Spend Matters UK/Europe – What does the US surveillance programme mean for procurement systems and people?

October 31, 2013

PETER SMITH – October 31, 2013

We’re delighted to welcome a guest post from Jessica Warren of Hubwoo, eProcurement and b2B business network providers. A French company, we should point out given the subject matter here…

With a vast amount of coverage recently around NSA, the US government surveillance programme, data protection is not an isolated concern. Any organisation dealing with a vast amount of sensitive data, as any procurement or accounts payable organisation does, is now tasked with asking some serious questions around data security.

European companies, especially those requiring highest levels of security such as financial institutions, run extensive risks and possible penalties by hosting customer and supplier-related transaction data outside the borders of the EU, or more specifically, by having such data hosted on US soil.

The requirements of the European Data Protection Directive (95/46/EC) state that “specific rules for the transfer of personal data outside the EU have been established to ensure the best possible protection of your data when it is exported abroad.”

A “different” approach to privacy

As per this US government site, the US takes a bit of a “different” approach to data security: “The European Commission’s Directive on Data Protection went into effect in October of 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.”

This unfortunately means that European companies using software providers for their procurement activities now are tasked with further due diligence during the selection process to ensure their transactions will be processed and their data will reside on servers that are not hosted in the US.

As the US Patriot Act in theory gives the US government the right to not only look in to but even interfere with transactions and data hosted in the US, companies must ensure their solution providers have taken the necessary precautions to ensure compliance with the European Data Protection Directive and curb exposure to heightened risk.

Data security however should not be a roadblock for procurement professionals (even those working in the most sensitive sectors) to be able to take advantage of today’s advanced technologies. It just means that some additional checks and balances need to be implemented in order to avoid data exposure while still being able to enjoy the full benefits of cloud-based procure to pay solutions.

Businesses using a procure-to-pay solution should ask themselves:
1. Where is all the data around my transactions being hosted?
2. Can my solution provider ensure that the U.S. Patriot Act won’t apply to my purchasing data?
3. By using my current solution provider am I complying with the requirements of the EU Data Protection Directive?

If your procure-to-pay solution provider hosts data in the US you are at risk of:
1. Competitive information such as source of supply, award decisions, volume and unit price information being exposed
2. Being in breach of the requirements under the EU Data Protection Directive

Curb Exposure of Procurement and Finance Data

To sum up, in the case of P2P solutions in particular, with extensive data flowing through them, it is highly advisable as a first step to check with your provider where they will host your data. And for more information on data security you can refer to these articles (from Hubwoo and Spend Matters):

Why Procurement Practitioners Need a New Provider Bill of Rights – Have your mission critical B2B data be secure

Curb Exposure of Procurement and Invoice Data

Why Procurement Practitioners Need a New Provider Bill of Rights: Ariba, SAP, and Data Security

Share this article: