GDPR and SAP Information Steward
With the advent of GDPR in Europe / UK from 25th May 2018, I have been receiving many questions as to how we can achieve compliance. In fact, from my perspective there is no simple, straightforward answer to this. It has to be an organizational push plus a set of applications which will help us achieve it. We still have to wait and watch, as many articles are yet to be defined properly.
Still, one of the essential and well-defined articles within GDPR is that personal data should be properly tagged and that an enterprise should be aware of everywhere it stores users' personal information.
This brings us to the importance of storing business metadata as part of our study / analysis phase to determine where our data needs to be anonymized and pseudonymized. Among the limited number of tools available in the market to document metadata across the enterprise application landscape, SAP Information Steward (IS) stands out in its capability, flexibility and ability to connect to multiple SAP / non-SAP systems.
In this blog we will see how SAP IS can be connected to a SAP Data Services repository and a SAP Business Warehouse system, how technical metadata from these 2 systems can be exported from the repository in SAP IS, how GDPR-relevant tagging can be done, and how this technical metadata from multiple source systems can be categorized under a single business metadata.
- Connecting SAP Data Services to Information Steward: from the SAP Central Management Console, go to Information Steward > Metadata Management > Integrator Sources > Manage > New > Integrator Source. Here you will see a master list of all source systems that can be connected to SAP IS to extract metadata.
- Once the above connection is established, one can see the SAP DS repo.
- To import technical metadata structures, we can right-click on the connection name and select Schedule if we want to extract the metadata regularly, or click on Run Now if only a one-time import is required.
- Once the import metadata job is completed, log in to Information Steward and click on the Metadata Management tab. The connection which we created in the SAP CMC console will start appearing here. All the above steps need to be repeated for all the source systems (BW in this case).
- SAP IS does not have an out-of-the-box capability to tag GDPR-relevant attributes, so this has to be custom built in the system. It can be built using the custom attribute functionality under the Manage drop-down.
- I have created a GDPR attribute which will signify whether the object in question is GDPR relevant or not. Similarly, one can create N number of custom attributes like GDPR Dependency details, Data Owner etc., but here I have just taken one attribute to keep it simple. Once we have created the custom attribute, we can also assign access levels so that, e.g., this attribute will only be visible to BW source systems, or Data Services source systems, or all systems etc.
- Once the custom attributes are defined, they will start appearing in the object description view and can be marked during the system analysis / study phase. In this example the GDPR attribute has been marked at 2 levels: the table that is present in the imported repository is GDPR relevant, and the attributes within this table are also GDPR relevant. This tagging needs to be done across all objects of a source system and also across multiple systems.
- Once the above technical metadata is consolidated, we move on to creating business metadata. In this case we will see how all the GDPR-relevant objects across multiple source systems can be consolidated under single, business-relevant common headings. For that, go to Metapedia, click on New Category and create a GDPR category. This master category can be further divided into subcategories like Bank Details, Employee Details etc.
- Go to All Terms and create a new term, let us say Bank Account Number. Fill in the details as exhaustively as you like, assign it to a category (save it before assigning it to a category) and submit it for admin approval.
- Once the admin approves it, it will start appearing under the subcategory which we created earlier. After approval one can search and assign GDPR-relevant attributes across multiple source systems.
- A normal business user with read-only access will see a view wherein the enterprise data steward team has tagged, categorized and mapped enterprise-wide GDPR-relevant attributes under a single business term.
I hope the blog will be useful for you to simplify the GDPR relevant documentation in your enterprise. In case of any queries / suggestions please do not hesitate to reach out to me.
Keep reading and keep learning.