EU GDPR-compliant remote work for SAP users
The switch to remote work in 2020 caused disruption for many companies. To quickly provide employees access to documents and SAP data, they created ad hoc workarounds. While this might have solved immediate issues, it likely also put employees, and thereby the company itself, at risk of violating data privacy laws such as the EU GDPR and other regulations. Now is the time to start closing these compliance gaps. By integrating an enterprise content management solution with SAP, companies can establish a secure and efficient digital workplace both in and outside of the office.
Last year was filled with many new challenges: almost overnight, social distancing became commonplace, and working from home went from an exception to the norm. One positive effect of this change has been that many workers report that their stress levels have decreased. However, this applies only to those who are properly equipped to work remotely. Employees working from home who do not have access to SAP data and documents cannot process transactions, handle customer concerns, or complete their tasks the way they used to. It’s clear that to work remotely – and maintain social distancing rules – more than a few new laptops and a work-from-home policy are needed. It is critical that companies are able to manage their information regardless of location and that employees can continue to access information and actively take part in business processes. At companies where this hasn’t been the case, employees had to become creative. Some took home or emailed copies of data and documents. Some even had business mail sent to their home address. The problem is that while these workarounds allow businesses to continue to operate externally, they do not ensure compliance with privacy laws or internal governance policies. For example, when personal data from customers is copied, access rights are no longer valid, and information cannot be found and deleted entirely.
How to ensure data privacy while working from home
Companies with a high level of digital maturity have been able to ensure the safety of their employees as well as their information. Feedback from our customers has confirmed this. With an ECM platform, they were able to continue working compliantly from home: “Our teleworkers currently work 100 percent from home and many other workplaces were switched to remote work at short notice. This minimizes the risk of infection for all employees, and we are still able to continue our work for people with disabilities,” states Susanne Eiter, HR manager at the LWL Inclusion Office for Social Participation, and adds: “If every employee were to take the physical case files that he or she planned to work on, it would be impossible logistically and in terms of data privacy law. We simply would not be able to operate.”
Another example of the successful transition to location-independent and secure work is the bank M.M. Warburg & CO, whose IT Director and Chief Information Officer, Andreas Büttner, sums up the essentials: “From our point of view, working remotely is now inconceivable without a good document management system, even in medium-sized companies. A simple collaboration solution is no longer enough for many legal and regulatory reasons.”
SAP alone does not provide complete security
Digital information provides the basis for security when working remotely. Information that exists only on paper can quickly disappear or fall into the wrong hands. Companies that work with SAP might wave off concerns at this point: all the information is digital in the ERP system and protected there. But is that really all of the information? Every SAP transaction includes not only data but also numerous documents. Offers, order confirmations, invoices and contracts are not all in SAP. In the best case, they are already available digitally, but then mostly scattered across local file directories, email inboxes and even USB sticks. That's a no-go when working from home. On the one hand, not all employees can access the information they need; on the other hand, no authorization concepts apply here, and changes or deletions cannot be tracked. The situation is also problematic for employees who do not have SAP access. A standardized and secure basis of information has to be created for them.
Closing gaps in information governance and compliance
An ECM platform can help to make all the information available in and outside of SAP and provide uniform protection. This is why the SER Group has developed the Doxis SmartBridge for SAP connector, specially designed and certified for SAP. It takes data and documents from SAP and updates them automatically when changes are made. The connector uses SAP ArchiveLink technology and enhances it with functions that enable the ECM to be integrated with SAP ERP and SAP S/4HANA, as well as SAP Cloud Platform. As a result, companies do not have to worry about transferring information when switching to the new SAP generation. Non-SAP users can also find SAP information in the ECM – as long as they are authorized to do so. Users can set and adjust the relevant parameters for this centrally via the ECM, such as access rights but also retention and deletion locks. Through centralized rights management, the authorizations apply to all information available in the ECM as well as to information transferred from SAP. This prevents gaps in meeting compliance requirements, such as protecting personal data in accordance with EU GDPR regulations.
Conversely, through the integration with the ECM, authorized SAP users have access to information that is not stored in SAP, but still relevant to their work. Contracts and invoices, customer emails and data from other systems such as Salesforce or Microsoft Teams are made available via the ECM in the form of electronic files. All information is provided in the context of a business case or business partner. The information transfer itself could, of course, also be solved with a simple archive solution. However, such systems do not have important functions such as differentiated access rights, do not have real files, and are also restricted severely when it comes to searches. Nevertheless, if a customer demands that all of his or her data be deleted, a company must find this data across all systems without delay. The intelligent functionality required for this type of search is not found in simple archiving solutions.
EU GDPR-compliant information life-cycle management for SAP
To ensure data privacy from the start, the ECM deployed should include artificial intelligence and process management as part of its core applications. An ECM platform such as Doxis not only includes content services but also provides cognitive and process services. This allows for the intelligent capture of incoming documents. In this process, applications and service requests from customers or order confirmations from suppliers and their invoices can be read and classified automatically. The ECM identifies the content and automatically assigns the correct metadata, access rights, and retention and deletion periods. Additionally, processes can be triggered automatically, such as creating a new customer file in the ECM when a new business partner is added in SAP. The ECM automatically assigns new information such as incoming documents and SAP data to these files and can also assign them to the correct processors and processes. Such a centralized solution is essential for employees working from home to facilitate digital business process management without delays and compliance gaps. At the same time, intelligent information management combined with SAP enables processes to be automated fully across system boundaries, e.g. when posting invoices, and also provides greater efficiency and reduces effort for employees. This holistic approach makes it possible to provide secure and intelligent information and process management everywhere: for all documents, SAP data, transactions and processes, personal information can be identified immediately, protected from the start, and deleted verifiably at any time.
Audit security and data privacy in a remote work environment
The EU GDPR regulations are not the only compliance hurdle that companies have to take into account when working remotely. Information must continue to be stored and fully documented in accordance with records management standards and statutory retention periods. When it comes to access control, an ECM can help you kill two birds with one stone by archiving and protecting information in line with EU GDPR and audit requirements, as well as providing version management to track modifications, deletions, etc. It gets trickier when deleting, because regulations can clash. A good rule of thumb in this case is: what needs to be retained has to be retained. For reasons of data privacy, deletion is only permitted if the reason for retention is no longer valid. This applies to data and documents from SAP, as well as to information from other systems. None of this can be accomplished with an outdated archive, because older archiving software is not designed for deletion management; additionally, retention periods have to be maintained manually, which is time-consuming, and there are no interfaces to the new SAP generation. With a state-of-the-art ECM certified to meet these compliance requirements and designed to manage all information centrally and without redundancy, compliance can be maintained and verified at all levels. To do so, the system has to manage deletion and retention periods in a differentiated manner and control them automatically; it also has to enable unlimited deletion locks, be able to differentiate between logical and physical deletion, and track all accesses, changes and deletions so that audit security, legal retention periods and data privacy are all ensured.
Automated compliance for employees
To ensure employees meet compliance requirements wherever they are, companies should make compliance as easy and automated as possible. An ECM solution such as Doxis accomplishes this: it makes all information and processes from SAP and other LOB applications accessible regardless of location, provides uniform protection, and logs all access, changes and deletion activities. This reduces the organizational effort and error rate for employees. Risky workarounds such as copying or sharing documents and data by email are no longer necessary. For companies, this can help to ensure business continuity and service in the new normal without risk of violating data privacy and audit security. Safety first!
The article appeared first in German in s@pport, issue 12/2020.