Independence is an attitude that is firmly entrenched in the commerce culture of the United States. The U.S. thrives on the idea that it can pave its own way economically without paying much attention to its ties to or rules originated by other nations. Despite France laying down its claim for full ownership of méthode champenoise, for example, American winemakers have been merrily calling sparkling wine Champagne for years, due to legal loopholes left open since the Treaty of Versailles at the end of World War I.
But the fact is, technology has allowed nations all over the world to become virtual neighbors, if not physical ones, with all the digital entanglements that go hand in hand with those relationships. And a new European Union (EU) ruling comes into effect on May 25, 2018 that could bring painful consequences to North American firms that maintain even the smallest amount of data on European customers. That is, if they don’t become aware and prepare now.
What on Earth is the GDPR?
The General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive 95/46 laws for all EU countries. Essentially, it sets formal rules to make sure that companies respect an individual’s rights to protect their personal data.
Yet its aim is far more sweeping than a mandate that companies should clean up or delete customers’ personal data. It’s a call to weave data protection practices throughout the entire approach to data governance. In the words of the EU, “Compliance should not be an afterthought to ensure one is within the confines of the law, but instead be baked into core product and operational design in the first place.”
How is North America Affected by the GDPR?
So, let’s deal with the burning question: Should North American companies be concerned about the GDPR? The short answer is yes. Now if you’re a small business with no e-commerce offerings or a customer base that doesn’t extend outside of your country, state, province, or city, then the GDPR may not apply to you.
In general, most companies that use SAP technologies will likely be firms that are global enough to have some connections to people or entities based inside the European Union. (For additional context, it’s worth noting that the United Kingdom is leaving the EU, so it will eventually face a similar situation to North America.)
The Costly Devil Hiding in the Data Detail
If your company has even one customer in the EU, then you have a data connection to Europe, because that customer’s information will exist as a record on a North American database. This means you must follow the rules of the GDPR in how you treat that customer’s data. That customer could be an individual, a virtual web startup, a satellite business unit, or a global enterprise. GDPR will apply in every case.
What if it comes down to something as small as an email from an EU entity, or an old customer record, or some other “microdata”? This is where it is cloudier at this stage, but industry thinking indicates that the rule will still apply in these scenarios. For example, North American gaming companies have raised concerns about GDPR in terms of simply having user-player profile names stored on their servers.
Painful Penalties Up the Risk
If a company harbors any kind of personally specific data and it wants to continue to be globally connected to EU information, then it will need to provide evidence of data protection compliance up to (and hopefully beyond) levels defined by European Union legislation.
The penalties for non-compliance with GDPR are potential fines as high as $25 million or four percent of worldwide annual revenue for the previous year, whichever is greater.
The Silver Lining in the GDPR Cloud
Although it all may sound like bad news, there are some positives here. This is an unparalleled opportunity for North American companies to perform internal data protection compliance audits. Now there’s a legitimate, risk-driven rationale for spending company resources on this project. And the wider call that GDPR sends out for us to now clean up our data and how we maintain it can be a positive thing for ASUG members, many of whom may be sitting on stale or duplicated data that would benefit from a housecleaning.
What GDPR Means for SAP Customers
GDPR will have a direct impact on currently deployed SAP technologies. By their very nature, we know that ERP, CRM, and HR repositories typically hold a great deal of sensitive personal information. All companies with personal data for citizens and businesses within the EU are now responsible for protecting this information from any threat of data breach.
In terms of its application, GDPR gives data protection and control rights back to individuals. This entire development has arisen due to the growing number of international security breaches that have exposed personal information to malicious hackers. Although SAP has not been identified as a specific source of blame for any real or perceived fragility in SAP HANA or any other product, now is a better time than ever to lock down your data protection compliance.
A Slow Race to the GDPR Compliance Finish Line
As many as 40% of organizations have been estimated to have no mechanisms in place to determine which elements of data should be saved or deleted because of GDPR. Within Europe, the U.K. is lagging countries like Norway and Sweden, which have been preparing more conscientiously. Even the uber-efficient Germans are said to be playing catch-up with their Nordic cousins. Put simply, it’s somewhat of a last-minute race to build compliance layers around enterprise data.
It’s worth remembering that under GDPR, North American companies can retain personal data, but only if it is being used for the original purpose communicated to the individual when they opted in to share their data. Companies are responsible for deleting this personal data when it is no longer needed for that stated purpose. For companies of any size, it will be no small task to create and implement processes to manage these kinds of regular data updates.
SAP’s GDPR Guidelines
SAP has said that GDPR best practice starts with an audit and assessment of your current processes and organizational design. The company also points out that all immediate changes made should “reflect the purpose” of respective data processing activities, according to relevant legal requirements. The difficult and inconvenient truth is that there is no single way to approach GDPR compliance.
According to SAP guidelines, “In SAP Business Suite and SAP S/4HANA, any business object has a corresponding Information Lifecycle Management object. Once you have identified all business objects and all retention requirements, check that the process design matches the retention requirements.”
SAP continues, “For example, if you need to separate sales orders according to different retention requirements, you may need to implement a second sales order process. After you adapt your processes and your organizational setup accordingly, you can continue with implementing GDPR compliance features, such as blocking and deletion rules, or the authorizations concept.”
SAP Steps on the Road to GDPR
SAP offers supporting solutions including SAP Hybris Consent (formerly known as Gigya Enterprise Preference Manager) and SAP governance, risk, and compliance solutions to help customers work toward the required documentation and auditing. The company is also saying that an upgrade of SAP Business Suite to the most recent version will bring ASUG members closer to getting their ERP system ready for the regulation.
ASUG members can also look to SAP tools including the Data Controller Rule Framework, SAP Read Access Logging, and SAP Test Data Migration Server to configure access rules, keep track of data retrievals, and migrate data securely.
As SAP GDPR expert Volker Lehnert, Product Owner of Data Protection and Privacy for SAP Business Suite and SAP S/4HANA, has advised, “[SAP users need to] learn to block and delete data, implement purpose-based processing, and determine who can access what information in your SAP system. Use the Information Retrieval Framework, SAP MDG, SAP Read Access Logging, and other tools to support your data privacy efforts. Get compliant before it’s too late.”
New Data Leaders Needed
One first step for many will be appointing a data protection officer. Smaller companies could consider forming a dedicated data protection team. Either way, the hard facts on GDPR will be tough to swallow for many. SAP has said that a thorough analysis may take months. For some companies with less-organized data and unmapped processes, the process could take years.
The time to start strategically planning and executing change for GDPR in North America is now. Once you’re on the road to comprehensive compliance, then and only then, can you pop open the Champagne, or in reality, the Californian sparkling wine.
Have more questions or concerns about GDPR? Join us for ASUG’s GDPR webcast week.