Let's Talk Data Security

The Enterprise spread of personal data

Written by Paul Hammersley | Oct 27, 2016 5:53:00 AM

Data across your landscape

The volume of data being accumulated today is hard to comprehend. The amount is staggering: it has been estimated that 90% of the world’s data has been captured in the last three years! In the enterprise data world, it isn’t just that more data is being captured; the same data is also being stored in multiple places. A company running 'wall-to-wall' SAP could be storing the same name, address or even bank account number in lots of places.

For example, a customer name might also be visible on a vendor master in ERP and on a Business Partner master. Each of these three can have its data pulled into a transaction when that transaction is created. Fortunately, sales orders read the customer master data dynamically (although the data can also be modified and stored directly on the order), but not all transactions do. And that’s just the main Enterprise Resource Planning system.

SAP and CRM - managing personal data

A company running ‘wall-to-wall’ SAP might also have CRM, so the customer master is replicated as a Business Partner in CRM, and the sales order is replicated to or from CRM. There is also the analytics data. The same customer record may also partially appear in the SAP BW system, with some or all of the personal data visible.

For many organisations, SAP is the main repository, but it’s not the only vendor of enterprise software. In the early days of the SAP system offering, many companies chose non-SAP systems for CRM because SAP’s CRM solution was deemed to be very much behind the ‘best-of-breed’ solutions. Importantly, whichever systems are used, it is guaranteed that personal data will be present, and this will need to be managed in line with GDPR (the General Data Protection Regulation).

Personal data can be sensitive or non-sensitive, and the latter is the data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and to de-anonymise anonymous data may be considered personal.

Thus, one name could exist in multiple production systems and in more than one table. But due to the nature of SAP, organisations often copy some or all of the production systems down to test systems. Often those test systems are less tightly managed in terms of authorisations, and may also be accessed by third-party support consultants or programmers.

Extended scope of removal

One talking point during the GDPR discussions was ‘pseudonymised versus anonymised data’. Pseudonymised data remains personal data because it can be re-associated with a specific consumer. The regulation does not apply to fully anonymised data. This means that the scope of any removal will need to go beyond just the name. It may need to include address, bank account number, tax reference numbers and so on.

This, then, is the scope of the challenge in our sights.