The impacts of personal data protection on the procurement process
Hiring suppliers, whether to provide services or to outsource certain activities of the company, is a routine activity for the purchasing team. In these processes, it is important that the purchasing area acts as a profit center rather than a cost center.
After all, the main objective of hiring suppliers to carry out certain activities or deliver certain products is to gain internal efficiency, increasing the value of the company, reducing costs and allowing employees to focus fully on the core activities of the business.
It is worth remembering that, to a greater or lesser degree, a problem with a supplier in this ecosystem may affect the quality of the contracted service or product, and may even make its proper use unfeasible. According to CrowdStrike's Global Security Attitude Survey, supply chain attacks have become increasingly common.
The 2021 figures indicate that 77% of respondents experienced some form of attack on their supplier network, an increase of 16% compared to the 2018 data. Likewise, the percentage of companies suffering cyberattacks in their supply ecosystem grew from 32% in 2018 to 45% in 2021.
In view of these numbers, the expectation is that contracted digital tools may become the biggest security threat for companies.
An IBM study, conducted with the Ponemon Institute, on the cost of data breaches reached similar results: a fifth of all the breaches studied originated in the vendor ecosystem, with an average cost of USD 4.46 million.
In this context, the purchasing department must establish a careful process for selecting the companies that make up the supply chain. More than avoiding the risks and contingencies associated with cyberattacks that suppliers may suffer, the objective must be to establish cooperative and collaborative relationships between supplier and contracting company, so that both parties benefit. To this end, implementing solid contracting processes for these partners is essential.
What is procurement?
Procurement is exactly that: a multi-step process that covers the purchasing cycle as a whole, not just price negotiations and payments. The procurement process actually begins when the company's purchasing department identifies, even proactively, a need or advantage in hiring a supplier for some activity carried out by the company.
Once this need is understood, the technical requirements for that product or service must be surveyed in order to select the suppliers that meet the needs of the contracting company. At this stage, considering all the risks associated with contracting tools and possible data leaks, it may be worthwhile to carry out supplier due diligence as a measure to mitigate security risks.
In this exercise, compliance with the specific applicable requirements, such as personal data protection, information security, tax and integrity, must be analyzed.
Once the supplier has been approved, the next step is negotiating feasible quotes, followed by contracting. Finally come the billing, payment and follow-up stages, the latter either internal (understanding the degree of satisfaction with the supplier) or external (verifying that the services or products were delivered as agreed between the parties).
Management of the procurement process can rely on support tools to streamline each of these steps, such as a ticketing tool, supplier governance tools and electronic document signing.
The impact of data protection on the procurement process
With the entry into force of the General Data Protection Act (LGPD), procurement, and specifically the due diligence stage, gained an additional layer of complexity. This is because the data governance required by the LGPD demands that the responsibilities of the actors involved in the personal data processing chain be determined and communicated to the data subject.
In addition, in certain types of relationship, one of the agents may be held liable for acts committed by its suppliers. In other words, there are new personal data risks to manage that involve the relationship with suppliers.
Therefore, it has become essential to rethink the relationship with suppliers that deliver, receive and store personal data. Since these privacy risks are potential costs for the company, mitigating them is also a way for the purchasing area, together with the privacy area, to deliver value to the company.
This management adds three steps to the purchasing process:
- understand how the processing operations between the parties will take place, in order to define the obligations applicable to the supplier;
- assess the degree of maturity of the supplier's privacy program in view of these obligations;
- define responsibilities contractually, through a data processing agreement.
These three steps can be allocated within the procurement process, during the survey of essential technical requirements for suppliers and during contracting, respectively.
Personal data flow in the supplier ecosystem
The starting point of this process is to understand, based on the operational activity in which the supplier will take part, the flow of personal data between the parties and the role played by each one. This analysis makes it possible to identify the obligations applicable to the parties and the appropriate legal arrangement: that is, whether the established relationship is between controller and operator, operator and sub-operator, or joint or independent controllers.
The company begins the evaluation based on the criteria for identifying the data controller, according to the Guidance on the Definitions of Processing Agents of the National Data Protection Authority (ANPD):
- Who determines the nature of the personal data processed?
- Who defines the forms and purposes of the personal data processing activities?
- Who determines the duration of the processing?
In addition, it is important to understand how important that operational activity is for the company. For example, a supplier that processes personal data and participates directly in the products offered by a company may be considered more critical, in privacy terms, than a legal consultancy that deals with personal data only in specific transactions.
Due diligence and supplier approval
Supplier due diligence plays a fundamental role in the procurement process. The requirements analyzed give the contracting party an X-ray of the maturity of the supplier's internal controls and, consequently, of the level of risk that the supplier may bring to the business.
In addition, the process itself is a way for the company to demonstrate accountability, that is, to create evidence that it sought to identify the supplier's possible flaws or gaps before contracting. If the supplier meets the criteria the contractor considers minimum, it may be considered approved after due diligence.
The first step in structuring effective due diligence is to define the applicable framework, that is, the rules, laws and good practices to which the company is subject. It must be determined which privacy laws apply to the business. If the company operates in other countries, other data protection laws or regulations may apply in addition to the LGPD.
With the applicable framework defined, and starting from the outputs of the previous stage, in which the arrangement of processing agent roles was defined, the data protection obligations applicable to the supplier in question can be established.
Predefined obligation templates can be created for operators and sub-operators, and for joint and independent controllers. From this list of applicable obligations, a heat map and a risk matrix must be drawn up, taking into account the potential harm (to the company as well as to customers and data subjects) that non-compliance with each requirement would generate, in terms of probability and impact.
For example, due diligence should check whether the supplier carries out international transfers of data and, if so, under which hypothesis that authorizes it. If the supplier indicates that there is a transfer, but that it is not based on one of the instruments of art. 33 of the LGPD, potential harm is created for the contracting company, namely non-compliance with a legal obligation.
The probability of harm can be considered average, since the ANPD has not yet established specific regulations on transfers, but even so the impact of legal non-compliance can be high.
For each of the requirements analyzed, the same exercise must be carried out: reflect on the potential harm, its probability of occurring and its impact if it does occur.
It is worth noting that due diligence does not have to, and should not, be limited to privacy issues. The questionnaire may also contain tax, integrity and information security questions, for example. It is enough that the risk matrix of all areas is homogeneous, so that, in the end, the supplier's global risk is identified and taken into account.
Depending on the complexity of the supplier approval process, such as the number of active suppliers and the diversity of applicable issues, it is worth considering a tool that automatically calculates the supplier's risk from the questionnaire.
Regardless of how the due diligence is carried out, the answers to these questionnaires must contribute, together with the quotes obtained, to choosing the best supplier. A supplier that participates in a critical operating activity of the company and is slightly more expensive than the others may be worth it if its risk is lower.
It is recommended that this assessment be repeated periodically, depending on how critical the supplier is for the contracting company. This allows the company to track the evolution and updating of the supplier's controls over time, which may be reflected in the price of the service (for example, if the risk increases, the contractor could request a discount or renegotiate the price) or even in replacing the supplier.
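As an added illustration (not part of the original article, nor of any Clicksign product), the following Python sketch turns the heat map described above into a small calculator: each finding is scored as probability × impact on an assumed three-level scale, the international transfer case from the text is included as a worked finding, and a homogeneous matrix across privacy, tax and information security is aggregated into a global supplier risk. The numeric scale, the band thresholds and the "worst area wins" aggregation rule are assumptions, as are the sample answers.

```python
"""Added example: supplier risk matrix (probability x impact) over due diligence answers."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ordinal scale for the heat map; the article names the levels, not the numbers.
LEVEL = {"low": 1, "average": 2, "high": 3}

@dataclass
class Finding:
    area: str         # privacy, tax, integrity, information security, ...
    requirement: str
    probability: str  # key of LEVEL
    impact: str       # key of LEVEL

    @property
    def score(self) -> int:
        return LEVEL[self.probability] * LEVEL[self.impact]

def band(score: int) -> str:
    """Assumed heat-map bands for the 1..9 product: 1-2 low, 3-5 medium, 6-9 high."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def assess_international_transfer(answers: Dict[str, object]) -> Optional[Finding]:
    """Worked case from the text: a declared transfer without an art. 33 LGPD
    instrument is rated average probability / high impact; with one, low / high."""
    if not answers.get("transfers_abroad"):
        return None
    probability = "low" if answers.get("art33_instrument") else "average"
    return Finding("privacy", "international transfer (art. 33 LGPD)", probability, "high")

def global_risk(findings: List[Finding]) -> Dict[str, object]:
    """Homogeneous matrix across areas: each area keeps its worst score and the
    worst area sets the supplier's global band (aggregation rule assumed here)."""
    per_area: Dict[str, int] = {}
    for f in findings:
        per_area[f.area] = max(per_area.get(f.area, 0), f.score)
    worst = max(per_area.values(), default=0)
    return {"per_area": per_area, "global_score": worst, "global_band": band(worst)}

# Constructed questionnaire answers and findings for a hypothetical supplier.
SAMPLE_ANSWERS = {"transfers_abroad": True, "art33_instrument": None}
SAMPLE_FINDINGS: List[Finding] = [
    assess_international_transfer(SAMPLE_ANSWERS),
    Finding("information security", "encryption at rest", "low", "high"),
    Finding("tax", "fiscal regularity certificate", "low", "low"),
]
print(global_risk(SAMPLE_FINDINGS))  # global_band "high", driven by privacy (score 6)
```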
The hiring of the supplier and the personal data protection clauses
The third stage of the procurement process impacted by privacy laws is negotiating the contract with the supplier. This is because the supplier's obligations and responsibilities regarding personal data must be formally established, both as a way of mitigating the risks found in due diligence and as a form of accountability.
These privacy clauses may be simpler or more complex, depending on how critical the supplier is and the level of risk found. In addition, they may be included in a standard supplier contract template or in a stand-alone contract, such as a Personal Data Processing Agreement.
In general, a good privacy contract covers at least the following topics:
- obligations of the parties (to comply with the agreement, the legislation and, possibly, any privacy policy of the supplier);
- roles of the processing agents (following the ANPD's own guidelines);
- whether or not the supplier can share personal data with third parties (i.e., with its own delivery ecosystem) and what the requirements for this sharing are;
- international transfer of personal data and the need to define the hypothesis that justifies this activity, in accordance with art. 33 of the LGPD;
- cases in which personal data must be deleted (such as termination of the contract or a request from data subjects);
- personal data security;
- incidents involving personal data, establishing a maximum period for notifying the contractor;
- rights of data subjects and which of the parties must fulfil them, including defining a process for notifying the other party, where appropriate;
- liability and compensation.
Clicksign can help you optimize document processes and manage contracts. Get to know our features and plans and try it free for 14 days, no credit card required!