Comply with data privacy legislation in SAP systems

Mass Data Removal services for data privacy compliance, using Data Secure and the Data Privacy Suite for SAP solutions

Data privacy services for SAP systems, including compliance with GDPR

EPI-USE Labs offers a range of solutions to help you tackle compliance with global data privacy legislation such as the GDPR (General Data Protection Regulation), POPIA in South Africa, PDPL in Saudi Arabia and USA federal law.

GDPR has far-reaching consequences for companies across the world. All organisations worldwide that collect, store and process personal data of European Union (EU) citizens must be able to reveal the data they hold on an individual and the purpose(s) for which it is stored and used. To hold and manage the data, irrespective of whether it is held in the EU or not, each organisation needs to obtain informed consent from the data subject and demonstrate compliance with the guiding principles of the regulation, including that data protection is at the heart of the system design. Compliance is non-negotiable, and organisations with data security breaches face potentially heavy fines, which could be as high as €20 million ($21m at the current exchange rate) or 4% of annual revenue, whichever is greater.

How can you comply with data privacy legislation like GDPR?

EPI-USE Labs offers the following solutions to help you tackle compliance with GDPR and other data privacy legislation in SAP systems:

  • Data Secure™ and the Data Privacy Suite for SAP solutions
  • Guidance and best practice:
    • Knowledge and direction on where data is stored in SAP®
    • Understanding the affected data types, and choices and processes to meet requirements
    • Mass data removal services
    • Data Privacy/GDPR Awareness workshops

The many and varied IT systems mean that a “one size fits all” approach isn’t possible, so let us share our expertise and experience to help you stay ahead of the game. EPI-USE Labs has spent over forty years in the SAP data space creating and developing advanced software solutions, and can also offer guidance and share expertise on GDPR and similar data privacy legislation for SAP.

Mass Data Removal services

For most organisations, a data retention policy has been treated by the technical teams as a minimum period of retention, not as the point at which data must be proactively destroyed. With the GDPR in force, this has changed, and all organisations are sitting on some historical data they no longer have legal grounds for storing, whether this is former employees' family details, former customers' bank account numbers, or one of the many other types of personal data interwoven in the fabric of their SAP systems.

EPI-USE Labs has a simple approach to clearing this old data, without the need for complex archiving projects. The technology behind the Data Redact product, used to redact or remove specific information for an individual data subject, can be leveraged by an EPI-USE Labs System Landscape Optimisation (SLO) consultant with a specific licence mode that allows mass record selection and parallel processing. The consultant will also assist with the exact definitions of the data that should be removed in the initial clean-up and how to select those records.

Employee data

Historical employee data is needed in most cases, but what if that part of the business was divested? Ten years later, can we still keep those employees in the system at all? Even if we want to keep the main part of the employee record, what about the more personal parts of the data? An initial mass clean-up could take the form of one policy that clears a small amount of highly personal data, such as family information or bank account numbers, applied to anyone who left more than a year ago, and then a second policy for anyone who left the organisation seven years ago or more, which removes much more data, such as sickness absence information, performance reviews and pay details.

Business to Consumer data

In this area, it's much more difficult to define legal grounds for keeping the data. There may be thousands of customers, business partners and addresses that have not traded with the organisation for more than five years. Rather than archiving all their transactions and then the master data, we can provide a mass clean-up that removes identifiers from the master data and any references on transactions, so that the person is no longer visible in the system. Alternatively, it may be desirable to remove credit card information and security question answers from former consumer records much sooner.
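To make the tiered policies described for employee data and the "select first, then remove" approach used for consumer data concrete, here is an added Python example (not EPI-USE Labs code and not a product configuration): records are selected by how long ago the person left, each matching tier clears only its own fields, and a dry run and audit trail show what would be touched before anything is changed. The thresholds, field names, reference date and sample records are assumptions constructed for illustration.

```python
from copy import deepcopy
from datetime import date

REDACTED = "<redacted>"
# Constructed tiered policies modelled on the page's example; thresholds and
# field names are illustrative assumptions, not a real product configuration.
POLICIES = (
    # light tier: left more than a year ago -> highly personal data is cleared
    {"name": "leaver_1y", "min_years": 1,
     "fields": ("family_details", "bank_account")},
    # heavy tier: left seven or more years ago -> much more is removed
    {"name": "leaver_7y", "min_years": 7,
     "fields": ("sickness_absence", "performance_reviews", "pay_details")},
)

def years_since(event, today):
    """Whole years elapsed between event and today (anniversary-style rounding)."""
    years = today.year - event.year
    if (today.month, today.day) < (event.month, event.day):
        years -= 1
    return years

def matching_policies(record, today):
    """Policies whose threshold the leave date has passed; active staff match none."""
    left = record.get("leave_date")
    if left is None:
        return []
    return [p for p in POLICIES if years_since(left, today) >= p["min_years"]]

def dry_run(records, today):
    """Selection step before any change: pernr -> names of policies that would apply."""
    return {r["pernr"]: [p["name"] for p in matching_policies(r, today)] for r in records}

def redact(record, today):
    """Return a redacted copy plus an audit trail of (policy, fields actually cleared)."""
    out = deepcopy(record)
    trail = []
    for p in matching_policies(record, today):
        hit = [f for f in p["fields"] if out.get(f) not in (None, REDACTED)]
        for f in hit:
            out[f] = REDACTED
        trail.append((p["name"], hit))
    return out, trail

AS_OF = date(2024, 1, 15)  # constructed reference date for the sample run
PII = {"family_details": "spouse", "bank_account": "DE00 0000", "pay_details": "grade 5",
       "sickness_absence": "3 days", "performance_reviews": "2014: good"}
SAMPLE = [  # constructed personnel records (pernr = SAP personnel number)
    {"pernr": "00001001", "leave_date": None, **PII},               # still employed
    {"pernr": "00001002", "leave_date": date(2022, 3, 31), **PII},  # left under 2 years ago
    {"pernr": "00001003", "leave_date": date(2015, 6, 30), **PII},  # left over 8 years ago
]
```

Running `dry_run(SAMPLE, AS_OF)` lists which tiers each person falls into, which is the review step an SLO consultant would sign off before `redact` is applied to the selected records.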

Contact us for an initial discussion of your requirements and how we can tailor our mass clean-up services to help you with GDPR compliance.

Tackling GDPR in detail: the importance of privacy, transparency and technology

Personal Data Rights

The main emphasis of GDPR is on personal information. GDPR aims to protect personal data rights such as the right to be informed, the right of access, the right to rectification, the right to erasure (also known as the right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.

Key requirements for GDPR

  • Consent for storage must be given by the data subject
  • Consent must be explicit
  • Each individual has “the right to be forgotten”, although this comes with several caveats
  • Compliance must be demonstrated
  • Notification of data breaches must be provided

Data privacy must be by design

Organisations wishing to store data must have explicit consent from the subject of the data. The reason for storing it must be transparent, and the data subject has the authority to block processing while concerns are dealt with, as well as to request the removal of the information from the system. There is nothing to say that data must be anonymised – the law is not that prescriptive. However, the law does say that there must be documentation showing that data protection is by design, and that processes comply with the rights of the data subject.

Overwhelming data requests

The difficulties will start when someone requests the details of where their personal data is being kept in an IT system. Let’s complicate that: let’s say your organisation receives ten requests – or even one hundred – to locate sensitive, personal data. Imagine having to log into a number of SAP systems to download table entries, or take screenshots to show the data subject’s footprint. How many password resets will be required? Do you know all the places to look? And how long will this take?


Your challenges include

  • The complexity, volume and sheer scale of GDPR
  • Lack of consistency: Every GDPR compliance project is different, depending on the industry, existing IT systems, usage of data, etc.
  • Ambiguity: While the GDPR is comprehensive, there are many areas that are neither detailed nor prescriptive. It doesn't specifically tell organisations what to do; it's up to them to analyse their systems, processes and data and work out what to do for themselves.

How GDPR affects SAP systems

It's not easy for SAP systems to comply with the demands of GDPR because of their architecture. SAP stores information in an intricate and tangled way: data is stored and replicated across the system in many places, such as the customer master, business partner and change document tables, and so on. SAP is also highly configurable, so the way it was implemented dictates which tables and fields the data is stored in. An additional complication is that there are often multiple copies of systems. The data might be in custom Z-tables, and the only way to verify this is to get into that system and look.

Don’t delay!

The requirements of GDPR go to the very core of your IT systems, because they need to be built into the design; a project like this can affect your CRM systems, your ERP systems and customer first line support. Entire new business processes have to be put into place. You will also need an auditor to scrutinise your security arrangements. Every organisation should have a plan to meet the requirements, and assign key roles and responsibilities to that plan.

EPI-USE Labs will help you deal with GDPR. Our knowledge, experience, expertise and products will help you sleep peacefully at night in the knowledge that everything is under control.

Who we have helped

The challenges we had before we implemented Data Sync Manager were around the reliability and quality of our test data - it had not been refreshed for several years and had been manually manipulated to suit certain scenarios.

Ian Naylor, Business Systems, Innogy

EPI-USE Labs’ DSM came through with flying colours and was a clear leader. One key differentiator was the EPI-USE Labs’ team we worked with locally who were able to respond in real time to any issues we raised.

Shaun Code, Head of Enterprise IT Operations, AGL