Gartner, Inc. said many organizations are still not compliant with the GDPR even though it has been in force since May 2018, largely because they have not properly audited how personal data is handled within their supplier relationships. Sourcing and vendor management (SVM) leaders should therefore review all IT contracts to minimize potential financial and reputational risk.
"SVM leaders are the first line of defense for organizations whose partners and suppliers process the data of EU residents on their behalf," said Yanni Karalis, research director at Gartner. "If you don't have clarity on your organization's role with regards to personal data handling, you have to urgently address this."
The GDPR identifies two key roles: data controllers and data processors. With the regulation already in force, SVM leaders should by now have identified every vendor-supported business process in which either the vendor or the organization acts as a controller or processor of data belonging to EU citizens or residents.
"Data controllers are the customers of data processors in any specific activity handling the personal data of EU citizens, and these roles can change depending on the activity," said Mr. Karalis. "If the controller has chosen processors that are not compliant with the GDPR, they are risking penalties for their organization of up to four percent of annual revenue or €20 million."
GDPR imposes many requirements on data processors. These requirements include obligations to process personal data only on instructions from the controller, to inform the controller if it believes said instruction infringes on the GDPR, to notify data controllers of data breaches without undue delay, and to restrict personal data transfer to a third country unless legal safeguards are obtained.
"If you aren't sure your suppliers meet all GDPR requirements, you need to rectify the situation immediately," said Mr. Karalis. "Once existing relationships have been secured, you need to begin updating procurement processes to ensure GDPR requirements are built in for the future."
The following non-exhaustive list is a good starting point for SVM leaders setting out GDPR expectations and requirements in new contract negotiations:
"Being explicit about what you need from vendors is critical," said Mr. Karalis. "Moreover, it's important to explain the implications of key GDPR clauses to your stakeholders as well as to your suppliers."
Gartner clients can read more in "Adjust Your Technology Procurement and Contracting Process to Avoid Stiff GDPR Noncompliance Fines."
Gartner IT Sourcing, Procurement, Vendor & Asset Management Summits
Gartner analysts will provide additional analysis and information on sourcing & asset management trends at the Gartner IT Sourcing, Procurement, Vendor & Asset Management Summits 2018 taking place September 5-7 in Orlando and September 26-28 in London. Follow news and updates from the events on Twitter using #GartnerITSV.
Gartner, Inc. (NYSE: IT), is the world's leading research and advisory company and a member of the S&P 500. We equip business leaders with indispensable insights, advice and tools to achieve their mission-critical priorities and build the successful organizations of tomorrow.
Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We're trusted as an objective resource and critical partner by more than 15,000 organizations in more than 100 countries—across all major functions, in every industry and enterprise size.
To learn more about how we help decision makers fuel the future of business, visit www.gartner.com.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.