The uncertainty is great. The new General Data Protection Regulation (DSGVO) poses additional challenges for every company. You can find an overview of its contents here. As an SAP Business One partner, we naturally ask ourselves what needs to be considered with regard to the GDPR and ERP operation. So as not to grope in the dark, we have consulted attorney Wolfgang A. Schmid, a recognised expert on the subject.
Versino Blog: Is the operation of an ERP system affected by the GDPR at all?
Mr Schmid: The prerequisite is that personal data is processed. As soon as contact persons at customers are regularly processed (with name, telephone extension or personalised e-mail address), we are right in the middle of the EU GDPR's scope of application.
Versino Blog: Are there any requirements that an ERP manufacturer must observe with regard to the programming, design and/or provision of its ERP software?
Mr Schmid: The customer is the controller and addressee of the EU GDPR. He has to guarantee the security of the processing. He must ensure that the software used - whether on-premise behind the firewall or SaaS - demonstrably has data protection built in by design or at least offers settings options for it. Privacy by design and privacy by default can be a competitive advantage for the manufacturer if the customer can simplify their inspection obligations with the corresponding documents. In future, the definition of erasure concepts within the programming will massively differentiate "data protection-friendly" from "data protection-unfriendly" software.
Lawyer Wolfgang A. Schmid
Partner at SCHMID FRANK Rechtsanwälte PartG mbB, Augsburg, specialist lawyer for information technology law, has been training data protection officers since 2004 and advises them nationwide, external certified data protection officer in numerous companies, specialised lectures and speaker activities, e.g. since 2009 at the German Lawyers' Academy, VKU, TÜV Rheinland, etc.
Versino Blog: Are there any other obligations, such as information or documentation obligations, that an ERP manufacturer must comply with?
Versino Blog: What responsibility does an ERP partner have towards the customer with regard to the GDPR?
Mr Schmid: This depends very much on whether the customers' personal data is to be processed on their behalf (commissioned processing). If the manufacturer is a processor, it must document the procedures for each customer and comply with the obligations arising from a processing agreement. This includes information and documentation obligations.
Versino Blog: Does it make a difference whether an ERP partner only advises and trains or, for example, offers services such as hosting?
Mr Schmid: With hosting and access to personal data, the ERP partner presumably opens the door to commissioned processing and will have to accept the corresponding audit and documentation obligations as a processor. The formal effort is different. In terms of data protection law, hosting can also be secured easily. Up to now, the consultant has only had to sign confidentiality agreements.
Versino Blog: What happens when you get your ERP from the cloud? How are the responsibilities distributed there?
Mr Schmid: In terms of data protection law, the scope of Art. 28 EU GDPR may be relevant. The operator of the cloud, presumably the manufacturer, who can also access personal data, becomes a processor. The latter has the obligations that apply to him as a processor. What is new above all is the joint and several liability in addition to the actual controller.
Versino Blog: How should one deal with historically "grown systems" and the often huge amounts of data they contain?
Mr Schmid: If personal data is also affected, there is the major challenge of organising the EU GDPR requirement for storage limitation. This means an erasure concept. In the future, the manufacturers who offer solutions for this will win the race.
Versino Blog: What should be considered when setting up interfaces to other software and/or other business partners?
Mr Schmid: The manufacturer who can make a statement about how he guarantees transparency and security, conceptually or through settings, will be ahead in the future. The responsible body must document access by other departments or third parties in process descriptions. Here, the intelligent manufacturer must do the groundwork and provide FAQs or similar.
Versino Blog: What do I have to regulate organisationally in my company despite or because of an ERP system?
Mr Schmid: In essence, the company must provide the description of procedures in the register of processing activities, verification of the lawfulness of the data processing, as well as a risk assessment.
Versino Blog: If I operate an ERP system, do I also need a data protection officer? If so, who can that be (internal/external)?
Mr Schmid: Under the EU GDPR, and regardless of the application, this depends on whether an authority or public body processes the data, whether extensive regular and systematic monitoring of data subjects takes place, or whether, for example, health data is processed. Under the new BDSG 2018 (incidentally, no change from the old BDSG), a DPO is also required if at least 10 persons with a login and password regularly process personal data. There is always the option of appointing either an in-house DPO or an external DPO. What certainly speaks in favour of the external DPO is the fact that the in-house DPO becomes absolutely non-terminable.