Impact of the GDPR regulation

GDPR's impact on vendor management and small learning providers

Will GDPR significantly change how Vendor Management contracts operate moving forward and will those small learning providers be the biggest casualties?

David Brindle | 26 April 2018

As a provider of managed learning services, which to some extent comprise a significant amount of vendor management, we are quickly seeing how GDPR is having an impact on us and the market we work within. Here are the facts: the key purpose of GDPR is to increase and protect the rights of EU data subjects by creating clear channels of accountability over data processing. The new data protection laws will extend to any organisation that collects or processes the personal data of EU residents – regardless of whether the organisation is based in the EU.

Up until now (or at least until 25th May 2018), the learning industry has not really been under much pressure from the existing Data Protection Laws, as a learner’s full name and email address (the latter having been technically owned by their employer) is all that we as learning providers generally require. Acting as a Vendor Manager within a learning contract, engaging with third-party suppliers has been relatively straightforward, as we generally place suppliers into two categories: (i) critical: we need these suppliers to help us carry out the services to the majority of our clients, so we ensure they are fully on-boarded and contracted; and (ii) niche: generally used on an ad-hoc basis to assist with a specific contract. The latter category of supplier is where the concern should lie.

Contracts with third-party suppliers that have access to this personal data (a work email address is now considered personal data) will need to be reviewed and addressed to ensure they meet GDPR requirements, or organisations risk paying substantial penalties for non-compliance of up to €20 million or 4% of annual global turnover – whichever is the higher. This surely presents a real and present danger to many of those small (niche) providers, who don’t have a huge team of people working across Legal/Compliance/IT to ensure that their business remains compliant and within GDPR. On the other side of the table, the larger organisations, who in this case could act as the Vendor Manager, are tightening up their supplier contracts to ensure they’re watertight and compliant.

So what does this mean? Broadly speaking, many small providers will have to sign these agreements in order to get the business and, if they have any small degree of legal acumen, they will probably decide it’s too risky and that their insurance and liability policies (assuming they have them) won’t cover them. But this isn’t the only aspect of GDPR that potentially prohibits these small suppliers from having a piece of the larger pie. Up until now, it’s been very easy for a business operating as a Vendor Manager to procure training from small suppliers on an ad-hoc basis, without the need to set up a formal contract. In fact, the relationship worked very well for both parties and specifically the customers, who have been able to access this niche training through their vendor manager’s procurement arm. From 25th May, it seems this will no longer be possible, or will certainly be much more complicated, as instead there will be a requirement for all suppliers to be contracted in full.

We are already seeing this as a potential challenge, as those intangible costs of on-boarding a supplier and agreeing the terms of a contract are considerable. The margins that we as providers (acting as a Vendor Manager) are having to operate within are slim, which is why there needs to be a level of agility and flexibility in how we operate to keep our costs down. What we certainly don’t want to see is the reduction and potential removal of any niche supplier who is unable to sign these daunting supplier agreements. Whilst we all agree that GDPR is very important to the protection of all of our data, as there is certainly a media storm in this area of Facebook and other parties breaking data privacy laws and guidelines, I do feel GDPR is very challenging if you are a small training company (or any small business in many other industries) that relies on big businesses for part of its revenue. I just hope, for everyone’s sake, that potential solutions and workarounds can be identified to mitigate some of these challenges. I, for one, continue to work on finding them.


David Brindle

Head of Service Delivery

As Head of Service Delivery within QA, David helps support customers in the design and delivery of bespoke learning service solutions. This could range from a part-outsourced solution to a full managed learning service, with both new customers starting out on their journey, as well as existing customers looking at developing the maturity of their current service provision. David has been with QA since 2000, helping the business grow whilst taking on roles in Operations, Customer Services and Managed Learning Services, so has a wide understanding of both the QA organisation and the learning industry as a whole.