Let's Talk Data Security

GDPR for SAP: What’s the impact two years on?

Written by Paul Hammersley | Jun 12, 2020 5:32:42 PM

Early movers

It’s hard to believe it’s only been two years since the General Data Protection Regulation (GDPR) came into force. This is partly because there was a long sunrise period during which we were extremely busy with clients who were being very proactive around their SAP compliance, in advance of the ‘deadline’.

We introduced some features in double-quick time to enable specific use cases that these clients needed, such as being able to exit the process of submitting someone for redaction, so that other processes could be embedded. We also enabled exits to adapt the output of data, and even provide charts of information as part of a Subject Access Request. For the most part, those early adopters implemented the scope agreed before GDPR came into force, and that’s how their solutions have remained.

More recent implementations

I was surprised at how we actually had so many more clients sign up for our solutions after May 2018. This included organisations who had identified processes they needed to support, and had been looking for vendors, or weighing up the level of effort to try to do something themselves. Many of those had more systems in scope, and complex relationships between groups of systems. This required more consideration around how we implement, rather than many new feature requests. The things we’d envisaged and discovered early on at clients seemed to cover most of what the later clients also wanted to do. We had some unexpected needs to support complex language characters in the PDF output, and some capability to allow multiple brands to be supported from one SAP system, which meant introducing a ‘company’ concept with Data Disclose™ to control the logo and free text for output. Apart from that, it was a matter of interesting new data types, using the same extensible model.

Partial removal of data

One of the big benefits of Data Redact™ has proved to be the laser-like focus you can apply to defining what to redact or even remove. For example, keeping a record of employees who have left seems to be something many companies do for a long time, but removing their family members’ details needs to happen very soon after they have left.

Another good example is removing contact persons at a Customer or on a Sales Order, without the need to archive the entire customer master and its order history. This capability to redact or remove just parts of the data is much harder to achieve, or completely impossible in some cases, with standard SAP archiving and ILM.

New functionality

In the latest release (build 148) of Data Sync Manager 5, the base for our Data Privacy/GDPR Compliance suite, there are some nice new features:

  •  PII Type and LP Type editors, which make configuration of extensions much easier
  •  A dedicated launchpad within the SAP GUI version
  •  A Monitor Desk for Data Redact™ to allow more detailed visibility of run information

We do have a few more things currently in the pipeline too, so watch this space!