Let's Talk Data Security

SAP data privacy: Is HR data the most vulnerable?

Written by Rosy Marchand | 19 March 2026

SAP systems hold extensive sensitive PII. In this blog, EPI-USE Labs' data privacy expert James Watson responds to frequently asked questions about SAP data. He explains that although risks vary by industry and business models, including B2C and B2B, in general HR or HCM data is the most vulnerable across all industries. It depends on your business, how you operate and integrate with the market, where you come into contact with an individual person, and where you're storing that information. Data privacy compliance means that visibility of all PII is essential for all businesses.


We spoke to James Watson to get his insights into which SAP data he considers the most vulnerable, and how it differs across industries, including B2B and B2C companies, and suppliers to large retailers; and the impact of GDPR in reality. 

With a functional and business background of over 20 years, James is responsible for the global line of business for EPI-USE Labs' data privacy and SAP IS-* Solutions, supporting all regions and key accounts running Data Sync Manager (DSM) for these complex requirements. His history includes SAP specialisms in non-production data management and anonymisation, Production data removal or redactions, System Landscape Optimisation (SLO) and SAP industry solutions.

 

Which SAP data is the most vulnerable in your view?

“This is very dependent on the industry that you're in. There isn't really a one-size-fits-all response; it absolutely depends on your business, how you operate and integrate with the market, where you come into contact with an individual person, and where you're storing that information.

In general, though, the common answer spanning all industries is HR. Your HCM data is probably the place that you keep the most depth of information about an individual, and even about other individuals, such as family members, or emergency contact information. You have a legal duty and use case as to why you're holding that information, especially in your Production environments.

Because without enough history, enough understanding, you can't do payroll. It's just that simple. And no business wants to be without payroll because they're not without people. I guarantee it. Nobody's going to work for free. So the HCM data is always a priority.

But then for each individual industry, you're going to have very specific challenges.”

What about at-risk SAP data in the retail and utilities industries?

“If you're in a retail industry and you've got a consumer benefit card scheme or membership program, you could be keeping millions of customers' individual real data within your SAP platform.

So rather than a few thousand employees or even tens of thousands, depending on the size of your business, you may have tens of millions of individual data, at which point your customer data – or Business Partner data in SAP terms – is going to be far higher.

Similarly, in the utilities industries for gas, water, and electric, it's the same thing. Any business that's a B2C company, all of your customers are going to be real people and are therefore covered by the privacy laws.”

What’s the data privacy complexity for suppliers of large retailers like Amazon?

“An interesting area is within suppliers to large retail organizations. So companies, for example, that will sell through Amazon. We've recently been working with a United States client for exactly this problem; Amazon have instilled on them a thirty-day retention period for any delivery that has been made to an Amazon customer.

But in their SAP system, they're not actually set up as a customer as master data. They're just a one-time sales process with that personal data held against it. So in their case, there was zero master data with Personally Identifiable Information (PII), but all of their transactions were actually being delivered to real people through an Amazon relationship. So they had a very different sort of storage location where this personal data was.”

Do B2B companies also have to worry about PII?

“In terms of their core data, it's always related to how much of an individual you can identify. There are a lot of businesses that have made the decision that they can manage their customer data because it's a B2B (business to business) enterprise, so they don't have to worry too much about their customers. However, even there, what about contact persons that are associated? The business customer may well not be a personal individual; but in terms of the contact people that you're dealing with, you still have emails, contact numbers, names held against them, and you need to make sure that you're prioritising that.

So even in the most remote B2B company with only a few hundred employees, you can still have some very significant data privacy challenges depending on that relationship.” 

What’s the impact of GDPR in practice?

“With the global privacy laws coming through, it's important for people to understand that if they're doing business in Europe, they already have to comply with GDPR, because GDPR covers the European citizen, not the database where the data is stored.
We have had some extreme examples of this, such as the $1.3 billion fine that was leveraged against Meta, and that was leveraged by Ireland. Those sort of fines have already been leveraged across country borders against European citizens' data. So although the new privacy laws bring a focus to the individuals, there's always been a problem in maintaining this where it is B2C. And obviously for the largest organizations, they also have that problem from an HR point of view.”

What’s your recommendation to clients facing SAP data privacy challenges?

“I’d say the first step is to understand exactly where your PII is located, so you know what you’re dealing with. Your SAP system holds extensive sensitive data about your customers, vendors, and employees, and it’s critical to take the SAP data model into consideration. Also, many long-term SAP business users have developed customized functions, including custom tables storing data and facilitating processing, which expands the target for sensitive data.

At EPI-USE Labs, we offer a SAP data privacy assessment service which can help you to understand and identify your PII, and assess your access risks.”
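As an added illustration of that first step (an example written for this page, not EPI-USE Labs' assessment service or any SAP API), the script below inventories where PII sits across a data-dictionary extract. The extract is constructed for the example: the table and field names are sample values, the keyword classifier over field descriptions is a deliberate simplification, and the "custom table" test is just the Z/Y customer-namespace prefix. It covers the places the interview calls out: HR infotype tables including family and emergency contacts, customer master and contact persons, address tables reached from one-time sales-document partners, and a custom table added by a loyalty scheme.

```python
"""Added example: inventory where PII lives in an SAP-style data dictionary.

Illustration code, not EPI-USE Labs' product or SAP's own API. The extract
below is constructed for the example: table and field names are sample
values, and the keyword classifier is a simplification of what a real
assessment would do.
"""
import re
from collections import defaultdict

# Constructed sample extract: (table, field, field description).
# Mixes HR infotype tables, customer master, contact persons, address tables
# reached from one-time sales-document partners, and a custom Z table.
DICTIONARY = [
    ("PA0002", "NACHN", "Last name"),
    ("PA0002", "VORNA", "First name"),
    ("PA0002", "GBDAT", "Date of birth"),
    ("PA0021", "FANAM", "Family member last name"),
    ("KNA1", "KUNNR", "Customer number"),
    ("KNA1", "NAME1", "Customer name"),
    ("KNA1", "TELF1", "Telephone"),
    ("KNVK", "NAME1", "Contact person name"),
    ("VBPA", "ADRNR", "Address number (one-time partner)"),
    ("ADRC", "NAME1", "Name 1"),
    ("ADRC", "STREET", "Street"),
    ("ADR6", "SMTP_ADDR", "E-mail address"),
    ("ZLOYALTY", "MEMBER_EMAIL", "Loyalty member e-mail"),
    ("ZLOYALTY", "POINTS", "Points balance"),
    ("VBAK", "NETWR", "Net value"),
]

# Ordered so that more specific categories win (an "E-mail address" is
# classified as email, not as a postal address).
PII_PATTERNS = [
    ("email", re.compile(r"e-?mail", re.I)),
    ("phone", re.compile(r"telephone|phone", re.I)),
    ("birth_date", re.compile(r"birth", re.I)),
    ("name", re.compile(r"\bname\b", re.I)),
    ("address", re.compile(r"street|address", re.I)),
]


def classify_field(description):
    """Return the PII category for a field description, or None."""
    for category, pattern in PII_PATTERNS:
        if pattern.search(description):
            return category
    return None


def is_custom_table(table):
    """Customer-namespace tables (Z*/Y*) are where custom developments land."""
    return table.upper().startswith(("Z", "Y"))


def build_inventory(dictionary):
    """Group PII-bearing fields by table; tables without PII are omitted."""
    inventory = {}
    for table, field, description in dictionary:
        category = classify_field(description)
        if category is None:
            continue
        entry = inventory.setdefault(
            table, {"custom": is_custom_table(table), "pii_fields": []})
        entry["pii_fields"].append((field, category))
    return inventory


def summarize(inventory):
    """Headline numbers an assessment report would lead with."""
    by_category = defaultdict(int)
    for entry in inventory.values():
        for _, category in entry["pii_fields"]:
            by_category[category] += 1
    return {
        "tables_with_pii": len(inventory),
        "custom_tables_with_pii": sum(1 for e in inventory.values() if e["custom"]),
        "pii_fields": sum(by_category.values()),
        "by_category": dict(by_category),
    }


if __name__ == "__main__":
    inv = build_inventory(DICTIONARY)
    for table, entry in sorted(inv.items()):
        tag = "CUSTOM" if entry["custom"] else "standard"
        fields = ", ".join(f"{f} [{c}]" for f, c in entry["pii_fields"])
        print(f"{table:10} {tag:8} {fields}")
    print(summarize(inv))
```

Two points the output makes that the interview only states in words: the sales-document table VBPA carries no name or e-mail itself, only a link to the address tables where the one-time customer's data actually sits, so a scan limited to master-data tables would report nothing for that supplier; and the custom ZLOYALTY table is flagged as a separate PII location that no standard-table checklist would cover.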