This article was originally published in June 2019 by Spend Matters. It has been republished with permission.
Spend Matters and parent company Azul Partners make up the largest and most influential media and knowledge source in the procurement sector—and together have a larger and broader range of practitioners and advisors consuming their content than any other analyst, blog, media, or subscription service.
As more businesses collect personal data, the concerns over privacy and protection continue to deepen. Social media outlets are failing to protect sensitive personal information, and hackers seem to easily find their way into retail and financial databases.
In 2018, Marriott announced a data breach from its Starwood hotels affecting more than 500 million customer records. Personal information—including names, phone numbers, email addresses, and passport numbers—was stolen. Perhaps the most shocking element was that the breach started in 2014 and went undiscovered for years.
In response, governments are instituting policies to protect personal data. Some individual states in the U.S. are passing legislation, but the most sweeping effort to date is the General Data Protection Regulation (GDPR), which went into effect in the European Union in May 2018.
GDPR affects all businesses in the EU and any company doing business with customers or clients in the EU. It also covers exporting personal data from there.
Security and Its Evolution
Security around data has always been something companies included in their operations, but standards were open to interpretation. Common practices include physical and logical separation of data and various levels of encryption.
GDPR has expanded those safeguards, requiring companies to have a plan in place to protect, delete, and anonymize personally identifiable information. And there are no exceptions to compliance with GDPR. (Some U.S. websites were dark for months in Europe because the sites weren’t compliant. More than 1,000 news sites, including the L.A. Times and New York Daily News, were affected.)
So, how are companies handling the collection of data and protecting that information?
Take freelancer websites, for example. Those companies collect candidate information for use in their contingent worker programs, and that data is especially sensitive. Every person applying for work is required to submit personal information during the application process, so companies affected by GDPR must now manage that data more closely.
Companies have to monitor who has access, determine what data can be shared, establish proper channels for sharing, have a plan to erase data, and set a specific storage term.
What Can Companies Do?
Understanding the particulars of GDPR, with all of its legal jargon, unfamiliar processes, and specific definitions of data types can feel daunting.
One of the best ways for companies with contingent programs to comply is by taking better advantage of the existing VMS technology they’re already using. Using a vendor management system to its fullest potential allows companies to process their data in a controlled framework, easing the strain.
For more than 20 years, VMS technologies have been evolving into robust tools that can perform an array of functions, allowing users to manage all elements related to contracting workers and services, including cost controls, invoicing, compliance, time-to-fill, and candidate and vendor performance.
VMS providers have implemented both technological and process changes to help clients manage many new data security requirements, including GDPR. New functionality allows clients to generate messages upon login that require users to agree to certain parameters; there are also opt-out choices for clients that do not need or do not agree with the GDPR statements.
Some systems require agreeing to terms before entering any personal information. When selecting a VMS or reviewing existing technology, companies may need direction. Using a resource guide like the one offered by VectorVMS can be a useful starting point.
Since anonymization and removal of data are key requirements, VMS providers have implemented those functions. By giving users the option to enable specific functions, the VMS can be used at global companies where some data sets are regulated by GDPR and others are not.
When clients stop using a VMS, there should be measures in place to remove their data on a predefined timeline with sign-off from clients to reduce risk for both parties.
Companies can confirm that their VMS provider supports GDPR compliance by asking whether the provider has changed its own internal processes to be compliant, so that it can pass that compliance on to clients. Whenever new data-entry functionality or policy updates are added, VMS providers should show clients that the change has been fully vetted by their legal team.
Companies should view GDPR compliance as a policy and process issue that will require some retooling, and security controls should exist at every data-entry point so that risk is dramatically reduced. Many VMS technology providers have implemented GDPR security measures for all clients, regardless of their immediate need.
As the business world becomes more global, having compliance functionality makes it easy for clients to expand operations without needing to replace or upgrade their technology—they can merely turn on the correct features.