GDPR (the General Data Protection Regulation) may sound like just another confusing acronym, but this new law will have far-reaching consequences for companies across the world. The deadline for compliance is getting closer, and it’s an extremely brief period to implement major system changes. By 25 May 2018, all organisations world-wide collecting, storing and processing personal data from European Union (EU) citizens must be ready to reveal the data they have on the individual and what purpose(s) it is being stored and used for.
To hold and manage the data, irrespective of whether this data is held in the EU or not, each organisation needs to get explicit, informed consent from the data subject, and demonstrate compliance with the guiding principles of the regulation, including that data protection is at the heart of the system design. Compliance will be non-negotiable, and organisations with data security breaches will face potentially heavy fines, which could be as high as €20 million ($21m at the current exchange rate), or 4% of annual revenue – whichever is greater.
Are businesses prepared?
The move towards implementation is gathering momentum, and there’s a lot of information out there. However, according to research commissioned by Veritas Technologies on GDPR (2017 report), only 7% of businesses interviewed said they had no concerns because they expected to be compliant by the deadline. Almost half (47%) of organisations fear they won’t meet the requirements of the legislation; they are also worried about the impact non-compliance could have on their brand image. 86% of organisations worldwide are concerned that a failure to adhere to the regulations could have a major negative impact on their business.
Lack of technology hindering compliance
The research also highlights that almost a third (32%) of respondents are worried that their organisation doesn’t have the necessary technology to manage data effectively, and nearly forty percent (39%) that their organisation isn’t able to accurately identify and locate data.
How EPI-USE Labs can help you
Although this can all seem daunting, EPI-USE Labs offers the following solutions to help you tackle compliance:
- EPI-USE Labs has developed a GDPR Compliance Suite for SAP and Data Secure™
- Guidance and best practice:
  - Knowledge and direction on where data is stored in SAP®
  - Understanding the affected data types, and choices and processes to meet requirements
- Data removal services (using our software on your behalf)
- GDPR Awareness workshops
The many and varied IT systems mean that a “one size fits all” approach isn’t possible, so let us share our expertise and experience to help you stay ahead of the game. EPI-USE Labs has spent over twenty years in the SAP data space creating and developing advanced software solutions, and can also offer guidance and share expertise on GDPR.
Data Disclose solution
The short demo below provides an overview of the workings of our Data Disclose product:
Data Disclose is a unique software application which allows you to locate and display data across your SAP systems in seconds, with APIs to also connect non-SAP systems. It’s built on a solid foundation of existing technology and Intellectual Property (IP) by leveraging our well-established software product Data Secure (part of the Data Sync Manager (DSM) suite), and can present the data in a flexible, encrypted company-branded PDF output.
Because people have the right to ask for details about their data, organisations need to know which personal data is stored where, and for what purpose. This can be hugely time-consuming; the ability to find this data quickly and efficiently becomes crucial.
With Data Disclose, we can help you shine a light on the dark dusty corners of your SAP system so you can see exactly where the data resides across systems. The application finds, retrieves and presents a subject’s data footprint across SAP systems – and as an added benefit, across non-SAP systems as well, if integrated with the former’s API. It does this in seconds across SAP ERP, CRM, SRM, BW and any other ABAP stack systems. This is no mean achievement, when you consider that SAP systems store data in an intricate way; SAP is highly configurable, with data replicated across the system in many different places.
Data Disclose can bring considerable peace of mind, especially when weighed up against the stringent requirements of the new laws.
Two other new EPI-USE Labs products, Data Redact and Data Retain, can help you with an individual’s right to have personal data erased, and our XML Object Extractor can ensure the right to data portability (Article 20 of the GDPR).
Contact us for more information today.
Tackling GDPR in detail: the importance of privacy, transparency and technology
Personal Data Rights
The main emphasis of GDPR is on personal information. GDPR aims to protect personal data rights such as the right to be informed, the right of access, the right to rectification, the right to erasure (aka the right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
Key requirements for GDPR
- Consent for storage must be given by the data subject
- Consent must be explicit
- Each individual has “the right to be forgotten”, although this comes with several caveats
- Compliance must be demonstrated
- Notification of data breaches must be provided
Data privacy must be by design
Organisations wishing to store data must have explicit consent from the subject of the data. The reason for storing it must be transparent, and the data subject has the authority to block processing while concerns are dealt with, as well as to request the removal of the information from the system. There is nothing to say that data must be anonymised – the law is not that prescriptive. However, the law does say that there must be documentation showing that data protection is by design, and that processes comply with the rights of the data subject.
Overwhelming data requests
The difficulties will start when someone requests the details of where their personal data is being kept in an IT system. Let’s complicate that: let’s say your organisation receives ten requests – or even one hundred – to locate sensitive, personal data. Imagine having to log into a number of SAP systems to download table entries, or take screenshots to show the data subject’s footprint. How many password resets will be required? Do you know all the places to look? And how long will this take?
Your challenges include
- The complexity, volume and sheer scale of GDPR
- Lack of consistency: Every GDPR compliance project is different, depending on the industry, existing IT systems, usage of data, etc.
- Ambiguity: While the GDPR is comprehensive, there are many areas that are neither detailed nor prescriptive. It doesn’t specifically tell organisations what to do; it’s up to them to analyse their systems, processes and data and work out what to do for themselves.
How GDPR affects SAP systems
It’s not easy for SAP systems to comply with the demands of GDPR because of its architecture. SAP stores information in an intricate and tangled way. Data is stored and replicated across the system in many places, such as customer master, business partner, change document tables, and so on. SAP is also highly configurable, so when it is implemented, the way in which this happens dictates which tables and fields the data will be stored in. An additional complication is that there are often multiple copies of systems. The data might be in Z-tables, and the only way this can be verified is to get into that system.
“The time to repair the roof is while the sun is still shining.”
The deadline for compliance with GDPR is looming. The requirements of GDPR go to the very core of your IT systems, because they need to be built into the design. From now until 25 May 2018 isn’t a long time to undertake a project that will affect your CRM systems, your ERP systems and customer first-line support. Entire new business processes will need to be put into place. You will also need an auditor to scrutinise your security arrangements, and the closer we get to the deadline, the less likely you are to find an auditor! Every organisation should be devising a plan to meet the requirements, and assigning key roles and responsibilities to that plan.
EPI-USE Labs will help you deal with GDPR. Our knowledge, experience, expertise and products will help you sleep peacefully at night in the knowledge that everything is under control.
Contact us today.