GDPR is an EU regulation and was enforced across the EU from 25 May 2018. It will replace the Data Protection Directive 95/46/etc. Although the UK is  planning to leave the EU, Brexit will have no impact on the implementation of this Regulation. GDPR is being introduced to keep pace with the modern technology landscape.

GDPR is more extensive in scope and application than the current Data Protection Act (DPA). The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
Processes (and systems) must be built on the principle of privacy by design. The GDPR separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide sufficient guarantees to implement appropriate technical and organisational measures to meet the GDPR’s requirements and protect data subjects’ rights.

In scope material for GDPR includes:

  • Personal data that is processed wholly or partly by automated means.
  • Personal data that is part of a filing system, or intended to be (this includes paper based records).

GDPR includes the following rights for individuals:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object;
  • the right not to be subject to automated decision-making including profiling.


The right to data portability is new and only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the  performance of a contract; and
  • when processing is carried out by automated means.


Nprocure will work with your organisation and your suppliers to ensure GDPR compliance within your contracted agreements and supply chain procedures. Through deploying the relevant tools, we can:

Nprocure can provide support to assist an organisation run tenders for new systems or implement contract variations. Nprocure brings the perspective of buy and sell side, deploying experienced commercial resources that have a deep understanding of supplier margin and sales processes combined with the practical experience of what works well in client organisations. Through this we can deliver robust contracts that enable both parties to achieve sustainable value from the relationship. Working primarily in regulated industries we also bring significant experience of OJEU and Utilities Directives from our MCIPS certified team.

Using our risk tools and methodology, Nprocure can identify the high-risk organisations and countries where GDRP risk is greatest. Following our methodology Nprocure will;

  • map the flow of personal data through the supply chains, including sub-processors and where the personal data is processed.
  • identify existing supplier contracts impacted and review the data protection provisions with consideration to the organisation’s approach to risk in existing and new contracts in light of the GDPR.
  • check supplier insurance provisions cover data protection and security breaches.
  • check supplier systems ensure that processes are in place to enable the organisation to satisfy the 72-hour breach notification requirement.
  • With the risks identified, suppliers can be categorised and we can tailor the strategy to ensure compliance in your supply chain, effectively and efficiently.

Using the Nprocure Supplier Relationship Management Platform, we will work with suppliers to achieve compliance with your organisation’s policies to increase transparency and reduce liabilities. This will create a gap analysis report that we can then use to maximise the effectiveness of your approach to GDPR through a targeted supplier engagement.

We will work with your suppliers to ensure contracted clauses policies and controls are embedded within your suppliers’ ways of working. We can provide advice on the additional policies or clauses that need to be implemented into your supply chain contracts to protect your organisation. The implementation of these clauses and polices helps demonstrate compliance through the implementation of appropriate information security and privacy clauses.

Audits are a one way check compliance to GDPR throughout the various tiers of your supply chain. We can make sure your suppliers have the right procedures in place to ensure adherence to GDPR and GDPR principles within their business model.