When the European Union (EU) adopted a new data protection law back in May of 2016, it didn’t exactly introduce any substantially new concepts. Data protection has always been a top priority in the EU for organizations that store or process personal data. What the General Data Protection Regulation (GDPR) did do was put firm deadlines and penalties in place to ensure that any use or storage of personal data (whether active or passive) is protected. Personal data covers things like name, phone, email address and IP address, and also extends to more sensitive data like genetic data, health records, etc.
As the May 25, 2018 deadline approaches, organizations are looking to outside agencies, data protection experts and legal counsels to determine what needs to be done. Penalties for non-compliance can range from 2% annual revenue (or €10 million) to 4% annual revenue (or €20 million) depending on the severity of the violation, which are large enough to gain the attention of almost any organization.
Under GDPR, individuals are granted the right to see that their data is being processed lawfully, and companies must demonstrate that accountability on an ongoing basis. GDPR compliance requires organizations to manage all elements of the data lifecycle, including a long-term data governance strategy and deletion of personal data at the end of purpose (EoP). This means that if there is no longer a legitimate purpose that requires the use of personal data, it must be deleted. When deleting data, all objects related to that data set must be deleted as well.
For personal data processed in the SAP Master Data Governance (MDG) solution, you can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. But because Utopia’s software solutions for SAP MDG leverage the standard SAP framework, which may process customer or vendor data, we also needed to ensure that the underlying standard features for data protection apply to our products. This means that the sensitive data used in MDG Change Requests, a core functionality in our SAP MDG extensions, can only be accessed by users with the required authorization, and that access to personal data is controlled based on auditor/non-auditor roles to provide better data protection. You can also configure MDG classes to scan the open Change Requests for usage of a Customer or Vendor while running the report that blocks customer/vendor master data.
Typically, GDPR compliance involves significant effort and cost for your organization, not just for the implementation but also for the resources needed to sustain it over the years. As you prepare for GDPR, the challenges of becoming truly compliant can be daunting, but we encourage you to embrace the opportunity it creates to build a new framework for data processes and improve the long-term governance of your data assets.