How are you dealing with data privacy at your company? The General Data Protection Regulation (GDPR), the sweeping law that governs the treatment of personal data of European Union (EU) citizens by any entity around the world, poses important considerations and presents considerable risk for sourcing organizations. Recently, Silicon Valley Sourcing Leaders (SVSL) held an in-depth discussion to examine some of the issues and investigate solutions.
Founded by some of the most influential companies in Silicon Valley, SVSL is a professional network of strategic sourcing and procurement leaders dedicated to elevating the profession through knowledge sharing and collaboration. SVSL attracts innovators and fast-paced companies in Silicon Valley, the greater Bay Area and beyond with the aim of delivering greater value and education to organizations, industries, and the larger community.
Read on for important insights covered at the latest SVSL event:
Violations of GDPR requirements expose organizations to fines of up to 4% of a company’s global annual revenue or €20 million, whichever is greater. Regardless of where a company is physically located, if it engages with EU citizens and collects and uses their personal information, it is subject to the requirements and faces the penalties for violations.
Companies are responsible not only for their own actions but also for those of the vendors and suppliers that handle EU citizens’ data on their behalf. Sourcing organizations must have proactive processes and policies to ensure compliance with GDPR and with the other data privacy laws that are rapidly emerging.
Examining the Issues
SVSL met at Anaplan headquarters in San Francisco to hear from data protection expert Debra Chong and from Linda Chaun, sourcing and procurement leader and SVSL co-founder, and to join in a group discussion.
During the event, Sarah Toomey from Anaplan described the company’s concept of Connected Planning, which integrates its marketing, technology, and procurement groups as a virtual team and uses the Scout platform to set and evaluate milestones.
Some Data Protection Questions to Consider
- Does your company have policies regarding suppliers or vendors sharing your data with third parties, including Data Mart?
- Do you require suppliers to encrypt data while stored or in transit? Do you require de-anonymizing data?
- What is your policy for single and ongoing data treatment and privacy violations by suppliers?
- Do your vendor’s privacy policies influence your selection criteria?
Stepping Up to New Requirements
Attendees discussed how dealing with data privacy has affected their own companies. About half reported an increase in the number of privacy enforcers—specific individuals charged with ensuring compliance with privacy and data protection laws—at their companies. Some said that ensuring data protection has required an intentional slow-down in sourcing events in order to spend more time in the contracting phase and on understanding and assessing suppliers’ policies and practices. Sometimes this adds an extra week or more. At least one admitted that non-compliance will “auto kill a deal.”
One attendee shared how their company was affected by a data breach of a supplier. Although the damage is done at that point, and the past cannot be changed, the important aspects are remediation for affected customers and ensuring that such a breach is protected against in the future. For them, remediation included providing lifetime subscriptions to data protection services for their customers. Clear, prompt communication from the suppliers “coming clean” is critical and the mark of a worthy relationship.
Debra Chong pointed out that one major area of vulnerability is the cookies commonly used for tracking, personalization, processing, and analytics on company websites. Data kept in cookies is considered personal data. Since most companies embed numerous third parties in their websites, exposure and mistreatment can come from many entities, yet your company retains overall responsibility. Debra called cookies “the biggest challenger to privacy.” Cookies are “all or nothing,” she said, since many sites will not work or grant visitors access without them. Sourcing organizations should therefore review the vendors and suppliers involved with their company’s website and associated sites, including registration services for events. One organization built its own registration service for events because it felt it could not trust a third party.
We’d like to thank the subject matter experts who made this insightful discussion possible. Thanks to everyone who came out and participated in the lively and engaging conversation.
Join Further Discussions and Gain Insight and Knowledge
We hope you’ll consider joining SVSL to participate in future discussions. Go to the group’s LinkedIn page for more information or to request membership.