Since 25 May 2018, the General Data Protection Regulation, short GDPRThe GDPR is in force in all countries of the European Union and the European Economic Area and must be observed by all companies. Although the GDPR, as an EU regulation, is in principle directly applicable in every EU member state, it contains numerous opening clauses that give national legislators certain leeway. The General Data Protection Regulation thus offers individuals control and protection of their personal data. Personal data is any data that identifies or can be used to identify an individual natural person.
This is because, in general, no personal data may be stored without purpose and explicit consent. Overall, it can be said that the requirements for the lawful processing and handling of personal data are increasing in the following areas:
- Providing reports or functions to inform individuals about their stored personal data.
- Deletion of personal data, so-called "right to be forgotten
- Recording in the event of changes to personal data
- Recording on read access to sensitive personal data
Activation of the GDPR tools in SAP Business One
In order to be able to use the data protection functions provided by SAP Business One, on the one hand, one must have the general authorisation to use the data protection tools and, on the other hand, activate the management of the protection of personal data. However, in the standard SAP Business One, the GDPR is already activated for all EU countries. Deactivation, on the other hand, is only possible before a natural person has been designated or a deletion or blocking of personal data has been carried out.
After activating the protection of personal data, the following functions are available:
- Personal data management
- Personal Data Management Assistant
- Access log for sensitive personal data
Definition of personal data
After the activation of the GDPR module has been completed, one can turn to the detailed definition of the data that are considered personal.
Managing personal data with SAP Business One data protection tools starts with data categorisation. Data that is classified as personal or sensitive is included in other personal data processes. Thus, one must properly classify different types of data in order to effectively use the personal data protection features. However, not all data can be classified as personal data.
Personal or sensitive data
Only data displayed in the Personal Data Management window can be classified as personal data. In SAP Business One, data can be classified as personal, non-personal or, in special cases, sensitive personal. Examples of fields that can be classified as sensitive personal data are bank accounts, passport numbers and user-defined fields (UDF) if they are linked to personal data objects.
Fields classified as sensitive, personal data are automatically encrypted by SAP Business One and access is restricted and logged via permissions. By changing the classification from sensitive to personal or non-personal data, the encryption and access restrictions can be removed.
Personal Data Management Assistant
The next step in the SAP Business One Personal Data Management Wizard is to provide six different options for managing personal data
- Identify natural persons
- Reverse the identification of natural persons
- Personal data report
- Personal data cleansing
- Blocking personal data
- Unblocking personal data
However, one cannot manage all personal data from the Data Protection Wizard in SAP Business One. Instead, the following objects, for example, need to have their personal data managed and removed manually:
- Time sheets whose type is set to Other
- Target groups included in campaigns
- Remarks in the master data of the business partners
- Content in activities
Natural persons in SAP Business One
Natural persons can be determined and identified in terms of data protection in SAP Business One via the wizard. You can use a wizard function to determine which data is to be classified as natural persons and which is not. Data that can be used to identify a natural person is described as personal. Once the "natural persons" have been identified, the corresponding personal data can be managed and other functions of the wizard can be performed. However, you can undo the identification or classification of a natural person using the Undo identification of natural person option.
Personal data report
The personal data report provides a retrieval function to inform data subjects about the personal data held about them. As a rule, natural persons have the right to request a report on all stored information about themselves. To generate a report on personal data, the programme stores it in a temporary folder on your computer. After the generation is complete, SAP Business One automatically deletes the report, including the corresponding notification.
Personal data cleansing
According to various country-specific regulations, personal data may only be stored for specific purposes or processes. Furthermore, as soon as the purpose is no longer given or the process is completed, the deletion of personal data should be carried out. Furthermore, natural persons can also request the deletion of their personal data. With the help of the wizard, personal data can be purged or deleted from SAP Business One.
Blocking personal data
If you are obliged to retain personal data according to a retention period, you can block access to the data. Once personal data is locked, the data remains in the system, but can only be accessed by unlocking it. By locking personal data of selected natural persons, SAP Business One encrypts the database entries. The application also anonymises the corresponding data on the user interface. Personal data can only be unlocked again via a wizard. By unlocking the personal data, SAP Business One decrypts the database entries and makes the data available again on the user interface.
Data protection protocols in SAP Business One
The Sensitive Personal Data Access Log provides an overview of who has accessed sensitive personal data in SAP Business One. The access log provides a detailed view of access to personal data. Access to sensitive data via the DI API or the payment wizard records the access log. When using sensitive data in the course of a query or when exporting a table, the sensitive data is encrypted and therefore no access is logged.