ProcureCon IT 2020

17 - 18 November, 2020


Here’s How P&G Has Adapted To GDPR

We sat down with Panos Anastasiou, Group Manager Infosec & GDPR Vendor Compliance at Procter & Gamble to find out how P&G’s IT Procurement department has been responding to GDPR.

Panos will be speaking at ProcureCon IT this year, download the agenda to see his session and many more.

How has GDPR affected your supplier relationships and what opportunities does it represent?

One of several good things that GDPR has done internally in the organisation has been helping us raise awareness and visibility of our compliance efforts. We have much better visibility across relevant stakeholders who manage and deal with supplier relationships in our data processing ecosystem, even with the small suppliers. Similarly, GDPR has also created much more awareness externally around how privacy and information security risks need to be managed. As a result, we have strengthened our contract controls and management capabilities for our inventory of vendors and suppliers, and personal information assets.

P&G has implemented several new processes to strengthen our compliance efforts to protect us now and in the future. This has created a lot more internal awareness for non-procurement people AND has raised visibility on risk management for every new vendor that processes personal information that we intend to introduce into the ecosystem. This in turn can also enable us to avoid unnecessary vendor proliferation and perform active risk management on the portfolio of existing vendors.

A lot of internal business functions are on an active mission to better understand their vendor ecosystem. Having more vendors, by default, means more risk to manage. We recently disabled thousands of vendors that we have in the system which weren’t being used.

What measures are you taking to protect your company's data?

P&G has done some very intensive work preparing for GDPR by strengthening our compliance efforts. We have gone into a lot of detail to create our data asset inventories and understand our processing activities. We’ve re-evaluated how we keep our inventory of data assets up to date, and how we continue monitoring the inventory of suppliers that are managing these assets.

There have been a number of teams that have been set up internally in Europe across Legal, Procurement, Finance, Internal Audit, and a few other functions – including Brand – to ensure both awareness of inventory update and compliance. We are also utilising new external software solutions to help us manage compliance.

The majority of the respondents to our IT procurement survey this year said that the responsibility for vendor management should be shared by IT and IT Procurement. How do you split that responsibility, and how do you take that responsibility on once you've decided whose that is?

Procurement’s individual Supplier Relationship Owners (SROs) take care of each major supplier that we consider important for P&G’s success. The SRO actively manages the relationship and is responsible for many things, including understanding the total spend that we have with that supplier, across which IT areas, what synergies exist where, and what competition can be brought in.

Often the Supplier Relationship Owner is responsible for negotiating with the supplier on existing spend and sometimes we bring specialist Procurement people to negotiate deals on specific areas such as Cloud, network, mobility services or information security.

We're a matrix organisation, so depending on the project and the item, sometimes the SRO manages the discussion and sometimes a procurement specialist does that.

The IT department is responsible for defining their business needs, evaluating vendor performance against specific KPIs and SLAs, and performing ongoing governance and oversight of the services the vendor provides.

Our IT department is supplier agnostic and every IT function should be that way. They are best at defining the business need. Procurement is best at discovering externally the right supplier to best meet that need and then bringing that supplier into the company’s ecosystem.

What advice would you give someone about to take on a similar role to yours?

You need to really have a passion for tackling the difficult conversations both internally and externally. First off, third party risk is an uneasy conversation to have both with internal business functions and with external suppliers – not everybody is comfortable with having the conversation to begin with. Relatively few people today have enough depth and breadth of knowledge to fully understand the risks that are inherent to a supplier relationship. This goes way beyond just InfoSec or Privacy and also beyond financial risks.

A company’s Corporate Social Responsibility approach may be supported or hindered depending on the suppliers used and their own CSR efforts (or lack thereof!). And some suppliers still today are not mature enough to discuss their own third-party risk management and capabilities and how these can affect parties across the supply chain. So you need to make sure you have the right people around the table – and they're not always easy to find.
