JM's journey to a live, compliant GDPR solution

Using the EPI-USE Labs’ Data Sync Manager (DSM) suite, along with the SAP Data Privacy suite, JM has developed an effective programme to scramble and redact sensitive data in their SAP Systems

Effective business processes
to comply with GDPR

Automatic removal of sensitive data outside retention period

Reduced risk: test systems
no longer have sensitive data

The key thing here has been that we can keep all our data but remove all the sensitive parts of it. The EPI-USE Labs solutions have brought us great benefits.

Richard Wenell
Head of IT department, JM

About JM

JM is one of the Nordic region’s leading developers of housing and residential areas. They produce new homes in attractive locations, with the main focus on expanding metropolitan areas and university towns in Sweden, Norway and Finland.

Data Sync Manager demo    Data Privacy demo      DOWNLOAD SUCCESS STORY

Challenges with protecting personal data

JM realised they had challenges from the perspective of personal data integrity, including in the following areas:



In 2015, the team at JM held workshops around the General Data Protection Regulation (GDPR) led by management consultants. Many of the sessions emphasised the threat of GDPR penalties. The team decided to turn the focus away from the negative to a forward-looking approach looking at opportunities for positive change. They took four key decisions to guide their GPDR compliance project:

  • Focus on business owners instead of IT systems
  • Add funds for improving information security
  • Provide helping tools instead of reviews
  • Make the improvement project a top priority for everyone.

We involved EPI-USE Labs early in the project, developing requirements and specification interactively.

Richard Wenell
Head of IT department, JM

A solution to copy and scramble data

JM bought Object Sync™ and Data Secure™, part of the Data Sync Manager™ (DSM) product suite, to copy and scramble subsets of data for testing and training purposes. By reducing their data footprint in non-productive environments, they could remove personal data from their test environments. Additionally, for GDPR it is important to show data protection by design and by default. By using DSM for refreshing data in the non-production system, JM can demonstrate this principle.

In November 2018, they went live with Data Disclose and Data Redact. Data Disclose is used for Subject Access Requests (to comply with GDPR Article 15). They are able to search the system and provide a branded PDF document detailing the individual’s data that is stored in their SAP systems.

JM also implemented Data Redact so they can redact the data that identifies an individual, thus complying with GDPR Article 17 and the right to erasure. As well as reactively responding to any removal requests, they wanted to proactively reduce the personal data stored in SAP that was outside their retention policies.

The initial mass clean-up was carried out across several data sets including Customers, Vendors, Employees and Accounting Documents, and used EPI-USE Labs’ SLO capabilities. This paved the way for smaller monthly or annual redactions and removals that can be done using APIs for Data Redact.

JM also partnered with EPI-USE Labs to be a ramp-up client for Data Retain which provides a visual UI for configuring and running retention rules, and then submissions to Data Redact for keys which are due for redaction.

Our business transactions can span over a long time – some over 30 years – and we wanted to keep the data, while removing the sensitive parts we didn’t need. EPI-USE Labs’ SAP Data Privacy suite allowed us to do this.

Richard Wenell
Head of IT department, JM

Effective compliance with GDPR

JM has been able to use the GDPR solutions from EPI-USE Labs to support their processes. The same suite of applications was used to handle customer information and transactions, vendor relations and transactions, and employee information in the SAP system landscape, enabling JM to comply with aspects of the regulation in a short period of time.

  • JM can now support business processes which were always required, but the need for them was heightened by GDPR.
  • A positive, proactive approach is now in place to automatically remove data which may be sensitive as soon as it is outside its retention period.
  • Test systems no longer contain sensitive data, lowering the risk of breaches from internal users or partners accessing non-production environments.

The next step in their GDPR journey is to implement information security routines in operations and working together with EPI-USE Labs to set up retention programs in the SAP system.

Data Sync Manager demo    Data Privacy demo      DOWNLOAD SUCCESS STORY

With the approach offered by EPI-USE Labs, we can anonymise and redact sensitive data rather than archive, meaning business transactions may stay in the system without being related to an identifiable individual.

Richard Wenell
Head of IT department, JM

GDPR compliance success stories

Service Provider Success-Story

Global Service Provider

View Success Story



View Success Story


VELUX group

View Success Story