Ensuring GDPR Compliance Across the Supply Chain

Moving Forward Through Ambiguity

Companies trying to find their way to compliance with the General Data Protection Regulation are struggling to ensure that their supply chains are compliant as well. The GDPR readiness of suppliers typically remains a black box, but it’s not due to willful resistance. Matan Or-El, co-Founder and CEO of Panorays, explains and spotlights a path ahead.

In order for organizations to be GDPR-compliant, they must also ensure that their vendors adhere to the same set of regulations. Enforcing GDPR standards on suppliers is no easy task, especially when some of the rules are still open to interpretation. Still, businesses must take action to ensure that each vendor is aligned with the new regulations.

As companies grow, so do their supply chains. And while this sudden surge in team members, partners and vendors can be a boon for business, it also comes with significant risk. The European Union’s recent General Data Protection Regulation (GDPR) that took effect in May aims to help keep this risk in check. But it also means ensuring that each and every supplier is held to the same standard, because in order for companies to be GDPR-compliant, their suppliers must be as well.

Of course, enforcing GDPR standards on suppliers is much easier said than done. In theory, it should be as simple as learning whether or not each vendor adheres to GDPR as part of the vetting process, but it’s not as easy as that. Steps must be taken, such as a full audit of the supply chain, to pinpoint suppliers and key areas that aren’t yet aligned. Working with several vendors simultaneously makes this task an even greater challenge, but it’s one that can’t be overlooked, as the responsibility of complying with regulations falls squarely on the shoulders of the umbrella organization.

Getting Suppliers to Comply With GDPR

According to reports from the Business Information Industry Association (BIIA), 80 percent of businesses believe they are not yet GDPR-compliant. While 53 percent are in the process of achieving compliance, a staggering 27 percent haven’t even begun to move forward with the initiative. That’s a lot of vendors that aren’t yet up to snuff with their cybersecurity posture.

However, GDPR compliance isn’t an issue because companies are willfully resistant, but because the regulations themselves are still a bit fuzzy. In other words, companies aren’t quite sure where to draw lines around the issues, because certain aspects are still open to interpretation. For example, there is limited information on the exact processes that companies should implement, along with the best framework to use, among other issues. Take a moment to consider this in contrast with other standards like the Payment Card Industry (PCI), which is far more prescriptive, explicitly stating what companies need, and thus making it easier to follow.

Despite the complexities and questions surrounding GDPR regulations, companies cannot afford to sit back and do nothing. Supply chains, while essential to most businesses, are already susceptible to cyberattacks, and this will only get worse if companies do not begin bolstering third-party accountability with GDPR compliance for each and every vendor.

Creating Better Accountability

While it can certainly be a challenge, organizations must ensure that GDPR compliance is non-negotiable for every supplier. Businesses should work to implement management strategies that focus on incorporating compliance as a mandatory piece of the supply chain puzzle. And since GDPR does not point to the exact measures that should be included as part of this plan, companies must be diligent about assessing the policies needed and then getting as specific as possible with their policies. Performing a full audit of the supply chain is a good place to start, along with increasing visibility to better monitor for vulnerabilities and flag when a supplier’s cyber posture is weak. Suppliers should be transparent with their breach logs, allowing organizations to access them at any point.

Along with increasing accountability and visibility, there are options that can help immensely when it comes to keeping suppliers in line with security best practices. Many companies, particularly those that have already experienced this thorny issue, are now adopting automated solutions to provide them with that necessary visibility in their supply chain. Companies that take this route have demonstrated that they were able to reach the necessary level of supplier GDPR-readiness within just a few weeks.