Ready for GDPR: Proportional data usage

July 26, 2017
Written by James Watson

James is responsible for the global line of business for EPI-USE Labs' data privacy and SAP IS-* Solutions, supporting all regions and key accounts running Data Sync Manager (DSM) for these complex requirements. With a functional and business background of over 20 years, James provides the bridge between Development, Basis, Test/Competency Centres and leadership teams, offering guidance and advice on the route to data privacy compliance. His history includes SAP specialisms in non-production data management and anonymisation, production data removal or redaction, System Landscape Optimisation (SLO) and SAP industry solutions.

As per my previous post, the deadline for GDPR compliance is looming - and it will affect any company which holds data for a European Union citizen. In this post, I highlight how EPI-USE Labs can help you prepare your non-productive SAP landscape to hold only a “proportional amount of data” for the use case of each system.

What is proportional data?

Under GDPR, a clear use case for the processing of data will be required. In its simplest form, the use case for production would be that real customer data needs to be maintained in order to service that customer.

Proportionality will come into play when you have to prove that you need to keep all data in production, for example:

  • In the UK utilities industry, there are other regulations which govern how long customer information is kept for history of invoicing, customer contact and complaint management etc. So, in the production system, holding only live customer data would not be proportional to the use case (which requires at least seven years history in this case). However, if as a company you then retained that data past the seven-year use case, you could be deemed in breach.

However, a typical SAP landscape is made up of a Development, Quality, Pre-Production and Production environment, with some customers also supporting a Training environment. Each of these systems has a requirement for real production data (use case) in order to maximise the efficiency of new developments and changes, testing and training. But, you need to ask yourself:

“Can I prove to the auditor that all production data is required for this?”

I have always found that the standard SAP SWPM tools for completing a client copy and refreshing a system are both system- and human-resource-intensive, and that they only allow a full copy of all data. With EPI-USE Labs’ Data Sync Manager™ (DSM) product suite, you can select the amount and type of data you need when copying data between systems. The two products I want to discuss in more detail are Client Sync™ and Object Sync™.

Client Sync

With this product, our services team can consult with you and train you to ensure each system only contains the data required. You can choose to copy:

  1. Client-dependent customising only
  2. Client-dependent customising and master data only
  3. Client-dependent customising, master data and non-HCM transactional data only
  4. Client-dependent customising, master data and HCM transactional data only
  5. Client-dependent customising, master data and all transactional data.

Therefore, you can prove the proportional aspect by copying only the data which is required for your specific need in the non-production environment. You can present clear evidence, down to table level, of what data has and hasn’t been copied for auditors to review and sign off. For example, if you are testing new materials but also manage HR, then using option 3 above would bring across all your material data but no HR data. The software reporting will then demonstrate that no data was selected from the PA* tables.

In addition, with Client Sync you can select individual tables to protect, delete or replace on refresh, allowing, for example, all Change Documents (and any protected data held within them) to be removed from your non-productive systems. You can also configure the Logical Systems in your environments so that the BDLS conversions are completed as part of the process, or protect the users in the client being refreshed, ensuring the least amount of effort per refresh.

When copying transactional data, you can also apply a time-slice so that only data records since DD/MM/YYYY are selected. Built into the selection process is the ability to identify any selected SAP documents which have attached documents that precede the specified date; these are automatically included to ensure a consistent database is created. Again, this speaks to proportionality: if you don’t need all ten years’ worth of production data, then only copy the last year.
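To make the time-slice and copy-option logic concrete, here is an added illustration (my own Python sketch, not DSM code) of the two rules described above: seed the selection with documents on or after the cutoff, then pull in older predecessor documents so the copied set stays consistent, while still excluding PA* tables under copy option 3. The document table and its predecessor links are constructed sample data; the SAP table names are used only for illustration.

```python
from datetime import date
from fnmatch import fnmatch

# Constructed sample (not real SAP data): doc_id -> (table, created date,
# predecessor documents). VBAK/LIKP are sales-order/delivery header tables;
# PA0002 is an HCM infotype table, so it falls under the PA* pattern.
DOCS = {
    "SO-0": ("VBAK", date(2014, 1, 1), []),
    "SO-1": ("VBAK", date(2015, 3, 1), []),
    "DL-1": ("LIKP", date(2017, 2, 1), ["SO-1"]),   # delivery for SO-1
    "SO-2": ("VBAK", date(2017, 5, 1), []),
    "PA-1": ("PA0002", date(2017, 6, 1), []),
}

# Copy option 3 from the post: customising + master data + non-HCM
# transactional data. HCM transactional data sits in PA* tables.
# Option 5 copies all transactional data, so nothing is excluded.
EXCLUDE_PATTERNS = {3: ["PA*"], 5: []}

def select_time_slice(docs, cutoff, option=3):
    """Return the set of doc_ids to copy for a cutoff date and copy option."""
    cutoff = date.fromisoformat(cutoff) if isinstance(cutoff, str) else cutoff
    excluded = EXCLUDE_PATTERNS.get(option, [])

    def allowed(table):
        return not any(fnmatch(table, pat) for pat in excluded)

    # Seed: documents created on or after the cutoff, in permitted tables
    selected = {d for d, (t, created, _) in docs.items()
                if created >= cutoff and allowed(t)}
    # Closure: pull in predecessors of selected documents even when they are
    # older than the cutoff, so the copied database stays consistent
    frontier = list(selected)
    while frontier:
        d = frontier.pop()
        for pred in docs[d][2]:
            if pred not in selected and allowed(docs[pred][0]):
                selected.add(pred)
                frontier.append(pred)
    return selected

def audit_report(docs, selected):
    """Evidence per table: (rows copied, rows left in production)."""
    report = {}
    for d, (t, _, _) in docs.items():
        copied, left = report.get(t, (0, 0))
        report[t] = (copied + 1, left) if d in selected else (copied, left + 1)
    return report
```

Running `select_time_slice(DOCS, "2017-01-01")` brings across the 2017 delivery plus the 2015 sales order it references, but not the unreferenced 2014 order or the PA0002 row; `audit_report` gives the per-table copied/not-copied counts an auditor would review.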

With these selections, you can copy real production data back into your landscape while maintaining a proportionate data size and evidence to your auditors as to what selections have been made.

Object Sync

Object Sync allows on-demand copying where you can select both Master and Transactional Data according to individual objects. So if you need the Material Master Data for a certain set of materials for testing, you can select and copy this from a list of Material numbers. Our object model ensures that all related data is also copied to ensure a consistent cut of your system. This gives you the ability to be highly selective in the data you move out of your production environment, and to demonstrate how you use this to achieve a proportionate data set.

Reduce your data footprint

Combining a customising-only Client Sync copy with Object Sync allows you to be very selective about the data you move outside of production, down to taking individual objects and their corresponding data to exactly meet your use case for the data. This is just one element of GDPR; however, it may prove to be a difficult one to adjust to. With Client Sync and Object Sync, you can reduce the data footprint of your non-production systems, thus enhancing your compliance position under Article 5 of GDPR.

If you want any further information, please contact our GDPR specialist team at gdpr@labs.epiuse.com

Don't know where to start with GDPR and SAP? We do!
