Get Your SAP Compliant with the New Data Protection Laws (GDPR)

The law is the law! And the clock is ticking. Is your business ready to fulfill all the requirements of GDPR?

European Union focuses on protecting personal data with the GDPR

The European Commission's data protection regulation (GDPR – General Data Protection Regulation – 2016/679) shall apply in the EU as of 25 May 2018. This regulation gives individuals more control over their personal data and imposes stricter rules on organizations. It also ensures that new technologies will be ready for proper handling of sensitive data within the European Union.

All private and public organizations must ensure that they comply with GDPR in order to avoid sanctions, which can amount to up to 20 million euros or up to 4% of their annual worldwide turnover of the preceding financial year, whichever is greater.

GDPR impacts SAP landscapes

The GDPR has a huge impact on SAP systems, where large amounts of personal and sensitive data are stored. As an example, just think about all the personal data of your employees, customers and vendors, which is spread all over the database.

One of the main requirements of GDPR is to produce a so-called Data Protection Impact Assessment (DPIA):

“In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.”

Article 35 paragraph 7 identifies the main DPIA outcomes:

The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.


As indicated in point (a), a correctly defined DPIA must identify the processing operations that legitimize the collection, storage and processing of personal data.


There are two main reasons for processing personal data legitimately (Article 6 paragraph 1):

  1. Business requirements: Processing is necessary for the performance of a contract to which the data subject is party (e.g. to fulfill a sales contract or maintenance contract).
  2. Legal requirements: Processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. the controller must keep legal documents, like billing documents or contracts, for the time required by the EU Member State law to which the controller is subject).


From a data management perspective, we need to take into account two main thresholds or deadlines:

  1. Residence Time: The time required for processing and closing a business process that can involve the usage of personal data.
  2. Retention Time: The time required for adhering to legal requirements and product liability purposes.


It is important to note that as soon as data moves from the residence time frame to the retention time frame, all related personal data also changes its “nature” and purpose. The Data Protection Officer must therefore ensure stricter access to it, since the business needs that kept the sensitive data “visible” are no longer valid.

How to get your SAP ERP compliant with GDPR

When building a DPIA that also covers the assessment of SAP ERP systems, it is good practice to define an archiving model in which residence time and retention time are defined in a way that is 100% compliant with business and legal requirements.

With the help of Datavard ERP Fitness Test, SAP customers can start to define an archiving practice that will comply with the GDPR requirements.

Unlike other SAP archiving analyses, ERP Fitness Test simulates all the archiving prevention rules that will stop an archiving process (as a general example, it is not possible to archive FI items that have not been cleared). In this way, it is possible to identify business processes that have not been designed in a way that keeps the protection of personal data as a fundamental requirement.

After running ERP Fitness Test, customers can identify even very old documents that are still not eligible for archiving (e.g. open documents that never reach a closed state that would allow them to be archived). In this way, they can focus on those processes that do not comply with the main GDPR principle: Data protection by design and by default (Article 25 of the regulation).

If you want a first look at the outcome of ERP Fitness Test, go to our demo and check the chapter “Archiving analysis”.


Need help with getting your SAP system compliant with GDPR? Get in touch with our experts:
