SAP is committed to ensuring our HR Solution supports compliance and allows companies to meet all of their local and international statutory obligations. One such law that we responded to rapidly was the Russia Data Privacy Legislation (RPDL), which came into effect in September 2015.
Here is all you need to know about the Legislation and our solution.
What is the Russia Data Privacy Law?
Russia Data Privacy Legislation requires companies with employees in Russia to manage master personal information related to their employees in a Russian Data Center.
The Legislation creates a new obligation to manage master personal data of Russian citizens in Russia. This means that companies located outside of Russia, processing data of Russian citizens “will be forced to place their servers within Russia if they plan to continue making business in the market.” The exact purview of the localization law is somewhat ambiguous, but RPDL requires data operators to ensure that the recording, systemization, accumulation, storage, revision (updating and amending), and extraction of personal data of Russian employees take place on servers located in Russia.
What is the SAP SuccessFactors Solution?
SAP has established a data center in Russia to enable customers to be compliant with this law. Customers who want to use our Russia Data Privacy solution will each have their own private database schema created in the Russian Data Center (RDC). This instance will house the personally identifiable information (PII) of their Russian employees. This can be reported on using an MDF record called ‘Person Data Residency Log’ that resides in the same Global Data Center (GDC) as the customer’s production Employee Central instance. This log stores a date and time stamp showing when the information was written to the Russia Data Center and to the Global Data Center. It also includes other information such as employee ID, type of action performed, and object modified, so organizations can report on the type and time of each action performed on the PII of Russian employees.
When an entry/update is made to PII for employees whose legal entity country = ‘RUS’, all of their PII is first written to the Russian Data Center (DC) and then it is written to the global data center and an entry is made in the Person Data Residency Log Record. This solution has been available to customers since Q4 2015.
The following Employee Central entities are supported as of Q1 2017:
• Person (Date of Birth, Country of Birth)
• Personal (Marital Status, Gender, Nationality)
• Global Information
• Email Information
• Phone Information
• Social Account Information
• National ID Card Information
• Address Information
• Work Permit Information
• Emergency Contact Information
• Dependents Information
• EC Workflow Entity
• Payment Information
• Background Information (Employee Profile on Metadata Framework)
• Person Data Workflow
• Attachment Support
The date and time of updates made in the Russia Data Center and global data center are recorded in the Metadata Framework (MDF) object Person Data Residency Log Record and can be reported on using our advanced reporting tool. This solution provides transparency to the administrator and end user and enables organizations to be compliant with the Russian Privacy Data Law (RPDL).
Implementing the Solution
Our solution not only provides you with the framework that allows you to be compliant with the law, but implementing it is also a breeze and can be achieved in 4 easy steps. Here are the steps to implement the solution:
Step 1: Enable Provisioning Settings
Have your implementation partner or SAP SuccessFactors Support activate the “Reside PII in Russia” flag in Provisioning and select the “Enable API Based Solution” flag.
Following are the URLs for preview and production environments:
Preview Instances: https://drspreviewdc18int.dc18.saas.sap.corp
Production Instances: https://drsproddc18-int.dc18.saas.sap.corp
The API Secret key should be provided during the Provisioning setup. It is used for validating the API call specific to the company instance.
Enable the attachment sync if your customer plans on capturing attachments for personal information.
Starting with the Q2 2017 release, a schema will automatically be created in Russian DC when you enable the switch in provisioning. If you encounter an error, please raise an SRSD ticket to create a schema in the Russian Data Center.
Step 2: Granting Security Permissions
Once you have enabled the Provisioning settings you can secure the Person Data Residency Log using the Configure Object Definition, and grant permission for the object to the required roles using the Miscellaneous Permissions section of the security role.
Step 3: Schedule the sync job in Provisioning to run daily in the customer’s environment.
The job will create or update the PII data in the Russia Data Center by reading PII data from the Global Data Center for the scenarios mentioned below:
1. Transfer of an Employee to Russia.
2. Concurrent/Global Assignment to Russia.
3. Future-dated transaction where the legal entity is set to a Russian legal entity in the future.
Step 4: Create a custom report using Advanced Reporting Tool
The data can be reported on by configuring and generating a custom ODS report using the Person Data Residency Log record.
The log captures the following information:
• Person ID
• Date of Change
• Legal Entity of the Employee
• Timestamp of change in Russian data center
• Timestamp of change in global data center
• Whether the change was an insert, update, or delete
• Changed entity (EC object level)
• Entity Identifiers to uniquely identify record that was changed
The report can be generated by applying one or more selection criteria:
• Date range of change date
• Legal entity of the employee.
• One or multiple employee IDs
• Object type changed, etc.
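An added example (not SAP code and not part of the original page): auditing an export of the Person Data Residency Log to confirm the write order described above, Russian Data Center first and global data center second. The CSV layout and column names are assumptions for illustration, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names are assumptions for illustration;
# a real Advanced Reporting export uses whatever labels the report defines.
SAMPLE_EXPORT = """person_id,legal_entity_country,operation,entity,rdc_timestamp,gdc_timestamp
1001,RUS,INSERT,Email Information,2017-03-01T09:00:01,2017-03-01T09:00:03
1002,RUS,UPDATE,Address Information,2017-03-01T10:15:09,2017-03-01T10:15:07
1003,RUS,UPDATE,Phone Information,,2017-03-02T08:30:00
1004,DEU,UPDATE,Phone Information,,2017-03-02T08:31:00
1005,RUS,DELETE,National ID Card Information,2017-03-02T11:00:00,2017-03-02T11:00:00
"""

def _parse(ts):
    """Return a datetime, or None for an empty timestamp cell."""
    return datetime.fromisoformat(ts) if ts.strip() else None

def audit_residency_log(csv_text):
    """Return (person_id, entity, reason) for every row that breaks the
    'Russian Data Center first, then global' write order for RUS employees."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["legal_entity_country"] != "RUS":
            continue  # the residency rule applies only to country = RUS
        rdc = _parse(row["rdc_timestamp"])
        gdc = _parse(row["gdc_timestamp"])
        if rdc is None:
            reason = "no Russian DC write recorded"
        elif gdc is not None and rdc > gdc:
            reason = "global DC written before Russian DC"
        else:
            continue
        findings.append((row["person_id"], row["entity"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit_residency_log(SAMPLE_EXPORT):
        print(finding)
```

Records created by the daily sync job (transfers, global assignments, future-dated changes) are populated by reading from the Global Data Center, so if such rows appear in the export, a later Russian DC timestamp on them is expected and should be reviewed separately.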
New Hire via the User Interface:
If the Russian Legal Entity (country=RUS) is chosen from job info during a new hire, then all of the person-related entities will be synced to the Russian Data Center.
New Hire via Imports and API:
Customers have to follow a specific import sequence to retrieve the company country to ensure the PII data of Russian employees is written to the Russia Data Center. The legal entity is determined with Job Info imports, which must be completed prior to importing any PII data. Here is the new order of imports that should be followed:
• Basic User Import (no personal data is synced to the Russian Data Center).
• Employment Import
• Job Info Imports (this provides the country of company).
• Any of the person-related entities imports will be synced to the Russian Data Center.
If a customer fails to follow this sequence, they will have to perform a full purge for all person-related entities. The same process has to be followed for API upserts via Boomi or any other interface. Zip Upload is not applicable here as the order of imports is hard coded in the system.
If the legal entity from Job info is Russia, then all person-related entities will be synced to Russian Data Center upon approval of the new hire workflow.
ESS/MSS on Person-Related Entities:
If an ESS/MSS action is taken for any of the person-related entities after a hire, and if the job info Legal Entity is Russia, then data will be synced to the Russian Data Center (Insert/Update/Delete).
Legal Entity Change/ Global Assignment/ Concurrent Job:
If a global assignment/concurrent job or an international transfer is added for an employee in Russia, then the PII record for the employee will be synced using the PII Job Sync that can be run on a daily basis.
Future Dated Records:
Future-dated changes are also synced to the Russian Data Center.
No insert/update/delete happens on person-related entities for an employee when that employee is terminated. This means no special handling is required for terminations. If any personal information is changed for a rehire where the job info country is Russia, then it will be synced to the Russian Data Center.
This makes our solution a robust framework for securing all personal information that we capture for employees in Russia in our SAP SuccessFactors solutions.
The Data Residency feature does not need to be enabled for customers who have their global instance in Russia (DC18), because the personal data of Russian employees is stored directly in the global instance, which is located in Russia, and this makes them compliant with the Russian data privacy law.
Please refer to the following guides for implementing the solution