Deleting data in SAP Cloud Platform applications
Just a personal disclaimer before we get started: I work as a product manager @ SAP with a focus on the subject of data protection and privacy, and I am in no way a lawyer, even with a 12-foot pole. The aim of this write-up is not to give any kind of legal advice but to bring forward my point of view. There is also no intentional correlation to persons/organizations here. If that happens to be the case … O MY, what a coincidence!
With that part cleared out, let's dive right in.
The concept of data protection is not new, although only recently, with GDPR, did the subject start getting some well-deserved and long-overdue attention. As more and more countries hop on the bandwagon with their own versions of data protection regulations, and more and more fines (large enough to make an impact on your bottom line) are issued, it is only fair to say that data protection must be a top priority for organizations. The requirements for compliance get more stringent depending on the kind of business you do and the kind of data you use to do it. Nevertheless, in the end, this data must meet its end of life. Most of the regulations explicitly mention the Right to be Forgotten (or variations of it) as a right that can be exercised by an individual or a consumer.
Deleting data could be as simple as pressing the delete button directly, or it could need a lot more thought. Organizations today are subject to various regulations depending on the nature of their business and the geographical locations they touch: for instance, labor laws, employment-related laws, tax laws, advertisement and marketing laws, various corporate laws, healthcare laws, intellectual property laws, finance laws and data protection laws, to name only a few. These regulations could explicitly or implicitly impact the purpose and duration for which businesses might need to process and retain personal data.
SAP Cloud Platform Data Retention Manager (DRM) service can help tackle the deletion dilemma for applications that are built on SAP Cloud Platform (SCP) irrespective of the data model they use.
Let’s consider the following simple scenario: a hypothetical company, Good Products USA, sells cosmetics. To manage this business, Good Products USA uses a homegrown app on SCP (Sales Management App) and uses SAP Cloud Platform Data Retention Manager to manage data deletion. Extending this example, let’s say Customer Carla purchases cosmetics from Good Products USA.
This may or may not be an ideal example, because in reality the situation is a lot more complex, with multiple legal entities involved and multiple products/services being offered in different parts of the world, but let’s please stick with this one for a while. In this example, Good Products USA is the legal entity. Their purpose is to sell cosmetics. Carla (data subject/consumer) is the customer (data subject role) and is associated with Good Products USA (legal entity) because she bought cosmetics (purpose). To fulfill Carla’s order, Good Products USA created a sales order, delivery, payment and invoice in the sales management application. Carla paid for the cosmetics and also received them. At this point Carla’s business with Good Products USA could be considered complete. But Good Products USA would like to report on taxes within one year. Good Products USA is also obliged to keep all this data for the next 2 years because the laws that apply to Good Products USA suggest so.
To help with data deletion, DRM has two apps: the Manage Business Purposes app and the Delete Data Subjects Information app. Using the Manage Business Purposes app, we can link business purposes, the respective legal entities, the business objects (which need to be checked before deleting personal data) and the retention and residence rules. Here’s what might help visualize the whole thing (sorry about the scratchy handwriting and the crooked boxes. I tried!)
It would also be helpful to look at the lifecycle of personal data that DRM considers before deciding that an individual’s data is eligible to be blocked or deleted. DRM goes back and forth with the respective SCP app to do some calculations, and also checks whether the data can actually be deleted and that it’s not being used in active transactions.
What happens next? Once individuals are marked for deletion by DRM, it adds them to a list. You can see this list in the Delete Data Subjects Information app. Here the privacy specialist can select them and request their deletion. At this point, DRM sends a notification/event to the respective SCP app to act on it.
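The lifecycle check described above, applied to Carla's case as an added illustration (this is not SAP's code and not the DRM API). It assumes the one-year tax reporting window acts as the residence period and the 2-year obligation as the retention period, both counted from each business object's end-of-business date; all class names, function names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

class State(Enum):
    ACTIVE = "active"        # still within the residence period or in use
    BLOCKED = "blocked"      # residence over, kept only for the legal retention
    DELETABLE = "deletable"  # retention over, may go on the deletion list

@dataclass(frozen=True)
class Rule:                  # assumed shape of a residence/retention rule
    residence_years: int
    retention_years: int

@dataclass(frozen=True)
class BusinessObject:
    name: str
    purpose: str
    end_of_business: Optional[date]  # None = transaction still active

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:       # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def lifecycle_state(objects, rules, today: date) -> State:
    """State of one data subject; the longest-running object decides."""
    if any(o.end_of_business is None for o in objects):
        return State.ACTIVE  # never block or delete data in active use
    if not objects:
        return State.DELETABLE  # assumption: nothing references the subject
    residence_end = max(add_years(o.end_of_business, rules[o.purpose].residence_years) for o in objects)
    retention_end = max(add_years(o.end_of_business, rules[o.purpose].retention_years) for o in objects)
    if today < residence_end:
        return State.ACTIVE
    return State.BLOCKED if today < retention_end else State.DELETABLE

# Constructed sample data for Carla's purchase (dates are made up).
RULES = {"sell cosmetics": Rule(residence_years=1, retention_years=2)}
CARLA = [
    BusinessObject("sales order", "sell cosmetics", date(2020, 3, 1)),
    BusinessObject("delivery", "sell cosmetics", date(2020, 3, 5)),
    BusinessObject("payment", "sell cosmetics", date(2020, 3, 8)),
    BusinessObject("invoice", "sell cosmetics", date(2020, 3, 10)),
]

if __name__ == "__main__":
    for day in (date(2020, 12, 1), date(2021, 6, 1), date(2022, 3, 10)):
        print(day, lifecycle_state(CARLA, RULES, day).value)
```

The latest end-of-business date (the invoice) drives both deadlines, and a single open transaction keeps the whole data subject active regardless of how old the other objects are.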
To get a deeper understanding of the DRM, please have a look at this SAP TechEd presentation.