In Part 5 of our six-part series on cloud-based ERP Projects, our specialist team of lawyers look at the key data protection considerations for a cloud-based ERP system.
The procurement of Enterprise Resource Planning (ERP) systems is often a high priority and intensive task given the nature of the system and its strategic importance to a public sector body.
Embedding Data Protection into your Procurement
Data protection should be a key consideration of your ERP procurement, as personal data is likely to be a key component of the data stored on the ERP system. You may also be migrating from an on-premise solution to a cloud-based solution, which means you will be considering where that data will be hosted and the safeguards that will need to be in place to ensure that the transfer of personal data is permitted under the General Data Protection Regulation (GDPR).
Privacy by design is a concept that has been around for a while but the GDPR codified the principles of data protection by design and by default and enshrined them into law. Article 25 of the GDPR requires data controllers to implement appropriate technical and organisational measures to protect personal data both at the time of processing and at the time of the determination of the means of processing.
Data protection should therefore be at the forefront of the procurement process when determining the solution that is right for your organisation. Colleagues in your security and information assurance teams, including your data protection officer, should be consulted on the requirements of the organisation and the procurement process so that they can provide their input and ensure that privacy by design is being implemented right from the start. One way to encourage this is to conduct a Data Protection Impact Assessment (DPIA) before you commence your procurement – see below for more details.
When appointing a processor (which is likely to be the role of the ERP supplier), the GDPR requires controllers to only use processors providing sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR and ensure the protection of individuals’ data protection rights. It is therefore important when procuring an ERP system that those guarantees are obtained through the procurement process itself, and that these issues are considered upfront. For example, data protection requirements could form part of your specification and mandatory requirements. You may also decide to add in data protection questions as part of the Selection Questionnaire (SQ), but procurement advice should be taken as to whether the additional questions are permissible for the procurement.
Many authorities may have requirements about where in the world their personal data can be processed. This is particularly relevant if you are moving to a cloud-based solution, as the personal data could then be hosted anywhere in the world. If personal data is being hosted outside of the UK and EU, you need an appropriate safeguard in place to ensure the transfer of personal data is permitted under the GDPR, or the personal data may be processed in a country which has an adequacy decision from the EU. This should also be reviewed in light of Brexit, because after the end of the current transition period the UK will be a third country outside of the EU for the purposes of the GDPR.
You must ensure you have suitable data protection clauses in your contract. Where the supplier is acting as a processor, ensure that the data processing clauses reflect the requirements of the GDPR, in particular ensuring the contract reflects the legal position in Article 28 of the GDPR. Any requirements about the international processing of personal data should be accurately captured in the contract drafting too.
You should also consider whether you want to request indemnities and warranties from the supplier, and the impact of the data protection risk on the limits of liability you set in your contract. Limits of liability may impact on the commercial deal (i.e. a higher cap, or unlimited liability, is likely to be risk-priced into the tender response by some bidders, whilst others may be discouraged from bidding at all).
Data Protection Impact Assessments
The GDPR requires DPIAs to be carried out when processing is likely to result in a high risk to the rights and freedoms of individuals, in particular when using new technologies. You should consider whether such an assessment is needed for your ERP system. When determining if a DPIA is required, you should take account of the Information Commissioner’s Office’s published list of circumstances setting out when a DPIA should be carried out. This should also be read in conjunction with the guidelines on DPIAs published by the European Data Protection Board, which set out criteria for determining whether processing is likely to result in a high risk.
A DPIA may be undertaken at the start of the procurement and kept under review, rather than only carrying out the assessment once a system has been selected, so that risks can be identified early, privacy by design built into the solution, and the issues then continuously reviewed.
Some of the key data protection questions to consider for an ERP procurement are:
- If you want a cloud-hosted system, where is it hosted? Where is it backed up to? Where is the customer support team based?
- What are your specific requirements in respect of accreditations and certifications? What security accreditations and certifications does the system and the supplier have?
- Will the system allow data subject rights to be exercised easily?
- How will you be able to implement your data retention policies? Is there any ability for that to be automated within the system?
- Does your contract meet the GDPR requirements for data processing? Do you require any warranties and/or indemnities from the supplier?
- Have you carried out a DPIA? Did the DPIA highlight any risks that need to be addressed and mitigated?
Regardless of the procurement route you choose, from a mini competition under a framework agreement to a competitive dialogue process, the purchase of an ERP system will be an important strategic procurement which will have an impact across the authority.
By working across multi-disciplinary teams, you will be able to consider the data protection needs of your organisation and determine what is needed from your specific solution, building in data protection by design and by default from the beginning.
Join us for Part 6 of our six-part series: Part 6 looks at the steps you should take in the event your ERP Project runs into delays or difficulties.