GDPR and Procurement
While General Data Protection Regulation (GDPR) compliance is not mandatory for companies conducting business outside of the European Union (EU), it is almost impossible for any business that conducts some of its business online to guarantee that, at some point, a person from the EU will not submit information to it. A simple email submission that is stored on a company server (cloud or otherwise) is enough to make compliance mandatory. An EU phone number in a corporate contact database will also mandate GDPR compliance. In our field of procurement, the trend is to reach further and wider than some other departments, as global sourcing has become the norm rather than the exception. Naturally, buyers connect with entire supply chains to purchase goods and services, which could and often does involve someone residing in the EU. So, with that in mind, here is a brief GDPR review.
GDPR has been effective since 25th May 2018, and it has changed the way businesses handle and process data. It is now the world's strongest data protection rule, and it covers Europe. The rule was designed to protect the personal information of individuals and to modernize data protection laws.
Before GDPR, there were data protection rules that were first created in the 1990s. However, these rules struggled to keep pace with technological change. The introduction of GDPR gives individuals more power over their information. If you are an individual, organization or company that is either a controller or a processor of personal data, you are covered by GDPR.
Protection of individual rights by access, penalties, responsibilities
In total, GDPR contains 99 articles, which set out the rights of individuals and the obligations placed on organizations. Among these are 8 rights for individuals. Some of them are:
- Easier access to the data that companies hold about individuals
- New (and steep) fines regime
- Organizations are responsible when obtaining information about individuals and should always ask for consent
Under GDPR, the companies holding data (not the individuals submitting it) are accountable for handling people's personal information. In recent times, there have been multiple cases where data has been breached and confidential information of individuals has been compromised. For instance, under GDPR, as per Article 33, in the event of a serious breach, companies must notify the EU authorities as well as the individuals that have been affected, within 72 hours of discovering the breach.
Repercussions of non-compliance
Another much-discussed topic since the introduction of GDPR is the fines associated with non-compliance. Organizations that do not comply with the GDPR regulations can be fined heavily by the regulators. Some instances where an organization can be fined are:
- If the data of an individual is not processed in a correct way
- If the organization is one that deals with very large volumes of data but does not have a data protection officer
- If there is a security breach
GDPR is a must… and Eyvo is compliant
In conclusion, ignoring GDPR is not an option for a company or organization of any size, especially those who deal with clients in the EU. Strict data regulation is set to become the norm, and hence it is advisable that the world be prepared for it.
We at Eyvo understand the importance of data privacy, and as such our eprocurement solution is GDPR compliant. We protect all user and personal information on our systems at the native database level and, quite naturally, our transport layer is encrypted with industry standard protocols.
Contact us to discuss what we can do for you.