Given you are talking about actually processing personal data (suppliers' reps details), if this falls under the GDPR then it would be prudent to update the contracts to that effect (See Art 3 of the GDPR for full territorial scope, but this could mean a company based in the EU or processing data from EU individuals or companies). I believe the first step is reaching out to your Legal team and DPO and get an assessment specific to your business operations and identify the cases where you qualify as a data processor or controller. As a general approach, according to Art. 5 of the GDPR, you need to inform the individuals about collecting and processing their data, as well as the purpose of the data processing. Direct consent could also be required (see Art 7). If your organisation has already implemented the processes to comply with the GDPR, it would only be a matter of including it in the contracts or working with localised templates (i.e. include it only for your company's OUs or suppliers based in the EU).
Hi there. I have submitted and forwarded your question to Daniela Badescu, who is the practitioner in charge of the IACCM Community of Interest "Data Privacy and Data protection", and who has recently delivered a webinar on GDPR. Daniela will be back to you on this. Thanks
• Willis Towers Watson
This is a very interesting point. Thank you for raising the question.
As all is still new with GDPR, it's hard to say what the actual practice is.
One aspect to consider is that the administrative fines are tiered, with the first being up to 2% of the turnover or 10M Eur (whichever is higher) and the second tier up to 4% or 20M Eur (whichever is higher).
Let's assume a consultant provides a set of recommendations and implementation guidelines. GDPR consultants could argue that following that advice is the company's business decision and that applying and maintaining the processes to remain compliant is the company's responsibility.
Also, holding a consultant liable for up to 4% of their customer's turnover may be more than what they can/are willing to cover. Ie. assume an organisation has 10M EUR turnover - this mean the consultant's liability would be up to 400,000 EUR. How does this measure against the consulting fee?
To set up a liability coverage, I believe it may make sense to look at fines in the context of specific contractual obligations and see if based on that, the fines qualify as direct or consequential damages.
It may be different for contracts where there is a continuous service to design, maintain and review the GDPR related processes. Still, the level of liability remains subject to negotiation and I would rather expect it to be tied to the actual contract value and not on fines or other operational costs that may result from non-compliance.
What type of contracts are you looking at? It would be great if you can share what you have seen.
thank you for your kind response!
It seems it is becoming practice for companies seeking GDPR consultants to require liability for administrative fines and related costs incurred.
You have asked about the contracts, these are service/consulting contracts between GDPR consultant and SME company (client) which intends to source out the GDPR management/compliance to an external consultant. The services would typically include investigation of readiness for GDPR, preparation of guidelines the company should comply with with regards to GDPR, impact assessment and gap analysis.. The value of such contracts is a fraction of the administrative fines which might be implied upon the client by the authorities in case of GDPR breach. GDPR consultants who refuse to accept full liability for the administrative fines often loose their opportunities and clients.
I do not fully understand your paragraph on direct and consequential damages. Could you please kindly explain?
Thank you again for your time and help.
• NISSAN Europe (Alliance Renault)
Please share any market trends regarding "super caps" instead of unlimited liability in case of data and/or security breaches for SAAS, PAAS and IAAS contracts, Thanking you in advance, Hubert
Hubert - this wasn't SaaS, PaaS, IaaS specific - but on most recent contracts relating to ICT managed services I've worked on (network and apps support) customer took an approach of requesting unlimited liability, then relaxing back to super cap between £15 - £25m (depending on bargaining power).
This is an interesting question; we will circulate to the public sector community of interest and ask for input.
USA Department of Homeland Security (DHS) and the Scottish Government shared their experiences with IACCM:
DHS uses wiki as their social media vehicle. It is only used for pre-award activities and not post award contract communications. Some specifics:
• The wiki page will contain the entire history of an acquisition prior to award.
• Vendors can post questions or concerns on the wiki page.
• All communications for the acquisition will use the page but the government issues written communications as a follow-up as well.
• The page is centrally controlled by the acquisition program manager.
• Feedback from the vendor community is very positive.
• It is optional for use - not mandatory; currently being piloted.
• Platform was built by GSA for GWAC vehicles.
• DHS does not use linked in, twitter or Facebook.
DHS also blogs on their own IT platform (the DHS connect page) but this is at a much higher level - more for high level strategy and organization direction for their mission; not for specific acquisitions.
Response from the Scottish Government:
We use Twitter (@scotprocurement) to put out news, as well as our regular newsfeed and my monthly e-bulletin on the Scottish Government website www.scotland.gov.uk/Topics/Government/Procurement
The e-bulletin goes to just over 8000 subscribers, and we have just over 900 followers on Twitter, being regularly retweeted by linked organisations like the Supplier Development Programme. Feedback's pretty rare - the tweets tend to be announcements conveying information rather than seeking input, although we did use social media to encourage contributions to the consultation exercise on the Procurement Reform Bill. We don't know, though, how many of the consultation responses were as a result of the tweets. Within the Scottish Government, we use Yammer as a social media forum, although we've not yet developed a procurement section on that.
Sabine, a very interesting question! I am sending this to a few members who will certainly know the answer. I also wonder how much this provision differs from requirements by other regulatory authorities - for example in US or UK - and will research that point as well - plus how the banks are then handling it.
Many thanks, Tim. Looking forward to your and others' feedback on this point. Best, Sabine
Sabine, here is a reply from Jihong Chen at Zhong Lun law firm:
It is really a hottest topic among multinational IT companies. The story is very long. One latest update is China Banking Regulatory Commission released a new circular on Feb, 12, 2015, which clarifies that:
1) The implementing rules for recording of source code is still under research. CBRC will solicit comments from all sides and then implements;
2) As to the requirement for independent IP for pre-installed software, it only requires IP certificate or legitimate source document;
3) There is no country difference.
Escrow of source code might be acceptable by CSRC as the final solution.
And another ....
Look at the link below for some background and additional context on the issue.
Also- according to UK Financial Times report on 25 Feb, companies in Europe and US have gathered together requesting government taking actions against the CBRC guideline on secured and controllable technology.
And to add to the series, this excellent outline of issues and status has been provided to us by law firm Baker & McKenzie:
The following notices on "secure and controllable" technology has been issued thus far:
1. Notice Concerning the Use of Secure and Controllable Information Technology to Strengthen Internet Security and Informatization in Relation to Banks (Yinjianfa No. 39 of 2014 ((2014) 39 ) ("CBRC Notice No. 39")
2. The China Banking Regulatory Commission ("CBRC"), National Development and Reform Commission ("NDRC"), Ministry of Science and Technology ("MOST") and Ministry of Industry and Information Technology ("MIIT") jointly issued CBRC Notice No. 39 on 3 September 2014. Although the scope of addresses does not expressly include Chinese branches of foreign banks, the document is required to be delivered to banks and financial institutions which are independent legal persons. We are of the view that if the foreign invested bank is a registered legal person in China, it is likely to be subject to CBRC Notice No. 39.
CBRC Notice No. 39 sets out policy statements by the CBRC, concerning the use of "secure and controllable" information technology in the banking industry. The key points in CBRC Notice No. 39 pertaining to cyber-security are as follows:
* CBRC Notice No. 39 requires that from 2015, the proportion of "secure and controllable" information technology over the total information technology products and software used by each bank should increase at least 15% each year, and reach a minimum of 75% in 2019. The "secure and controllable" information technology products and technologies newly added in 2014 may be included in the calculations for the increase used in 2015.
* CBRC Notice No. 39 appears to suggest that in the selection of information technology products and technologies by banks, at least one "secure and controllable" domestic product or technology has to be considered in the selection and testing process where one exists.
3. Guideline on Advancing the Application of Secure and Controllable Information Technology in Banking Industry (Yinjianbanfa No. 317 of 2014 ( (2014) 317 )) ("CBRC Notice No. 317")
CBRC Notice No. 317 was jointly prepared by the General Administrative Offices of the CBRC and MIIT and circulated on 29 December 2014. As with CBRC Notice No. 39, this document is likely to apply to any foreign invested bank which is a registered legal person in China.
The document contains, inter alia, an annex which sets out the scope of the requirements for "secure and controllable" information technology products and technologies across various product categories, as follows:
* Computer equipment
* Network equipment
* Storage equipment
* Security equipment
* Common software
* Specialized software
* Automated equipment
* Terminal equipment; and
It appears that similar requirements for "secure and controllable" information technology have been introduced to banks in the past. However, these requirements were not closely adhered to due to the lack of implementation details. Given that CBRC Notice No. 39 sets forth formal requirements and CBRC Notice No. 317 provides for implementation details and procedures, banks may now feel more compelled to take the necessary actions to comply with the "secure and controllable" requirement.
With regard to enforcement measures, the CBRC conducts annual audits on banks (at least to the level of State-owned banks and joint-equity commercial banks) to evaluate all aspects of the banks' operation and risk control, and issues audit reports requesting a written response from banks addressing each issue and indicating correctional measures. In addition, the CBRC conducts a larger scale audit on banks every 3 or 4 years. The banks' implementation of the requirements for "secure and controllable" information technology will now be included in such audits for review and assessment.
On 12 February 2015, the CBRC issued a clarification document which provides that the research on how to proceed with the recordal of source code is still ongoing. The mode and process of recordal will only be implemented after the opinions of relevant stakeholders have been sought.
We understand that there have been discussions regarding the promulgation of umbrella laws or regulations relating to internet verification and testing. It is unclear when these umbrella laws or regulations will be issued. However, if it is to be issued as a law, this will require promulgation by the National People's Congress ("NPC") or its standing committee.
If however the umbrella rules will be issued by way of regulations by the State Council or a Ministry, the amount of time required to promulgate the new rules will take a shorter period of time, as it will not need to undergo the legislative process required in the case of passing of laws by the NPC.
It is unclear what these umbrella rules will encompass. However, we expect the umbrella rules to provide more details as to the (a) scope of products subject to the "secure and controllable" requirements; (b) nature of the testing and recordal requirements; (c) type of entities that will be required to purchase "secure and controllable" products and technologies.
Based on the CBRC Notices above as well as the press articles, we anticipate that the umbrella rules are likely to include encryption testing requirements as well as recordal requirements for source codes. We expect these rules will apply to banks (since these are already covered by the CBRC Notices discussed above). However, it is also not beyond the realm of possibility that the "secure and controllable" requirement will also apply to products and technologies purchased by government bodies, the army, key State-owned enterprises, and potentially academic and research institutes in sensitive areas.
Please note that there is no draft regulation at this time available to the public and our views above are based on the ongoing discussions in the press and from our review of the CBRC Notices, as well as our understanding of the cyber-security regulatory environment in China.
China's impending cyber-security measures have not been well-received by U.S. businesses. In a letter addressed to Chinese cybersecurity officials and signed by U.S. associations including the U.S. Chamber of Commerce, these standards were described as overly broad and discriminatory. The stricter cyber-security standards could thereby limit the range of US products available to Chinese businesses. The groups have implored the Chinese authorities to delay the implementation of the measures and grant an opportunity for discussion between interested stakeholders and the agencies responsible for the initiatives.
Additionally, the business lobbies have also sent a letter to American officials, including Secretary of State John Kerry, requesting the White House to work with Chinese officials to reverse China's new cyber-security regulations. In response, President Obama has pledged in the National Security Strategy to take necessary actions to protect U.S. businesses and defend U.S. networks against cyber- theft of trade secrets for commercial gain by the Chinese government.
Great question. You have certainly come to the right place for some expert advice. I hope others jump in as well. You can find an array of resources at your fingertips (including case studies).. if you go into the resource library (Resources > Resource Library) and search by category = Negotiation. I would particularly recommend:
IACCM Dubai Member Meeting April 2019 Presentations
Ask The Expert: Negotiating and Contracting in the Middle East
The Power of Intent Workshop - IACCM APAC Conference 2019
Do Procurement practices cause dishonesty?
Negotiating in a time of coronavirus
In Negotiations, Givers Are Smarter Than Takers
In addition, you may wish to consider our new Managing Contracts Virtually training program (which is currently included as a member benefit) .. Training > Managing Contracts Virtually.
If you need help accessing any of these materials, please contact me at email@example.com.
Greetings, thanks for the question. I look forward to the responses from other practitioners in this space too. In the meantime, I suggest you take a look at our contract standards clause library here: www.contractstandards.com/public/contracts/statement-of-work. While this provides a framework, the key is in the level of detail that you apply to the "Supplier Tasks and Responsibilities" section - the detail required is application-specific, so there are no hard and fast rules. I have used detailed project plans and, in some instances, references to operational collateral (handbooks, processes, and procedures, referenced but not included) to get to the level of detail necessary to define what is required. This works fine for transactional engagements but cannot cope with more complex requirements - where there is uncertainty in delivery or deliverable (or both!). Then, you'll need an agile approach to the SOW. Hope that helps.
Hi - thank you for raising this important point and sorry that you are missing out on active participation. In your user profile, you can actually make use of two email addresses - the primary one (that is used in the login process) and a secondary one, that is used if the primary one has issues. You can change these at any time, from your profile page: www.iaccm.com/members/, but clearly you will need to be able to log on to make the change. If you cannot log on for whatever reason, please contact the membership team (firstname.lastname@example.org) and we will happily make any changes for you, once we have verified your identity.
If you don't have a secondary email saved, perhaps now is the time to think about adding that. If you are currently associated with a Corporate membership and things have changed, you can always elect to leave the corporate membership and become an individual member. You can do that here: www.iaccm.com/members/. That way, you will continue to enjoy all the great benefits of IACCM membership.
I am in the situation where I am in between jobs, having finished in my last role at the end of March. The CoVID situation will most likely delay me getting new employment for some time. During this time I am focusing on catching up with IACCM events such as Webinars, AsktheExpert, etc, but find I am excluded from any Sponsors' webinar as I no longer have a work based email address.
Will this continue throughout the CoVID period? I feel it is a little short sighted of the Sponsors to exclude those not currently in employment from their webinars, it is exactly this time when I will have most opportunity to join and expand my knowledge and understanding of the marketplace.
Hi, Thank you for your response. Great to meet you - virtually that is.
I am very sorry to hear you are experiencing an issue registering for the IACCM sponsored webinars.
We continuously contact sponsors asking them to be sensitive to this issue. However, as the registrations are done on their websites, it is a challenge to get them to change their policies.
In any case, the webinar presentations and recordings are typically posted in the IACCM Member Library within 24 hours of all sponsored webinars, so they are available to you to review at your convenience.
Here is the link to the latest content on our resource library. www.iaccm.com/resources/contract-management-resources/
In the meantime, let us know if you need any additional information.
Jennifer Jarrard MEI SRMP
Director, Corporate Member Operations, IACCM Council and Networks
+61 (0)407 541 497 | email@example.com
God day Sedef - well, again, I hate to see a good question like this sitting there all along unanswered, so here goes my contribution.
Firstly, if you get to create your own KPI's, I think that this is an awesome opportunity for you. It's a great opportunity for you to pick some criteria on which to have your performance judged by.
I think it's an opportunity though for you to think about whether or not you want these KPI's to relate to your performance alone, or contribute to or align directly with organisational performance. This could be a factor of where you feel you are as a team with procurement maturity, as well as your ability to influence the organisation's plans. Let me explain by way of example.
Four years ago, for our team, it was all about how quickly we could turn around tenders, time to contract, and the number of complaints (which thankfully were none) about the conduct of our tenders. So for us then, the KPI's were team focussed and didn't really track well into organisational plans.
Fast forward to the present day, the team has pushed back into the business to be engaging with them at a much earlier stage. The KPI's we are moving to are around developing category plans with the business and presenting them to the senior leadership team, monitoring and reporting on the significant contracts in their portfolio and working with the teams on meaningful social procurement outcomes that are relevant to their categories. As you can see, these are less about the team, and track really well into where we want to be as an organisation.
Oh, and like all KPI's, it perhaps goes without saying, but make sure that they're SMART (Specific, Measurable, Attainable, Relevant, and Time-Bound) or SMARTER (adding Explainable and Relative to the mix).
So Sedef, my advice would be to jump the opportunity to set your KPI's, and make them relevant to where you are and where you want to be. I think you are the best person to work that out, rather than me just telling you what you need based upon your one paragraph question.
Have fun with making them - and it would be great learning for others within the forum for you to tell everyone what you ended up with !
• Ngamuru Advisory
Following on from Darren's excellent points, I wanted to find out how you went? Did you find the missing one? I started my Performance Based Contracting (PBC) journey in 2004 designing, implementing and managing performance measures (not just KPIs!). Over this time I have seen many, many performance measure that can be used depending on what you are trying to achieve. Indeed, over the years we have actually formed the opinion that there are more than simply KPIs, since most humans can only handle 3 - 5. Therefore, having dashboards of 20 it too much information. So while there are a number of websites that can give you a variety of performance measures, can I suggest you have a look at why you want to measure; what is the outcome you are trying to achieve? Is it the standard project ones (scope, schedule and cost), or are there other things such as the health of the relationship, the culture of safety, etc. And if you think you can't measure the last ones, you can! Just takes a bit more work to set-up. So best to work that out first.
To help, as an IACCM Fellow I write on blog where I write about this (www.performancebasedcontracting.com), which sometimes become articles for IACCM (part of the role of an IACCM Fellow). Therefore, I'd suggest you have a look here and see if this helps. There is probably a lot of content (all free!), but hopefully it helps.
Anyway, I hope this helps you on your journey. And don't be afraid to ask for help!