Key requirements for GDPR
- Consent for storage must be given by the data subject
- Consent must be explicit
- Each individual has “the right to be forgotten”
- Compliance must be demonstrated
- Notification of data breaches must be provided
Data privacy must be by design
Organisations wishing to store data must have explicit consent from the subject of the data. The reason for storing it must be transparent, and the data subject has the authority to block processing while concerns are dealt with, as well as to request the removal of the information from the system. The law does not say that data must be anonymised (it is not that prescriptive, which is causing some confusion); it does, however, say that there must be documentation showing that data protection is by design and that processes comply with the rights of the data subject.
From 25th May 2018 the new law takes effect, with far-reaching consequences for any organisation storing personal data. Compliance will be non-negotiable, and organisations that experience data security breaches will face fines.
Don't become a data target
The difficulties will start when someone requests to see where their personal data is being kept in an IT system. Let's complicate that: let's say your organisation receives ten requests, or even 100 requests, to locate sensitive personal data. Imagine having to log into a number of SAP systems to download table entries or take screenshots to show the data subject's footprint. How many password resets will be required? Do you know all the places to look? And how long will this take?
- The complexity, volume and sheer scale of GDPR.
- Every GDPR compliance project is different, depending on the industry, existing IT systems, usages of data, etc.
- While the GDPR is comprehensive, there are many areas that are neither detailed nor prescriptive. It doesn't specifically tell organisations what to do. It is up to organisations to analyse their systems, processes and data and work out for themselves what to do.
How GDPR affects SAP systems
It's not easy for SAP systems to comply with the demands of GDPR because of their architecture. SAP stores information in an intricate and tangled way. Data is stored and replicated across the system in many places, such as customer master, business partner and change document tables, and so on. SAP is also highly configurable, so the way a system is implemented dictates which tables and fields the data will be stored in. An additional complication is that there are often multiple copies of systems. The data might be in custom Z-tables, and the only way this can be verified is to get into that system.
Become the GDPR hero
We can give you the ammunition to get buy-in internally. Why not ask your boss, or your boss's boss, to come and see their own footprint report? Did you know your home address is in our development system?
We'll help you shine a light on the dark, dusty corners of your SAP systems so that you see exactly where the data resides across them. We also offer guidance and best practice. The many and varied IT systems mean that a "one size fits all" approach is not possible, so let us share our expertise and experience to help you stay ahead of the game.
Introducing Data Disclose
Locate and display data across your SAP systems in seconds!
Data Disclose is a unique product from EPI-USE Labs that finds, retrieves and presents a data subject's footprint across SAP systems (and across non-SAP systems too, if integrated with those systems' APIs; EPI-USE Labs can cover this integration as part of its service).
It is able to do this in a matter of seconds across SAP ERP, CRM and BW systems. You have much more to take care of, so let EPI-USE Labs take this off your plate. The peace of mind Data Disclose brings is beyond value, especially when weighed up against the stringent requirements of the new laws.
EPI-USE Labs’ GDPR guidance
Right now we offer the following:
- Data Disclose
- Data Secure
- Knowledge and direction on where data is stored in SAP
- Understanding the affected data types
- Guidance on choices and processes to meet GDPR requirements
- Data removal services
- GDPR awareness workshops
“The time to repair the roof is while the sun is still shining.” – J.F. Kennedy
The deadline for compliance with GDPR is 25th May 2018.
The requirements of GDPR go to the very core of your IT systems, because they need to be built into the design. Between now and 25th May is not a long time to undertake a project that will affect your CRM systems, your ERP systems and your customer first-line support. Whole new business processes will need to be put into place. Importantly, you will need an auditor to scrutinise your security arrangements, and the closer we get to the deadline, the less likely you are to find one. Every organisation should be devising a plan to meet the requirements, and they should already be assigning key roles and responsibilities within that plan.
EPI-USE Labs will take the hassle out of GDPR. Our knowledge, experience, expertise and products will help you sleep peacefully at night in the knowledge that everything is under control. Contact us today.