GDPR 1 Year On - How's Your SAP Data Looking?

Happy Birthday to GDPR!

It has been a year since the General Data Protection Regulation became enforceable across the EU on 25 May 2018, the biggest shake-up in data protection law since the Data Protection Directive of 1995.

It has been a huge hot topic across the tech space this year and I'm sure at times it has felt like we can't escape it! Twelve months on, my conversations with clients about the best ways to manage personal data, as an individual and as a business, continue. Throughout this period Absoft have learned a lot, and each project we have undertaken has added to this knowledge, which we would like to share with you.

So what are the main take-aways we have learned over the last year about the best ways to ensure GDPR compliance in your SAP system?

Obfuscation

Not only have I had a new word added to my vocabulary this year, but we at Absoft have also learned the importance of data obfuscation in your SAP system and the various ways to manage it. A lot of the time in SAP it is not possible to simply delete data from your system (posted financial documents can only be reversed or archived, not deleted, and other records reference them), so you have to find another way to take the personal data out while leaving the record in place. We have worked with a number of customers this year to anonymise data in a way that works for them, and have settled on three ways to do it effectively:

1)    Free-text fields and fields with no fixed format: overwrite the value with a fixed mask character, keeping its length, e.g. John Smith becomes XXXX XXXXX.

2)    Fields that do have a specific format, e.g. a National Insurance number: replace the value with one that keeps the expected shape, so that validation checks and interfaces that depend on the format keep working.

3)    Anonymising in a way that keeps the data usable for testing, using an algorithm to swap one letter for another, e.g. John Smith becomes Hrsn Pxcrl. One caveat here: if the same name always produces the same result, which is usually what you want so that test data still joins up across tables, the output is pseudonymised rather than anonymised. GDPR Recital 26 treats data that can be linked back to a person using additional information (here, the substitution rule or key) as still being personal data, so the mapping and any test copies built with it need the same protection as the original.

GDPR is for your whole SAP landscape - not just for HR!

The most obvious place to look for potential GDPR breaches is your SAP HR & Payroll system, where all your employee data is held. However, have you considered where else personal data (often called personally identifiable information, or PII) is held in your SAP system? Under the GDPR this means any information relating to an identified or identifiable person, not only the fields that uniquely identify them.

Examples we have seen this year include employees who are set up as vendors in the FI system, information held in PDF documents, and information that is shared across interfaces in an IT landscape. We have assisted several customers to ensure they have considered all the places where PII is held; one customer originally thought they only held PII in HR, but on further investigation there turned out to be data in their finance and project tables too. The same question applies to copies of the system: development and QA clients refreshed from production carry exactly the same PII as production does. We have therefore learned that a thorough discovery exercise needs to take place before embarking on a GDPR anonymisation exercise.

Retention

Managing data to comply with GDPR is not a one-off exercise; it is a constant requirement. Companies should therefore have robust retention strategies for how they manage data in the system going forward. Retention periods differ by type of data and by the legal basis for keeping it, so define them per data category rather than as one blanket period. Once the retention rules are defined, jobs can be set up to run in your system so that any data which falls out of its retention period is obfuscated or deleted. This gives you the reassurance that you remain compliant beyond the initial clean-up exercise.
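The three obfuscation approaches listed under Obfuscation above, applied by the kind of scheduled retention job described in this section, worked through in Python as an added example. This is not Absoft's code or an SAP program (a real job would run in ABAP against the SAP tables); it shows the logic. The record layout, the field names pernr, name, ni_number, notes and leaving_date, the key PSEUDONYM_KEY and the six-year retention period are assumptions for illustration, and the sample records are constructed. Which approach applies to which field is a policy choice; here the name is pseudonymised with approach 3 only when building a test copy and masked with approach 1 in production.

```python
import hashlib
import hmac
import re
import string
from datetime import date

# Hypothetical key for approach 3. A real job would fetch it from a secret store;
# whoever holds it can rebuild the name mapping, so guard it like the data itself.
PSEUDONYM_KEY = b"example-key-rotate-me"

# UK National Insurance number: two letters, six digits, one letter A-D, spaces optional.
NI_PATTERN = re.compile(r"^[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]$")


def mask_free_text(value, mask="X"):
    """Approach 1: every letter and digit becomes the mask character. Spaces and
    punctuation survive, so "John Smith" -> "XXXX XXXXX"; the content is gone for good."""
    return "".join(mask if ch.isalnum() else ch for ch in value)


def mask_formatted(value, pattern):
    """Approach 2: shape-preserving mask. Letters become 'A', digits '0', so
    "AB123456C" -> "AA000000A" still passes a format check. Non-matching input is
    rejected rather than passed through un-masked."""
    if not pattern.fullmatch(value):
        raise ValueError("value does not match the expected format: %r" % value)
    return "".join("A" if ch.isalpha() else "0" if ch.isdigit() else ch for ch in value)


def _keystream(key, word, length):
    """HMAC-SHA256 in counter mode keyed on (key, word): same word, same bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = word.encode("utf-8") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def pseudonymise(value, key=PSEUDONYM_KEY):
    """Approach 3: keyed letter-for-letter substitution that keeps word lengths,
    capitalisation and punctuation, so a name stays name-shaped. Derived per word, so
    "Smith" maps to the same surname in every table (joins keep working in test).
    That consistency is why this is pseudonymisation: with the key it can be undone."""
    out_words = []
    for word in value.split(" "):
        stream = _keystream(key, word.lower(), len(word))
        chars = []
        for ch, b in zip(word, stream):
            if ch.isalpha():
                new = string.ascii_lowercase[b % 26]
                chars.append(new.upper() if ch.isupper() else new)
            elif ch.isdigit():
                chars.append(string.digits[b % 10])
            else:
                chars.append(ch)
        out_words.append("".join(chars))
    return " ".join(out_words)


def retention_cutoff(today, retention_years):
    """Oldest leaving date still inside retention. A plain year subtraction raises on
    29 February when the target year is not a leap year, so fall back to the 28th."""
    try:
        return today.replace(year=today.year - retention_years)
    except ValueError:
        return today.replace(year=today.year - retention_years, day=28)


def sweep_leavers(records, today, retention_years, for_test=False, key=PSEUDONYM_KEY):
    """The scheduled retention job. Leavers out of retention get notes masked (1), the
    NI number shape-masked (2) and the name pseudonymised (3) for a test copy or masked
    in production. Current employees (no leaving date), leavers still within retention
    and records already stamped obfuscated_on are left alone, so re-running is safe and
    never pseudonymises a pseudonym. Returns new dicts; the input is not modified."""
    cutoff = retention_cutoff(today, retention_years)
    swept = []
    for rec in records:
        left = rec.get("leaving_date")
        if left is None or left >= cutoff or rec.get("obfuscated_on"):
            swept.append(dict(rec))
            continue
        swept.append({
            **rec,
            "name": pseudonymise(rec["name"], key) if for_test else mask_free_text(rec["name"]),
            "ni_number": mask_formatted(rec["ni_number"], NI_PATTERN),
            "notes": mask_free_text(rec["notes"]),
            "obfuscated_on": today,
        })
    return swept


# Constructed sample records: invented people, not an SAP extract.
SAMPLE = [
    {"pernr": "00001234", "name": "John Smith", "ni_number": "AB123456C",
     "notes": "Called re sick pay on 3 Jan", "leaving_date": date(2012, 6, 30)},
    {"pernr": "00001235", "name": "Mary O'Neil", "ni_number": "CD 65 43 21 A",
     "notes": "Relocated to Aberdeen office", "leaving_date": None},
    {"pernr": "00001236", "name": "Anne Smith", "ni_number": "EG111111B",
     "notes": "Pension query", "leaving_date": date(2018, 1, 15)},
]

if __name__ == "__main__":
    for rec in sweep_leavers(SAMPLE, date(2019, 5, 25), retention_years=6):
        print(rec)
```

Two points the code makes that the list above does not: a record already stamped as obfuscated is skipped, so re-running the job cannot turn a pseudonym into a different pseudonym and break the joins approach 3 was chosen to preserve; and approach 2 refuses a value that does not match the expected format, because the dangerous failure is an un-masked value slipping through, not a job that stops and reports.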

The Law (and Fines!) Applies to Everyone

This may seem an obvious one; however, we continue to come across SAP organisations who have buried their heads in the sand about GDPR law for their SAP data and who are keeping data in their system that they shouldn't be. Please don't let yourself fall into this category!

Regulators have already started handing out fines. The French supervisory authority, CNIL, fined Google €50 million in January 2019, and in the UK the ICO (the UK's supervisory authority under GDPR, not an EU-wide regulator) has a long record of fining organisations of all sizes, including small local authorities, for data protection failures. The maximum GDPR penalty is €20 million or 4% of worldwide annual turnover, whichever is higher. The law has hit the ground running. Get your compliance journey going too and avoid a fine.

GDPR System Heatmap

Getting your SAP system GDPR compliant may seem daunting; however, taking a few steps to ensure that your data is compliant will pay off in the long run and greatly reduces the risk of a fine from the ICO.

Absoft recommends undertaking an exercise to identify all the PII data in your SAP system that is to be anonymised.

  •  Unsure where to start with this? Or want to make sure you have all your tables, landscape and interfaces covered? Get in touch with me to ask about our GDPR System Heatmap - jbrown@absoft.co.uk


At Absoft, we have worked with a variety of different customers and understand that each business is unique in their SAP use - that's why we offer SAP consulting tailored to your needs.