Since GDPR legislation took effect on 25 May 2018, over 160,000 breach notifications have been made, with that number rising month on month according to DLA Piper’s recently released GDPR Data Breach Survey. It hasn’t yet been the fine armageddon most companies were fearing, with the biggest fines so far being doled out to British Airways (204.6m euros), Marriott International Hotels (110.3m euros), and Google (50m euros). Both British Airways and Marriott received these notices of intent to fine as a result of data breaches – in the case of Marriott, they did not realise they had a breach dating back to 2014.

However, whilst major companies have been getting the lion’s share of fines, the respite for everyone else is likely to be short-lived according to Ross McKean, a DLA Piper partner, who says “regulators have been busy road-testing their new powers to sanction and fine organisations”. So, essentially, this is the wrong time to be lulled into a false sense of security. 

What does GDPR have to say about cybersecurity?

Whilst cybersecurity is not the full focus of GDPR, there are still a number of clauses which, if not followed, can severely penalise a business:

  • 5. How are you protecting against unauthorised and unlawful access, loss or damage?
  • 24. How are you ensuring and demonstrating data protection?
  • 32 (2). What steps have you taken to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed?
  • 32 (4). What steps have you taken to protect against insider data abuse?
  • 33. Can you notify a breach within 72 hours with detailed disclosure?

The cybersecurity risks of procurement

Procurement, as it is traditionally carried out, is a high cybersecurity risk. Typically, it is conducted through a mixture of emails, WhatsApp messages, and Excel spreadsheets, shared with a large number of intermediaries, brokers, and colleagues.

In these scenarios, who is the data controller and processor of the individuals on file? Often no one.

How do procurement officers keep visibility and control of the data they share? They simply do not. 

This puts all of the companies using these methods at high risk of a GDPR fine. As a quick reminder of the cost of GDPR fines: they can be up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher. Maybe you have that money to waste? If so, keep doing what you’re doing!

Let’s break down how each of these GDPR clauses pertains to a tender process:

5. How are you protecting your business against unauthorised and unlawful access, loss or damage?

The key focus of this clause is ensuring that you have control over your data. Who is in charge of it? Is it firmly in your control? 

The first step here is to ditch fractured methods of conducting a tender process, in particular emails. We’ve discussed before why emails are such a security risk. In essence: your emails can be forwarded to anyone without your knowledge, and those people may have less secure servers, ripe for hacking. If that information goes out, you’re still the one at fault, and you probably won’t even know it.

Instead, we recommend you use a platform like DeepStream which is centralised, with ISO 27001 accreditation – the global standard in information asset security. Not only is it easier to securely communicate and keep track of your tenders, but you’re also significantly reducing the likelihood of a GDPR fine.


24. How are you ensuring and demonstrating data protection?

There are many measures you can take to fulfill this clause, including but not limited to:

  • Ensuring. Having a data protection policy is a logical first step – the more data you handle, the more comprehensive this will need to be.
  • Demonstrating. Training, awareness building, monitoring, auditing – the list goes on. Which of these will you be doing to make sure your data is kept safe?

Using software with a clear security record is another way you can demonstrate your commitment to data protection. DeepStream is compliant with all relevant legal, customer and other third-party requirements relating to the processing of personal information including the Data Protection Act 2018 and GDPR.

32 (2) & (4). What steps have you taken to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed? What steps have you taken to protect against insider data abuse?

Information security is an ever-growing business problem. Taking a risk-based approach is fundamental in ensuring modern information security measures remain effective.

As with clause 5, complying with these two clauses requires a level of visibility and control that is still often lacking in organisations. This is where DeepStream’s centralised system comes with obvious benefits, including an audit trail that can be downloaded at the click of a button.

33. Can you notify a breach within 72 hours with detailed disclosure?

Whether or not the breach is the type that requires notification, GDPR specifies that you still need to keep a record of it. If you have laid the groundwork of the clauses above, the tasks of preventing a breach, being aware of one when it happens, and learning from those mistakes will all be vastly improved.

Why are high-risk processes still used in procurement?

We know that security and compliance aren’t everything – for a system to be effective, it has to be easy to use! We’ve all been stuck with enterprise software before that requires a manual of 300 pages and a PhD on the topic to be understood – no one wants to use it unless they absolutely have to. It’s no surprise that so many companies have fallen back on high-risk manual tendering processes using intuitive tools (Excel, email, and so forth). 

This is why user-friendliness is a major priority at DeepStream: we want a system that takes days, if not hours, to implement, not months.

So yes, we are GDPR-compliant, and we take your security seriously, but we also want you to enjoy using our network over any other manual process. 

Find out more about our Information Security Policy here.