The General Data Protection Regulation or GDPR is often seen as a constraint on enterprises, rather than an opportunity. Yet much of what it obliges enterprises to do can be leveraged for their advantage. For supply chains, higher efficiency, lower costs, and better customer relationship management are just some of the possibilities. The dust is settling after enforcement of GDPR officially started in May 2018. Now could be a good time to assess the upside.
The goal of the GDPR is to give people greater control over their personal data. Although it originates from the European Union, the GDPR applies to enterprises across the globe, as in the following examples.
- Your package holiday company in Australia sells vacations to tourists from Portugal.
- Your US based fashion firm works with a French chain of retail outlets that collects customer loyalty information on your behalf.
- Your Japanese automotive company supplies customized versions of its cars through its dealers to fans across the world, including European countries.
- You sell electronics products over the web from Brazil using different suppliers to drop-ship to consumers in Europe.
These are relatively straightforward cases. However, personal data can be any data relating to an identified or identifiable person. The data can be structured, as in shipping and payment systems. It can also be unstructured, like video surveillance footage.
Both B2C and B2B organisations can be affected. To complicate matters, supply chains often involve multiple organisations across national borders. The amount of information they hold can be considerable and dispersed. Identifying and managing the personal data in all of this is a challenge. There are hefty fines for non-compliance, but business benefits for getting it right.
A Quick View of the General Data Protection Regulation
You can only get the benefits if you know what GDPR compliance means. Let’s follow supply chain best practices and start from the customer’s point of view. EU citizens have the following rights for personal information they provide of their own free will.
- Access to information. A person has the right to know what data has been collected on him or her and how it has been processed. Data can include identity, payment details, loyalty information, shipping addresses, health details, photos, and any other information allowing the person to be identified.
- Information correction (rectification). If the data is wrong, the person has the right to change it or have it changed.
- Data portability. A person can require the transfer of his or her personal data from one organisation’s database into another organisation’s database.
- Scope of consent. If information is requested of a person, the request must be in clear, plain language. The person may refuse certain elements of processing of that information. He or she may also withdraw consent completely.
- The right to be forgotten (erasure). In addition to withdrawing consent, a person may also ask for his or her personal data to be deleted.
We should also mention the parties involved in compliance, as defined by the GDPR.
- Data subject. The person whose personal data is being collected or processed. An organisation may then have to respond to a ‘data subject request’ for access, correction, transfer, restriction on processing, deletion, or other action.
- Data controller. The entity that decides how personal data will be processed and to what end.
- Data processor. The entity that processes the personal data for the data controller.
The data controller and data processor may be the same entity or different ones. GDPR compliance applies to both. Data controllers are also accountable for data processors. For example, if a manufacturer collects customer data and provides it to a 3PL for transport and delivery, both the manufacturer and the 3PL must be compliant, and the manufacturer is also responsible for checking that the 3PL is compliant. The full version of GDPR goes into more detail and professional advice is recommended for all aspects of GDPR compliance.
Turning the GDPR into an Opportunity
It pays to compare GDPR requirements with supply chain goals like customer satisfaction, efficiency, and cost reduction. Much of GDPR compliance is what a supply chain would want to do anyway.
- Collection of personal data for specified, legitimate purposes only
- Legitimate, fair processing of personal data that is transparent to the person concerned
- Limiting data collected to the purposes for which it is processed
- Keeping data accurate and up to date
- Limiting identification of data subjects to what is necessary for the goal of the processing
- Ensuring the security of the personal data (including data held on data controller and data processor sites, and data in transit between them)
These compliance obligations can become advantages as shown below.
- Improved customer satisfaction. Consumers will know why they are giving their information and what they can expect. This can become a virtuous circle. As trust is built through proper dealing with personal data, customers will be more likely to share more data for more added value (targeted offers, product customization, for example).
- Increased efficiency. Minimum data for maximum effect helps efficiency. So too does organising data to be faster and easier to retrieve. Accurate data enables better understanding of customer needs, demand trends, and production and inventory requirements.
- Cost reduction. Minimising data collected saves on processing effort and storage expenses. Accurate data avoids errors and waste. Deleting data after it has served its purpose saves further on storage.
Additional positive leverage includes:
- Risk reduction. Information security for personal data lessens exposure to threats of theft and sabotage. It helps avoid losses and damage to reputation. If a breach occurs, good data organisation will allow faster identification, containment, and resolution.
- Supplier base rationalisation. Supply chains often battle against the proliferation of suppliers. GDPR compliance can be a filter to choose those that are already compliant and more likely to contribute to efficiency, cost reduction, and risk reduction.
- Better innovation. Quality data that accurately reflects consumer wants and needs is a key factor in designing and supplying better products and services.
GDPR, Meet Master Data
Besides knowing what customers can require of you and how you might also develop the positive aspects of GDPR, you need to understand your data. Few if any enterprises or organisations will be in a greenfield situation. Most will have existing data and data flows both in and out. Creating a data map of your entire organisation will help you to see how data moves through your supply chain. Note also that the GDPR applies to personal information in any form, including paper-based as well as electronic information. To streamline operations, it makes sense to digitise data where possible.
Master data management brings together the different strands of data into one data collection to enhance uniformity, accuracy, and accountability. This helps organisations achieve GDPR compliance. It also reduces the time taken to locate data and to resolve inconsistencies and errors. Creating master data often works better when there are clear goals of business benefit. The same might be said of achieving GDPR compliance by keeping in mind the advantages of customer satisfaction, efficiency, cost savings, risk reduction, and potential for innovation.
Master data management and GDPR compliance also have something else in common. Just as master data harmonises data to produce one ‘go-to’ version, the GDPR harmonises the previous data privacy regulations of all the European Union member states. Organisations now have just one law and one authority to work with.
Extending GDPR Compliance Internally
Making a comprehensive data map may entail some data discovery work. Internally, your supply chain may have several systems. Popular ones are customer relationship management (CRM), supply chain management (SCM), and enterprise resource planning (ERP). Others, which may have been added over the years in an ad hoc way, include specific applications for procurement, production, packaging, inventory, and transport management.
Personal data flowing into your supply chain may first appear in a CRM system. Here, sales and service representatives record exchanges such as sales conversations and support calls with individuals who are customers or who represent customers. Personal data may also be recorded in shipping and billing systems. Some of these systems may be installed on your premises. Others may live in the cloud. However, they must all be included in your compliance programme.
It is easy to assume that other systems such as ERP systems are isolated from personal data flows. However, remember that personal data includes any data that can be used to identify an individual, whether directly or indirectly. In an enterprise offering mass customisation of its products, product configurations handled in an ERP system may be unique, corresponding to one specific and individual customer. The automotive company described at the start of this article is an example.
In addition, new sources of information now exist such as data from devices connected via the Internet of Things. Personal fitness trackers are one example. Smart car sensors are another. This information may be processed by applications that are outside the sphere of conventional CRM, SCM or ERP systems. Meanwhile, personal data may also be transferred to or generated within email systems, which are also sometimes used as informal information repositories as well as a means of communication.
Data maps and GDPR compliance must consider all such possibilities. That means digging into the furthest reaches of your supply chain and organisation. It can also require some lateral thinking and awareness of corner cases. For example, a travel company holding seemingly anonymous data for a specific flight and date could effectively be holding personal data if there was only one passenger on that flight. In another case, data such as the IP address used for establishing an Internet connection will be personal data if it can be used to identify a person.
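The single-passenger corner case above is an instance of a general check that can be automated during data mapping: records that carry no name can still single out one person when the combination of their other fields (flight, date, cabin class, and so on) is unique within the dataset. The script below is an added example, not code from the article, and the booking records it uses are constructed for illustration. It measures how many records share each combination of the chosen fields (the quasi-identifiers), lists the combinations that match exactly one record, and reports which field would most reduce re-identification risk if it were omitted or coarsened.

```python
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed sample booking records (hypothetical data, not from the article).
# None of them contains a name, yet some rows still describe exactly one person.
BOOKINGS: List[Dict[str, str]] = [
    {"flight": "XY123", "date": "2018-06-01", "seat_class": "economy",  "meal": "vegan"},
    {"flight": "XY123", "date": "2018-06-01", "seat_class": "economy",  "meal": "standard"},
    {"flight": "XY123", "date": "2018-06-01", "seat_class": "economy",  "meal": "standard"},
    {"flight": "XY999", "date": "2018-06-02", "seat_class": "business", "meal": "kosher"},
    {"flight": "XY999", "date": "2018-06-09", "seat_class": "business", "meal": "standard"},
]


def group_sizes(records: Iterable[Dict[str, str]],
                quasi_ids: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[field] for field in quasi_ids) for r in records)


def k_anonymity(records: List[Dict[str, str]], quasi_ids: Sequence[str]) -> int:
    """Smallest group size: k == 1 means at least one record singles out a person."""
    sizes = group_sizes(records, quasi_ids)
    return min(sizes.values()) if sizes else 0


def singletons(records: List[Dict[str, str]],
               quasi_ids: Sequence[str]) -> List[Tuple[str, ...]]:
    """Combinations of quasi-identifier values that match exactly one record.

    Each of these is effectively personal data even though no name is stored:
    the 'one passenger on that flight' case from the text.
    """
    sizes = group_sizes(records, quasi_ids)
    return sorted(key for key, n in sizes.items() if n == 1)


def k_after_dropping(records: List[Dict[str, str]],
                     quasi_ids: Sequence[str]) -> Dict[str, int]:
    """For each quasi-identifier, the k obtained by omitting just that field.

    The field whose removal raises k the most is the best candidate for
    coarsening (e.g. keeping the month instead of the exact date) or for
    not collecting at all, in line with the data minimisation principle.
    """
    return {
        field: k_anonymity(records, [q for q in quasi_ids if q != field])
        for field in quasi_ids
    }


if __name__ == "__main__":
    fields = ("flight", "date", "seat_class")
    print("k-anonymity:", k_anonymity(BOOKINGS, fields))
    print("records that identify one person:", singletons(BOOKINGS, fields))
    print("k if a field is dropped:", k_after_dropping(BOOKINGS, fields))
```

Run against the constructed records, the check reports k = 1 for flight plus date plus class, lists the two XY999 bookings as singletons, and shows that dropping the exact date lifts k to 2 while dropping either of the other fields does not help. Run the same functions over an export from each system on the data map (CRM, shipping, billing) to find which "anonymous" extracts must still be treated as personal data.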
Managing GDPR Compliance Externally
Supply chains frequently extend beyond the boundaries of one enterprise. Even if you are in overall control of the supply chain, personal data you have collected may be used upstream and downstream. Suppliers, 3PLs, business partners, and others may need such data to perform tasks that are vital to the success of your supply chain. However, as the data controller, your enterprise will be accountable not only for its own handling of personal data, but also for the handling by the data processors to whom you entrust the data.
For existing suppliers, GDPR compliance will mean review of all contractual agreements. Starting with the highest risk cases is likely to be best, as is proceeding contract by contract, rather than enterprise by enterprise. Contracts may need to be updated. Suppliers and partners may need to be audited or receive training to ensure compliance. New suppliers should already be able to demonstrate GDPR compliance and guarantee that they will not misuse or improperly expose personal data either at rest or in transit.
In more complex data management situations, your data map may need further work. It is critical to define who has which responsibility for data and the procedures for an entity to erase data once the entity’s role has finished. In the pharmaceutical sector for instance, data is shared between laboratories, businesses, and other entities in different scenarios such as medical trials and production. Controllers and processors can vary. So too can the legitimate purposes for using the data.
While the General Data Protection Regulation may look like a stick, it can also be a carrot. The GDPR pushes supply chains and other organisations to achieve what most of them should be aiming for anyway. GDPR compliance encourages enhanced control and visibility of data for supply chains to improve the customer experience and perform better while cutting costs.
Other regions and states are also beefing up their data privacy rules. The California Consumer Privacy Act of 2018, although not the same as the GDPR, shares several of the GDPR’s features, including application to organisations outside its own borders. While respecting these data privacy laws is mandatory, supply chains that also treat them as investments in digital transformation can reap significant benefits in return for the efforts required.