Many organizations are concerned about how the European data
privacy regulation known as GDPR or EU-DSGVO might impact
their day-to-day business especially if they are using cloud business
See the video below to get an idea in two minutes of what GDPR is
and what you need to consider for your business by
May 25th 2018 at the latest (more links can be found below):
The powerful capabilities which SAP’s Cloud ERP Business ByDesign has already provided for a couple of releases will help you to execute the GDPR-related data privacy policies your organization might set up. With ByDesign your data privacy officers will be enabled to:
- Ensure that user authorization allows access to data only to users who need the data for business processes.
- Configure minimal retention periods for key business documents in order to block deletion if they are still needed, e.g. for accounting.
- Access and analyze change logs for data, especially for accounts, contacts and employees.
- Most important: Centrally work on data privacy requests with a dedicated data privacy work center which provides an overview of the data stored about natural persons (e.g. employee, private account) and the deletion of personal data across business scenarios and documents.
- Build custom add-ons using PDI which flag usage of personal data to make it available for central disclosure or deletion.
The demo video below gives you an impression of how this works in our 1708 release:
As you have seen in the demo, the data privacy expert can use the data privacy work center to easily find employees, service agents (i.e. external employees) or private accounts (1) and to trigger the deletion (3). Additionally, he can generate a synopsis of the master and transactional data which is stored for a natural person in the system (2), as you can see in the screenshots below.
Data disclosure and deletion of personal data coming from custom add-ons is also supported by using the cloud application development studio (PDI). With 1711, customers and partners are enabled to identify all the personal data stored in add-on BOs using ABSL coding and to include it for disclosure, anonymization or deletion. Here you find a good tutorial on how this works.
Furthermore, you can define in the business configuration the data retention periods for multiple business areas and countries, which ensure that data cannot be deleted within the minimal retention period.
Administrators, sales and marketing employees can access change logs according to their authorization:
- See changes per date and user
- See changed attribute with old / new value and modification type
- Export changes
Finally, ByDesign controls not only what happens inside the system but also how data is consumed in external applications through the standard web services and interfaces.
- Communication scenarios and arrangements let you control external access (via the Application and User Management work center).
- Valid certificates are required to access ByDesign web services.
- Communication Monitoring covers e.g. failed web service calls. Customers still need to assess which integration scenarios are exposed to whom.
More links:
- Full video and demo on SAP Business ByDesign GDPR and data privacy
- SAP overview on GDPR
- How to develop partner or customer specific applications which are included in data disclosure & deletion?
- Four steps to get started with GDPR
- 12 tips to prepare for GDPR
- GDPR: Company stakeholders and obligations
- SAP Data Protection & Privacy overview
- SAP Compliance & Certificates
- Which other tools does SAP offer for managing data privacy (e.g. GRC, ILM)?
- GDPR regulation with links to all details in multiple languages
- EU Commission on protection of personal data
- Data Privacy Management in Business ByDesign
- Quick Guide for data disclosure of personal data
- Disclose: Employee, Service Agent
- Data Removal: Business Partner, Employee, Service Agent, Documents
- What’s new in SAP Cloud Application Studio 1711 for data privacy?
- Data privacy management in Cloud for Customer Administration Guide
The information provided in this blog should not be considered as legal advice or replace legal counsel for your specific needs.