Let's Talk Data Security

Approaching SAP HCM data in the shadow of GDPR

Written by Paul Hammersley | Jul 11, 2018 5:09:40 PM
After my last piece about data removal, I’ve had a lot of conversations about HCM data removal, and so I decided to delve a little deeper into SAP HCM data and what the GDPR may mean there.

Current, previous and potential future employee data is a really interesting area for data privacy.

Although one of the main drivers for GDPR was consumer marketing and protecting individuals from the power of social media for fear of the credit bubble it could create, HR data seems to have been almost as affected by the law. This is partly because the text really isn’t specific, and is open to interpretation. For some organisations that have very little B2C contact, marketing and customer data isn’t a massive challenge. However, employee data is sensitive for every organisation. There is a further complication though; it’s quite easy to make decisions on when marketing contact data should be removed, or former customer data discarded, but with HR data I believe it's a little more challenging. Yes, there is extremely sensitive data – appraisals, salary information, sickness, disability, religion etc. – but there are also much more clear legal grounds for storing the information for longer periods. This includes tax information for governments, both for the employer and the employee, pension details, and for many companies information they want to retain in case someone comes back to work for the organisation. 

 

What to keep and what to discard

All the organisations I’m working with are keeping the employee’s identity, and looking at what data they would remove if a data subject made an access request and then asked for the right to be forgotten or to have some parts removed. So, they would all be declaring that the right to be forgotten does not apply, because they have a legitimate reason to keep the person’s identity. But if someone had left an organisation ten years ago, it would be hard to justify still having their children’s names in infotype 21 – and keep in mind minors’ data does have other stricter controls in GDPR.

 

Some organisations will only remove this data on request, whereas others are proactively acting to remove historical data. What they choose to remove does vary quite a bit. We normally use workshops to give technical guidance, but of course the decision rests with the DPO or legal department. Sometimes what people store surprises you – for example, there is an organisation that keeps a record of individual shirt sizes! And for some organisations what they can’t remove is surprising. In some territories, there are legal requirements to keep statistics on religion – which would have been one of the first things I’d have expected organisations to remove from historical data. Of course we can define rules to handle those data types differently for different country groupings. 

 

HR data in the winds of change

In some cases, there are bigger changes happening for the IT landscape. We are also working with organisations that are moving to Success Factors or other HR systems and want to only extract some parts of the employee data (the parts they have legal grounds for holding, and need to keep), and then either delete the pernr or turn the systems off completely. For those cases, our XML extractor is an excellent way to specify exactly what data should be taken out of the system to place securely, and we can assist with removal of employees or partial removal of parts of the data. In other examples, there may be data that must be given back to another organisation in a machine-readable format before the system or data can be deleted.

 

SAP® SuccessFactors® Human Capital Management solutions can support the requirements of GDPR to keep your critical employee data protected. There may be excellent GDPR functionality inside Successfactors however, similar to cloud CRM systems; the functionality keeps its limits very strictly to what is in that cloud system and not anything that interfaces to it. Getting visibility across multiple systems or removing data across them is more challenging but not impossible.

 

Find out more about our SAP GDPR services and our flexible Archive Central solution.