Approaching SAP HCM data in the shadow of GDPR

11 July 2018
Written by Paul Hammersley

As Senior Vice-President of the ALM Products at EPI-USE Labs, Paul Hammersley's portfolio includes test data management, landscape optimisation, and archiving. He has been a remarkable technical force in the SAP arena for over 20 years, and has extensive hands-on experience of implementing Data Sync Manager (DSM) and helping clients to manage data across the breadth of their SAP landscapes.

Approaching HCM data in the shadow of GDPR
After my last piece about data removal, I’ve had a lot of conversations about HCM data removal, and so I decided to delve a little deeper into SAP HCM data and what the GDPR may mean there.

Current, previous and potential future employee data is a really interesting area for data privacy.

Although one of the main drivers for GDPR was consumer marketing and protecting individuals from the power of social media for fear of the credit bubble it could create, HR data seems to have been almost as affected by the law. This is partly because the text really isn’t specific, and is open to interpretation. For some organisations that have very little B2C contact, marketing and customer data isn’t a massive challenge. However, employee data is sensitive for every organisation. There is a further complication though; it’s quite easy to make decisions on when marketing contact data should be removed, or former customer data discarded, but with HR data I believe it's a little more challenging. Yes, there is extremely sensitive data – appraisals, salary information, sickness, disability, religion etc. – but there are also much more clear legal grounds for storing the information for longer periods. This includes tax information for governments, both for the employer and the employee, pension details, and for many companies information they want to retain in case someone comes back to work for the organisation. 

 

What to keep and what to discard

All the organisations I’m working with are keeping the employee’s identity, and looking at what data they would remove if a data subject made an access request and then asked for the right to be forgotten or to have some parts removed. So, they would all be declaring that the right to be forgotten does not apply, because they have a legitimate reason to keep the person’s identity. But if someone had left an organisation ten years ago, it would be hard to justify still having their children’s names in infotype 21 – and keep in mind minors’ data does have other stricter controls in GDPR.

 

Some organisations will only remove this data on request, whereas others are proactively acting to remove historical data. What they choose to remove does vary quite a bit. We normally use workshops to give technical guidance, but of course the decision rests with the DPO or legal department. Sometimes what people store surprises you – for example, there is an organisation that keeps a record of individual shirt sizes! And for some organisations what they can’t remove is surprising. In some territories, there are legal requirements to keep statistics on religion – which would have been one of the first things I’d have expected organisations to remove from historical data. Of course we can define rules to handle those data types differently for different country groupings. 

 

HR data in the winds of change

In some cases, there are bigger changes happening for the IT landscape. We are also working with organisations that are moving to Success Factors or other HR systems and want to only extract some parts of the employee data (the parts they have legal grounds for holding, and need to keep), and then either delete the pernr or turn the systems off completely. For those cases, our XML extractor is an excellent way to specify exactly what data should be taken out of the system to place securely, and we can assist with removal of employees or partial removal of parts of the data. In other examples, there may be data that must be given back to another organisation in a machine-readable format before the system or data can be deleted.

 

SAP® SuccessFactors® Human Capital Management solutions can support the requirements of GDPR to keep your critical employee data protected. There may be excellent GDPR functionality inside Successfactors however, similar to cloud CRM systems; the functionality keeps its limits very strictly to what is in that cloud system and not anything that interfaces to it. Getting visibility across multiple systems or removing data across them is more challenging but not impossible.

 

Find out more about our SAP GDPR services and our flexible Archive Central solution.

Data Removal Services Webinar

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act SAP data privacy and compliance POPIA SAP Data Security SAP GDPR Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Client Sync Data Protection Day Data Sync Manager (DSM) Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP RISE SAP S/4HANA SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Proportional Data Protect personal employee data RISE BRIDGE Managed Services Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP Data Processing Agreement SAP SuccessFactors SAP access risk simulations SAP data SAP data encryption SAP system refresh SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security for SAP. Live Sensitive HCM data South African data privacy legislation Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: