Mass Data Removal services for data privacy compliance, using Data Secure and the Data Privacy Suite for SAP solutions
EPI-USE Labs offers a range of solutions to help you tackle compliance with global data privacy legislation such as the GDPR (General Data Protection Regulation), POPIA in South Africa, PDPL in Saudi Arabia and USA federal law.
GDPR has far-reaching consequences for companies across the world. All organisations world-wide collecting, storing and processing personal data from European Union (EU) citizens must be able to reveal the data they have on the individual and what purpose(s) it is being stored and used for. To hold and manage the data, irrespective of whether this data is held in the EU or not, each organisation needs to get informed consent from the data subject, and demonstrate compliance with the guiding principles of the regulation, including that data protection is at the heart of the system design. Compliance is non-negotiable, and organisations with data security breaches face potentially heavy fines, which could be as high as €20 million ($21m at the current exchange rate), or 4% of annual revenue – whichever is greater.
EPI-USE Labs offers the following solutions to help you tackle compliance with GDPR and other data privacy legislation in SAP systems:
The many and varied IT systems mean that a “one size fits all” approach isn’t possible, so let us share our expertise and experience to help you stay ahead of the game. EPI-USE Labs has spent over forty years in the SAP data space creating and developing advanced software solutions, and can also offer guidance and share expertise on GDPR and similar data privacy legislation for SAP.
For most organisations, a data retention policy has been seen as a minimum period of retention by the technical teams, not the point at which data must be proactively destroyed. With the GDPR in force, this has changed, and all organisations are sitting on some historical data they no longer have legal grounds for storing, whether this is former employees' family details, or former customers' bank account numbers, or one of the many other types of personal data interweaved in the fabric of their SAP systems.
EPI-USE Labs has a simple approach to clearing this old data, without the need for complex archiving projects. The technology used to support the Data Redact product for redacting or removing specific information for an individual data subject can be leveraged by an EPI-USE Labs System Landscape Optimisation (SLO) consultant with a specific license mode to allow mass record selections and parallel processing. The consultant will also assist with the exact definitions of the data that should be removed in the initial clean up and how to select those records.
Historical employee data is needed in most cases, but what if that part of the business was divested? Ten years later, can we still keep those employees in the system at all? Even if we want to keep the main part of the employee record, what about the more personal parts of the data? An initial mass clean-up could take the form of one policy to clear a small amount of highly personal data, such as family information or bank account numbers, which is applied to anyone who left more than a year ago, and then a second policy for anyone who left the organisation seven years ago or more, which removes much more data, such as sickness absence information, performance reviews and pay details.
In this area, it's much more difficult to define legal grounds for keeping the data. There may be thousands of customers, business partners and addresses that have not traded with the organisation for more than five years. Rather than archiving all their transactions and then the master data, we can provide a mass clean-up that removes identifiers from the master data and any references on transactions, so that the person is no longer visible in the system. Alternatively, it may be desirable to remove credit card information and security question answers much sooner from former consumer records.
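The two tiered HR policies and the five-year customer clean-up described above can be expressed as a small retention-policy engine. The following is an added example written for this page, not EPI-USE Labs code or the Data Redact product; the record layouts, field names, tier periods and all sample employees, customers and transactions are constructed for the demonstration. It applies each policy only once the record has been inactive for the policy's minimum period, writes an audit trail of what was cleared, skips fields already removed so the run can be repeated safely, and clears the partner name copied onto transactions while leaving their financial content intact.

```python
"""Tiered retention clean-up: an illustrative policy engine.

Added example, not EPI-USE Labs code. Record layouts, field names, the
retention tiers and all sample data below are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import date

REDACTED = "[removed]"


@dataclass(frozen=True)
class RetentionPolicy:
    name: str                  # label recorded in the audit trail
    min_years_inactive: int    # applies once the record has been inactive this long
    fields: tuple              # fields cleared when the policy applies


# Two-stage HR approach from the text: a small, highly personal set after one
# year, a much larger set after seven years. Field names are assumptions.
HR_POLICIES = (
    RetentionPolicy("hr-1y-highly-personal", 1, ("family_details", "bank_account")),
    RetentionPolicy("hr-7y-extended", 7,
                    ("sickness_absence", "performance_reviews", "pay_details")),
)

# Customer master data: strip identifiers after five years without trading.
CUSTOMER_POLICIES = (
    RetentionPolicy("cust-5y-identifiers", 5, ("name", "address", "email")),
)


def full_years_between(start, end):
    """Whole years elapsed from start to end, never rounded up."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years


def apply_policies(record, last_active, as_of, policies):
    """Return a redacted copy of `record` and an audit list of (policy, field).

    Absent or already-redacted fields are skipped, so re-running is idempotent.
    """
    elapsed = full_years_between(last_active, as_of)
    cleaned, audit = dict(record), []
    for policy in policies:
        if elapsed < policy.min_years_inactive:
            continue
        for field_name in policy.fields:
            if cleaned.get(field_name) not in (None, REDACTED):
                cleaned[field_name] = REDACTED
                audit.append((policy.name, field_name))
    return cleaned, audit


def clean_employees(employees, as_of):
    """Apply the HR tiers to every leaver; returns {id: (cleaned_record, audit)}."""
    return {emp_id: apply_policies(rec, rec["left"], as_of, HR_POLICIES)
            for emp_id, rec in employees.items()}


def clean_customers(customers, transactions, as_of):
    """Mass clean-up of customer master data plus the identifier copies on transactions.

    Transactions keep their financial content; only the partner name copied onto
    them is cleared, so a dormant customer is no longer visible from either side.
    """
    cleaned_customers, audit = {}, []
    for cust_id, rec in customers.items():
        cleaned, entries = apply_policies(rec, rec["last_trade"], as_of, CUSTOMER_POLICIES)
        cleaned_customers[cust_id] = cleaned
        audit.extend((cust_id, policy, field_name) for policy, field_name in entries)
    dormant = {cust_id for cust_id, _, _ in audit}
    cleaned_tx = [{**tx, "partner_name": REDACTED} if tx["customer_id"] in dormant else dict(tx)
                  for tx in transactions]
    return cleaned_customers, cleaned_tx, audit


# Constructed sample data and reference date for the run
AS_OF = date(2024, 6, 30)
EMPLOYEES = {
    "E1": {"left": date(2023, 3, 1), "family_details": "spouse, 2 children",
           "bank_account": "DE00 0000 0000 0000 00", "sickness_absence": "12 days",
           "pay_details": "grade 7"},
    "E2": {"left": date(2015, 1, 15), "family_details": "none", "bank_account": "GB00 0000 0000",
           "sickness_absence": "3 days", "performance_reviews": "meets", "pay_details": "grade 5"},
    "E3": {"left": date(2024, 2, 1), "family_details": "partner", "bank_account": "FR00 0000"},
}
CUSTOMERS = {
    "C1": {"name": "Example Ltd", "address": "1 Sample St", "email": "a@example.invalid",
           "last_trade": date(2017, 5, 10)},
    "C2": {"name": "Active GmbH", "address": "2 Sample St", "email": "b@example.invalid",
           "last_trade": date(2022, 11, 3)},
}
TRANSACTIONS = [
    {"doc": "4500000001", "customer_id": "C1", "partner_name": "Example Ltd", "amount": 120.0},
    {"doc": "4500000002", "customer_id": "C2", "partner_name": "Active GmbH", "amount": 80.0},
]

if __name__ == "__main__":
    for emp_id, (rec, audit) in clean_employees(EMPLOYEES, AS_OF).items():
        print(emp_id, audit)
    _, tx, audit = clean_customers(CUSTOMERS, TRANSACTIONS, AS_OF)
    print(audit, tx)
```

Run as-is: E1 (left 16 months ago) loses only family details and bank account, E2 (left nine years ago) loses all five fields, and E3 (left this year) is untouched; customer C1 is dormant for seven years, so its identifiers and the partner name on its transaction are cleared while the amount stays. The audit list is what you would hand to an auditor to show which policy justified each removal, and the idempotence check (absent or already-cleared fields are skipped) matters when the clean-up is scheduled to run repeatedly.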
Contact us for an initial discussion on your requirements and how we can tailor our mass clean up services to help you with GDPR compliance.
The main emphasis of GDPR is on Personal Information. GDPR aims to protect personal data rights such as the right to be informed, the right of access, the right of rectification, the right to erasure (aka the right to be forgotten), the right to restrict processing, the right to data portability, the right to object and rights relating to automated decision-making and profiling.
Organisations wishing to store data must have explicit consent from the subject of the data. The reason for storing it must be transparent, and the data subject has the authority to block processing while concerns are dealt with, as well as to request the removal of the information from the system. There is nothing to say that data must be anonymised – the law is not that prescriptive. However, the law does say that there must be documentation showing that data protection is by design, and that processes comply with the rights of the data subject.
The difficulties will start when someone requests the details of where their personal data is being kept in an IT system. Let’s complicate that: let’s say your organisation receives ten requests – or even one hundred – to locate sensitive, personal data. Imagine having to log into a number of SAP systems to download table entries, or take screenshots to show the data subject’s footprint. How many password resets will be required? Do you know all the places to look? And how long will this take?
It’s not easy for SAP systems to comply with the demands of GDPR because of their architecture. SAP stores information in an intricate and tangled way. Data is stored and replicated across the system in many places, such as customer master, business partner and change document tables, and so on. SAP is also highly configurable, so the way it is implemented dictates which tables and fields the data will be stored in. An additional complication is that there are often multiple copies of systems. The data might be in Z-tables, and the only way this can be verified is to get into that system.
The requirements of GDPR go to the very core of your IT systems, because they need to be built into the design; a project like this can affect your CRM systems, your ERP systems and customer first line support. Entire new business processes have to be put into place. You will also need an auditor to scrutinise your security arrangements. Every organisation should have a plan to meet the requirements, and assign key roles and responsibilities to that plan.
EPI-USE Labs will help you deal with GDPR. Our knowledge, experience, expertise and products will help you sleep peacefully at night in the knowledge that everything is under control.
Ian Naylor, Business Systems, Innogy
© 2024 EPI-USE Labs
Trafford House, 11th Floor, Chester Road, Stretford, Manchester, United Kingdom, M32 0RS