ERP In The Cloud: A Key Deciding Factor For GDPR Compliance

Ido Shamgar

The General Data Protection Regulation (GDPR) is sending shockwaves that go beyond its jurisdictional boundaries. It’s no secret that EU-based businesses will be profoundly impacted. But there’s still uncertainty among companies everywhere else in the world.

Will business outside the European Union find themselves subject to the regulation’s mandates – even if they do not have EU customers of their own? In theory, yes.

Your ERP system: Insurance or obstacle for compliant data protection?

Even if you do not have customers in the European Union, chances are good that your customers do. Any hint of noncompliance anywhere in the value chain can impact your company in ways that outweigh any monetary penalty – as any business that has experienced a breach knows. Reputational damage; loss of partner, employee, and customer confidence and trust; and canceled contracts and orders – the costs of these highly visible social downfalls are many times larger than GDPR’s maximum fine.

Two of the most significant aspects of GDPR are the rights to consent and to be forgotten. Organizations must now obtain explicit permission from all impacted individuals before the first data point is captured and delete the information as soon as the contact first submits the request. While this principle of providing and withdrawing consent may seem basic, its implications are far-reaching when considering how most businesses handle data.

During the rise of on-premise ERP systems in the 1990s, many companies implemented multiple ERP suites, each one belonging to a different division, region, or functional area. This architecture was further complicated when mergers and acquisitions brought never-before-adopted ERP applications.

Information silos became pervasive, knowledge-sharing required error-prone manual replication, and deep governance over the data inventory rarely existed.

Why a cloud-based ERP suite is your best GDPR policy

If your business is still tied to the less-than-ideal landscape of an on-premise ERP application, 100% compliance with the GDPR may seem nearly impossible. However, thanks to increasing adoption of cloud technology and software-as-a-service platforms, you may be able to fast-track your efforts after all.

Adopting a next-generation cloud-based ERP suite can help ease data-protection compliance by enabling six critical capabilities:

1. Data lifecycle and purpose

Processing of personal data is required to have a predefined purpose that is transparent to the individual from which the information originated. A cloud-based ERP platform allows differentiation across all data models. By separating data-related scenarios based on purpose, you can capture, process, analyze, and share data in a way that reflects organizational structures and business processes. Plus, the ERP system can take into account other special or more-specific legislation, such as industry-specific mandates in different countries.

2. Authorization of use

After defining your organization in the system and the purpose of each process, you can specify a highly granular authorization concept to restrict access to data as appropriate.

3. Erasure of personal data

 Through a data-controller rule framework, you can configure simplified blocking and deletion. This capability safeguards personal data from unauthorized access, and schedules regular erasure runs to fulfill initial data owners’ request for the right to be forgotten.

4. Personal information report

 Under the GDPR, people have the right to obtain confirmation that their personal data is processed and used based on instructions of consent. A simplified report automates this process, displaying all information stored about a specific individual without the intervention of IT or other lines of business. 

5. Read access logging

 Read access logging (RAL) helps monitor and log read access for inherently sensitive data. RAL is useful for customers who want to know who accessed their data within a specified time frame. Data covered by this feature include those under the legally defined “special categories” of personal data, as well as bank account information and credit card credentials.

6. Change log

Depending on the operational scenario, personal data in an IT system may be subject to frequent updates. Consequently, revisions may be necessary for legal purposes to track and reconstruct changes that have been made to the data. By logging every change, you can verify which user made which change, as well as when and where it was completed.

Seizing an opportunity to run better and do better

We’re all tired of data breaches. Consumers are always ready to go elsewhere if they no longer have a reason to believe their information is protected, and businesses are constantly on alert for the next hack that could threaten their existence.

Although the process of complying with GDPR seems onerous, nothing could be worse than having your data and IT systems used for malicious purposes. Rethinking existing approaches to protecting data, technology, and connectivity can set the foundation with a secure cloud-based ERP environment that can be trusted by not only executives and employees, but also partners and customers.

To learn how you can benefit today from a GDPR-enabled intelligent ERP, please download this document.

Follow SAP Finance online: @SAPFinance (Twitter) | LinkedIn | Facebook | YouTube

Ido Shamgar

About Ido Shamgar

Ido Shamgar is SAP’s global lead of Product Marketing for SAP S/4HANA, focusing on the Finance Line of Business. In his role, Ido develops compelling marketing programs, messaging, and content on the next-generation intelligent ERP. He is a seasoned business executive who works with companies around the world to market, sell, and deliver innovative technologies for pressing business needs.