Claudia Traving

Claudia is a Program Manager for OpenText Enterprise Content Management for SAP, with an additional focus on Public Sector, Enterprise Asset Management and IT Excellence. She is based in Germany and has worked in the SAP Solution Group at OpenText for 25 years, bringing over twenty years of experience in SAP-related solutions and business scenarios.

General Data Protection Regulation (GDPR) – How can Customers use OpenText and SAP for Timely Deletion


In part 1 of this blog, we discussed what the General Data Protection Regulation (GDPR) means for enterprises and how data and content that is generated and stored in the course of day-to-day business processes in SAP is subject to this regulation. Our example was the incoming vendor invoice on paper, which is scanned, attached to the SAP transaction via ArchiveLink and then securely stored on the OpenText™ Archive Center. This paper invoice may contain a contact name of the supplier, a phone number, an email address: all data that, when combined, could identify an individual, such as an employee of the supplier. This personal data is protected by GDPR.

Let’s recap: Collecting and processing data is legitimate as long as it serves a justified purpose, as defined by GDPR, “if data processing is needed for a contract, for example, for billing, a job application or a loan request; or if processing is required by a legal obligation …” Justified purposes for storing and retaining personal data include laws that govern retention of content, such as tax relevant data and documents, where retaining the scanned vendor invoice or a customer bill is not only justified but an obligation.

BUT: When the legitimate reason for the processing has expired, the transactional data and the attached ArchiveLink document need to be deleted. In our example above, the scanned vendor invoice needs to be retained as long as taxation laws require, but be deleted just after this retention period, which is 10 years in Germany, for example. This means that enterprises are advised to set up retention rules to govern the necessary retention AND put processes in place that will delete data and attached content in a timely fashion, when it is no longer needed, or when the justified purpose for retention has expired.
Retention Management for SAP® Data and Related Content

Neither OpenText nor SAP can provide legal advice or guidance in this matter, but they do offer software capabilities that help customers set up policies and procedures for retention and deletion of transactional data and attached content. The products that play together here are SAP® Information Lifecycle Management (SAP ILM) and OpenText™ Enterprise Content Management solutions for SAP: OpenText™ Archiving, Document Access and Extended ECM for SAP Solutions (see OpenText Suite for SAP).

SAP ILM provides records management for SAP data and can also be configured to apply the same retention schedule to the attached SAP ArchiveLink documents. However, SAP ILM itself does not provide the storage for data and documents but relies on ILM aware platforms for this purpose. OpenText Archiving, Document Access and Extended ECM provide the compliant ILM aware platform for ILM data files and ArchiveLink documents. These solutions store the content, enforce the retention and holds from ILM and pass them up to the hardware level, and, at the end of the lifecycle, execute the deletion request coming from SAP ILM. SAP ILM acts here as the leading application for the retention management of SAP data and attached ArchiveLink documents. So far so good, if you only look at SAP data and attached ArchiveLink documents.

Enterprise Wide Records Management

However, personal information in business documents does not stop at the boundaries of the SAP applications. You will also have content outside SAP, which you want to retain and manage, put under records management and execute timely deletion when the reason for retention has expired. This is where Extended ECM for SAP Solutions comes into play. Extended ECM provides DoD certified records management for SAP ArchiveLink documents as well as NON-SAP content, which can be related to SAP business objects via the ECMLink module.
A customer that wants to benefit from the DoD certified records management for documents can use Extended ECM for all unstructured content inside and outside SAP, whereas SAP ILM provides the records management for SAP data. If SAP ILM is to delete data which relates to Extended ECM content that has not yet expired, both solutions can synchronize, so that business documents in Extended ECM will not be orphaned by SAP ILM. At the same time, Extended ECM represents the ILM aware storage platform for SAP data and documents. So SAP ILM together with Extended ECM for SAP Solutions can manage the retention of data and unstructured content inside and outside SAP.

Where to Find More Information

Learn more about OpenText’s capabilities to support GDPR requirements by reading our other blogs here and here. You can also visit our main web site and learn how OpenText EIM offers capabilities that support customers to prepare for GDPR.


General Data Protection Regulation (GDPR) – What is it and how Does it Impact Enterprise Information Management


In May 2016, a new EU Regulation and Directive was released to govern the protection of personal data, the General Data Protection Regulation (GDPR). It will enter into force after a two year grace period in May 2018. That leaves just a little more than one year to go, and enterprises need to get active to evaluate what it means for them and how they need to prepare. As stated on the European Commission website: “The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business.”

Data protection laws are nothing new in the European Union. However, the new GDPR rules present some significant impacts and changes to current data privacy regulations. For one, what used to be a directive is now a regulation with full force of the law, valid across all EU countries. And despite BREXIT, the UK government has confirmed that the UK will implement GDPR (read the UK Information Commissioner’s blog on this topic).

The other important aspect is that GDPR now imposes substantial fines upon individuals and enterprises that do not adhere to the law. Minor breaches will be fined up to 10 Million EURO, or up to 2% of the total worldwide annual turnover of the preceding financial year for a business, whichever is higher. Major breaches will be fined up to 20 Million EURO, or up to 4% of the total worldwide annual turnover of the preceding financial year for a business, whichever is higher. And it should be re-emphasized that the turnover is not just the turnover of the EU located part of the enterprise, but the worldwide turnover of the enterprise.

Protecting Personal Data of EU Citizens – What does that mean?

As GDPR protects the personal data of the citizens of the European Union, it imposes duties upon enterprises that collect and manage personal data. These entities are called “Data Processors”.
Data processing entities located in the EU are subject to GDPR, but so are companies outside the EU that process personal data of EU citizens. So the regulation also applies to non-EU enterprises: EU GDPR requires compliance outside of the EU as well (EU GDPR applies for non-EU companies with contact points to the EU).

Collecting and processing data is legitimate as long as it serves a justified purpose, as defined by GDPR, for example “if data processing is needed for a contract, for example, for billing, a job application or a loan request; or if processing is required by a legal obligation …” Such justified purposes for storing and retaining personal data are, for example, laws that govern retention of content, such as tax relevant data and documents, where retaining the scanned vendor invoice or a customer bill is not only justified but an obligation.

What is the relevance of GDPR for Day-to-Day Business Processes?

Personal data relating to business partners, such as customers and suppliers, is processed and stored during the course of day-to-day business processes, in the procure-to-pay process as well as the order-to-cash process. To give some concrete examples, let’s now take a look at an enterprise that uses SAP ERP to manage its processes and OpenText to attach business documents to these processes. It is of course not just about the data created and stored in the SAP database of the leading enterprise application (ERP, CRM, …), it is also about the business documents that are captured during this process. Take, for example, an incoming vendor invoice on paper, which is scanned, attached to the transaction via ArchiveLink and then securely stored on the OpenText™ Archive Center. Or, in the example of an order-to-cash process, it is an incoming sales order and delivery note to a client, which are linked to the SAP order and stored in OpenText.
In May 2018, GDPR will start to apply following a two-year transition period to allow the public and private sector to get ready for the new rules. So how should enterprises prepare and get ready for GDPR? With regard to storing personal data for a justified purpose, enterprises need to set up policies and procedures – not only to retain content as long as they are obliged to by laws such as taxation or product liability laws, but also to delete content in a timely fashion when it is no longer needed or when the justified purpose for retention has expired.

Learn more about OpenText’s capabilities to support GDPR requirements in the SAP environment in a forthcoming blog post, and also by reading our other blog entries here and here. You can also visit our web site and learn how OpenText EIM offers capabilities that can support customers to prepare for GDPR.

Register for the Webinar by OpenText and Digital Clarity Group on GDPR

You can register for the webinar “New EU Data Policies Will Transform Business Practices Across the Organization: Get Ready for the GDPR”, which is being held on March 1st. In this interactive format, Digital Clarity Group’s Tim Walters and OpenText’s Janet de Guzman discuss key questions that frame the conversations that you should be having, including:

- New insight into GDPR provisions and customer expectations about use of their data
- How organizations can seize opportunities to achieve competitive advantage under the GDPR
- Tools for starting critical discussions with partners and internal stakeholders
