7 Steps to GDPR Compliance for Procurement


GDPR compliance becomes compulsory on 25th May 2018 in Europe (for all companies headquartered in Europe and any business that collects and processes personal data from the EU, regardless of company location). This is good news for consumers, who have seen spam grow by the minute. Nuisance calls are at a peak and data breaches are commonplace. Change is most certainly on the way, in the form of the impending General Data Protection Regulation (GDPR).

GDPR is an EU regulation but it affects any business that collects and processes personal data from the EU, regardless of company location(s). Put simply, the goal is to make it easier for consumers to have control over how their data is collected, used, shared and stored.

What are the implications for the Procurement Function?

After 25th May 2018, if your organisation is not compliant you stand to lose a lot of money and trust. The Information Commissioner’s Office says that companies who do not take GDPR seriously and end up non-compliant could be looking at fines of up to €20m or 4% of global annual turnover, whichever is higher. For Procurement it is critical to realise that if a supplier or third party you work with is found to be non-compliant for failing to adhere to GDPR requirements, and as a result your customers’ personal data gets compromised, you are liable.

So, what should Procurement do? Here is a short guide, taken from advice given by the Chartered Institute of Procurement & Supply, to help you get started:

  1. Audit your existing supplier/third-party contracts (those that have access to EU personal data) to ensure they are GDPR compliant.
  2. For those that are not compliant, engage to agree new terms and conditions. Suppliers may address the new risks by suggesting changes to clauses, limits of liability and more.
  3. Stick rigidly to the new requirements when onboarding new suppliers. Ensure new supplier contracts have the right language in place and that there is a process to evaluate data security and privacy for relevant suppliers.
  4. Make sure you understand where personal data sits and who has access to it through the entire journey of that data from the moment it enters your organisation. If suppliers handle this data, re-assess their risk profile. If you end up in breach you will only have 72 hours to do this.
  5. Make sure you have insurance in place to cover breaches and, if possible, to cover you in cases of non-compliance.
  6. Make sure you have a plan to deal with the 72-hour non-compliance window.
  7. View this as an opportunity to show your customers and suppliers that you run a reputable business that does not play fast and loose with data, and you will find more benefits in the long run.

Source: https://www.cips.org/supply-management/opinion/2017/august/six-steps-for-procurement-to-prepare-for-gdpr/

How Ivalua can help.

The Ivalua Platform offers a complete, connected set of source-to-pay solutions, allowing Procurement groups to manage everything from sourcing activities, contracts and procure-to-pay transactions to supplier information, risk and performance.

When it comes to ensuring compliance with regulations, Ivalua gives Procurement a very simple process to solicit information and survey responses from your supplier base and use that to inform activities throughout the source-to-pay process (and keep that information for audit purposes). As an example, you may want to pause transactions/activity with a certain supplier that you know handles EU personal data until you are satisfied with their adherence to GDPR regulation.

The steps a customer could take to prepare for GDPR compliance using Ivalua:

  • Launch a compliance questionnaire (e.g., GDPR Compliance Campaign) and, within it, select the suppliers you would like to participate, using existing supplier groups or segmenting based on category, location, etc.
  • Edit a pre-defined compliance questionnaire or collaborate with your legal and IT teams to easily create a new set of questions using a configurable tool.
    • The survey capability is quite flexible and powerful: for example, customisable labels, conditional questions, weights applied to questions/answers, overall scoring, etc.
  • As part of this “GDPR compliance” campaign, you can also create invitations that suppliers receive (via email and upon login to Ivalua), track progress, send reminders, etc.
  • As Ivalua is a complete source-to-pay platform, you are able to put in place blocking alerts, which can be very useful in this case. They enable Procurement to pause any transactions with a supplier that is part of this campaign until it responds and is approved.
  • The answers to the questionnaire are fed into each supplier’s profile. To ensure the information is up to date, Procurement can schedule recurring annual surveys.
  • The information can also be reported on, documents can be collected and workflows can be triggered based on responses.

For more guidance and events on GDPR for Procurement and Spend Management from CIPS please visit – https://www.cips.org/

For more information on GDPR please visit – https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Discover how Ivalua can help you manage supplier information in a transparent and compliant manner by visiting our website – http://www.ivalua.com/solution/supplier-management-software

Bernadette Fitton, Global Digital Marketing Manager, Ivalua
Prior to joining the Ivalua team she held various marketing roles first at Oracle, where she worked for 13 years, focusing on Public Sector and Cloud CRM. After leaving Oracle she joined SAP Ariba, where she worked as Field Marketing Manager for Northern Europe and subsequently at SAP, in the Campaign Team focusing on Digital Transformation. She has a Degree from the University of Surrey in French and English and the University Laval in Quebec, Canada, in French. She is leading Ivalua’s Social Media Marketing initiatives from a global perspective during a period of great innovation and growth.
