GDPR (the General Data Protection Regulation) may sound like just another confusing acronym, but this new law has far-reaching consequences for companies across the world. As from 25 May 2018, all organisations world-wide collecting, storing and processing personal data from European Union (EU) citizens must be ready to reveal the data they have on the individual and what purpose(s) it is being stored and used for.
To hold and manage the data, irrespective of whether this data is held in the EU or not, each organisation needs to get informed consent from the data subject, and demonstrate compliance with the guiding principles of the regulation, including that data protection is at the heart of the system design. Compliance will be non-negotiable, and organisations with data security breaches will face potentially heavy fines, which could be as high as €20 million ($21m at the current exchange rate), or 4% of annual revenue – whichever is greater.
How EPI-USE Labs can help you
Although this can all seem daunting, EPI-USE Labs offers the following solutions to help you tackle compliance:
- EPI-USE Labs has developed Data Secure™ and a GDPR Compliance Suite for SAP
- Guidance and best practice:
  - Knowledge and direction on where data is stored in SAP®
  - Understanding the affected data types, and choices and processes to meet requirements
- Mass data removal services
- GDPR Awareness workshops
The many and varied IT systems mean that a “one size fits all” approach isn’t possible, so let us share our expertise and experience to help you stay ahead of the game. EPI-USE Labs has spent over thirty years in the SAP data space creating and developing advanced software solutions, and can also offer guidance and share expertise on GDPR.
Mass data removal services
For most organisations, a data retention policy has been treated by the technical teams as a minimum period of retention, not as the point at which data must be proactively destroyed. With the GDPR in force, this has changed, and all organisations are sitting on some historical data they no longer have legal grounds for storing, whether this is former employees' family details, former customers' bank account numbers, or one of the many other types of personal data interwoven in the fabric of their SAP systems.
EPI-USE Labs has a simple approach to clearing this old data, without the need for complex archiving projects. The technology that underpins the Data Redact product for redacting or removing specific information about an individual data subject can be leveraged by an EPI-USE Labs System Landscape Optimisation (SLO) consultant, using a specific licence mode that allows mass record selection and parallel processing. The consultant will also assist with the exact definitions of the data that should be removed in the initial clean-up and with how to select those records.
Historical employee data is needed in most cases, but what if that part of the business was divested? 10 years later, can we still keep those employees in the system at all? Even if we want to keep the main part of the employee record, what about the more personal parts of the data? An initial mass clean-up could take the form of one policy that clears a small amount of highly personal data, such as family information or bank account numbers, applied to anyone who left more than a year ago, and a second policy for anyone who left the organisation seven years ago or more, which removes much more data, such as sickness absence information, performance reviews and pay details.
Business to Consumer data
In this area, it's much more difficult to define legal grounds for keeping the data. There may be thousands of customers, business partners and addresses that have not traded with the organisation for more than five years. Rather than archiving all their transactions and then the master data, we can provide a mass clean-up that removes identifiers from the master data and any references on transactions, so that the person is no longer visible in the system. Alternatively, it may be desirable to remove credit card information and security question answers from former consumer records much sooner.
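The two-tier employee policy described earlier in this section and the customer clean-up just described can be expressed as plain retention rules evaluated against a record's leaving or last-trade date. The following is an added illustration, not code from EPI-USE Labs or from any SAP product: the record layouts, field names, customer identifiers, dates and the five-year inactivity threshold for customers are all constructed for the example, and the anonymisation token format is an assumption.

```python
"""Retention-policy clean-up of constructed HR and customer records.

Added example. Field names, dates and identifiers below are constructed and
do not correspond to SAP tables or fields or to any EPI-USE Labs product.
"""
from dataclasses import dataclass
from datetime import date
from typing import Sequence


@dataclass(frozen=True)
class RetentionPolicy:
    name: str
    min_years_since_leaving: int      # policy applies once this many whole years have passed
    fields_to_remove: tuple[str, ...]  # constructed field names, not SAP infotype fields


# Policy 1: a small set of highly personal fields for anyone who left a year ago or more.
# Policy 2: far more data for anyone who left seven years ago or more.
HR_POLICIES = (
    RetentionPolicy("highly-personal", 1, ("family_details", "bank_account")),
    RetentionPolicy("extended-hr", 7, ("sickness_absence", "performance_reviews", "pay_details")),
)


def whole_years_between(earlier: date, later: date) -> int:
    """Completed calendar years from `earlier` to `later` (anniversary-based)."""
    years = later.year - earlier.year
    if (later.month, later.day) < (earlier.month, earlier.day):
        years -= 1
    return years


def redact_employee(record: dict, policies: Sequence[RetentionPolicy], as_of: date) -> tuple[dict, list[str]]:
    """Return a redacted copy of the record and the names of the policies that applied.

    Removed fields are set to None so the record structure (and the fact that
    a field existed) is preserved for audit, while the personal content is gone.
    """
    redacted = dict(record)
    fired: list[str] = []
    age = whole_years_between(record["left_on"], as_of)
    for policy in policies:
        if age >= policy.min_years_since_leaving:
            for field_name in policy.fields_to_remove:
                if field_name in redacted:
                    redacted[field_name] = None
            fired.append(policy.name)
    return redacted, fired


def pseudonymise_inactive_customers(customers: list[dict], transactions: list[dict],
                                    as_of: date, inactive_years: int = 5) -> tuple[list[dict], list[dict]]:
    """Strip identifiers from long-inactive customer master records and re-key their transactions.

    Transactions keep their commercial content but lose the link to the person:
    the customer reference is replaced with an opaque token (format is an assumption).
    """
    token_for: dict[str, str] = {}
    cleaned_customers = []
    for customer in customers:
        cleaned = dict(customer)
        if whole_years_between(customer["last_trade"], as_of) >= inactive_years:
            token = f"ANON-{len(token_for) + 1:04d}"
            token_for[customer["customer_id"]] = token
            for field_name in ("name", "address", "email"):
                cleaned[field_name] = None
            cleaned["customer_id"] = token
        cleaned_customers.append(cleaned)
    rekeyed_transactions = []
    for tx in transactions:
        rekeyed = dict(tx)
        rekeyed["customer_id"] = token_for.get(tx["customer_id"], tx["customer_id"])
        rekeyed_transactions.append(rekeyed)
    return cleaned_customers, rekeyed_transactions


# Constructed sample data, evaluated as of a fixed date so results are reproducible.
AS_OF = date(2024, 1, 15)
EMPLOYEES = [
    {"employee_id": "E1", "left_on": date(2017, 3, 1), "family_details": "spouse, 2 children",
     "bank_account": "DE00 0000 0000", "sickness_absence": "12 days", "performance_reviews": "meets",
     "pay_details": "grade 7"},
    {"employee_id": "E2", "left_on": date(2015, 6, 30), "family_details": "single",
     "bank_account": "GB00 0000 0000", "sickness_absence": "3 days", "performance_reviews": "exceeds",
     "pay_details": "grade 5"},
    {"employee_id": "E3", "left_on": date(2023, 11, 1), "family_details": "partner",
     "bank_account": "FR00 0000 0000", "sickness_absence": "0 days", "performance_reviews": "meets",
     "pay_details": "grade 6"},
]
CUSTOMERS = [
    {"customer_id": "C1", "name": "A. Example", "address": "1 Sample St", "email": "a@example.invalid",
     "last_trade": date(2016, 2, 10)},
    {"customer_id": "C2", "name": "B. Example", "address": "2 Sample St", "email": "b@example.invalid",
     "last_trade": date(2023, 5, 5)},
]
TRANSACTIONS = [
    {"doc_no": "T1", "customer_id": "C1", "amount": 120.0},
    {"doc_no": "T2", "customer_id": "C2", "amount": 80.0},
]


def run_demo():
    hr = [redact_employee(e, HR_POLICIES, AS_OF) for e in EMPLOYEES]
    customers, transactions = pseudonymise_inactive_customers(CUSTOMERS, TRANSACTIONS, AS_OF)
    return hr, customers, transactions


if __name__ == "__main__":
    for redacted, fired in run_demo()[0]:
        print(redacted["employee_id"], fired, redacted)
```

Evaluating everything against a single `as_of` date, rather than `date.today()`, is deliberate: a clean-up run should be reproducible and its selection auditable after the fact, which is also why removed fields are nulled rather than deleted from the record.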
Contact us for an initial discussion of your requirements and how we can tailor our mass clean-up services to help you with GDPR compliance.
GDPR Compliance Suite for SAP: Data Disclose solution
The short demo below provides an overview of the workings of our Data Disclose product:
Data Disclose is a unique software application that allows you to locate and display data across your SAP systems in seconds, with APIs to connect non-SAP systems as well. It's built on a solid foundation of existing technology and Intellectual Property (IP) by leveraging our well-established software product Data Secure (part of the Data Sync Manager (DSM) suite), and it can present the data in a flexible, encrypted, company-branded PDF output.
Because people have the right to ask for details about their data, organisations need to know which personal data is stored where, and for what purpose. This can be hugely time-consuming; the ability to find this data quickly and efficiently becomes crucial.
With Data Disclose, we can help you shine a light on the dark, dusty corners of your SAP system so you can see exactly where the data resides across systems. The application finds, retrieves and presents a subject's data footprint across SAP systems and, as an added benefit, across non-SAP systems as well, if they are integrated through the Data Disclose API. It does this in seconds across SAP ERP, CRM, SRM, BW and any other ABAP stack systems. This is no mean achievement when you consider that SAP systems store data in an intricate way; SAP is highly configurable, with data replicated across the system in many different places.
Data Disclose can bring considerable peace of mind, especially when weighed up against the stringent requirements of the new laws.
Two other EPI-USE Labs products, Data Redact and Data Retain, can help you with an individual's right to have personal data erased, and our XML Object Extractor can support the right to data portability (Article 20 of the GDPR).
Contact us for more information today.
Tackling GDPR in detail: the importance of privacy, transparency and technology
Personal Data Rights
The main emphasis of GDPR is on personal information. GDPR aims to protect personal data rights such as the right to be informed, the right of access, the right to rectification, the right to erasure (also known as the right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
Key requirements for GDPR
- Consent for storage must be given by the data subject
- Consent must be explicit
- Each individual has “the right to be forgotten”, although this comes with several caveats
- Compliance must be demonstrated
- Notification of data breaches must be provided
Data privacy must be by design
Organisations wishing to store data must have explicit consent from the subject of the data. The reason for storing it must be transparent, and the data subject has the authority to block processing while concerns are dealt with, as well as to request the removal of the information from the system. There is nothing to say that data must be anonymised; the law is not that prescriptive. However, the law does say that there must be documentation showing that data protection is by design, and that processes comply with the rights of the data subject.
Overwhelming data requests
The difficulties will start when someone requests the details of where their personal data is being kept in an IT system. Let's complicate that: say your organisation receives ten requests, or even one hundred, to locate sensitive personal data. Imagine having to log into a number of SAP systems to download table entries, or to take screenshots to show the data subject's footprint. How many password resets will be required? Do you know all the places to look? And how long will this take?
Your challenges include
- The complexity, volume and sheer scale of GDPR
- Lack of consistency: Every GDPR compliance project is different, depending on the industry, existing IT systems, usage of data, etc.
- Ambiguity: While the GDPR is comprehensive, there are many areas that are neither detailed nor prescriptive. It doesn't specifically tell organisations what to do; it's up to them to analyse their systems, processes and data and work out what to do for themselves.
How GDPR affects SAP systems
It's not easy for SAP systems to comply with the demands of GDPR because of their architecture. SAP stores information in an intricate and tangled way. Data is stored and replicated across the system in many places, such as the customer master, business partner and change document tables, and so on. SAP is also highly configurable, so the way an implementation is carried out dictates which tables and fields the data will be stored in. An additional complication is that there are often multiple copies of systems. The data might be in custom Z-tables, and the only way this can be verified is to get into that system and check.
“The time to repair the roof is while the sun is still shining.”
The requirements of GDPR go to the very core of your IT systems, because they need to be built into the design; a project like this can affect your CRM systems, your ERP systems and your first-line customer support. Entirely new business processes have to be put into place. You will also need an auditor to scrutinise your security arrangements. Every organisation should have a plan to meet the requirements, and assign key roles and responsibilities within that plan.
EPI-USE Labs will help you deal with GDPR. Our knowledge, experience, expertise and products will help you sleep peacefully at night in the knowledge that everything is under control.