53 days. That’s how long we have before the General Data Protection Regulation goes into effect, and many teams are still scrambling to tackle the final items on their GDPR to-do lists. At this point, most companies have the basics in place – appointing their Data Privacy Officer, identifying processes for handling personal data, and educating teams on new policies for handling that information. However, there are two big challenges that remain: measuring GDPR compliance for third-party vendors and getting updated contracts in place.
Why is this important? Not only does the GDPR hold companies directly accountable for data privacy practices, but it extends that responsibility to any third-party vendors who touch personal data. As a result, companies are now required to enforce, monitor, and document how their suppliers meet the standard.
That’s a lot of ground to cover, and without the right tools, it can quickly overwhelm even high-performing teams.
(For more about the GDPR’s impact on Sourcing and Procurement, check out our new whitepaper on the subject.)
Fortunately, with a little planning and the right tools, it’s possible to manage this process and build a repeatable framework for compliance today and into the future.
Measure Sourcing’s GDPR Compliance with Regular Assessments
To ensure GDPR compliance, organizations must understand how and where their vendors handle personal data. And, to meet the standards set out in the regulation, those processes and agreements must be well-documented, consistent, and kept up-to-date. Our customers have found that the best way to accomplish this is through a structured Performance Management process.
By formally surveying and capturing data on vendors, you can quickly identify risks in your supply chain and put plans in place to address any gaps. Perhaps most importantly, by documenting the process and results, you’ll always be prepared when questions come your way from the audit team.
Need some inspiration to get your questionnaire started? This is by no means exhaustive, but here are a few questions Scout customers have been asking their suppliers to measure GDPR compliance.
- Please identify your appointed Data Protection Officer and their specific responsibilities.
- Describe your schedule for reviewing and updating your policies for processing data on behalf of your data controllers.
- Where does your organization store the digital personal information you are managing on our behalf? If stored with a third-party subprocessor, please identify them and where data is stored.
- What processes and methods are you using to pseudonymize, anonymize, and encrypt personal data, both in storage and in transit?
- Please describe your processes for detecting and communicating data breaches.
- What tools are in place to manage the identification, tracking, and destruction of personal data associated with an individual?
- Are there clear instructions in your contracts detailing what happens to the data at the end of the contract period?
- Explain the data privacy and security training employees in your organization receive, and on what schedule.
Get Updated Contracts in Place
The value of Contract Management to maintaining GDPR compliance is worth its own discussion. Certainly, this is one of the most important components of scoring and managing third-party compliance. And it comes down to a simple question: Has the vendor reviewed, approved, and signed the updated contracts, model clauses, and any changes to liability prepared by your legal team?
But, across a portfolio of hundreds or thousands of suppliers, managing this process can be a nightmare. Once the assessment has shown where each vendor stands, the next step is putting action items and tasks in place to ensure all of your vendors step up, and that you have the paper trail to prove it. Here's where a great Contract Management process really saves the day.
With Scout’s new Supplier Performance Management capabilities, you can send vendors structured questionnaires to assess their data collection and management processes. Scout collects their responses in one centralized, accessible location, and you’ll quickly see where all your vendors stand in terms of GDPR compliance. Even better, you can quickly flag any that may not be operating in line with the new regulations, and start the process to get them back on track.
Pair this with Contract Management, and you’ll be poised for successful, stress-free, and long-term GDPR compliance. Good luck out there, privacy protectors. For more on this topic, check out our on-demand webinar on accelerating GDPR compliance.
Find out how Scout helps you support your GDPR game plan. Scout’s eSourcing platform provides a simple, smart, and streamlined way to ensure GDPR compliance.