GDPR: Fast Facts for Procurement Organizations


On the home site for the EU’s General Data Protection Regulation (GDPR), a countdown advances toward May 25, 2018. Just over 200 days away, the enforcement date is marked on the calendar of every global organization, because the consequences are clear: non-compliance means heavy fines.

As the clock continues ticking, we’ve assembled what you need to know about GDPR — its background, the changes that come with it and the repercussions of non-compliance.

RELATED WEBINAR: Jason Busch and economist Ahmad Sadeddin discuss GDPR, natural disasters and other risks facing procurement organizations in Economics, Environment and Regulations — Oh My! on Thursday at 12 p.m. CDT.


“The EU General Data Protection Regulation is the most important change in data privacy regulation in 20 years.” This comes straight from the GDPR website. The 20 years refers to GDPR’s precursor, Data Protection Directive 95/46/EC, which the European Union passed in 1995. GDPR is needed not only because of today’s rapidly evolving data landscape but also because the previous policy is a directive, which each member state had to transpose into its own national law. As a regulation, GDPR is directly enforceable across the EU without national legislation.


A much larger piece of legislation, GDPR has more teeth than its predecessor. While the underlying privacy principles remain the same, the new policy is meant to update the standards to fit today’s technology and practices:

  • Increased Territorial Scope: Regardless of the company’s location, the policy applies to all companies processing the data of EU subjects. If a non-EU business processes EU citizens’ data, it will need to appoint a representative in the EU
  • Consent: Requests for consent must be clear and easily accessible, and withdrawing consent must be as easy as giving it
  • Data Breaches: Breach notification is mandatory within 72 hours of a breach
  • Privacy by Design: Data protection has to be included from the onset of system design rather than added later
  • Data Erasure: A data subject may have the data controller erase and cease distribution of personal data

Note: This list of changes is not exhaustive. A full list of updates can be found on the EU’s website for GDPR.


Organizations that fail to comply with GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum possible penalty for serious violations but there are tiered fines for lesser offenses. Rules apply to both controllers and processors.

If you’re looking to learn more about GDPR and risk compliance in today’s turbulent landscape, stop by Spend Matters’ webinar Economics, Environment and Regulations — Oh My! on Thursday at 12 p.m. CDT. Jason Busch and Coupa’s foremost risk expert Ahmad Sadeddin will share real life examples and anecdotes on how to handle risk.

The countdown continues: Will your business be ready for GDPR come 2018?
