Powered by high quality data

Powered by high quality data Local supplier data validation coupled with one of the largest global audit & assessment providers

Supporting SMEs

Supporting SMEs Helping to support equal opportunities, value and development for small and local businesses

Protecting your back

Protecting your back Compliance with supplier legislation, corporate governance standards and EC Procurement Law

Technology in the cloud

Technology in the cloud World-class Silicon Valley cloud technology provides access to supplier data, anytime, anywhere

Information at your fingertips

Information at your fingertips Access to accurate, up-to-date and verified supplier data and risk awareness for informed decisions

How compliant are your suppliers with legislation, regulation and corporate governance requirements? What unknown supply chain risks could cause operational and reputational impacts?


How is compliance with bribery and corruption legislation being effectively managed within your supply chain? Is your business exposed to potential legal action or reputational risk?


Slavery, servitude, forced labour and human trafficking, or ‘Modern Slavery’, is a growing global issue and exists in many industries in every region in the world.


The General Data Protection Regulation (GDPR) is the new EU regulation that will replace the 1998 Data Protection Act (DPA), coming into effect on 25thMay 2018. The UK Information Commissioner, Elizabeth Denham, has called it ‘the biggest change to data


How do suppliers comply with your CSR policies across labour standards, ethical sourcing, equality and diversity, SMEs, use of natural resources or conflict minerals?


How easy is it to access high quality, accurate and up-to-date information on suppliers? Is information instantly available online in a single system capable of alerting any key changes?


General Data Protection Regulation - What is it?

17 Oct 2017

The EU is set to introduce new legislation on data protection in 2018, with the aim of improving security and trust in the digital economy.

What is the GDPR?

The General Data Protection Regulation (GDPR) is the new EU regulation that will replace the 1998 Data Protection Act (DPA), coming into effect on 25th May 2018. The UK Information Commissioner, Elizabeth Denham, has called it ‘the biggest change to data protection law for a generation’1. It is intended to update and unify data protection laws across Europe, and will be enforced across all EU member states, including the UK. This will continue to apply after the UK leaves the EU; the government has confirmed that they will adopt almost identical legislation, and has already started the process of transferring these guidelines into the current UK legal framework2. This legislation is crucial in order to maintain the necessary level of data security required to remain a ‘whitelisted’ country and allow data to continue to be transferred to and from the EU.

This change in data protection legislation will apply to all organisations processing or holding the personal data of any EU citizens regardless of the organisation’s location, even if it is outside the EU. This covers both ‘controllers’, who decide how and why the data is collected, and the ‘processor’, who collects the data on the controller’s behalf. Although the GDPR will most obviously affect companies dealing with sensitive data such as in the financial, retail and healthcare sectors.  Every organisation that offers services to or handles the data of individuals in the EU, which includes data an organisation holds on its staff, will need to make sure they are prepared for the regulation, including SMEs, who often have less secure IT systems so may be vulnerable to security breaches. This legislation also affects both on-line and off-line information held.

Why is the GDPR needed?

With the rising use of internet and social media sites, data protection is becoming increasingly important in the modern world. Data legislation gives people control over the information stored about them, preventing unauthorised access to confidential data including bank details, medical records and contact information. It is also essential in the prevention of cybercrimes such as identity theft and fraud. Since the DPA was devised in 1998 there have been extensive changes in the way that data is used, particularly in personal and commercial situations. Additionally, many devices such as smartphones, cloud technology, and interconnected multi-device systems were not around 20 years ago. As a result, the updates on data protection legislation that are present in the GDPR are imperative.  

With this new directive, the EU intends to give people more rights over how their personal data is used, with the aim of increasing trust in the digital economy whilst also providing a simpler, more efficient legal environment for businesses by making data protection laws consistent across the single market. They estimate that this will save businesses €2.3 billion a year3.  Significantly, individuals will have the right to know what data is held on them and in many circumstances to require that the data is deleted.

There will be stricter guidelines on many aspects of data protection, including obtaining consent, transparency on how and why companies are collecting the data, how long it is stored for, reporting data breaches, and more accountability for failures to comply. The EU has also considerably expanded what is considered as personal data.  This can be any data that can identify an individual, including genetic, economic or cultural information, and even IP addresses and social media profiles. This means that the GDPR will affect significantly more organisations than the DPA. Failure to meet the requirements can be costly. With GDPR, the penalties for non-compliance are significantly increased and fines can be up to 4% of an organisation’s annual global turnover or €20 million, whichever is greater.

How can companies prepare for GDPR?

With less than a year to go before the implementation of the GDPR, companies should already be in the process of ensuring that they will be compliant. Understanding the requirements of the GDPR is the first step in preparing for this. Companies will need to look at their current policies on data handling, particularly consent, and have clear guidelines on how and why they are collecting the information. Procedures for data storage, shared networks, and proper destruction of information will need to be reviewed and a system must be in place in the event of a data security breach; companies will incur large penalties if incidents are not reported in time to the relevant data protection authority, which is the Information Commissioner’s Office for the UK. Companies must also look at getting sufficient assurances that any third party suppliers, or ‘processors’, are compliant as well, as with the GDPR more responsibility will be placed on the controller to ensure that their processor is handling the data correctly.

This is where the compliance industry can be extremely useful. Hellios’ supplier qualification systems can assist companies in selecting compliant suppliers thus reducing supply chain risk. Working with our buyer communities, we have carried out an in-depth review of our existing data protection questions to assess what needs adding to be covered for the GDPR. The updated questions will assist our customers in ensuring they remain compliant when working with third party organisations.

Companies should also consider hiring a Data Protection Officer, or at least ensure this is a clear role within the company. This will become mandatory for all organisations that are a public authority or if their core activity involves data processing or monitoring of individuals on a large scale. The Data Protection Officer is there to advise the organisation about data security and to monitor compliance. They will also be the main point of contact between the organisation and the data protection authority. 

Companies that have been proactive and already begun to address the requirements of the GDPR will be in the strongest position to be ready in time for the legislation.  However, the main concepts in the GDPR are not new, so as long as companies are currently complying with the DPA, preparing and maintaining good data security practices in line with the new regulation should not be difficult. The questions being added to Hellios’ supplier qualification systems will help guide suppliers on what they need to have in place to demonstrate compliance to their customers. By demonstrating that they have strong data protection procedures in place, companies will not only be less at risk of security breaches, but will also be more trustworthy and therefore attractive to consumers.  

Lauren Darby, BSc Economics

17th October 2017

1 Link

2 Link

3 Link


Linked In Twitter
We use cookies to help improve this website. Accept and close Find out more