David Brindle | 26 April 2018
As a provider of managed learning services, which to some extent comprise a significant amount of vendor management, we are quickly seeing how GDPR is having an impact on us and the market which we work within. Here are the facts: the key purpose of GDPR is to increase and protect the rights of EU data subjects by creating clear channels of accountability over data processing. The new data protection laws will extend to any organisation that collects or processes the personal data of EU residents – regardless of whether the organisation is based in the EU.
Up until now (or at least 25th May 2018), the learning industry has not really been under much pressure with the existing Data Protection Laws, as a learner’s full name and email address (the latter having been technically owned by their employer) is all that we as learning providers generally require. Acting as a Vendor Manager within a learning contract, engaging with third-party suppliers has been relatively straightforward, as we generally place suppliers into two categories: (i) critical: we need these suppliers to help us carry out the services to the majority of our clients, so we ensure they are fully on-boarded and contracted, and (ii) niche: generally used on an ad-hoc basis to assist with a specific contract. The latter category of supplier is where the concern should be.
Contracts with third-party suppliers that have access to this personal data (a work email address is now considered personal data) will need to be reviewed and addressed to ensure they meet GDPR requirements, or organisations risk paying substantial penalties for non-compliance of up to €20 million or 4% of annual global turnover – whichever is the higher. This surely presents a real and present danger to many of those small (niche) providers, who don’t have a huge team of people working across Legal/Compliance/IT to ensure that their business remains compliant and within GDPR. On the other side of the table, the larger organisations, who in this case could act as the Vendor Manager, are tightening up their supplier contracts to ensure they’re watertight and compliant.
So what does this mean? Broadly speaking, many small providers will have to sign these agreements in order to get the business and if they have any small degree of legal acumen, they will probably decide it’s too risky and their insurance and liability policies (assuming they have them) won’t cover them. But this isn’t the only aspect of GDPR that potentially prohibits these small suppliers having a piece of the larger pie. Up until now, it’s been very easy for a business operating as a Vendor Manager to procure training from small suppliers on an ad-hoc basis, without the need to set up a formal contract. In fact, the relationship worked very well for both parties and specifically the customers, who have been able to access this niche training through their vendor manager’s procurement arm. From 25th May, it seems this will no longer be possible or certainly much more complicated, as instead there will be a requirement for all suppliers to be contracted in full.
We are already seeing this as a potential challenge, as those intangible costs of on-boarding a supplier and agreeing the terms of a contract are considerable. The margins that we as providers (acting as a Vendor Manager) are having to operate within are slim, which is why there needs to be a level of agility and flexibility in how we operate to keep our costs down. What we certainly don’t want to see is the reduction and potential removal of any niche supplier who is unable to sign these daunting supplier agreements. Whilst we all agree that GDPR is very important to the protection of all of our data, as there is certainly a media storm in this area of Facebook and other parties breaking data privacy laws and guidelines, I do feel GDPR is very challenging if you are a small training company (or any small business in many other industries) who rely on part of their revenue from big businesses. I just hope for everyone’s sake, potential solutions and workarounds can be identified to mitigate some of these challenges. I, for one, continue to work on finding them.