Personal Data Rights
The main emphasis of GDPR is on Personal Information. GDPR aims to protect personal data rights such as the right to be informed, the right of access, the right of rectification, the right to erasure (aka the right to be forgotten), the right to strict processing, the right to data portability, the right to object and rights to automated decision-making and profiling.
Key requirements for GDPR
- Consent for storage must be given by the data subject
- Consent must be explicit
- Each individual has “the right to be forgotten”, although this comes with several caveats
- Compliance must be demonstrated
- Notification of data breaches must be provided
Data privacy must be by design
Organisations wishing to store data must have explicit consent from the subject of the data. The reason for storing it must be transparent, and the data subject has the authority to block processing while concerns are dealt with, as well as to request the removal of the information from the system. There is nothing to say that data must be anonymised – the law is not that prescriptive. However, the law does say that there must be documentation showing that data protection is by design, and that processes comply with the rights of the data subject.
Overwhelming data requests
The difficulties will start when someone requests the details of where their personal data is being kept in an IT system. Let’s complicate that: let’s say your organisation receives ten requests – or even one hundred – to locate sensitive, personal data. Imagine having to log into a number of SAP systems to download table entries, or take screenshots to show the data subject’s footprint. How many password resets will be required? Do you know all the places to look? And how long will this take?
.
Your challenges include
- The complexity, volume and sheer scale of GDPR
- Lack of consistency: Every GDPR compliance project is different, depending on the industry, existing IT systems, usage of data, etc.
- Ambiguity: While the GDPR is comprehensive, there are many areas that are neither detailed or prescriptive. It doesn't specifically tell organisations what to do; it’s up to them to analyse their systems, processes and data and work out what to do for themselves.
How GDPR affects SAP systems
It’s not easy for SAP systems to comply with the demands of GDPR because of its architecture. SAP stores information in an intricate and tangled way. Data is stored and replicated across the system in many places, such as customer master, business partner, change document tables, and so on. SAP is also highly configurable, so when it is implemented, the way in which this happens dictates which tables and fields the data will be stored in. An additional complication is that there are often multiple copies of systems. The data might be in Z-tables, and the only way this can be verified is to get into that system.
Don’t delay!
The requirements of GDPR go to the very core of your IT systems, because they need to be built into the design; a project like this can affect your CRM systems, your ERP systems and customer first line support. Entire new business processes have to be put into place. You will also need an auditor to scrutinise your security arrangements. Every organisation should have a plan to meet the requirements, and assign key roles and responsibilities to that plan.
EPI-USE Labs will help you deal with GDPR. Our knowledge, experience, expertise and products will help you sleep peacefully at night in the knowledge that everything is under control.
