Do you have a Black Friday data hangover?

27 November 2020
Written by Paul Hammersley

As Senior Vice-President of the ALM Products at EPI-USE Labs, Paul Hammersley's portfolio includes test data management, landscape optimisation, and archiving. He has been a remarkable technical force in the SAP arena for over 20 years, and has extensive hands-on experience of implementing Data Sync Manager (DSM) and helping clients to manage data across the breadth of their SAP landscapes.

The rise in online shopping reaches a crescendo

If anything can be said to have thrived in 2020, it must surely be online shopping. They say a major disruptive crisis accelerates changes that would in any case have happened, albeit less quickly. The ease with which we now search, click and pay for goods from phones, tablets, and occasionally now laptops or desktops, has prepared us perfectly for this year's Black Friday sales.

(Black Friday also now seems to have taken over as the longest day of the year, since it seems to last for about four weeks.) As our plastic heats up more and more over the coming days and weeks in the lead-up to Christmas, we are all likely to revisit this same thought process:

Create an account or continue as a Guest?

  • Am I likely to shop here again? Is this just a once-off impulse purchase?

  • Would I want my friends to know I shop with this company? Are they ethical, do they respect the environment?

  • Where is this company actually based?

  • Can I trust this company with my personal data, AND my credit card?

‘Guest’. Well, that sounds reassuring – what do I get with that?

When you think about it, there must be a spectrum of responses to this. There are those of us who would not share our data online with our own government and will not be signing up for anything; but then it's probably quite rare for those people to shop online at all. I am sure many people sign up for accounts with very few websites, and mainly continue as a ‘Guest’. Then there are some people in the middle who mix and match, and some serious ‘in da club’ fanatics at the other end of the spectrum who would join anything on offer and gladly save their details for future use.

But what do we actually expect from companies in either case? If I sign up, am I signed up forever?

Will my password be stored:

  • In plain text, meaning any breach of that site could put me at risk for other sites where I’ve used the same password? (Don’t say you don’t do that; we know you do, we all do to some degree!)

  • Encrypted, but with the key stored on the same server, so someone taking control of the server could get to the plain text version?

  • As a hashed value, so the password is never actually stored, just turned into a hash at runtime and compared to the value that is stored? (Incidentally, this is how your SAP password is stored.)

And what are their privacy terms? Who will they share my details with?

Will they be tracking what I buy and offering me deals on 600ml when I only usually buy 450ml? Or using other analytics on my online and purchasing behaviour, what content they send to me, and how responsive I am to certain campaigns?

These questions often prompt me to simply choose ‘Guest’ over and over. Often on the same online store, promising myself that next time, I’ll think through every angle, and perhaps sign up.

Guests outstaying their welcome

So, having handed over my address and credit card details for the transaction, I relax back, safe in the knowledge that the moment the goods leave their warehouse, my details vanish until next time I type them all in again.

But do they really vanish? Well, of course not. The website might link to another order fulfillment system, and then there’s a finance system, and the courier that delivery is outsourced to. How many systems and databases will actually have just had my data? And how many of them will still have my address and/or credit card details in a month? A year? A decade? And what if…they’re running SAP?

We don’t have Guests in SAP…do we?

[Image: BF screen]

OK, so it's highly unlikely that your SAP system has a SAP GUI screen like this. But that doesn’t mean you don’t have Guest data in your backend ERP or S/4 system. Some organisations running SAP use SAP CRM to process ‘One-time orders’, which then generate an order in ERP with a single ‘dummy’ customer and a ‘9000*’ address on the ‘Ship-to’ partner function. So there is no trace of our guests in ERP Customer or Business Partner master data, but the address is stored in ADRC etc. and linked directly in VBPA. And I suspect many more retail organisations leverage other non-SAP webshop technologies, and interface back to SAP ERP or S/4 in a similar way. At the end of the day, if the delivery is processed in an ERP system, then the person’s name and address must be there.

The Black Friday hangover: backlog data privacy debt

If your SAP system has this type of data, you’ve probably seen a fair growth in the number of ADRC entries of this type during the global pandemic, but the Black Friday period will certainly add many more. So although it can be a welcome boost to our struggling retail sectors, it does come at a cost in terms of data privacy and our ‘backlog privacy debt’. More and more data will accumulate. If someone submits a Data Subject Access Request, would you even find them? Or would you only search Customers and Business Partners? If they ask you to remove their data, can you do this?
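The search gap described above, as an added example (not from the original post and not EPI-USE Labs code): a lookup over a constructed, cut-down copy of KNA1, VBAK, VBPA and ADRC in SQLite, showing that a master-data search misses a guest shopper while following the ship-to partner row in VBPA to ADRC finds them, and listing guest addresses on orders older than a cutoff. The sample rows, the 'ONETIME' dummy customer, the 'WE' ship-to code and the cutoff date are assumptions for illustration.

```python
import sqlite3

def build_demo_db():
    """In-memory stand-in for four SAP tables, cut down to the columns used here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE KNA1 (KUNNR TEXT, NAME1 TEXT, ADRNR TEXT);
        CREATE TABLE VBAK (VBELN TEXT, ERDAT TEXT);
        CREATE TABLE VBPA (VBELN TEXT, PARVW TEXT, KUNNR TEXT, ADRNR TEXT);
        CREATE TABLE ADRC (ADDRNUMBER TEXT, NAME1 TEXT, STREET TEXT, CITY1 TEXT);
        -- Constructed sample rows; the guests' ship-to addresses exist only in ADRC.
        INSERT INTO KNA1 VALUES ('100001', 'Registered Shopper', '12345'),
                                ('ONETIME', 'Web shop guest orders', '12346');
        INSERT INTO ADRC VALUES ('12345', 'Registered Shopper', '1 Account Rd', 'Leeds'),
                                ('12346', 'Web shop guest orders', 'Head Office', 'Leeds'),
                                ('9000000001', 'Jane Guest', '5 Sample St', 'York'),
                                ('9000000002', 'Sam Visitor', '9 Demo Ave', 'Bath');
        INSERT INTO VBAK VALUES ('501', '20171124'), ('502', '20201127');
        INSERT INTO VBPA VALUES ('501', 'AG', 'ONETIME', '12346'),
                                ('501', 'WE', 'ONETIME', '9000000001'),
                                ('502', 'AG', 'ONETIME', '12346'),
                                ('502', 'WE', 'ONETIME', '9000000002');
    """)
    return db

def search_master_data(db, name):
    """DSAR search restricted to customer master data."""
    return db.execute("SELECT KUNNR, NAME1 FROM KNA1 WHERE NAME1 LIKE ?", (f"%{name}%",)).fetchall()

# Ship-to partner rows ('WE' assumed as the ship-to code) that point at 9000* addresses.
GUEST_SQL = """
    SELECT p.VBELN, a.ADDRNUMBER, a.NAME1, a.STREET, a.CITY1, h.ERDAT
    FROM VBPA p JOIN ADRC a ON a.ADDRNUMBER = p.ADRNR
    JOIN VBAK h ON h.VBELN = p.VBELN
    WHERE p.PARVW = 'WE' AND p.ADRNR LIKE '9000%'
"""

def search_guest_addresses(db, name):
    """DSAR search that follows VBPA to the document-level addresses in ADRC."""
    return db.execute(GUEST_SQL + " AND a.NAME1 LIKE ? ORDER BY p.VBELN",
                      (f"%{name}%",)).fetchall()

def guests_past_retention(db, cutoff):
    """Guest addresses on orders created before cutoff (YYYYMMDD)."""
    return db.execute(GUEST_SQL + " AND h.ERDAT < ? ORDER BY h.ERDAT", (cutoff,)).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    print(search_master_data(db, "Jane Guest"), search_guest_addresses(db, "Jane Guest"))
```

On a real system the same join would run against the actual tables, where the address number range and partner function used for guest orders depend on how the web shop interface was configured.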

 

Over the next few months I am going to be focusing on Data Minimisation and some capabilities we have developed for removing ‘backlog privacy debt’, without the need for expensive, complex projects. This could be as part of a mass clean up, or allowing the business users to address ad-hoc requests, or implementing periodic removal of data as it falls outside of a retention period.

How to satisfy historical data minimisation requirements for compliance

Find out how EPI-USE Labs can help your organisation address its ‘backlog privacy debt’ as part of a data minimisation initiative, and provide ongoing Privacy by Design. This includes a unique, simple alternative to archiving or full removal of records.
