Data Privacy Management in SAP C4C
With regard to the data privacy management of customers, every organization should identify and control the statutory and regulatory requirements of the geographies in which it operates. Examples are the FDA in the US, the DPA in the UK and the Consumer Protection Laws in Japan. In particular industries such as healthcare, removal of sensitive customer data could be one of the regulatory or statutory compliance requirements that organizations need to adhere to when dealing with their customers' sensitive data.
Possible scenarios for data privacy management could be:
1. On customer request – The customer may request that the organization anonymise their personally identifiable information or remove it from the organizational database.
2. Organization decision – After a certain retention period, the organization may decide to remove the customer data from the system.
There are two ways of dealing with consumer data in SAP C4C:
1. Anonymising the customer data
2. Removing the customer data
Anonymising the consumer data: Anonymization is the process of turning personal data into anonymised information that does not identify an individual. Typically this data includes first name, last name, phone number, email and address details. In SAP C4C this can be achieved by replacing the actual customer data with anonymous data such as XXXX or empty values.
Let us take an individual customer as an example.
Steps in C4C:
1. Log in to C4C in HTML5 mode
2. Search for the individual customers
3. Select the individual customers, replace the header data with XXXX for mandatory fields, empty all other data, and Save.
4. Testing: Open the transactions for that consumer/individual customer and ensure that the personal data has been removed or changed accordingly.
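The masking rule in step 3 and the check in step 4, as an added Python example (not from the original post and not SAP code). It assumes the customer and its transactions have been exported as plain records; the field names and the choice of mandatory fields are assumptions, and the sample data is constructed.

```python
import copy

MASK = "XXXX"  # placeholder the article uses for mandatory fields
# Assumed field names for an exported record (not C4C's real schema).
PII_FIELDS = ["first_name", "last_name", "phone", "email", "street", "city", "postal_code"]
MANDATORY_FIELDS = {"first_name", "last_name"}  # assumption: depends on tenant configuration


def anonymise(record):
    """Return (masked copy, original PII values): mandatory -> XXXX, other PII -> empty."""
    masked = copy.deepcopy(record)
    originals = set()
    for field in PII_FIELDS:
        value = masked.get(field)
        if value:
            originals.add(str(value).strip().lower())
        masked[field] = MASK if field in MANDATORY_FIELDS else ""
    return masked, originals


def residual_pii(documents, originals, min_len=4):
    """Step 4 check: list (document id, field, value) where an original value survives."""
    needles = {v for v in originals if len(v) >= min_len}  # skip very short values (noise)
    hits = []
    for doc in documents:
        for field, value in doc.items():
            text = str(value).lower()
            hits.extend((doc["id"], field, n) for n in needles if n in text)
    return sorted(hits)


# Constructed sample data.
customer = {
    "id": "1000123", "first_name": "Maria", "last_name": "Keller",
    "phone": "+49 30 5550199", "email": "maria.keller@example.com",
    "street": "Hauptstr. 5", "city": "Berlin", "postal_code": "10115", "abc_class": "B",
}
transactions = [
    {"id": "T-1", "type": "ticket", "subject": "Delivery delay",
     "note": "Call Maria Keller back on +49 30 5550199"},
    {"id": "T-2", "type": "quote", "subject": "Quote 2024-07", "note": "Standard terms"},
]

if __name__ == "__main__":
    masked, originals = anonymise(customer)
    print(masked)
    for hit in residual_pii(transactions, originals):
        print("residual PII:", hit)
```

Free-text fields such as the ticket note in T-1 are where masked header data typically survives, which is why step 4 looks at the transactions and not only the customer record.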
Removing the customer data: SAP C4C provides standard functionality to remove customer data from the C4C system after the retention period expires. The retention period depends on the organization’s policy or on the country’s regulatory authority. This functionality enables organizations to control the data of their business partners, employees, individual customers and contacts.
Steps in C4C:
1. Log in to C4C in admin mode
2. Go to Personal Data Removal under the Data Privacy Management work centre as shown below
3. Select the records that you want to delete > Select Remove Data > Confirm the deletion in the pop-up
If the organization has a requirement to remove document data with expired retention periods, this can be done using Document Removal under Data Privacy Management as shown below.
In the same way, access to the personal data of business partners (employees/customers/individual customers/contacts) can be handled by selecting Personal Data Disclosure under Data Privacy Management.
Hi Srinivasa, maybe you could clarify some points I have? Could you maybe advise when the retention period starts, i.e. is it on first contact of the customer, as in the creation date in C4C? I can see that I can set months and years, but what are the criteria for inactivity to determine if a customer should be removed or not? Does inactivity mean no activities at all (emails, meetings etc.) for that period? I am also not sure how to use the 'Relative End Date' of the retention period. Is this used instead of months and years?
The check will be done against the Validity dates and the retention period configuration, which is similar to private accounts, sales orders and quotes that raise vetoes. It also checks if any sales order or sales quote exists against the retention period configuration, and then proceeds with the data removal process.
Does remove data simply just set all fields within contact empty or can you actually remove the account/contact from the system?
No. As mentioned in the blog the account data will be removed from the system. Of course, we can remove all the personal data of the selected account when the relevant data retention period is expired for all data and documents associated with the account.
Nice article. What has happened to "Document Removal"?
We can leverage document removal if the organization has a requirement to remove documents data with expired retention periods.