May 22, 2018

Regardless of the industry you operate in or whether you are trading in raw materials, work in progress or finished items of inventory stock, your supply chain is what moves your product or service from supplier to consumer.

The supply chain is a complex system of businesses, service providers, people, information and activities. Its multifaceted nature, combined with the sheer volume of data processed within it, potentially makes the supply chain one of the areas most scrutinised under the GDPR.

Organisations outsourcing their data processing will need to ensure GDPR compliance throughout their supply chain and demonstrate how they will handle their data securely and responsibly.

A data breach in one area could be detrimental to every other business within the supply chain, from both a financial and a reputational perspective. Consequently, organisations will need to carry out appropriate due diligence and monitor suppliers to ensure they are GDPR compliant.

Preparation

In preparing for GDPR, companies need to know exactly what their supply chain looks like by undertaking a risk-based audit, focusing efforts where it matters most from a privacy perspective. Although this is easier said than done, there are a few simple steps businesses can take to ensure compliance.

  • Record the flows of personal data throughout your supply chain, including third-party suppliers and distributors, to identify where personal data is being received and stored. This should include sub-processors and anywhere that personal data is shared, from inward receipt of goods to the shipping and dispatch of inventory stock.
  • Examine internal practices to ensure that processes are in place which enable your company to satisfy the 72-hour breach notification requirement. Investigate whether your current insurance policies will cover data protection and security breaches, including any breaches caused by suppliers.
  • Review existing supplier contracts that involve the processing of personal data to ensure they cover all the data protection provisions necessary under the GDPR. Many existing supply contracts may need to be updated to reflect the new laws.
  • If you are taking on a new supplier, the contract with that supplier must state exactly what data will be shared, how long the data is kept and what happens to the data once the contract expires. Do you have a right within the contract to conduct an audit?

Contracts should expressly define retention periods and what happens beyond the contract completion, detailing how the personal data will be returned or destroyed at the end of the contract period.

Carry out robust checks on new suppliers to confirm they are GDPR compliant, and seek guarantees concerning the measures suppliers have in place, along with any other certified data processing stipulations.

Data in the cloud

The GDPR also applies to cloud software and online inventory management solutions used within your company. Any platform in your supply chain that collects and analyses information deemed to be personal data must comply. This includes information about the types and quantities of products from inventory stock that your customers purchase.

The regulation affects all customer-specific data, as well as the specific methods used within purchased services, such as reporting analytics and data encryption, to ensure data integrity, security and confidentiality.

It is anticipated that machine learning will play a vital role in automating data tracking and the management of personal data, becoming a necessary part of supply chain risk management.

Transparency

Any actual or suspected data breach, regardless of size, must be recorded in a breach register, stating exactly when the breach took place, how it occurred, the response to the breach and who approved that decision. In addition, businesses should also record any strategies or actions intended to prevent further data breaches.

Members of your supply chain located outside the EU are not exempt from the GDPR. If they hold any personal data relating to EU residents, they must comply with the same regulations. Moreover, the business responsible for the data has a duty to ensure that any contracted suppliers meet these standards.
