SAP data compliance, did you get it right?

Thursday, November 23rd, 2023

Proceed team

In an episode of the Proceed podcast, we had the pleasure of sitting down with Proceed’s data compliance expert, Chris Burfitt, to discuss SAP data compliance. Together, we explore what it really means to be compliant, how to handle different kinds of data through its lifecycle, and the essential tools available. You can enjoy the entire episode by watching the video above or review the key highlights below.

What is data compliance?

Compliance, when it comes to data, is defined as a set of rules that define how we handle, secure, and discard data in order to protect it. GDPR for personal data, industry regulations, and internal organisational rules are a few examples.

What does ‘being compliant’ entail?

Being compliant means safeguarding data. Initially, it’s about ensuring specific individuals have controlled access to the data, as over time, reducing access becomes crucial to prevent misuse. There is also a time-sensitive aspect where, at a certain point, data removal is necessary for legal compliance and organisational efficiency.

Ultimately, compliance is a balance between legal requirements and optimising data usage.

Why should businesses prioritise compliance?

Non-compliance can lead to license revocation, which has as severe financial consequences as any fine. This is alongside the reputational damage, eroding trust for both commercial and government entities.

Potential blockers and challenges

The primary barrier is often a lack of understanding. Organisations usually struggle with the actual application, despite having a clear set of rules.

Ultimately, the key is understanding the rules and knowing where data resides.

Compliance within the SAP environment

Compliance in SAP goes beyond deleting data – it’s about controlling access, and ensuring only authorised users can extract and manipulate data. Protecting data is as crucial as removing it.

Ultimately, compliance is a balance between legal requirements and optimising data usage.

Christopher Burfitt, GDPR & Data Compliance Expert

SAP’s product expansion

Expanding into Cloud products, SAP introduces a range of individual tools and mechanisms to manage data effectively. In this discussion, the focus lies on what many consider traditional SAP systems, such as ECC and CRM, existing on the SA Business Suite platform. It’s crucial not to overlook other SAP products like SuccessFactors, Concur, or Ariba, each demanding its own compliance solutions.

The lifecycle of data

The temperature of the data determines where the data is in its lifecycle.

Hot data is actively used for daily business operations, heavily queried and indispensable. As transactions conclude, the data cools into a phase where it’s not accessed as frequently but remains crucial for reporting – this is known as warm data. Eventually, data temperature decreases further, reaching a point where, according to business rules or regulations, it’s no longer needed – commonly known as cold data.

Compliance involves understanding when to retain data for legal or business purposes and when to discard it, which aligns with GDPR’s notion of “end of purpose,” emphasising the significance of removing data when its intended purpose concludes.

Approaching different types of data for compliance

Compliance rules vary based on the nature of the data:

For employee data, the primary requirement often involves data removal. Access control is typically well-established in SAP HR Systems, with known and approved individuals having access. The approach here is a data purge or destruction method.

Dealing with customers, vendors, and business partners is different. Data removal is complex, requiring the closure of all associated business transactions. Given the difficulty, the focus shifts to blocking data. After completing transactions, data access is limited by introducing special indicators. This means only authorised individuals can access and view blocked data, ensuring a controlled approach.

Essential considerations to avoid common pitfalls

Ensuring effective compliance requires engaging key stakeholders such as IT, business, and legal representatives, shaping a pivotal understanding and strategy. It’s crucial to comprehend data usage across diverse environments, including testing and training systems. SAP emphasises controlling data beyond its system and guiding users in responsible data handling.

Essential tools for data compliance

Tools like data masking, blocking, archiving, and redacting play vital roles in compliance. They protect data, control access, and help in flagging when data is due for destruction.

The accessibility and challenges of SAP standard tools

SAP standard tools are accessible, but their implementation can be challenging. Experience is key, and engaging the specialists is advised, particularly within more complex scenarios.

Share this page