One of EPI-USE Labs' most prestigious clients, MAPA, is a leading company in the market segments of contraception (BILLY BOY, Fromms and Blausiegel), household items (SPONTEX) and baby care (NUK). We recently interviewed a MAPA representative about the challenges they faced around compliance with GDPR (the General Data Protection Regulation) for their SAP systems, and why they chose to implement our SAP Data Privacy Suite.
From a technical point of view, our biggest concern was around our SAP system that is our ERP system. To ensure our data consistency, we generally avoid deleting data from the system. With SAP standard functions, sensitive data records cannot be deleted without further processing. This data is simply stored in a different location by means of archiving. The problem is that it can be restored there. The redaction of individual fields within the data records was also not an option we had available.
The SAP solution for solving the GDPR challenge was presented during a meeting at the DSAG (German SAP User Group). This confirmed the problem for us, but the SAP solution seemed unsuitable, not least because of the costs and the implementation effort. In the end, we came to the conclusion that it would not be possible with existing standard SAP tools to delete data from the SAP system according to the requirements of GDPR.
We had to find out in detail which personal data was stored, and where it was stored within the SAP landscape. Within the process documentation, initially, we were only able to demonstrate which data records needed to be potentially redacted: this document was prepared for the technical conversion and extended to the detail level of individual fields.
We have been anonymizing SAP test data quickly and easily for years with EPI-USE Labs’ Data Secure, part of their Data Sync Manager product suite, in our non-productive environments. That's why we trusted the technical accuracy of anonymization even for critical and complex data structures, such as the SAP HCM module. To implement the data privacy regulation (GDPR), however, individual data records must be redacted in Production systems. The approach EPI-USE Labs took with their SAP Data Privacy Suite fitted our approach:
With Data Disclose, the entire SAP systems are searched and sensitive data located. A person’s data footprint is found, retrieved and made available. For further automation, it also searches in non-SAP systems as soon as they are integrated through APIs.
A first milestone was the general preparation of the SAP system. Before the installation of the provided transports, minimum technical requirements had to be met. Our system was initially not fully prepared for the use of the GDPR Compliance Suite. Since EPI-USE Labs relies on the modern FIORI surface technology, we took this as an opportunity to prepare our Basis for the future and to import the necessary support packages. The general technical requirements for the SAP Data Privacy Suite are NetWeaver 7.0 and Fiori Gateway.
Data Disclose could then be activated immediately. On the basis of the delivered template, the relevant personal data was refined and the foundation was laid for the requirements of GDPR Article 15 (right of access) for the SAP system.
In the next project phase, the right to deletion according to GDPR Article 17 will be implemented. EPI-USE Labs also offers the appropriate solution to redact data. As part of the SAP Data Privacy Suite, Data Redact can quickly and seamlessly redact sensitive or personal data without deleting entire data records. This means that the data can no longer be related to a specific person (or data subject), but reports can be created as usual without affecting the referential integrity of the data.
Before Data Redact was introduced, we had to define which fields should be anonymized in the area of conflict between retention policies and data economy. Customer-specific extensions to the data structures also had to be taken into account. The effort required in addition to the template generally depends on how closely the system's own data structure is kept with the SAP standard.
The biggest advantage is that data integrity is still guaranteed. Thus, for example, customer orders are still traceable since only the sensitive customer data is redacted while all orders and sold items can still be viewed. It is only the assignment to the Customer that is no longer possible. This means that all test systems remain fully functional and Test orders can still be processed. If entire data areas have to be archived, the data integrity would suffer.
The proportionate processing of personal data in accordance with Article 5 of GDPR is another key element in complying with the Data Protection Regulation. When we introduced Data Secure, we discussed using the EPI-USE Labs’ Client Sync solution to copy SAP data selectively. This is a time slice of the production system on test and training systems to create test data. This selective client copy replaces the system copy and supports compliance with Article 5.
We also assume that the legislation will become stricter in the future. We plan to use the SAP Data Privacy Suite in all areas of the company. The use of the Suite should not remain a central task of IT, but be decentralised to give each department the ability to track down the right data and make it anonymous.
MAPA has a bespoke ordering process for babies’ dummies (known as pacifiers in the US). This allows someone to go online and choose bespoke images and colours, or even upload images to be printed on the dummy, potentially along with the baby’s name and/or date of birth. Although the data is stored in SAP, it's not a standard customer master. We were quickly able to build a new Legal Person Type and link it to a new custom business object for the ‘One time orders’, and make this available for Data Disclose (part of our SAP Data Privacy Suite). We were also able to use Data Redact for sensitive data including names, email addresses, dates of birth and more. Find out more in this short video from Paul Hammersley.
© 2024 EPI-USE Labs