If you are involved with data management or data governance, I am guessing you have read, or at least heard about the new European Union General Data Protection Regulations (GDPR). GDPR comes into force in May, 2018.
It’s aim is to protect EU citizens by giving them more control over their Personal Data.
As the summary on the EU site states:
“The GDPR strengthens existing rights, provides for new rights and gives citizens more control over their personal data. These include:
- easier access to their data — including providing more information on how that data is processed and ensuring that that information is available in a clear and understandable way;
- a new right to data portability — making it easier to transmit personal data between service providers;
- a clearer right to erasure (‘right to be forgotten’) — when an individual no longer wants their data processed and there is no legitimate reason to keep it, the data will be deleted;
- right to know when their personal data has been hacked — companies and organisations will have to inform individuals promptly of serious data breaches. They will also have to notify the relevant data protection supervisory authority.”
The rules also extend the scope of the data which is covered: “..‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
Chapter IV, Article 24 states that the “controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” This means knowing where the Personal Data is and what is being done with it.
In contrast to previous legislation, these new rules apply to any company that stores and processes EU citizen data regardless of where the processing or data storage takes place.
In addition and very importantly, the potential penalties for non compliance or not reporting a data breach are significantly higher than under the previous rules.
So what has all this to do with CRM and ERP systems? Well if your organisation collects, stores or does anything else with data of a personal nature, for example relating to your customers, then it is important that you are able to meet these requirements. Also many organisations use CRM and ERP packages as their systems of record and therefore the individual’s Personal Data is there.
Do you know what data your Customer Relationship Management (CRM) or Enterprise Resource Planning (ERP) systems have about your customers? If so can you explain why you store it and what you do with it? Will you need to erase some of it?
Of course it is likely that you will not solely be storing Personal Data in systems of this type. It will often be found in web applications such as online stores, home-grown systems, spreadsheets and many many more. Usually finding Personal Data here is not a huge challenge and there are some tools available to help.
If you do store Personal Data in your CRM and ERP systems and they are in the form of packages from SAP, Salesforce, Oracle or Microsoft and you cannot already begin to answer the questions above quickly, easily and confidently then yes, it might be time to become a little anxious.
The reason is that even before they have been customised to meet your specific requirements, these systems are very large, very complex, with very opaque data models. Add in a layer of customisation to the data model by adding or changing tables, fields etc. and you are compounding an already difficult challenge.
This means for example that finding where you are storing Social Security numbers or other pieces of key Personal Data amongst say the 90,000+ tables in an SAP system is not a trivial task. Using normal methods it will often take days or weeks to locate the subset of tables which are relevant for each data item. Even then you may have a quite justifiable concern that not everything has been found or that the information you have located is not accurate.
Of course, in order to locate Personal Data in any system it is commonly important to be able to identify the relevant metadata which relates to it. It might, in certain instances, be possible to profile data to get a sense of what is being stored. However in the case of many business focused systems that will not be possible unless one knows their data structures intimately and so a clear understanding of the data model, or metadata, which underpins them is critical.
If you can access and understand it your application metadata will be the best and most accurate way to identify the appropriate Personal Data and how it is used.
In this context it is your friend and ally – as long as you can quickly and easily find and use it.
In many systems it will be a simple matter. There may be some up to date documentation, for example, or its database schema can be reverse engineered quickly with a modeling tool.
Making a friend of metadata in large packages from SAP, Oracle, Salesforce or Microsoft is more of a challenge. They are a bit prickly and present a variety of hurdles to a long lasting and fruitful relationship.
For example for most of them, their System Catalogues contain no business names or descriptions for tables and fields, and no information to tell you the relationships between tables. Trying to put together a model of Personal Data in this way would be difficult and would probably not meet the requirements without the associated business descriptions.
Another consideration is that these vendors do not provide a usable reference data model or metadata glossary and if they did, it would not be accurate because in almost all implementations of their packages, significant customizations have been made.
Even more complexity can be added if you have more than one implementation of a system and their underlying data models are different.
To make friends with your packaged application’s valuable, but hidden metadata and get the most out of it, your best bet is to find something which understands it. Such a tool would know where it is, how to access and harvest it and then how to be able to present it in such a way as to allow you to search, analyze, filter and identify the those data objects relevant for Personal Data and GDPR.
This is what our product Safyr® does. It makes it possible for you to find Personal Data data in large, complex and customized packages from SAP, Oracle, Salesforce, Microsoft and others, quickly and easily.