Supply Chains Stumble Through GDPR Compliance

The European Union (EU) General Data Protection Regulation (GDPR) came into effect in May, but most businesses in the region still aren’t compliant with the rules. Its data protection requirements have wide-reaching implications for businesses across sectors, and as companies expand globally and business partners connect over digital channels, the GDPR compliance of supply chains is an increasing focus of enterprise security and compliance initiatives.

Because organizations are still not fully compliant with GDPR requirements, supply chains are particularly exposed to security and privacy issues, analysts have said.

“Enactment of [GDPR] marks a promising step forward for personal data privacy across Europe,” said Brad Bussie, managing principal of security strategy for Trace3, in an article for SupplyChainBrain in May. “However, it presents real concerns for tech managers who are responsible for storing and protecting their organizations’ information as it flows in and out of supplier networks.”

One of the largest challenges of GDPR, and of data security overall, is safeguarding customer data that is shared with suppliers in the supply chain. Under GDPR, a company that decides why and how personal data is processed remains responsible for that data even when a supplier processes it on the company’s behalf, so a supplier’s handling of the data is the company’s compliance problem as well.

“The core problem is that most organizations do not fully understand what data they possess across their vast corporate databases, product catalogs, email systems, budget spreadsheets and HR records, not to mention countless Word documents, slide presentations and social media postings,” wrote Bussie. When much of this data is shared with suppliers, safeguarding it and honoring individuals’ “right to be forgotten” is an especially tall hurdle, since an erasure request can only be fulfilled if the company knows every supplier that holds a copy.

In a separate analysis by supply chain and logistics solutions provider ModusLink, GDPR was examined against the backdrop of rising Internet of Things (IoT) adoption across supply chains. IoT makes it easier than ever for organizations to accumulate data pools, and those pools are exactly what must be inventoried for compliance.

“Even if companies attempt to share this information, they are often only able to discover a subset of the data that exists across several different pools, preventing them from complying with the GDPR,” ModusLink stated.

Companies have to “organize and reconcile” data across those pools, and across suppliers and business partners, the company noted.

GDPR compliance must be a component of the supplier relationship management strategy, analysts said. Unfortunately, the latest data suggest that businesses are still struggling to comply with the rules.

According to a report from the Business Information Industry Association (BIIA) on Tuesday (Aug. 21), the latest research from Dimensional Research found that 80 percent of businesses believe they are not yet GDPR-compliant: 53 percent are in the process of achieving compliance, and 27 percent haven’t started.

The figures reflect a global lack of preparedness, as organizations based outside the EU but dealing with European companies in their supply chains also stumble over GDPR requirements. Researchers highlighted EU companies’ slightly higher rate of compliance: 27 percent of EU firms reported being compliant, compared with 21 percent in the U.S. and U.K.

The vast majority of companies expect to be fully compliant by the end of 2019.

Researchers noted that the complexity of the GDPR legislation emerged as the top barrier to compliance. Despite these challenges, most firms agree that GDPR will be beneficial to their business.

Separate research from cybersecurity firm CrowdStrike suggests that supply chains cannot afford to delay adherence to GDPR, as cyber incidents increasingly target the buyer-supplier relationship. According to CrowdStrike research released last month, 66 percent of companies have experienced a software supply chain attack, making data protection initiatives, whether mandated by GDPR or not, a paramount issue. A supply chain compromise that exposes personal data is also a reportable breach under GDPR, which requires notifying the supervisory authority within 72 hours of becoming aware of it, so a supplier’s incident becomes the buyer’s regulatory deadline.

“Widespread incidents, such as the NotPetya attack and CCleaner outbreak in 2017, have combined with the European Union’s new [GDPR] to bring the risk of supply chain attacks to the forefront,” CrowdStrike concluded.