Do you have a Black Friday data hangover?

November 27, 2020
Written by Paul Hammersley

Paul has for many years been a remarkable technical force at EPI-USE Labs. As SVP of the ALM Products, his portfolio includes System Landscape Optimization, and his hands-on experience of implementing Data Sync Manager and helping clients to manage data across the breadth of their SAP landscapes is unique. He has specialised knowledge about data security and how GDPR (the General Data Protection Regulation) impacts companies running SAP.

Blog-Image-New-3
The rise in online shopping reaches a crescendo

If anything can be said to have thrived in 2020, it must surely be online shopping. They say a major disruptive crisis accelerates changes that would in any case have happened, albeit less quickly. The ease with which we now search, click and pay for goods from phones, tablets, and occasionally now laptops or desktops, has prepared us perfectly for this year's Black Friday sales.

(Black Friday also now seems to have taken over as the longest day of the year – since it seems to last for about four weeks). As our plastic heats up more and more over the coming days and weeks in the lead up to Christmas, we are all likely to revisit this same thought process:

Create an account or continue as a Guest?

  • Am I likely to shop here again? Is this just a once-off impulse purchase?

  • Would I want my friends to know I shop with this company? Are they ethical, do they respect the environment?

  • Where is this company actually based?

  • Can I trust this company with my personal data, AND my credit card?

‘Guest’. Well, that sounds reassuring – what do I get with that?

When you think about it, there must be a spectrum of responses to this. There are those of us who would not share our data online with our own government and will not be signing up for anything; but then it's probably quite rare for those people to shop online at all. But I am sure many people sign up for accounts with very very few websites, and mainly continue as a ‘Guest’. Then, some people in the middle who mix and match, and then some serious ‘in da club’ fanatics at the other end of the spectrum who would join anything on offer and gladly save their details for future. 

 

But what do we actually expect from companies in either case? If I sign up, am I signed up forever?

 

Will my password be stored:

 

  • In plain text, meaning any breach of that site could put me at risk for other sites where I’ve used the same password? (don’t say you don’t do that, we know you do, we all do to some degree!)

  • Encrypted, but with the key stored on the same server, so someone taking control of the server could get to the plain text version?

  • As a hashed value so the password is never actually stored, just turned into a hash at runtime and compared to the value that is stored? (Incidentally, this is how your SAP password is stored).

And what are their privacy terms? Who will they share my details with?

Will they be tracking what I buy and offering me deals on 600ml when I only usually buy 450ml? Or using other analytics on my online and purchasing behaviour, what content they send to me, and how responsive I am to certain campaigns?

 

These questions often prompt me to simply choose ‘Guest’ over and over. Often on the same online store, promising myself that next time, I’ll think through every angle, and perhaps sign up.

Guests outstaying their welcome

So, having handed over my address and credit card details for the transaction, I relax back, safe in the knowledge that the moment the goods leave their warehouse, my details vanish until next time I type them all in again.

 

But do they really vanish? Well, of course not. The website might link to another order fulfillment system, and then there’s a finance system, and the courier that delivery is outsourced to. How many systems and databases will actually have just had my data? And how many of them will still have my address and/or credit card details in a month? A year? A decade? And what if…they’re running SAP?

We don’t have Guests in SAP…do we?

BF screen

Ok, so it's highly unlikely that your SAP system has a SAP GUI screen like this. But that doesn’t mean you don’t have Guest data in your backend ERP or S4 system. Some organisations running SAP use SAP CRM to process ‘One-time orders’, which then generate an order in ERP with a single ‘dummy’ customer and ‘9000*’ address on the ‘Ship-to’ partner function. So there is no trace of our guests in ERP Customer or Business Partner master data, but the address is in ADRC etc. and linked directly in VBPA. And I suspect many more retail organisations leverage other non-SAP webshop technologies, and interface back to SAP ERP or S/4 in a similar way. At the end of the day, if the delivery is processed in an ERP system, then the person’s name and address must be there.

The Black Friday hangover: backlog data privacy debt

If your SAP system has this type of data, you’ve probably seen a fair growth in the number of ADRC entries of this type during the global pandemic, but the Black Friday period will certainly add many more. So although it can be a welcome boost to our struggling retail sectors, it does come at a cost in terms of data privacy and our ‘backlog privacy debt’. There will be more and more data being accumulated. If someone executes a Data Subject Access Request, would you even find them? Or would you only search Customers and Business partners? If they ask you to remove their data, can you do this?

 

Over the next few months I am going to be focusing on Data Minimisation and some capabilities we have developed for removing ‘backlog privacy debt’, without the need for expensive, complex projects. This could be as part of a mass clean up, or allowing the business users to address ad-hoc requests, or implementing periodic removal of data as it falls outside of a retention period.

How to satisfy historical data minimisation requirements for compliance

Find out how EPI-USE Labs can help your organisation address their ‘backlog privacy debt’ as part of a data minimisation initiative, and provide ongoing Privacy by Design. This includes a unique, simple alternative to archiving or full removal of records.

See our SAP Data Privacy Suite in action-1

 

 

 

Explore Popular Tags

GDPR Data Privacy data security data secure GDPR compliance data scrambling POPI Act POPIA Data Redaction Data Sync Manager General Data Protection Regulation SAP GDPR Right to be forgotten Data Archiving Data Redact GDPR readiness GDPR deadline SAP data privacy and compliance sap Data privacy compliance SAP Data Security personal data SAP security SAP systems Access risk controls COVID-19 Data privacy regulations SAR Subject Access Request compliance CCPA Data minimisation Data privacy by design European operations Federal Law GRC for SAP Governance, Risk Management and Compliance (GRC) ICO May 2018 Reducing risk Right to Erasure Risk monitoring SAP data anonymised data security breach test data management Access Risk management Australian Privacy Act 1988 Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti Cenoti, connecting SAP with Splunk Client Sync Cloud migrations Confidentiality Consent DSM Data Portability Data integrity Data masking Data security breaches Documentation Employee data Europe Friday 25 May 2018 GDPR fine GDPR-type legislation Guest order HCM HR Information Commissioner’s Office Information transfer Infotype 41 New Zealand Privacy Act Object Sync Online shopping Penalties Phantom Privacy by Design Proportional Data Right to Access Risk management S/4HANA Migrations SAP S/4HANA SAP data encryption SAP data privacy and security SIEM Secure scrambled production data for testing Security Security Information and Event Management Security for SAP. Live Soterion South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government Virtual conference What does the European GDPR mean for Australia? masking rules one-time customer quality of test data system copy
+ See More

Get Instant Updates


Leave a Comment: