Many organizations are concerned about how the European data
privacy law known as GDPR or EU-DSGVO might impact
their day-to-day business especially if they are using cloud business
software. See the video below to get in two minutes an idea on what GDPR is and what you need to consider for your business latest until
May 25th 2018.
Please be aware that the information provided in this blog should not be considered as legal advice or replace legal counsel for your specific needs.
The powerful capabilities which SAP’s Cloud ERP Business ByDesign provides with 1802 will help you to execute the GDPR-related data privacy policies your organization might setup. Here is quick overview on what ByDesign offers to support data privacy:
- Data Protection & Privacy Work Center for Data Privacy Officers: Allows to disclose and delete personal data across business scenarios including custom add-ons by partners (PDI). Support for all natural persons like private accounts, contacts, internal and external employees and for leads without reference to account master data.
- Data Retention Periods: Configure minimal retention periods for key business documents in order to control deletion.
- Logging: Change logs and read access logs for special categories of personal data like religion, bank etc.
- Marketing permissions: Manage the natural persons consent for marketing communication.
- Authorization: Grant and revoke access to data only to users which need the data.
- More information: Most important links on GDPR, Business ByDesign, SAP and it’s data centers, certifications, security measures and privacy by design.
The demo video below gives you an impression on how this works in our 1802 release:
As you have seen in the demo the data privacy expert can use the data privacy work center to easily find employees, service agents (i.e. external employees) or private accounts (1) and to trigger the deletion (3). Additionally he can generate a synopsis for master and transactional data which is stored for a natural person in the system (2) as you can see in the screenshots below.
Data disclosure and deletion of personal data coming from custom add-ons is also supported by using the cloud application development studio (PDI). Since 1711 customers and partners are enabled to identify all the personal data stored in add-on BO’s using ABSL coding and to include it for disclosure, anonymization or deletion. Here you find a good tutorial on how this works.
Data privacy experts are able to disallow the deletion of natural persons data e.g. due to a legal hold or other reasons.
Furthermore you can define in the business configuration the data retention periods for multiple business areas and countries which control that data cannot be deleted within the minimal retention period.
Data privacy experts can configure which predefined business partner attributes are to be treated as special category of data and activate read access logging for sensitive data of natural persons.
- Activate or deactivate predefined field groups for read access logging including change log.
- Extension fields can be marked as special category either by key user or PDI. Field group configuration can be extended by PDI.
- PDI allows to mark partner created BO fields as special.
- Download daily read access logs by webservice or UI within 14 days. Log is provided as XML files to be archived with external applications.
- Here you can find more details on read access logging and how to automatically download logs by webservice
Administrators, sales and marketing employees can according to their authorization access change logs:
- See changes per date and user
- See changed attribute with old / new value and modification type
- Export changes
Sales and marketing employees can manage marketing permission for contacts to be excluded from outbound marketing campaigns.
- Mark contacts to be included or excluded from marketing campaigns
- Mark contacts to be verified before being included in campaigns
- Include Permission as criteria for marketing target groups
Finally ByDesign does not only control what happens inside the system but also how data is being consumed in external applications with the standard web-services and interfaces.
- Communication scenarios and arrangements allow to control external access (via the Application and User Management work center).
- Valid certificates are required to allow access ByDesign Web services.
- Communication Monitoring for e.g. failed web service calls. Customers still need to assess which integration scenarios are exposed to whom.
Here you get general overview material on GDPR, the SAP GDPR policies and especially the SAP data center data privacy measures and it’s certifications which are continuously being audited:
- General information on GDPR and SAP
- SAP overview on GDPR
- GDPR regulation with links to all details in multiple languages
- Four steps to get started with GDPR
- GDPR: Company stakeholders and obligations
- SAP Data Protection & Privacy overview
- SAP Data Processing Agreement in all languages
- SAP security and privacy by design
- SAP Compliance & Certificates
- Which other tools does SAP offer for managing data privacy (e.g. GRC, ILM)?
- Documentation & enablement for SAP Business ByDesign:
- Factsheet on ByDesign and GDPR
- What’s new for GDPR in 1802 (incl. sample code for read access log webservice)?
- ByDesign Enablement slides on GDPR (login for SAP PartnerEdge required)
- Data Privacy Management in Business ByDesign
- Quick Guide for data disclosure of personal data
- Quick Guide for data removal of personal data
- Read access logging for sensitive data
- What’s new in SAP Cloud Application Studio 1711 for data privacy?
- How to develop partner or customer specific applications which are included in data disclosure & deletion?
The information provided in this blog should not be considered as legal advice or replace legal counsel for your specific needs. Readers are cautioned not to place undue reliance on these statements and they should not be relied upon in making purchasing decisions or for achieving compliancy to legal regulations.