RISE with SAP data refreshes and DPA compliance: What you need to know

27 November 2024
Written by James Watson

James is responsible for the global line of business for EPI-USE Labs' data privacy and SAP IS-* Solutions, supporting all regions and key accounts running Data Sync Manager (DSM) for these complex requirements. With a functional and business background of over 20 years, James provides the bridge between Development, Basis, Test/Competency Centres and leadership teams, offering guidance and advice on the route to data privacy compliance. His history includes SAP specialisms in non-production data management and anonymisation, Production data removal or redaction, System Landscape Optimisation (SLO) and SAP industry solutions.

One of the questions that I often get is: “Do I still need EPI-USE Labs’ Data Sync Manager (DSM)? I’m signing a RISE with SAP contract and they include ‘data refreshes’ as standard.” If you’re on RISE with SAP, you need to make sure that you don’t store any PII data in your non-production environments, or you are in direct conflict with both your Data Processing Agreement with SAP and the data privacy regulations. In this blog, I explore in more detail why you DO need DSM, and what this means for your data privacy and compliance in general.


SAP’s Data Processing Agreement (DPA): don’t store personal data in non-production systems

In 2019, my colleague Paul Hammersley wrote a blog about the changes in SAP’s Data Processing Agreement. Here’s a quick summary:


The blog discusses changes to SAP's terms and conditions that prohibit storing personal data in non-production environments, as set out in the SAP Cloud Services Data Processing Agreement and similar support agreements. Traditionally, personal data ends up in test systems through system copies or data loading processes, including snapshots and database copies; this includes personal information such as employee and customer data.

With new data privacy laws like GDPR, SAP’s clearer guidelines require organisations to find ways to remove or mask personal data in non-production environments. The article suggests using solutions like EPI-USE Labs’ Data Sync Manager (DSM) Suite, with its components Client Sync, Object Sync and Data Secure, to create leaner test environments and mask data before it leaves the Production system, ensuring compliance with SAP’s updated terms. These solutions help manage the increasing complexity of data masking and protecting personal data, which is critical given the evolving data privacy regulations.


Why did SAP introduce this change?

Within the ever-evolving and complex world of global data privacy laws, one of the key tenets being adopted in all areas is ‘informed and explicit consent for the use case of the data’. What this means is that as a company, you need to have a legal justification not just for the data you gather, but also for each purpose you use that data for.


So, for example, you will have a justification for maintaining Personally Identifiable Information (PII) to process invoices, payments and payroll, etc. in your Production environment; but do you have written informed consent from every Employee, Customer or Vendor to use their PII for testing? As such, the DPA update shifts liability away from SAP in the case of any breach or data privacy audit findings.


Fast forward to 2024: the DPA is still in place, but what has changed?

The number of SAP clients moving to the cloud with RISE with SAP, and adhering to these DPAs, has increased. If you’re on RISE with SAP, you need to make sure that you don’t store any PII data in your non-production environments, or you are in direct conflict with both your DPA with SAP and the data privacy regulations.

Data refreshes as part of RISE with SAP

That leads to the next point. As part of your RISE contract, SAP refreshes your non-production environment.


What does this mean in practice?


This means that the SAP support team will provide full system copies – so be prepared for downtime and lengthy procedures. It also means that if you don’t have a scrambling solution in place, you will have real PII data in your non-production environment! (Am I the only one who finds this ironic?)

So how do you solve this?

A solution like EPI-USE Labs’ Data Secure, part of the DSM Suite, can help you to be compliant with both your SAP DPA and data privacy regulations by scrambling sensitive PII data in your non-production system.


You also need to consider whether full system copies are how you want to manage your test data. With a solution such as DSM, you can reduce the footprint of the data you copy. In a cloud environment, this can also mean keeping your T-shirt sizes (the sizing tiers that drive your RISE costs) manageable.
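To make the two points above concrete (scramble PII before it lands in a non-production system, and copy a subset rather than the whole system), here is an added illustration in Python. It is not DSM's code or algorithm and it does not represent how Data Secure or Client Sync work internally; it uses two constructed, SAP-style sample tables (customer master keyed by KUNNR, invoices keyed by VBELN) and a hypothetical keyed-hash pseudonymisation so that the same customer gets the same masked identity in every table, keeping joins intact in the test system while the original values cannot be recovered without the secret, which stays in production.

```python
import hashlib
import hmac

# Constructed sample "production" tables for this example only; not real SAP data.
# Field names follow SAP conventions (KUNNR = customer number, VBELN = document number).
CUSTOMERS = [
    {"kunnr": "0000100001", "name": "Anna Example", "email": "anna@example.com",
     "phone": "+44 20 7946 0001", "country": "GB"},
    {"kunnr": "0000100002", "name": "Ben Sample", "email": "ben@example.org",
     "phone": "+49 30 1234 0002", "country": "DE"},
    {"kunnr": "0000100003", "name": "Cara Test", "email": "cara@example.net",
     "phone": "+1 555 0103", "country": "US"},
]
INVOICES = [
    {"vbeln": "0090000001", "kunnr": "0000100001", "amount": 120.50, "currency": "GBP"},
    {"vbeln": "0090000002", "kunnr": "0000100002", "amount": 80.00, "currency": "EUR"},
    {"vbeln": "0090000003", "kunnr": "0000100001", "amount": 15.25, "currency": "GBP"},
    {"vbeln": "0090000004", "kunnr": "0000100003", "amount": 999.99, "currency": "USD"},
]

PII_FIELDS = ("name", "email", "phone")


def pseudonym(secret: bytes, field: str, value: str, length: int = 10) -> str:
    """Deterministic pseudonym: HMAC-SHA256 keyed with a secret that never leaves
    production. Same input always gives the same token, so relationships survive
    scrambling; the token cannot be reversed to the original without the secret."""
    digest = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return digest[:length].upper()


def scramble_customer(secret: bytes, cust: dict) -> dict:
    """Replace every PII field of one customer master record with masked values.
    The business key (KUNNR) is kept: it is not identifying on its own and the
    invoice table joins on it. Non-identifying attributes are kept for realism."""
    token = pseudonym(secret, "customer", cust["kunnr"])
    return {
        "kunnr": cust["kunnr"],
        "name": f"Customer {token}",
        # .invalid is a reserved TLD, so a test system can never mail a real person
        "email": f"{token.lower()}@masked.invalid",
        "phone": "+00 000 000 0000",
        "country": cust["country"],
    }


def build_test_dataset(secret: bytes, customers: list, invoices: list, keep) -> tuple:
    """Subset the customer master with a selection rule (e.g. one country), pull only
    the invoices that belong to the selected customers, and scramble the PII.
    Returns (scrambled_customers, related_invoices)."""
    selected = [c for c in customers if keep(c)]
    keys = {c["kunnr"] for c in selected}
    scrambled = [scramble_customer(secret, c) for c in selected]
    related = [dict(inv) for inv in invoices if inv["kunnr"] in keys]
    return scrambled, related


def referential_integrity_ok(customers: list, invoices: list) -> bool:
    """Every invoice in the test set must point at a customer that was copied too."""
    keys = {c["kunnr"] for c in customers}
    return all(inv["kunnr"] in keys for inv in invoices)


def leaks_original_pii(scrambled: list, originals: list) -> bool:
    """Check that no original name, e-mail or phone value survived in the output."""
    original_values = {c[f] for c in originals for f in PII_FIELDS}
    return any(c[f] in original_values for c in scrambled for f in PII_FIELDS)


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # in practice: a production-held secret
    custs, invs = build_test_dataset(secret, CUSTOMERS, INVOICES,
                                     keep=lambda c: c["country"] == "GB")
    print(custs)
    print(invs)
    print("integrity:", referential_integrity_ok(custs, invs),
          "leak:", leaks_original_pii(custs, CUSTOMERS))
```

Running it with the `country == "GB"` rule copies one customer and her two invoices, the masked record carries no original name, e-mail or phone, and running the scramble twice with the same secret yields identical output, which is what allows a masked customer to match across tables. A keyed hash rather than a plain hash matters here: with a plain hash anyone holding the test system could recompute tokens from guessed inputs.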


In this video, Paul explains how to keep your storage costs in check:


The refreshes you get with your RISE contract are full system copies, so they give you neither the reduced data footprint nor the data scrambling.


On top of this, many of our clients who are on RISE still need additional Basis capability to run the systems as they are used to. Take a look at what SAP includes in your RISE contract around Basis services and where the gaps are for your company, and then at the complementary service we’ve developed to supplement SAP’s RISE Basis services.
