GEP and the General Data Protection Regulation — What Our Clients Should Know

Fulfilling Our Obligation

It is our intention to be fully in compliance with all current laws and regulations regarding the collection, sharing and use of all data, including personal data. With the introduction of the General Data Protection Regulation (GDPR) in the European Union, GEP renews its pledge to its customers — particularly those using our unified source-to-pay platform, GEP SMART — to be a full partner in the realization of the digital future, not just in Europe but across the globe.

We also intend to work with our customers and all their GEP SMART users to help them understand how we, as processors of data, achieve data privacy compliance, and how the GEP SMART platform enables our customers to be in compliance as controllers of data.

This page provides the GEP perspective and approach to compliance with GDPR.

GDPR, GEP and You

In January 2012, the European Commission announced its plan to reform the data protection process across the EU so as to make Europe “fit for the digital age.” After a four-year effort, agreement was reached on how to make that intention a reality, via the GDPR.

 

On May 25, 2018, the GDPR will become enforceable, replacing the current EU Data Protection Directive. The GDPR differs from the Data Protection Directive in that it will have direct effect in all EU member states, which will not need to create any local legislation; the GDPR will override any country-specific privacy laws that were already in place.

 

The GDPR applies to any organization or corporate entity operating within the EU, as well as those outside the EU that offer goods or services to businesses or customers in the EU. This means that every organization, regardless of location, that works with the personal data of EU citizens (as defined by the GDPR) will be under obligation to comply with GDPR requirements.

 

Under the GDPR framework, GEP’s customers are designated as “controllers” of the personal data contained within the GEP SMART platform, and GEP is designated as a “processor.” Therefore, GEP and its customers are both required to comply with certain obligations under this new data protection directive. One set of obligations is specific to the controller-processor relationship; the other set concerns the controller’s responsibilities for handling personal data — in this case, mainly from users of GEP SMART, such as employees and business associates.

 

GEP expects that its customers and GEP SMART users will be mindful of the legal requirements that are going into effect under the GDPR. In particular, we ask our clients to make certain that they have obtained consents and permissions that GEP must have in order to function as a processor of business-related personal data.

 

As a business partner with our clients, GEP has made the commitment to support their compliance-related efforts. These include activities related to the GDPR criteria in Chapter III (Rights of the Data Subject), especially the rights of access and rectification (Articles 15 & 16), right to erasure or “right to be forgotten” (Article 17), right to data portability (Article 20), and right to not be subject to automated decision-making, including profiling (Article 22).

 

How GEP Is Getting Ready for GDPR

Data privacy is at the heart of GEP’s operating model. Our existing GEP Privacy program is comprehensive and based on globally accepted standards, including compliance certifications in accordance with SOC1 and SOC2 standards. In light of the upcoming GDPR, our Legal, Information Security, Cloud Infrastructure, Product, and Privacy teams have initiated a GDPR readiness project in which a dedicated group of internal and external compliance experts are working diligently toward the May 25, 2018 deadline.

Preparing for GDPR: Five Critical Steps

Recently, the Gartner blog, “Smarter with Gartner,” published its top 5 priorities for organizations seeking to be fully compliant with the GDPR. GEP’s interpretation and response to these priorities is as follows:

Determine Your Role Under the GDPR

As a cloud-native, unified source-to-pay procurement platform, GEP SMART is processing personal data on behalf of its customers; therefore, GEP SMART is designated by the GDPR as a data processor. Mindful of the expected compliance with existing data privacy laws and data security measures from a global cloud service provider like GEP SMART, we have already implemented an information security program with policies and procedures that help ensure that we conform to current and new compliance requirements when providing our services.

Appoint a Data Protection Officer

The GDPR will require many organizations to create a Data Protection Officer (DPO) position. Such organizations include public authorities, except for courts acting in their judicial capacity, or those in the private sector where a) a controller is processing operations that require regular and systematic monitoring of the data subjects, or b) where certain special categories of data are being processed on a large scale (see Articles 9 and 10). GEP is appointing a DPO to monitor internal compliance with this regulation. 

Demonstrate Accountability in All Processing Activities

GEP’s compliance program is already thoroughly defined and based on globally accepted standards. Its effectiveness is periodically affirmed by third parties under various compliance certifications, including SOC1 and SOC2. GEP has implemented an information security program consisting of policies and procedures that define how system information is entered, managed, and protected. Our current information security program is further specified in GEP SMART’s Master Services Agreement (MSA) and SaaS Agreement. Specifically, GEP commits to monitor and respond to security incidents in a timely manner in accordance with our standard operating procedures, which define the steps that GEP employees must take in response to a threat or security breach. GEP has dedicated an ongoing effort to creating a growing and well-trained global security team, with industry expertise that includes technical, policy and legal, augmented by a strong complement of external specialists.

Check Cross-Border Data Flows

Like its predecessor Data Protection Directive, the GDPR permits personal data to be transferred outside of the EU subject to compliance with certain restrictions, including restrictions on onward transfer. GEP can enter into a Master Services Agreement (MSA) with applicable clients using GEP SMART. The MSA brings GEP and the customer to agreement on the terms for the proper processing of customer personal data, including the language in our security and data privacy policy and the EU’s standard contractual clauses.

Prepare for Data Subjects Exercising Their Rights

GEP SMART customers collect the personal data of their users to interact with them for purposes of managing their spend. These individual users are the data subjects, and our clients — in their role as data controllers — are obligated to respond to certain requests as permitted under the GDPR. Our clients will expect GEP, as a service provider and data processor, to provide functionality within GEP SMART that enables them to comply with GDPR requirements. GEP SMART is precision-engineered software that uses intelligent, intuitive design to bring about a radical upgrade in user satisfaction and productivity. With the advent of the GDPR, GEP has continued regular internal reviews of GEP SMART platform features to reconfirm that the platform provides the needed features to our customers.

Going Forward Under GDPR

GEP has committed to a continual, ongoing responsibility to ensure the privacy and security of clients’ data. This page will be updated as needed, before and after the GDPR goes into effect, to be completely current with GDPR-related developments. If you have any questions, please contact us at info@gep.com.

Additional Resources

Legal Disclaimer

This web page is provided for informational purposes only, should not be considered as a contractual commitment or legal advice, and does not discuss other privacy-related laws or regulations that may also be relevant to our customers and prospects, including any industry-specific requirements. You should not act upon this information without seeking your own advice in your own state or country. The relevant privacy and data protection laws and regulations applicable to individual companies will depend on several factors, including but not limited to where a company conducts its business, the industry in which it operates, the type of content it wishes to store, where or from whom the content originates, and where the content will be stored.