018. It stands for General Data Protection Regulation and spans hundreds of pages that cover new requirements for organizations around the world. Although the GDPR was passed by the European Union, it affects all organizations that target or collect data that pertains to people in the European Union.
Violators of the GDPR’s privacy and security standards must pay harsh fines. The penalties max out at 20 million euros (nearly 22.7 million dollars) or 4% of global revenue, whichever is higher. In addition, data subjects are permitted to seek compensation for damages.
Europe’s goal in passing the GDPR was to show its firm stance on data privacy and security as personal data is increasingly entrusted to cloud services, and breaches are occurring daily. The regulation (which can be read in its entirety here) is broad and far-reaching. It contains few specifics, making compliance particularly daunting for small and mid-size businesses.
It’s highly recommended that all organizations affected by the GDPR have a team member read it thoroughly and consult a lawyer to ensure the company is GDPR-compliant.
What Is GDPR Compliance?
Under the GDPR’s terms, businesses must ensure that all personal data is gathered legally, under very specific conditions. Those responsible for collecting and managing this personal data must protect it from exploitation and misuse while respecting data owners’ rights. Otherwise, they’ll inevitably face penalties for non-compliance.
Key Things to Know About the GDPR as a Procurement Professional
Here are the main things that procurement professionals must keep in mind to make their telecom procurement strategy GDPR-compliant.
Personal Data: Within the GDPR, personal data is defined as any information relating to an individual who can be identified, directly or indirectly. This includes names, email addresses, location information, gender, ethnicity, religious beliefs, web cookies, biometric data, and political opinions. Note that pseudonymous data can also qualify as personal data if the person can readily be identified from it.
Data Processing: Data processing consists of any manual or automated action performed on data, such as using, storing, erasing, organizing, structuring, recording, and collecting.
Data Subject: This is the person whose data is being processed, usually a company’s site visitors and customers.
Data Controller: Data controllers are people who make decisions regarding how and why personal data will be processed. Anyone in the organization who handles data, whether that be an owner or an employee, is considered a data controller.
Data Processor: A data processor is a third party that processes personal data for data controllers. There are specific rules within the GDPR for the organizations and individuals who are data processors.
How Procurement Relates to GDPR Compliance
Since procurement teams exchange large amounts of data with vendors, the role of procurement organizations in ensuring GDPR compliance is vital. It’s essential for procurement professionals to pay particular attention to information flow and contract management.
If a supplier is GDPR non-compliant, the company is not automatically safe from liability. This is because the GDPR has an accountability clause that requires organizations not only to comply, but also to demonstrate their compliance. Therefore, it’s necessary to have written contracts with suppliers covering GDPR compliance. Periodic reviews are also recommended.
Main GDPR Requirements for Procurement Professionals
- All stakeholders that are part of the supply chain must give their explicit consent for their personal data to be collected and processed.
- Companies must implement security measures for data security, and they need to ask vendors (considered to be third-party data processors) to do the same. Any security incidents or breaches must be monitored, analyzed, and responded to within 72 hours of being discovered.
- There must be explicit clauses in contracts to ensure that all vendors using and processing the data shared by the company are GDPR-compliant.
- All contracts with data processors must be updated with the scope of data processing and clear written guidelines.
- If the company regularly or systematically monitors or processes data internally on a large scale, it must appoint a Data Protection Officer (DPO). If a third-party vendor is a large-scale data processor, then that third party will need to appoint a DPO.
Key Steps in GDPR Compliance
First, the company must manage all personal data of supply chain participants and vendors so that no crucial data is overlooked. It should categorize all suppliers by their access to information and prioritize those supplier categories by the volume and sensitivity of the personal data involved.
In addition, organizations must strike a balance between encrypting information and removing it from the system. They always need to determine which information must be deleted, which must be retained, and which must be encrypted.
Ensuring Suppliers Are GDPR-Compliant
Procurement teams must ensure that potential suppliers are compliant with the GDPR. There are several ways to do this, starting with conducting supplier surveys to help the company understand the suppliers’ readiness and level of compliance.
Another strategy is to set clauses in existing contracts to reduce liability and avoid non-compliance risk. These clauses should hold vendors accountable for non-compliance based on the scope of data processing, data security requirements, and their GDPR risk score. These clauses should be included in the company’s contract template as well.
It is also vital to run on-site audits for critical suppliers (based on the products and services they provide and the spend value). Many third-party specialized firms can conduct data audits focusing on the GDPR.
Technology Procurement Group Can Help
Handling GDPR compliance and telecom procurement together adds a lot of tasks to your plate. TPG is here to reduce the stress and maximize the success of your company’s procurement process. Our experts have worked in the industry for decades and have the knowledge and experience necessary to help you achieve your business objectives and maximize cost savings.
Not only do we offer telecom procurement strategy consulting and IT procurement services, but we can also provide telecom and wireless expense management, RFP management, wireless expense reduction, and telecom contract negotiation.
Interested in working with us, or want to get more information? Call us at 1-888-449-1580, email us at info@TPG-llc.com, or fill out the simple form at the bottom of the page. We look forward to hearing from you!