GDPR and Procurement: 9 Things You Should Know

Data protection has been a growing concern worldwide as more of our personal information moves online. In Australia, this concern has become acute recently after the hacking debacles at Optus and Medibank. Many have wondered, ‘How can this happen?’ Many are now asking, ‘How could this have been prevented?’

On May 25th, 2018, the European Union implemented the General Data Protection Regulation (GDPR), the strictest data protection law in the world. The GDPR gives individuals more control over their personal data, including the right to know what data is being collected about them, the right to have that data erased, and the right to object to its use.

The recent hacking scandals in our own country have highlighted the importance of the GDPR. At Optus alone, the personal information of two million customers was exposed by hackers – not just names, addresses and phone numbers, but – in some cases – Medicare details and passport numbers.

The reality is, if Optus had been subject to the GDPR, it may have been required to take steps to secure its customer data against such attacks.

These recent data breaches highlight the importance of the GDPR for companies doing business in Europe. By requiring strong data protection measures, the GDPR helps ensure that companies are better equipped to deal with cyberattacks and to protect the privacy of their customers’ personal data.

To learn more about the GDPR and its implications for your procurement, here are nine things you should know:

9 Essential Things You Need to Know About GDPR and Procurement

1. All businesses that process the personal data of EU citizens must comply with GDPR regardless of business location.

Under the GDPR, any business that processes the personal data of EU citizens must comply with the regulation, regardless of where the business is located. This applies to both online and offline data processing activities.

This includes businesses that process personal data for their own purposes as well as those that process it on behalf of others. The GDPR requires companies to take steps to protect personal data from unauthorized access, use, or disclosure. Businesses must also inform individuals of their rights over their personal data and of how that data is processed.

2. Businesses must appoint a Data Protection Officer.

The GDPR requires businesses to appoint a Data Protection Officer (DPO) if they engage in large-scale processing of sensitive personal data or if their core activities involve regular or systematic monitoring of individuals on a large scale.

The DPO is responsible for ensuring compliance with GDPR and can be a contact point for individuals who have questions or concerns about how their personal data is processed. For most businesses, appointing a DPO is not mandatory. However, it’s good practice to appoint someone responsible for overseeing GDPR compliance within the organization.

3. The GDPR requires businesses to get explicit consent from individuals before collecting, using, or sharing their personal data.

One of the key principles of GDPR is that businesses must get explicit consent from individuals before collecting, using, or sharing their personal data. This means that companies must have a process in place to obtain permission from individuals and demonstrate that they have done so.

Businesses must also provide individuals with clear and concise information about their rights under GDPR and ensure that individuals can withdraw their consent at any time.

4. Individuals have the right to access their personal data that is held by businesses.

This includes the right to request a copy of the personal data that is being processed, as well as information about the purposes of the processing, the categories of personal data that are being processed, and the recipients of the personal data.

GDPR also gives individuals the right to request rectification of inaccurate or incomplete personal data and to have their personal data erased (also known as the “right to be forgotten”).

5. Businesses must protect the personal data they collect from individuals against unauthorized access, use, or disclosure.

This includes implementing physical security measures (e.g., locked filing cabinets) and technical security measures (e.g., password protection).

6. GDPR requires businesses to notify individuals without undue delay if there has been a breach of their personal data.

Even if the personal data is encrypted, businesses must still notify individuals if there has been a breach of their personal data. The GDPR also requires businesses to inform the supervisory authority (e.g., the Information Commissioner’s Office in the UK) of any data breach that poses a risk to the rights and freedoms of individuals.

7. The maximum fine for non-compliance with GDPR is 4% of annual global turnover or €20 million (whichever is greater).

GDPR sets out strict penalties for businesses that breach the regulation, with a maximum fine of 4% of annual global turnover or €20 million (whichever is greater). This is in addition to any other remedies that may be available to individuals under GDPR, such as the right to have their personal data erased or the right to receive compensation for damages.

8. Child-specific provisions under GDPR apply when companies offer online services directly to children under 16.

For instance, businesses need parental or guardian consent before collecting, using, or sharing personal data relating to children under 16. In addition, children under 13 years old require additional safeguards when consenting to the processing of their personal data because they are not legally able to give consent themselves.

9. There are certain circumstances where businesses can process personal data without needing consent from individuals.

For example, processing may be permitted without consent if it is necessary for the performance of a contract with the individual, for carrying out a legal obligation, or for protecting the vital interests of the individual. However, these exceptions must be applied carefully and should not be used as a way to bypass obtaining consent from individuals.

As a business owner, it’s important to know how GDPR affects your procurement processes. By understanding these nine facts about GDPR and procurement, you can ensure that your business remains compliant with the law and protects the personal data of your customers.