The Enterprise spread of personal data

27 October 2016
Written by Paul Hammersley

As Senior Vice-President of the ALM Products at EPI-USE Labs, Paul Hammersley's portfolio includes test data management, landscape optimisation, and archiving. He has been a remarkable technical force in the SAP arena for over 20 years, and has extensive hands-on experience of implementing Data Sync Manager (DSM) and helping clients to manage data across the breadth of their SAP landscapes.

Data across your landscape

The accumulation of data today defies most minds. The amount is staggering… and it has been estimated that 90% of the world’s data has been captured in the last three years! In the enterprise data world, it isn’t just more data being captured, it’s also the same data being stored in multiple places. A company running 'wall-to-wall' SAP could be storing the same name, address or even bank account number in lots of places.

For example, a customer name might also be visible on a vendor master in ERP and a Business Partner master. Each of these three can have their data pulled into a transaction when it is created. Fortunately, sales orders dynamically read the customer master data, although it can be modified and stored directly, but not all transactions do. And that’s just the main Enterprise Resource Planning system.

SAP and CRM - managing personal data

A company running ‘wall-to-wall’ SAP might also have CRM, so the customer master is replicated as a Business Partner in CRM, and the sales order is replicated to or from CRM. There is also the analytics data. The same customer record may also partially appear in the SAP BW system, with some or all of the personal data visible.

For many organisations, SAP is the main repository, but it’s not the only vendor of enterprise software. In the early days of the SAP system offering, many companies chose non-SAP systems for CRM because SAP’s CRM solution was deemed to be very much behind the ‘best-of-breed’ solutions. Importantly, whichever systems are used, it is guaranteed that personal data will be present, and this will need to be managed in line with GDPR (the General Data Protection Regulation).

Personal data can be sensitive or non-sensitive, and the latter is the data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymising anonymous data may be considered as personal. 

Thus, one name could exist in multiple production systems and in more than one table. But due to the nature of SAP, organisations often copy some or all of the production systems down to test systems. Often those test systems are less tightly managed in terms of authorisations, and may also be accessed by third-party support consultants or programmers.

Extended scope of removal

One talking point during the GDPR discussions was ‘pseudonymised versus anonymised data’. Pseudonymised data remains personal data because it can be re-associated with a specific consumer. The regulation does not apply to fully-anonymised data. This means that the scope of any removal will need to go beyond just the name. It may need to include address, bank account number, tax reference numbers and so on.

This, then, is the scope of the challenge in our sights.

Need help with SAP GDPR? 

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act POPIA SAP Data Security SAP GDPR SAP data privacy and compliance Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: