It’s unlikely you’ve not heard of the phrase ‘GDPR’ given the amount of news time and ‘junk’ mail that the subject has attracted, but just in case, GDPR (General Data Protection Regulation) is officially Europe’s strongest data protection rule that came into force as of the 25th of May 2018. It has totally overhauled the personal information laws that were previously loosely controlled and modernised them for the digital age.
Under GDPR every person within the EU has various different rights which, in summary allow an individual to know how their personal data is being used by the organisations that hold that data (more details can be found at the Information Commissioners Office here). In addition, an individual can request for that data to be erased where the processing of the data is no longer necessary for the purpose in which it was originally gathered. All such requests for information must be handled in a reasonable timeframe and certainly no later than one month. If the organisation fails to comply with these GDPR laws they could be subject to fines of up to €20M or 4% of annual turnover (see article 83 of the GDPR).
As you can imagine, this is a hot topic and your organisation will no doubt have created the key roles to abide by this new legislation. Indeed, as far as SAP run organisations are concerned we can well imagine that a Data Controller and their team has considered the majority of business focussed back-end systems such as SAP ECC, S/4HANA, etc…, but what about other systems such as SAP Solution Manager? This is unlikely to be at the forefront of the Data Controllers mindset when considering how personal information is stored and used across their organisation.
What does this mean for Solution Manager systems?
It may not be commonly known, but SAP Solution Manager has a host of functionality which stores information that can be related back to a specific individual, for example, consider simple items such as Business Partner records which contain a name, address, email, etc… Thankfully, this has not escaped SAP’s attention and changes have been incorporated into the latest support pack to ensure your Solution Manager system is now GDPR compliant!
With the latest release of SP08, SAP has enhanced the functionality to give more control to system administrators in how they manage personal data within their Solution Manager system, below we discuss a few of the most important ones and how this supports some of the key GDPR rights.
The “right to be forgotten”, which enables employees to request the removal of links to irrelevant or outdated data related to them.
There are several functions where a person and their identifying data is stored and used in SAP Solution Manager, but let’s consider one of the most obvious in ITSM. ITSM (IT Service Management) is SAP’s service desk (or ticketing) functionality; used to record Incidents, Problems and their resolutions. Typical information that would be recorded in ITSM includes a user’s name and email address, both of which would be associated with an ITSM record to support communication and an audit trail of who did what. To help support the ‘right to be forgotten’ the ITSM configuration now allows you to define when ‘old’ Incidents get deleted from the system. This is a handy enhancement, meaning that residency times and the subsequent deletion of data will be thought about during the build phase and make that tedious task of going through and deleting old, redundant data a thing of the past.
Another enhancement SAP have created is a suite of utility reports that provide administrators with the ability to clean up old data which is associated with deleted users. For example, if you needed to remove a deleted user’s data from Test Suite or Solution Documentation this report will automatically identify impacted records and clean-up this data for you. At the moment the current reports available are related to deletion of user data, Business Process Change Analysis, Landscape Management, SAP Engagement and Service Delivery, along with Solution Documentation and Test Suite (as previously mentioned). We expect the amount of reports to continue to grow in future support packs.
With the introduction of GDPR, individuals now have the right to be informed about the collection and use of their personal data i.e. where this data is held/used in your IT systems.
One of the most impressive features SAP has enhanced in SP08 is the Personal Data Retrieval report. This executes an analysis across all scenarios within SAP Solution Manager (e.g. Process Management, ChaRM, Test Suite, Technical Monitoring, etc) to identify where personal data is being used. As an example, this is ideal for two purposes (i) allows you to identify the type of data that you are still holding about a specific individual, and, (ii) helping you to ensure an ex-employees data is completely removed from the system. The report carries out a comprehensive analysis and produces a high level view of any data that remains in the system associated with that user. This should go some way to satisfying any such request for information you may receive from a user relating to the SAP Solution Manager system.
To complement the above functions, SAP has also created associated authorisation objects for these reports and utilities to protect personal data being deleted by accident. There are plenty more data management tools available in Solution Manager, too many to go into under the scope of this article, however, if you would like a discussion to understand more about these functions please click here.
Want to know more about GDPR and Solution Manager?
As you can see by the reports and configuration settings we have mentioned above (which is a subset of the overall new functionality aligned with GDPR) SAP have made great strides to give companies the best chance possible to stay GDPR compliant. We expect this is just the start of developments in this area and it will only improve as both customer organisations and SAP continue to understand the full implications of GDPR legislation.
What about other systems?
SAP has made great strides in helping us manage sensitive data in our SAP Solution Manager systems, but what have they done for the rest of our SAP systems? The answer lies in a toolset known as SAP ILM (Information Lifecycle Management). This is SAP’s solution to data management in SAP systems. SAP ILM isn’t included in Solution Manager, but is SAP’s all in one data management tool, feel free to contact us for more information.
Remember that most of the GDPR features mentioned above are exclusive to the latest support pack release SP08. This, coupled in with the impending SAP Backbone changes, mean now is the time to upgrade if you haven’t already done so! If you need help with your upgrade, patching exercise, or simply want to know more about how you can use all the ALM tools at your disposal, don’t hesitate to get in contact.