JM is one of the Nordic region’s leading developers of housing and residential areas. They produce new homes in attractive locations, with the main focus on expanding metropolitan areas and university towns in Sweden, Norway and Finland.
JM realised they had challenges from the perspective of personal data integrity, including in the following areas:
In 2015, the team at JM held workshops around the General Data Protection Regulation (GDPR) led by management consultants. Many of the sessions emphasised the threat of GDPR penalties. The team decided to turn the focus away from the negative and take a forward-looking approach, looking at opportunities for positive change. They took four key decisions to guide their GDPR compliance project:
We involved EPI-USE Labs early in the project, developing requirements and specification interactively.
JM bought Object Sync™ and Data Secure™, part of the Data Sync Manager™ (DSM) product suite, to copy and scramble subsets of data for testing and training purposes. By reducing their data footprint in non-productive environments, they could remove personal data from their test environments. Additionally, for GDPR it is important to show data protection by design and by default. By using DSM for refreshing data in the non-production system, JM can demonstrate this principle.
In November 2018, they went live with Data Disclose and Data Redact. Data Disclose is used for Subject Access Requests (to comply with GDPR Article 15). They are able to search the system and provide a branded PDF document detailing the individual’s data that is stored in their SAP systems.
JM also implemented Data Redact so they can redact the data that identifies an individual, thus complying with GDPR Article 17 and the right to erasure. As well as reactively responding to any removal requests, they wanted to proactively reduce the personal data stored in SAP that was outside their retention policies.
The initial mass clean-up was carried out across several data sets including Customers, Vendors, Employees and Accounting Documents, and used EPI-USE Labs’ SLO capabilities. This paved the way for smaller monthly or annual redactions and removals that can be done using APIs for Data Redact.
JM also partnered with EPI-USE Labs to be a ramp-up client for Data Retain, which provides a visual UI for configuring and running retention rules, and then submitting keys that are due for redaction to Data Redact.
Our business transactions can span over a long time – some over 30 years – and we wanted to keep the data, while removing the sensitive parts we didn’t need. EPI-USE Labs’ SAP Data Privacy suite allowed us to do this.
JM has been able to use the GDPR solutions from EPI-USE Labs to support their processes. The same suite of applications was used to handle customer information and transactions, vendor relations and transactions, and employee information in the SAP system landscape, enabling JM to comply with aspects of the regulation in a short period of time.
The next step in their GDPR journey is to implement information security routines in operations and to work together with EPI-USE Labs to set up retention programs in the SAP system.
With the approach offered by EPI-USE Labs, we can anonymise and redact sensitive data rather than archive, meaning business transactions may stay in the system without being related to an identifiable individual.