Should procurement be ready for GDPR? Yes!

E-procurement in SME. Does it make sense?
7 March 2018
4 ways to convince your company board to invest in procurement software
19 April 2018

Source: Freepik

GDPR (General Data Protection Regulation) has been a hot topic in business news lately. We’ve been noticing warnings, announcements, training and audit adds. Yes, GDPR makes business life a bit more difficult, especially in terms of marketing, HR and sales activities. Most importantly, GDPR applies to all business areas, including procurement. The whole business must demonstrate compliance in this area. But let’s start from the scratch. What is actually GDPR? It’s the EU regulation which comes into force on May 25th 2018. So soon! It concerns personal data protection and processing. What does it mean in practice? Organizations which process personal data are directly responsible for any GDPR breaches and may be fined (up to 4% of annual global turnover or €20m). In case of GDPR breaches, Data Administrator is obliged to report the breach to the proper institution within 72 hours. Every person whose data is processed must be aware of the process (meaning agree on processing his/her personal data) what makes that people whose personal data is processed have bigger control over their personal data or they can even ask to remove the data immediately. More on GDPR you may find in Deloitte research.

Why should procurement executives also consider GDPR?

GDPR applies to both controllers and processers of data and business needs to present compliance in terms of GDPR regulations. That’s why procurement teams have to be ready as well. To make it at least a bit easier, we’ve prepared GDPR checklist for procurement teams! 

  1. Identify personal data you are processing in supply chain and purchasing processes. Map data, identify the recipients of personal data, where the data comes from, who has access to it and why.
  2. Check and analyze existing contracts with suppliers in terms of GDPR compliance. Probably some of them may not meet GDPR requirements.
  3. Look at the process of supplier selection. Make sure that suppliers you are working with cover all the GDPR regulations. Add questions regarding GDPR in RFx (BTW in NextBuy you can add any kind of question and save RFx form templates). Additionally, make sure that tender documents include relevant information concerning GDPR provisions.
  4. Think about long term approach to the GDPR compliance. It’s not just one point action, but rather long process which needs to be controlled and audited.
  5. Check internal systems, e-procurement tools and software and make sure that their providers are able to answer to the GDPR needs.

Don’t worry! If something goes wrong, you are not going to be punished on May 26th! The process of introducing the GDPR provisions needs to take some time. The most important thing is to have a plan and start implementing it. It is also essential for a business to make employees aware of the upcoming changes. It’s worth to take care of the GDPR, not only due to the financial penalties, but most importantly, to keep company good reputation. Showing that your company acts according to the GDPR regulations and work only with the suppliers who meet the data protection requirements, influence on the company image and helps to get a better negotiation positions.

Good luck!


If you want to check how NextBuy can support you, request NextBuy demo with one of our procurement experts.

Katarzyna Nitychoruk-Brzeska
Katarzyna Nitychoruk-Brzeska
I'm a Business Developer specializing in international markets. Experienced in launching new products on international markets (mainly US and UK), marketing (outbound campaigns, social selling, customer segmentation, event management) and customer success.