The increasing protections afforded to citizens by the newly enacted data protection laws from both Europe and the UK continue to cause headaches for SAP centric business. As companies continue on their journey towards compliance they discover pockets of problems within their SAP systems.
One such area is HR
HR data, is by its very nature Personal and Sensitive. It must be process with care under Article 6 and Article 9 of the General Data Protection act and UK Data Protection Act 2018. The laws mandate stricter safeguards for sensitive data, meaning that should the regulator have cause to audit a business, they will pay increased attention to HR data stores and processes using HR data.
The Information Commissioners Office recently published its regulatory priorities for the coming year. There is a general theme which pervades the document; that of the desire to increase the public trust in and transparency of businesses use of data. The ICO state that they will reserve their most severe penalties for breaches involving technology, where an individuals privacy is impacted and they will take into account the psychological harm that may be caused to the affected individual.
Of their 8 listed priorities numbers 1 and 8 are particularly pertinent for SAP systems and the HR data they contain:
1) Large scale data and cyber security breaches involving financial or sensitive information.
8) Right to be forgotten/erasure applications.
This statement on the part of the regulator highlights the need to effectively managing HR data. There are regulatory requirements to keep some pertinent data and there is a legal obligation under data protection law to keep only pertinent data and minimise un-needed records. Organisations that are unwilling or unable to effectively manage their legacy HR data are in a dangerous position should they receive a request for erasure and/or subject access request.
And this presents a problem for business. HR data stored within SAP systems is by its very nature comprehensive. It is stored within numerous disparate tables and utilised within a number of business processes, from Employee Self Service to Salary, to Business Partner. Managing the effective minimisation, blocking and storage of this data is difficult, even using the functionality of SAP’s own Information Lifecycle Management (ILM) software and the services of a skilled consultancy.
Black Light is a product developed by the Proceed Group which utilises the inbuilt SAP ILM objects to manage, archive and minimise HR data in a manner which is transparent to the organisation. Employee data is trimmed when the employee leaves the business with data which should not be retained e.g. performance reviews, being blocked and then removed from the system. Data which is required to be kept for legal reasons, is blocked archived and retained for the required legal time period before being deleted from the system. The transparency of operation and preconfigured nature of the product means that business can get up, running and move towards compliance within their SAP HR Systems quickly and efficiently, reducing risk and cost and increasing trust and transparency.
Black Light is one of a number of data protection products and services developed by the Proceed Group for use within SAP environments. For more information on Black Light click here or for more information on our data protection services click here.