Like many businesses, vendors have been scrambling to adjust the software in their ERP system to be compliant with the European Union’s General Data Protection Regulations (GDPR) which came into force in late May. Senior managers and executives have been so consumed with rewriting and testing code that many haven’t had the time – if it even occurred to them – of ensuring that their sales people can help customers who have basic questions such as “I’m in the States, why do I need to worry about GDPR?”
And questions they have plenty of. As an ERP attorney, I am hearing from clients who are users as well as from contacts that are considering an ERP system for the first time. They are asking variations of the “Does our company need to worry?” question.
The answer is a simple “Yes.” If you have customers whose system holds identifiable information about people residing in the E.U., even if the data is housed in the States or the cloud, you are affected. It’s become obvious to me that too few sales people are equipped to answer even some basic questions.
As a practical matter, it makes little difference who in the company had responsibility for creating the data protection required by GDPR, the sales force must be aware of what GDPR mandates. They don’t need to be experts but they have to grasp the essentials.
The reason is that customers – current and prospective – will and should have concerns. The sales rep or account manager has to be ready to explain ways GDPR will have an impact on their business. They also need to be able to assure them of the steps taken to ensure compliance. Users want to know how they are protected.
At the same time, the sales people need to have in their briefcase a Data Processing Agreement (DPA, a complicated document that an attorney or in-house counsel should draft. When I am negotiating an ERP contract on behalf of a user, I always insist on inserting a DPA into the contract. Too often, the vendor’s sales person does not have ready access to one, or even know why it’s necessary. Granted, negotiating the DPA might slow the overall sales process which can be frustrating to someone trying to earn a quarterly bonus and the clock is winding down on the opportunity to do so.
But smart, savvy vendors know that users as well as the developer are protected by including a DPA.
Finally, the vendor’s sales person should understand that even though raising GDPR can slow the buying process, it’s in the best long-term interest of both the vendor and customer. As importantly, doing so is a way to build the trust needed to help ensure a long-term relationship with the user.
To many U.S. executives, GDPR seems like a remote concern that does not affect them or their business. It’s the duty and responsibility of an ERP vendor to determine if it does and explain the basics of what they – and their system – must do to be compliant.
By Marcus Harris