SAP data redaction for GDPR: it’s scary!

07 August 2019
Written by James Watson

James is responsible for the global line of business for EPI-USE Labs' data privacy and SAP IS-* Solutions, supporting all regions and key accounts running Data Sync Manager (DSM) for these complex requirements. With a functional and business background of over 20 years, James provides the bridge between Development, Basis, Test/Competency Centres and leadership teams to provide guidance and advice on the route to data privacy compliance. His history includes SAP specialisms in non-production data management and anonymisation, Production data removal or redactions, System Landscape Optimisation (SLO) and SAP industry solutions.


Controlling the risk

As we all know now, GDPR (the General Data Privacy Regulation) has brought in the requirement that every company has to be able to remove data both proactively, against retention criteria, and reactively, in response to an individual’s request, where no legal reason to hold the data remains. Similar requirements are apparent in other global data privacy legislation. For the last two years, I have been running implementations throughout Europe of the EPI-USE Labs’ solution to this challenge.

One of the options I introduce to my clients is the ability to surgically remove data from their SAP systems through the EPI-USE Labs’ software called Data Redact. This allows you to delete sensitive information directly from the system while retaining the key and referential integrity of data in the environment.

I have found it very interesting to note that although the idea of technically completing this task is appealing to businesses, we have then seen a nervousness about actually pressing the button.

So…what’s the worry with pressing the big red button?

I’ve observed that there are so many internal stakeholders involved in defining a company’s retention policy that these often become very complicated. As such, it’s very challenging to create a business process with sufficient controls to ensure that only those items which should be removed are removed.

Simply put, by design, Redaction is final and irreversible. The process required to ensure a person should be redacted is complicated, and therefore a high-risk process.

At EPI-USE Labs, we have taken this as a challenge: to overcome the barrier and anxiousness that is data deletion, and present a solution which not only adds value to the business process but also provides an extra layer of protection and peace of mind.

What did our clients ask for?

As with many EPI-USE Labs developments, it all started out with a client’s idea:
“We need to be able to block any person from being Redacted if another process is ongoing, and also check that an Employee, Customer or Vendor is no longer active. If the person doesn’t meet these criteria, then you shouldn’t be able to submit them to the Redaction process.”

So, translating that into a requirement, we built the functionality into our submission routine to be able to define certain checks. These must be valid, or the submission is rejected. Among these was a new table which could be populated to confirm a list of “Do not Redact” fields, which could be used for a wide variety of reasons, ranging from ongoing legal proceedings to post-redundancy activities.
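The sketch below is an added illustration of such a submission gate, not EPI-USE Labs' code or Data Redact's API. Every name and record in it is hypothetical and constructed; the retention check reflects the retention criteria mentioned earlier, and unknown values reject the submission because redaction cannot be undone.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical model: these names do not mirror Data Redact or any SAP table.
@dataclass(frozen=True)
class Person:
    person_id: str
    person_type: str                 # "EMPLOYEE", "CUSTOMER" or "VENDOR"
    active: Optional[bool]           # None = status could not be determined
    open_processes: Optional[int]    # None = lookup failed
    retention_end: Optional[date]    # None = no retention rule resolved

def check_submission(person, do_not_redact, today):
    """Return (accepted, reasons). Every check must pass; unknowns fail closed."""
    reasons = []
    # Collect every failing check so the rejection is fully explained.
    if person.person_id in do_not_redact:
        reasons.append("on do-not-redact list: " + do_not_redact[person.person_id])
    if person.active is None:
        reasons.append("active status unknown")
    elif person.active:
        reasons.append("still active")
    if person.open_processes is None:
        reasons.append("open-process lookup failed")
    elif person.open_processes > 0:
        reasons.append(f"{person.open_processes} process(es) ongoing")
    if person.retention_end is None:
        reasons.append("no retention rule resolved")
    elif today <= person.retention_end:
        reasons.append("retention period not expired")
    return (not reasons, reasons)

# Constructed sample data for illustration only.
TODAY = date(2019, 8, 7)
DO_NOT_REDACT = {"E-1002": "ongoing legal proceedings"}
SAMPLE = [
    Person("E-1001", "EMPLOYEE", False, 0, date(2018, 12, 31)),  # eligible
    Person("E-1002", "EMPLOYEE", False, 0, date(2018, 12, 31)),  # blocked by list
    Person("C-2001", "CUSTOMER", True, 2, date(2025, 1, 1)),     # active, in use
    Person("V-3001", "VENDOR", False, None, date(2018, 1, 1)),   # lookup failed
]

def run_batch(people=SAMPLE):
    return {p.person_id: check_submission(p, DO_NOT_REDACT, TODAY) for p in people}

if __name__ == "__main__":
    for pid, (ok, why) in run_batch().items():
        print(pid, "ACCEPT" if ok else "REJECT", "; ".join(why))
```

Returning all failed reasons, rather than stopping at the first, gives the reviewer a complete record of why a person was not submitted.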

With all the pieces of the puzzle in place, development started, and a couple of weeks later the proof of concept was completed. This has now been thoroughly tested with different case scenarios of Legal Person types and check criteria. On completion of testing, this solution has moved to production.

"We now have a solution that helps companies control the finality of the data deletion process."

A client-centric approach

We never stop developing our solutions to meet our clients’ requirements. The Data Privacy suite is at the cutting edge of this process, with improvements and enhancements continuing to come through. Combined with our experienced Services team, we can greatly improve the simplicity of an SAP GDPR or data privacy project, and provide expert advice and planning throughout the journey to compliance with GDPR (or other relevant data privacy legislation).

The example above describes a company which wants to completely remove the person’s identity from the system. It’s also worth noting that other organisations are using the same approach to extricate only the parts of the data they no longer have legal grounds to hold, such as private email addresses or family information, while retaining the identity of the record.
