Silwood Technology has launched five GDPR Starter Packs for major application packages, including SAP, JD Edwards, Microsoft Dynamics 2012, Oracle E-Business Suite and Siebel.
Working out which tables store personal data that needs to be reviewed for GDPR is a challenge in any environment, but particularly so where the system is one or more of the major application packages. The following example describes how to use the tool Safyr® to ‘scope’ the potential tables that store ‘relevant’ personal data in an SAP system. In this case we are looking for tables which store ‘Date of Birth’ information. However, the process would work for any data which comes under the general definition of Personal Data (Article 4 – Definitions, Section 1 of the Regulation defines the scope of data covered).
Of course, many SAP systems have been customised, so rather than relying on a reference model, Safyr extracts metadata from the application as implemented, including customisations, which is what makes it effective and useful here.
Worked example: finding personal data in SAP
The screenshot below shows a list of tables from a typical SAP system which has been extracted into Safyr, in this case just short of 100,000 tables, which is around the number in most such systems.
We can do a search across all these tables to find any that contain a field whose ‘business name’ (the field description) contains the string ‘Date of Birth’.
This reduces the list of nearly 100,000 tables to just 84. So there are 84 tables with at least one field whose description contains ‘date of birth’.
On the right of the list is a Row Count which gives the number of records in each table. Quite a few have zero – and this is not unusual in an SAP system, as SAP delivers a full set of features and tables that may or may not actually be used by a given customer.
The query on ‘date of birth’ can be refined to filter out any of the tables with no data and this gives just 10 tables (this may be very different in another SAP system, depending on what features and modules of SAP the customer uses).
Having found a set of tables that contain likely Personal Data attributes, the results can be recorded using what Safyr calls a Subject Area. This is like a folder where we can group tables, and can be refined further by identifying individual fields.
It’s easy to select the tables and add them to a Subject Area – and there is an option to ‘mark’ those fields that meet the selection criteria used (in this case ‘date of birth’ fields).
So the result is a group of tables that contain a field with the string ‘date of birth’ in its ‘business’ name, and that actually contain data.
The ‘Marked Fields’ column shows how many fields on each table meet the search criteria. In the example above, table PA0002 has 3 such fields. The table details can be displayed to show the individual fields.
Two of the 3 fields are visible in this example. We could do this same process for other Personal Data fields until we had assembled a set of GDPR Subject Areas that represent all the Personal Data categories that need to be assessed.
Safyr then has features for merging these Subject Areas to create a consolidated list of Personal Data items. This brings together the Personal Data fields for each of the categories (Birth, Address, Credit Card Number, …) into one integrated set.
Here is the same table – the HR Master Record shown above – with the merged fields from these categories.
Having identified and marked the Personal Data fields using the method described above, a next step might be to make the attributes for these fields easily available to a wider audience.
Safyr has a number of formats that can be exported, one of the most popular for GDPR being Excel. It’s easy to select exactly what properties to include in the spreadsheet.
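The workflow above is essentially a search over the data dictionary rather than over the data itself: match field descriptions, drop tables that hold no rows, group the hits into Subject Areas with their matching fields marked, merge the areas, and export the result. The following script is an added example that reproduces those steps in plain Python; it is not Safyr’s code and not from Silwood. The catalogue it runs over is constructed for illustration (the table name PA0002 comes from the page; every field name and row count is hypothetical), and CSV stands in for the Excel export.

```python
# Added example (not Safyr's code): a metadata-driven search for personal-data
# fields, following the steps described on this page. The catalogue below is
# constructed for illustration; apart from PA0002, which the page mentions,
# all table names, field names and row counts are hypothetical.
from dataclasses import dataclass
import csv
import io


@dataclass(frozen=True)
class FieldMeta:
    name: str
    business_name: str  # the field description, which the search runs over


@dataclass(frozen=True)
class TableMeta:
    name: str
    description: str
    row_count: int
    fields: tuple


# Constructed catalogue standing in for the extracted SAP data dictionary.
CATALOG = (
    TableMeta("PA0002", "HR Master Record: Personal Data", 1520, (
        FieldMeta("BIRTH_DT", "Date of Birth"),
        FieldMeta("PASS_BIRTH_DT", "Date of Birth per Passport"),
        FieldMeta("LAST_NAME", "Last Name"),
    )),
    TableMeta("ZCUST_OLD", "Legacy customer extract", 0, (   # delivered but unused
        FieldMeta("BIRTH_DATE", "Date of birth"),
        FieldMeta("CC_NUM", "Credit Card Number"),
    )),
    TableMeta("ZBOOKING", "Travel bookings", 88, (
        FieldMeta("PAX_BIRTH", "Passenger date of birth"),
        FieldMeta("ADDR1", "Address line 1"),
    )),
    TableMeta("T001", "Company Codes", 12, (
        FieldMeta("BUKRS", "Company Code"),
    )),
)


def search_fields(catalog, term, skip_empty_tables=False):
    """Steps 1-2: find tables with a field whose business name contains `term`
    (case-insensitive), optionally dropping tables with a zero row count.
    Returns {table_name: [matching field names]}."""
    needle = term.lower()
    hits = {}
    for table in catalog:
        if skip_empty_tables and table.row_count == 0:
            continue
        matched = [f.name for f in table.fields if needle in f.business_name.lower()]
        if matched:
            hits[table.name] = matched
    return hits


def build_subject_area(catalog, category, term):
    """Step 3: a Subject Area groups the hit tables for one personal-data
    category and 'marks' the fields that met the search criteria."""
    return {"category": category,
            "marked": search_fields(catalog, term, skip_empty_tables=True)}


def merge_subject_areas(areas):
    """Step 4: consolidate several Subject Areas into one
    {table: {field: {categories}}} map, so a field hit by more than one
    category keeps all of its labels."""
    merged = {}
    for area in areas:
        for table, fields in area["marked"].items():
            for fname in fields:
                merged.setdefault(table, {}).setdefault(fname, set()).add(area["category"])
    return merged


def export_csv(merged, catalog):
    """Step 5: export chosen properties of the merged result; CSV stands in for Excel."""
    by_name = {t.name: t for t in catalog}
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["table", "table_description", "row_count",
                     "field", "business_name", "categories"])
    for table in sorted(merged):
        meta = by_name[table]
        descriptions = {f.name: f.business_name for f in meta.fields}
        for fname in sorted(merged[table]):
            writer.writerow([table, meta.description, meta.row_count, fname,
                             descriptions[fname], ";".join(sorted(merged[table][fname]))])
    return buf.getvalue()


if __name__ == "__main__":
    total = len(search_fields(CATALOG, "date of birth"))
    populated = len(search_fields(CATALOG, "date of birth", skip_empty_tables=True))
    print(f"{total} tables mention 'date of birth'; {populated} of them hold data")
    areas = [build_subject_area(CATALOG, "Birth", "date of birth"),
             build_subject_area(CATALOG, "Address", "address"),
             build_subject_area(CATALOG, "Credit Card", "credit card")]
    print(export_csv(merge_subject_areas(areas), CATALOG))
```

Note the effect of the row-count filter on the constructed data: the legacy table’s credit-card field disappears from the merged result because the table is empty. That mirrors the caveat in the text that a delivered-but-unused table is not a finding today, but it is also why the scan needs to be repeated, since such a table can start receiving data later.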
Conclusion
Identifying candidate Personal Data attributes is but one step of any GDPR strategy. In the case of large application packages like SAP it can be a very challenging first step.
And a final thought. Unlike Y2K, GDPR is not a one-time job. There is a responsibility on each organisation to monitor its storage of personal data on an ongoing basis.