'GDPR will be hard for large suppliers like Salesforce' warns expert panel

Large vendors used to handing out boilerplate terms and unused to negotiating contract details will struggle with GDPR, warn CIOs

Large suppliers will find problems once the EU's General Data Protection Regulation (GDPR) comes into force in May 2018, as they are used to using standard terms and conditions with the majority of customers, and not negotiating terms with each customer.

That's the opinion of Kevin Flood, information risk and security consultant for Prudential Assurance, speaking at a recent Computing event.

"It's been easy for us to bring GDPR in," Flood began. "But it's not easy for big suppliers like Salesforce, they have this big boilerplate contract and they say they won't customise it for you. We say they have to.

"They say they won't, but if you're big enough and stubborn enough they will. Because if they start losing all their small fry customers, they'll lose a lot of business overall, so even small firms can negotiate."

The GDPR will bring with it a host of new corporate responsibilities in terms of managing individuals' personal data, including the need to delete certain types of data after certain periods of time. Flood explained that suppliers need to ensure that their terms match up to their customers' responsibilities under the legislation.

Some experts have argued that technically, GDPR is already in force, despite announcements that it doesn't apply before May 2018.

Jonathan Kidd, CISO at Hargreaves Lansdown, also speaking as part of the panel, agreed with Flood.

"If firms can't tailor terms to us we won't work with them. We've done that in the past and we'll do it again. We've already started to go out to suppliers and renegotiate contracts, in order to insert terms around GDPR. That can be a shock to some organisations," he said.

Kidd added that his firm already conducts regular, extensive audits of its data and processes, but will need to perform even more after GDPR comes into effect.

He also explained that if he is unable to find satisfactory terms among suppliers, he'll bring the work in-house.

"We're fortunate to have in-house development and support, and we will do whatever's needed internally if we're not getting the right responses from third parties. We have no choice if they won't flex for GDPR," said Kidd.

A member of the audience then asked the panel if larger suppliers have an advantage in terms of the manpower needed to rewrite contractual terms to suit GDPR. Flood said that he believes smaller suppliers are just as likely to be able to comply.

"The size of the supplier is not relevant, lots of smaller suppliers are already prepared. The larger ones are arrogant and think they don't need to worry too much, for what reason I've no idea."

Earlier at the event, Peter Agathangelou, associate director at Hamilton Fraser Insurance, described the need to comply with GDPR as a "pain in the bum".

Computing's IT Leaders Forum 2017 is coming on 24 May 2017. The theme this year is "Going Digital: Why your most difficult customer is your best friend".

Attendance is free, but strictly limited to IT Leaders. To find out more and to apply for your place, check out the IT Leaders Forum website.