Are You Ready for Supply Chain's GDPR?

Joe Henderson, Duncan Mack, & Matt Tichon

Joe Henderson is Principal, Value Solutions Consultant at Coupa. He is a subject matter expert in the Supply Chain Design and Planning practice and consults with partner firms on unique ways to leverage emerging technology and process trends for value creation. Joe brings 15 years of Operations, Continuous Improvement, and Data Science experience to advancing the Supply Chain narrative.

Duncan Mack is an Alliances Director in Coupa’s Alliances EMEA team. In this role he forges strong relationships and partnerships with Coupa’s strategic Alliance Partners to drive mutual benefit and sustainable value. Duncan has spent the last 20 years in the Technology Sector working in a variety of Commercial and Alliance roles across multiple industry verticals and geographies.

Matt Tichon is the Vice President of Industry Strategy at Coupa, where he serves as a thought leader for the Digital Supply Chain Twin, advanced analytics, and applied AI. With a long history of leading supply chain transformations, he leverages his 25 years of experience in executive and senior-level supply chain roles spanning consulting, technology, manufacturing, and distribution — and is one of Supply & Demand Chain Executive's 2021 Pros to Know.


The E.U. General Data Protection Regulation (GDPR) was passed into law in 2016 and represented the broadest approach to codifying individuals' rights to protect their personal data. Specifically, the legislation outlined the rights that individuals had concerning how business entities worldwide use, protect, and share personal information. The GDPR legislation brought about broad-reaching implications that spanned the globe, as the law made no exception for a business's location. If a company offered goods or services to, or merely processed the personal data of, an E.U. citizen, those actions needed to conform to the law. The reach of GDPR was so widespread, in fact, that you personally have likely participated in employer-mandated GDPR compliance training.

While GDPR was concerned with managing and safeguarding personal data, new legislation is emerging within the E.U. that centers around human rights and transparency in the supply chain. We should expect that any new law that passes will have global repercussions and require end-to-end supply chain audits. There will be significant financial penalties for those who do not conform to the law and massive consumer backlash on reported violations.

Emerging E.U. Legislative Action

The E.U. legislation seeks to define corporations' obligations to address and remove human rights violations from their global supply chains. The E.U.'s pending legislation is not the first of its kind. There is a push to hold companies directly accountable for removing human rights violations, addressing destructive climate practices, and legislating processes regarding conflict minerals. Here are some examples of such legislation from E.U. member countries:

  • E.U.'s 2013 Timber and 2017 Conflict Mineral regulations
  • U.K.'s 2015 Modern Slavery legislation
  • France's 2017 "duty of vigilance of parent and ordering companies" 
  • Germany’s 2021 Supply Chain Act (Lieferkettengesetz)

The E.U. legislation stands to add nth-degree accountability with substantial penalties, regardless of where violations occur within the global supply chain. C-suite leaders should take notice and start now to ensure that their supply chains are free of forced child labor and have continuous, transparent processes for how they secure conflict minerals. Not convinced? The GDPR outlined a maximum fine of 4% of global revenues and demonstrated that it has teeth, too, as both Google and H&M received additional fines in 2020 that were on top of previous fines that started rolling out immediately in 2019.

While the E.U. is at the front of this push, last year the United States Congress saw the introduction of the Slave-Free Business Certification Act. While this stalled out during recess, there is a strong indication that this topic will be picked back up in the current cycle, and we will see international commitment.

Supply Chains Lack Transparency

A few general themes have emerged, and they focus on the requirement for a company to be aware of supply chain compliance, transparency, and correction of the aforementioned areas in its suppliers and its suppliers' suppliers. There has been criticism that the German law has capped auditing at the first supplier, often an E.U. wholesaler, while poor behaviors that occur overseas lie beyond the law's scope. The minimum workforce size additionally creates an exemption for roughly 60% of German businesses. The E.U. law is expected to remove those exemptions and extend responsibility to the lowest components, even covering packaging and raw materials.

The E.U. corporation will ultimately be responsible for the goods and materials in its supply chain. Because international supply chains are complex, we will see delegated reporting requirements. Each tier will be responsible for the next tier in the supply chain and be required to maintain those audits. Agriculture and textile supply chains have rightly borne scrutiny over the years as their costs are disproportionately shouldered by poorer countries. Historically, these industries have had rampant abuses in both human rights and environmental impacts. Fortunately, the earlier timber and conflict mineral regulations removed the defense of "out of sight, out of mind" ignorance on these practices in supply chain planning.

This legislation impacts companies regardless of where they are located — if they sell to or service E.U. corporations, they will need to comply with the laws. Much in the same way that non-E.U. entities were required to adhere to GDPR, international supply chains will be required to conform. Every supply chain can expect transparency to become the message of the day. "We didn't know" will not protect a company from a fine being levied.

First Mover Necessity

We are in the early days, and the E.U. is still actively researching how it wants to craft its law. The consensus is that we will see an amalgamation of the previous approaches with the standard 3-year grace period. As this period will pass quickly, companies must act immediately, or even before the legislation is passed, to add the reporting and transparency oversight outlined in earlier focused legislation.

Expect a "land grab" as companies seek to exit high-risk suppliers and secure capacity with partners that have demonstrated integrity and transparency. Inevitably, contractual commitments will rule the day — those that wait can find themselves having to take on higher degrees of vertical integration as compliant suppliers are capacity constrained. Some companies may even be forced to exit spaces entirely as they choose between risky business or no business. Conversely, early collaboration can help avoid price hikes as desirable suppliers either add additional compliance policies or charge a premium for their prior diligence. Moving slowly here can become a costly mistake to business continuity, brand reputation, and supply chain disruption with no expeditious solution.

One recent example highlights the ramifications and the need for this legislation. In Summer 2020, U.K. fashion producer Boohoo was accused of modern slavery. Its business has not recovered, and even if it corrects its unsavory business practices, the brand damage has been done. No corporation wants to find itself in the court of public opinion regarding human rights violations, ecological devastation, or the use of conflict minerals. Companies that are considering their next move should take note that studies have shown consumers are willing to pay a 25% premium for brands that take positive, proactive actions regarding green and sustainable initiatives. While this regulation can be broad and intimidating, the rewards can be equally vast if leveraged strategically.

Coupa is Ready

Managing this alone is a complex lift for a company of any size. Partnering with a technology solution provider can immediately reduce the friction of complying with and maintaining these changes. Coupa delivers an integrated cloud solution with necessary features such as:

  • Risk and Performance Management based on a combination of public information and Community Intelligence sourced from over $2T in annual spend managed on the platform.
  • Supplier Information Management allowing for self-declaration as well as tying financial transactions to the maintenance and submission of compliance documents, so you always know who you are doing business with.
  • Sourcing Optimization that allows you to strategically award your business based on a blend of non-financial and financial metrics ensuring a balance of cost and risk sensitivity.
  • Supply Chain Design and Planning to perform continuous modeling of international supply chains, to create a digital supply chain twin and implement scenario planning, which then enables you to prescribe alternate flows when adding or removing suppliers from your portfolio.

Changing this from a procedurally cumbersome compliance process to a competitive advantage is attainable when you work with the recognized leader in business spend management.

To gain deeper insights into the usage of supply chain analytics and modeling to improve the effectiveness of risk and resiliency analysis, and to mitigate the risk implications in your supply chain, please download this complimentary whitepaper: Risk, Resiliency, and Supply Chain Modeling.