What does GDPR say about supply chain transparency?

GDPR legislation brought about broad-reaching implications that span the globe. The law applies to every company that processes the personal data of individuals residing within the European Union (EU), regardless of where the company is located. If you are a data controller, you are required to protect the rights of those individuals, including by processing their data securely. That obligation entails passing compliance measures down, through contractual conditions, to any external organization that processes or accesses your data.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a privacy and security law drafted and passed by the EU. It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The law levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros. Although it is a European law, its requirements apply to many companies, nonprofits, and universities in the United States. 

The GDPR and Supply Chain Data

GDPR applies to any personal data collected, processed, transmitted or stored in the course of supply chain transparency work. This includes the names and contact information of individuals employed at supplier facilities, as well as information about smallholder farms, which are often both the residence and the workplace of the owner. Smallholder farms are prevalent across a number of key agricultural commodities, including coffee, cocoa, palm oil, rubber, and many herbs and spices such as cinnamon, vanilla and mint. By collecting information from these suppliers, many companies expose themselves to GDPR risk.

Is Supply Chain Transparency possible with GDPR?

It’s never been more important for companies to know exactly where their goods are produced. Regulations to tackle problems from child labor to deforestation are either in force or being developed across the world. Thanks to new transparency technology, it’s possible for companies to verify conditions in every farm, every mine, every factory and every warehouse in their supply chain. This often requires collecting sensitive information, including contracts, proofs of payment, payroll records, and other documents.

“GDPR does not make it impossible to conduct supply chain due diligence. It just requires potentially some tweaking in the way in which organizations are, or have been conducting those exercises in the past,” said Tim Van Canneyt at Sourcemap’s second annual Supply Chain Transparency Conference. Van Canneyt is a GDPR expert and Partner at Fieldfisher law firm. “It’s important to assess or reassess whether you are collecting perhaps more data than you strictly need to achieve your objective of supply chain diligence.”

Businesses can and should implement management strategies that treat compliance as a mandatory piece of the supply chain puzzle. Since GDPR does not prescribe the exact measures such a plan must include, companies must be diligent about assessing which policies are needed and then making those policies as specific as possible.

How to implement Supply Chain Transparency in a way that complies with GDPR

There are a number of precautions companies can take to ensure that their supply chain transparency initiatives are compliant with GDPR.

  • Informed consent: No matter their size, suppliers need to provide informed consent of the ultimate use and destination of data contributed as part of supply chain transparency. If you’re using a GDPR-compliant supply chain transparency platform, informed consent is included in the terms of use for all users.

  • Anonymization and aggregation of data: It may be impossible to map a supply chain without collecting personal information, but sensitive data does not need to be shared with brands or regulators. Instead, the risks can be assessed and reported using anonymized, aggregated data that leaves personal information encrypted.

  • Limiting data transfers: Transparency across global supply chains might mean transferring personal information into jurisdictions with strict privacy regulations. Make certain that your supply chain transparency platform provider can locate data collection, processing and transmission in the jurisdictions that benefit your company – choosing an international provider with multi-region support for your supply chain transparency platform gives you the most flexibility.
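As an added illustration of the anonymization-and-aggregation precaution above (example code written for this page, not Sourcemap's own platform code), the block below pseudonymizes supplier records with a keyed HMAC token and then builds a brand-facing risk report that contains only per-region, per-commodity rates, suppressing any group too small to hide an individual supplier. The supplier records, the key, the field names and the group-size threshold are all constructed assumptions for the example.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records, as a transparency platform might hold them.
# Names, phone numbers and residences are invented for this example.
SUPPLIER_RECORDS = [
    {"owner_name": "Owner One", "phone": "+000 0001", "residence": "Village A",
     "region": "Region-A", "commodity": "cocoa", "child_labor_flag": False, "deforestation_flag": True},
    {"owner_name": "Owner Two", "phone": "+000 0002", "residence": "Village A",
     "region": "Region-A", "commodity": "cocoa", "child_labor_flag": False, "deforestation_flag": False},
    {"owner_name": "Owner Three", "phone": "+000 0003", "residence": "Village B",
     "region": "Region-A", "commodity": "cocoa", "child_labor_flag": True, "deforestation_flag": True},
    {"owner_name": "Owner Four", "phone": "+000 0004", "residence": "Village B",
     "region": "Region-A", "commodity": "cocoa", "child_labor_flag": False, "deforestation_flag": False},
    {"owner_name": "Owner Five", "phone": "+000 0005", "residence": "Village C",
     "region": "Region-B", "commodity": "coffee", "child_labor_flag": False, "deforestation_flag": True},
    {"owner_name": "Owner Six", "phone": "+000 0006", "residence": "Village C",
     "region": "Region-B", "commodity": "coffee", "child_labor_flag": True, "deforestation_flag": False},
]

# Fields treated as direct identifiers (an assumption for this example).
PII_FIELDS = ("owner_name", "phone", "residence")

# Assumed processor-side secret; in practice it lives in a key store, never in the report.
PROCESSOR_KEY = b"example-processor-key-do-not-reuse"


def pseudonymize(record, key):
    """Replace each direct identifier with a keyed HMAC-SHA256 token.

    The same value under the same key always yields the same token, so
    records can still be linked and de-duplicated by the processor, but
    without the key the token cannot be reversed or matched to a person.
    """
    out = dict(record)
    for field in PII_FIELDS:
        if out.get(field) is not None:
            digest = hmac.new(key, str(out[field]).encode("utf-8"), hashlib.sha256).hexdigest()
            out[field] = "tok_" + digest[:16]
    return out


def aggregate_risk(records, min_group_size=3):
    """Group by (region, commodity) and report only rates, never rows.

    Groups smaller than min_group_size are suppressed: a rate computed over
    one or two suppliers would effectively disclose each supplier's findings.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["region"], r["commodity"])].append(r)
    report = {}
    for key, members in groups.items():
        n = len(members)
        if n < min_group_size:
            report[key] = {"suppressed": True, "reason": "fewer than %d suppliers" % min_group_size}
            continue
        report[key] = {
            "suppliers": n,
            "deforestation_rate": sum(r["deforestation_flag"] for r in members) / n,
            "child_labor_rate": sum(r["child_labor_flag"] for r in members) / n,
        }
    return report


def build_brand_report(records, key, min_group_size=3):
    """Pipeline a processor would run before anything leaves its boundary."""
    return aggregate_risk([pseudonymize(r, key) for r in records], min_group_size)


def report_leaks_pii(report, records):
    """Release check: does any raw identifier from the source rows appear in the report?"""
    serialized = repr(report)
    return any(str(r[f]) in serialized for r in records for f in PII_FIELDS if f in r)


if __name__ == "__main__":
    report = build_brand_report(SUPPLIER_RECORDS, PROCESSOR_KEY)
    for group, summary in sorted(report.items()):
        print(group, summary)
    print("PII leaked:", report_leaks_pii(report, SUPPLIER_RECORDS))
```

The release check is the part worth keeping in a real pipeline: it is cheap, it runs against the exact artifact that would be shared with a brand or regulator, and it fails loudly if a refactor ever lets a raw name or phone number through.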

The bottom line: Transparency plus GDPR is tricky but it can be done.

For more information about GDPR compliance and regulations, get in touch with us at info@sourcemap.com
