The key purpose of GDPR is to increase and protect the rights of European Union (EU) residents by creating clear channels of accountability regarding data processing. The new data protection law will extend to any organization that collects or processes the personal data of EU residents, regardless of whether the organization is based in the EU.
Until now (or at least until May 25, 2018), the learning industry was not under much pressure with the existing data protection laws, as a learner’s full name and email address are all that learning providers generally require. For vendor managers, engaging with third-party suppliers has been relatively straightforward, as they generally place suppliers into two categories: critical (“We need these suppliers to help us carry out services to the majority of our clients, so we ensure they are fully onboarded and contracted”) and niche (generally used on an ad hoc basis to assist with a specific contract). The latter category of supplier is where GDPR most comes into play.
Organizations will now need to review contracts with third-party suppliers that have access to learners’ personal data (a work email address is now considered personal data) to ensure they meet GDPR requirements. Otherwise, their organizations will risk paying substantial penalties of up to €20 million (about $24.6 million) or 4 percent of annual global turnover – whichever is higher. This penalty surely presents a real and present danger to many small (niche) providers, which don’t have a large team of people working across legal, compliance and IT departments. On the other side of the table, the larger organizations are tightening up their supplier contracts to ensure they’re watertight and compliant.
What does this mean for training companies? Broadly speaking, many small providers will probably decide these agreements are too risky and that their insurance and liability policies (assuming they have them) won’t cover them. But this isn’t the only aspect of GDPR that potentially prohibits these small suppliers from having a piece of the larger pie. Until now, it’s been very easy for businesses operating as vendor managers to procure training from small suppliers on an ad hoc basis, without the need to set up a formal contract. In fact, the relationship worked very well for both parties and especially the customers, who have been able to access this niche training through their vendor manager’s procurement arm. Beginning May 25, this approach may no longer be possible, or it will be much more complicated, as instead there will be a requirement for all suppliers to be contracted in full.
We are already seeing GDPR as a potential challenge, as those intangible costs of onboarding a supplier and agreeing to the terms of a contract are considerable. The margins that providers, acting as vendor managers, are having to operate within are slim, which is why there needs to be a level of agility and flexibility in how we operate to keep our costs down. What we certainly don’t want to see is the reduction and potential removal of any niche supplier that is unable to sign these daunting agreements.
While we can all agree that GDPR is important to the protection of all of our data, I feel GDPR is quite draconian if you are a small training company (or any small business) that relies on big businesses for part of your revenue. I hope for everyone’s sake that we can identify potential solutions and workarounds to mitigate some of these challenges. I, for one, continue to work on finding them.