What is GDPR & How can SAP Hybris Cloud for Customer help you comply with GDPR
In this digital age, personal data about customers, contacts and other business partners (such as employees) is one of the most valuable assets an organization holds.
In the midst of this digital revolution, data protection regulations have entered a period of unprecedented change.
It is now imperative for any organization to seriously evaluate its data protection and privacy-relevant processes and tools.
One of the most talked-about data protection regulations, which will come into effect in 2018, is GDPR. Let us understand more about GDPR and how SAP Hybris Cloud for Customer can help you comply with it.
What is GDPR:
- The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. [Source: Wikipedia]
- The regulation applies if the data controller (the organization that collects data from EU residents), the data processor (an organization that processes data on behalf of the data controller, e.g. a cloud service provider) or the data subject (the person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
What are the implications of non-compliance: penalties of up to 4% of annual global revenue or €20 million, whichever is greater.
Who must comply: organizations that offer goods or services to, or monitor the behavior of, EU data subjects, and those that process or hold the personal data of EU residents.
In the context of this blog, the data controller is the organization implementing SAP Hybris Cloud for Customer, and the data processor is the solution itself, i.e. SAP Hybris Cloud for Customer.
Some points to keep in mind regarding the key roles of data controller and data processor:
Data Controller:
- In general, no personal data may be stored without a purpose and/or explicit consent. The data controller therefore has to decide on questions such as: which data is needed? How is consent captured? What are the retention periods for the data? And more.
- It is the data controller's responsibility to adopt the measures that the controller deems appropriate to achieve GDPR compliance.
- The data processor, i.e. SAP Hybris Cloud for Customer, offers a wide range of tools to support the organizational rules defined by the data controller, so that the controller can comply with regulations such as GDPR. The data controller has to decide on and define these rules.
- The data processor manages and controls access to data-privacy-relevant master and transaction data for individual customers, contacts and employees, and makes it accessible.
Now let us look more closely at how SAP Hybris Cloud for Customer can help you, as a data controller, to comply with GDPR.
SAP Hybris Cloud for Customer has provided the following tools for many releases to help you configure and execute your data privacy policies.
With Cloud for Customer, your data protection and privacy office will be able to use the following tools:
- User authorization using business role configuration: ensure that only those sales and service representatives who need it for relevant and justifiable business processes have access to the personal or sensitive personal data of your customers and business partners.
You can explore more about business role definition by watching this video.
Cloud for Customer also lets you create page layouts to define and configure which attributes and entities of a customer record a business user is able to see.
Please watch the video to learn more about page layouts.
- Change log: access and analyse the change logs for data, especially for individual customers, contacts and employees.
- Dedicated data privacy application: a dedicated Data Privacy work center gives you an overview of the data stored about natural persons (e.g. employees, individual customers) and supports the deletion of personal data across business scenarios and documents.
- Configurable data retention policies: you can configure minimum retention periods per country in order to block the deletion of business partner data before the period has elapsed. This is crucial for regulatory reasons; for example, in some countries it is mandatory that all the details of an individual be retained by the data controller if a sale was made in the past "N" years.
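The retention check described above, written out as an added example (this is illustrative code, not C4C's own implementation): a per-country minimum retention table, constructed here with hypothetical values, is applied to a business partner's most recent sale to decide whether a deletion request is allowed or must be blocked, including the leap-day edge case when adding years to a date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed per-country minimum retention periods in years (hypothetical values,
# standing in for the per-country settings a data controller would maintain).
MIN_RETENTION_YEARS = {"DE": 10, "FR": 6, "GB": 4}
DEFAULT_RETENTION_YEARS = 4  # constructed fallback for countries without an entry


@dataclass
class BusinessPartner:
    partner_id: str
    country: str                 # ISO country code of the partner
    last_sale: Optional[date]    # most recent sale, or None if there was never a sale


def retention_end(partner: BusinessPartner) -> Optional[date]:
    """Date on which the minimum retention period for the partner's last sale elapses.

    Returns None when no sale is on record, since retention is anchored on the sale.
    """
    if partner.last_sale is None:
        return None
    years = MIN_RETENTION_YEARS.get(partner.country, DEFAULT_RETENTION_YEARS)
    target_year = partner.last_sale.year + years
    try:
        return partner.last_sale.replace(year=target_year)
    except ValueError:
        # 29 February does not exist in the target year; fall back to 28 February.
        return partner.last_sale.replace(year=target_year, day=28)


def evaluate_deletion(partner: BusinessPartner, today: date) -> Tuple[bool, str]:
    """Decide whether deleting the partner's personal data is allowed today.

    Returns (allowed, reason). Deletion is blocked while the retention period
    for the last sale is still running, mirroring the "retain if a sale was made
    in the past N years" rule.
    """
    end = retention_end(partner)
    if end is None:
        return True, "no sale on record; no retention period applies"
    if today < end:
        return False, f"blocked: retention for {partner.country} runs until {end.isoformat()}"
    return True, f"allowed: retention period ended {end.isoformat()}"
```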
Please refer to this video to explore more about data disclosure and data removal.
With the SAP Hybris Cloud for Customer 1711 release, it will also be possible for custom BOs linked to individual customers, employees and contacts to participate in the data disclosure and deletion process.
Please refer to the link for more details: Data Privacy Workcenter view.
We will be updating this blog post with details & links on more innovations planned for this topic in upcoming releases.
With 1711, we have also enabled data disclosure and deletion for custom objects; see Enable Custom Objects in Data Disclosure and Data Deletion views of Data Privacy Management.
Other useful links from SAP on this topic
Great blog, thanks a lot Ajitabh!
Great blog, Thanks Ajitabh!
In fine tuning, where we maintain retention periods, there is a current restriction where the system doesn't let you set it to less than 4 years. This means we will not be able to delete Accounts or Employees before their retention period is reached.
Is SAP looking at reducing this retention period?
Great blog, Ajitabh!
A really good read this blog, thanks!
Thanks Ajitabh! GDPR will be enforced by 25 May 2018 - at which time those organizations in non-compliance will face heavy fines. So good timing to create awareness and explain our solution to it.
Thanks for presenting the SAP efforts on this area.
I want to point you to an issue present in C4C currently. If a contact which has been linked to an opportunity is removed using the Data Privacy Workcenter then the opportunity itself gets anonymized and actually rendered useless by the system.
This makes no sense, contacts come and go and opportunities may be in process even if one of the contacts involved in it leaves our client.
When a contact is removed only its links to opportunities should be removed, the opportunity itself must remain usable.
Hope this message finds its way to your product management.
We will take this feedback and evaluate for a future release.
Thank you Ajitabh!
Great! Here is what the cloud ERP SAP Business ByDesign can offer: https://blogs.sap.com/2017/09/05/what-is-gdpr-eu-dsgvo-and-how-does-sap-business-bydesign-manage-data-privacy/
Great blog, thanks a lot Ajitabh!
But I've got one question about this:
How do I submit the data to a client if he/she wants to know what kind of data we have about him/her in our SAP C4C? For me, who has access to the system and the user rights to access the WC, I can view the data via "Personal Data Disclosure", but how do I show the applicant what data we have about him/her?
Thanks for the great blog and help!
We are evaluating an enhancement to offer an export mechanism as well.
I have a question regarding GDPR and C4C: is there any possibility to send emails to all the contacts in C4C asking for their continued subscription to our newsletters/campaigns, and to link their answers directly with their account ID in C4C?
Does the deletion work in the same way for contacts of accounts?
I only seem to be able to set retention periods for private accounts, so when I try to delete a contact with old sales quotes against them it vetoes the deletion.