How to ensure your SAP complies with the EU GDPR
Personal data is everywhere. Many companies learned this quickly when they checked their IT systems for EU GDPR compliance. ERP, HR and CRM systems in particular are practically full of personal data. Secure solutions exist for SAP users who need to access, lock and even delete personal data.
"If you think compliance is expensive, try non-compliance." While we assume the suggestion to try non-compliance was not exactly meant literally, this advice from US Deputy Attorney General Paul McNulty very well could have also originated from the writers of the EU GDPR. Anyone who has considered the possible sanctions for violations of the General Data Protection Regulation knows that non-compliance can be expensive. Very expensive. Since the EU GDPR took effect a little over a year ago, companies are putting additional efforts into managing the issue.
Just a reminder: The EU GDPR especially strengthened the rights of EU citizens in three categories: the right of access by the data subject, the right "to be forgotten", and the right to data portability. Excerpts:
• Art. 15 – EU GDPR: Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data [...].
• Art. 17 – EU GDPR: Right to erasure ('right to be forgotten')
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay [...].
• Art. 20 – EU GDPR: Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format [...].
The right "to be forgotten" alone is no small task. It requires that personal data be deleted when the affected person withdraws consent for processing or when the data is no longer required for the purpose for which it was originally collected or processed. Of course, this can conflict with statutory retention periods that forbid the immediate deletion of, for example, business documents. A deletion lock exists for such cases: the data and documents are kept for as long as the law requires, but ordinary access to them is blocked because they are no longer needed for their original purpose. While companies have become accustomed to the phrase "the right to be forgotten", applying the concept is still a problem for some.
Personal data everywhere you look
In which IT systems is personal data lurking? It is certainly found in the master data of SAP systems and in the ERP, HR and CRM modules: the central business partner, the customer, the supplier and the employee. For the purposes of the EU GDPR, personal data is also found in all types of documents, for example in contracts, offers, invoices and emails. These documents are often not stored in the SAP system itself but in an electronic archive such as SER's Doxis4.
Every point of contact between your company and a person can be recorded and land in an archive; every recipient of an offer probably has a record in the CRM system. This adds up to high volumes of hidden personal data in many companies. Case in point: insurance providers. Just look at all the handwritten claims reports or accident reports that mention witnesses, in other words people who have no business relationship with the insurer and who, under these circumstances, could exercise the right to erasure. In the healthcare sector, the right to erasure conflicts with lengthy statutory retention periods, which can last 30 years or more. Data processing in the context of employment, which the EU GDPR also covers, is an especially tricky area for HR departments. Employees can likewise request information about which of their personal data is stored and how it is processed. After an employee leaves the company, he or she can request that the stored data be deleted from or locked in the HR system.
"Privacy by default" and "privacy by design"
The EU GDPR does not make any concrete suggestions as to the technical implementation of its requirements. It "merely" describes the criteria that the selected technology must meet with regard to the acquisition, management and protection of personal data. It then places requirements on the companies and organizations that process data, stating that personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" (EU GDPR Art. 5). In practice this means that personal data must be deleted (or at the very least locked) as soon as it is no longer required for its original purpose. Given the volumes involved, this cannot be done by hand; the system must handle it automatically.
The very title of Article 25 of the EU GDPR says it all: "Data protection by design and by default." In other words, the implemented technologies must be developed on the basis of "privacy by design" and "privacy by default", so that data privacy requirements are built in from the design phase of a product and are in force by default, without the user having to configure them. The decision as to which technologies are used is left to the data controllers in the company. Article 25 of the EU GDPR makes it crystal clear: "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility." In other words, companies have a legal responsibility to ensure that their software systems comply with the requirements of the EU GDPR with regard to the acquisition, management and protection of personal data.
How SAP users can comply with the EU GDPR
Personal data related to customers, suppliers, jobs, orders, etc. is found in more places than the structured datasets of the SAP system. The documents accompanying the business cases contain this data as well. It is therefore not sufficient to consider the SAP system alone. The more difficult task is identifying, labeling and (as needed) deleting or locking the transaction-specific, unstructured documents that contain data covered by the EU GDPR. These tasks take on a Sisyphean character if the documents are merely saved in file directories.
If these documents are stored in an electronic archive that is part of an ECM platform, such as Doxis4, companies can manage their business processes and all of the associated documents in one place. An archive of this sort also provides the tools needed to manage these unstructured documents in an EU GDPR-compliant manner. SER offers an ILM solution with a certified interface that connects to the SAP system to form a comprehensive EU GDPR solution.
The first step is identifying personal data in the SAP enterprise applications and assigning rules for retention, locking and deletion after defined periods of time. SAP has added the SAP ILM module to its enterprise solutions for this purpose. In addition to statutory retention periods, legal holds can be placed on documents so that they are not deleted while, for example, litigation is pending. So that such data still conforms with the EU GDPR right "to be forgotten", it can be locked (SAP ILM calls this blocking) so that it can no longer be accessed or further processed by ordinary business users.
How to protect personal data in an electronic archive
SER users can deploy an information lifecycle management add-on to handle archived data and documents in an EU GDPR-compliant manner. The Doxis4 WebDAV Connector for ILM adopts the ILM rules defined in SAP and applies them to the archived content. In keeping with "privacy by default", the SER solution contains rules that assign retention periods to data no longer required by current business cases and then lock or delete that data as needed. Furthermore, deletion locks can be set for an indefinite period on individual documents, for example if the retention period is not yet known. The deletion lock can be removed if, for instance, a customer or employee demands deletion under the EU GDPR. Documents are then deleted automatically, completely and physically, in a traceable manner.
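The rule logic described in the two preceding sections (retention periods that start when a business case ends, legal holds, deletion locks for data whose retention period is unknown, erasure requests, and a traceable physical deletion) is easier to reason about when written down as a decision function. The following is an added illustration of that lifecycle in Python; it is hypothetical and is not SER's, SAP's or Doxis4's code. The rule categories, document fields, sample records and the `decide`/`run_ilm` functions are all assumptions made for the example, and the retention periods shown are constructed, not legal advice.

```python
"""Hypothetical ILM decision logic (added example, not SER or SAP code).

While a business case is open the data is KEPT; once the purpose ends
(case closed, or the data subject withdraws consent via an erasure request)
a statutory retention period or a legal hold turns the record into a
BLOCKED one (deletion lock, no ordinary access); when nothing forbids
deletion any more the record is DELETED and the deletion is logged.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    KEEP = "keep"      # still needed for the original purpose
    BLOCK = "block"    # purpose over, but retention period / legal hold forbids deletion
    DELETE = "delete"  # retention expired and no hold: physical deletion


@dataclass(frozen=True)
class RetentionRule:
    """Retention period in years, counted from the end of the business purpose.
    None means the period is not known yet, which maps to an indefinite deletion lock."""
    category: str
    retention_years: Optional[int]


@dataclass
class Document:
    doc_id: str
    category: str                          # matched against RetentionRule.category
    subject_id: str                        # the data subject (customer, employee, witness ...)
    end_of_purpose: Optional[date] = None  # None: business case still open
    legal_hold: bool = False
    erasure_requested: bool = False        # Art. 17 request received


def _add_years(d: date, years: int) -> date:
    """29 Feb plus N years falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(doc: Document, rules: Dict[str, RetentionRule], today: date) -> Tuple[Action, str]:
    """Return the lifecycle action for one document plus the reason, for the audit trail."""
    # An erasure request ends the purpose for data the subject provided (consent withdrawn).
    purpose_end = doc.end_of_purpose or (today if doc.erasure_requested else None)
    if purpose_end is None:
        return Action.KEEP, "business case still open"
    if doc.legal_hold:
        return Action.BLOCK, "legal hold set"
    rule = rules.get(doc.category)
    if rule is None:
        # Privacy by default: unclassified data is locked, never silently left accessible.
        return Action.BLOCK, "no retention rule assigned; locked until classified"
    if rule.retention_years is None:
        return Action.BLOCK, "retention period not yet known; indefinite deletion lock"
    expiry = _add_years(purpose_end, rule.retention_years)
    if today < expiry:
        # Statutory retention wins over the erasure request, but access is blocked meanwhile.
        return Action.BLOCK, f"statutory retention until {expiry.isoformat()}"
    return Action.DELETE, "retention expired, no hold"


def can_access(doc: Document, rules: Dict[str, RetentionRule], today: date) -> bool:
    """Ordinary business users may only read documents that are still KEEP."""
    return decide(doc, rules, today)[0] is Action.KEEP


def run_ilm(docs: List[Document], rules: Dict[str, RetentionRule], today: date) -> Tuple[List[Document], List[dict]]:
    """Apply the rules to a batch. Returns the surviving documents and a deletion
    log that records *that* a document was deleted and why, without the personal data."""
    surviving, log = [], []
    for doc in docs:
        action, reason = decide(doc, rules, today)
        if action is Action.DELETE:
            log.append({"doc_id": doc.doc_id, "deleted_on": today.isoformat(), "reason": reason})
        else:
            surviving.append(doc)
    return surviving, log


# Constructed sample data for the example (not taken from the page).
RULES = {r.category: r for r in [
    RetentionRule("invoice", 10),         # e.g. a tax-law retention period
    RetentionRule("offer", 0),            # no statutory retention: delete when the purpose ends
    RetentionRule("claim_report", None),  # period still to be determined: indefinite lock
]}
TODAY = date(2024, 6, 1)
DOCS = [
    Document("INV-1", "invoice", "C100", end_of_purpose=date(2015, 3, 1)),
    Document("INV-2", "invoice", "C100", end_of_purpose=date(2013, 12, 31)),
    Document("INV-3", "invoice", "C200", end_of_purpose=date(2013, 12, 31), legal_hold=True),
    Document("OFF-1", "offer", "C300", erasure_requested=True),
    Document("CLM-1", "claim_report", "W400", end_of_purpose=date(2020, 1, 1)),
    Document("CON-1", "contract", "C500", end_of_purpose=date(2020, 1, 1)),
    Document("OFF-2", "offer", "C600"),
]

if __name__ == "__main__":
    for d in DOCS:
        print(d.doc_id, *decide(d, RULES, TODAY))
```

Two design points are worth noting. Unclassified data (no rule) and data with an unknown retention period are both locked rather than kept accessible or deleted, which is the "privacy by default" choice: a mistake in classification then costs availability, not a data-protection breach. And the deletion log stores only the document identifier, date and reason, so the evidence that the right to erasure was honoured does not itself become a new copy of the personal data.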
In other words, focusing solely on the SAP system is not enough to be well positioned for compliance with the General Data Protection Regulation. Companies that incorporate an electronic archive into their information lifecycle management have control over all personal data, not just SAP data. The SER solution handles all the relevant documents, regardless of the system from which they originate. The suitable technical solutions are available; they just have to be used.
► For more information about combined SAP and SER solutions for managing personal data, we recommend the whitepaper, "EU GDPR-compliant information lifecycle management for SAP".