In accordance with the latest information available as of September 2023
The global privacy landscape is changing rapidly, in line with how data is used and shared in our modern world. Across all recent (and forthcoming) privacy acts/regulations, there are consistent rules dealing with:
These changes are complex for any company using larger ERP platforms like SAP, because of the integrated data model used to provide ERP solutions. As experts in the SAP data model, we provide targeted solutions for the challenges faced in complying with data privacy laws.
The aim of any privacy project is to increase compliance with the required data privacy laws within the company’s jurisdiction. And SAP’s structure makes addressing data privacy compliance particularly tricky. One of the most compelling reasons for data privacy compliance is the enforcement fines; the new laws provide for high financial sanctions to be applied by legal bodies.
We have been implementing privacy projects around the globe in multiple industries for over 20 years, and have identified essential steps in a common project approach:
Whether you’re adhering to PDPA in Thailand, one of the state laws in the USA, or GDPR in Europe, you are required to respond to requests under the Right to Access and to requests for deletion of personal data from your environment.
The Right to Removal does not overrule any of your other legal and compliance requirements, such as keeping records for tax audit. You now need to find a way to validate if data is required for any other legal reason, and if not, remove sensitive data from your system.
SAP presents a challenge in data removal: because its data sits in a relational database, the sensitive data is intrinsically linked with your business transactions. So traditional ways of archiving or deleting mean you need to remove your transactions and master data completely.
EPI-USE Labs provides an alternative in Data Redact, which removes the PII from records but leaves the referential integrity of the solution intact. And Data Disclose provides effective PII mapping in a PDF output, allowing an efficient process to respond to the Right to Access.
Every business needs to test their processes, whether it’s the annual payroll taxation updates, service pack upgrade or new customizations. You don’t want to find out you have an issue with the new processes in Production; so most businesses will take a copy of their Production systems and create test environments.
The number of testing environments varies depending on the business, but a typical set-up would be to have
The new privacy laws state that you must have informed and explicit consent for the use of the data relating to data subjects. In our experience, most businesses do not have this consent for using data for testing purposes. Even if you did have a consent process, there is an additional challenge in understanding what to do for a no-consent response from a data subject.
To solve a problem, you first need to understand the problem. For both data privacy and security, you need to understand the risks you hold in your business process and your IT estate.
Consider your business processes and security risks. For example, do your front office or HR colleagues take notes during calls? If so, what is the security process for those notes? Are you following best practice for data security throughout your business?
Regarding your IT estate, three primary considerations are:
Governance, Risk and Compliance (GRC) solutions take many aspects of access risk into account. We are partnered with Soterion, offering a fast, efficient analysis of your GRC risks with standard delivered rulesets to cover:
These solutions can integrate between SAP and cloud applications (such as SAP SuccessFactors) to provide a holistic view of your access risk.
Soterion also offers assessment of your system licences, firefighter access processes and more.
Our Data Privacy Suite for SAP solutions leverages our industry-leading Data Sync Manager™ Suite which offers a semantic understanding of your SAP environment and provides data sub-setting and secure rule-based masking capabilities. Data Disclose, Data Redact and Data Retain are built on a solid foundation of existing technology and Intellectual Property to help you comply with global data privacy legislation like GDPR, CCPA and POPIA.
SAP is one of the most robust systems in the world, but also one of the most complex, as SAP has purchased and integrated many diverse components and solutions over the years. Detailed domain knowledge is required to map and understand the cross-functional integration of multiple SAP objects and systems.
EPI-USE Labs has been an SAP partner for over 30 years, and has an in-depth understanding of how SAP data is structured. We have developed detailed knowledge of the different versions of SAP, including their uses and intricacies, and our integrity mapping is defined both on the individual field level and between systems. Since 2000, we have helped our clients comply with data privacy laws, scrambling non-production data copied out of Production systems. We also address the de-sensitisation of data in Production with our redaction technology.
Our Data Privacy Suite for SAP solutions leverages our industry-leading Data Sync Manager™ Suite, which is certified by SAP for 'Integration with SAP S/4HANA®' and 'Integration with SAP S/4HANA Cloud®'. Our global Professional Services team has certifications in CISSP, CIPPT and CIPPM. Combined with extensive project experience across multiple countries and industries, we can give you expert guidance on your data privacy challenges.
Why not get a free assessment on your data today?
Nordic company JM adopts EPI-USE Labs’ Data Sync Manager and Data Privacy Suite to develop an efficient programme to scramble and redact sensitive data in their SAP systems, in order to comply with GDPR regulations.
"In addition to the key scrambling requirement, using Data Sync Manager has resulted in a disk space saving of 5TB in total, and we also save more than ten hours per refresh."