The information provided in this blog should not be considered as legal advice or replace legal counsel for your specific needs. Readers are cautioned not to place undue reliance on these statements and they should not be relied upon in making purchasing decisions or for achieving compliance to legal regulations.
The EU Data Privacy regulation’s compliance deadline is nearing and every organization that stores and processes personal data of individuals must comply with the new regulations.
To comply with the law, SAP Hybris Cloud for Customer and SAP Business ByDesign provides extensive out of the box capabilities. You can find details of the standard capabilities for both these products in the following blogs.
In addition to the standard capabilities, you can use SAP Cloud Applications Studio to make sure that the extensions built on top of standard features and functions also comply with the regulation. Here are a list of tutorials, that will help customers implement data privacy compliance for the custom business objects and extension objects in their solutions.
Since the 1711 release, it’s possible for customers to identify personal data stored in custom business objects as well as extension business objects, and include those in the data disclosure and deletion/anonymization process. You can find a how-to guide in this blog.
With the 1802 release, it’s possible to define sensitive personal data and personal data fields in an add-on solution. A read access log is created whenever a user views or access data stored in the fields marked as sensitive personal. Similarly, fields defined as personal data are anonymized whenever the business partner (Individual Customer, Employee, Contact Person) records are removed by the Data Privacy Officer. You can find more details on how to achieve this in your add-on solution in this blog.
Depersonalization after End of Purpose is reached
With 1805, customers can implement a BADI to remove the data of business partners (Employees, Individual Customer, Contact Person) stored in custom objects, extension objects and extension nodes when the end of purpose of storing the data is reached. The BADI is triggered when the relevant standard business transactions participate in the de-personalization or deletion process on reaching end-of-purpose.