With the May 25 deadline for compliance with the European Union’s General Data Privacy Protection Regulation (GDPR) rapidly approaching, interest in the topic is at a fever pitch. The only bigger news will come when the first company gets slapped with a big fine for failing to adequately protect personal privacy under the law.
Repeat violators could be fined as much as 4 percent of their annual turnover (net sales), a threat that has gotten everyone’s attention. And it’s not just EU companies that must worry: GDPR covers the privacy of any EU citizen, regardless of where a violation occurs.
Every software vendor and IT services provider needs to have an answer for how it addresses GDPR. We’ve published an advisory note on GDPR here. I also invite you to watch our on-demand webinar for more guidance on how to effectively manage the disruptions likely to be associated with GDPR compliance.
The catch is that no one can sell you GDPR compliance as a software bundle. Some software vendors who see GDPR as a sales opportunity are nevertheless marketing products and product upgrades against the deadline. But if you read their marketing copy carefully, you will find they promise to “help” you with the challenge of GDPR compliance, rather than solve the problem for you. Otherwise, they would be guilty of false advertising, and enterprise software vendors all employ lawyers who would never let them make that mistake.
Rimini Street wants to help, too. Part of our third-party support and maintenance for ERP systems is the development of tax and regulatory updates to substitute for those provided by the vendor. We do that even for software that the vendors themselves no longer support.
Unfortunately, GDPR compliance is not like compliance with more targeted regulatory changes, like the imposition of a new tax calculation formula by a specific state or country.
Instead, GDPR covers all the personal data you collect and manage in every system, on premises, remotely hosted, and in the cloud. Your ERP system certainly plays a big role in that — one study found that SAP records social security numbers and other tax identification numbers in more than 900 tables, while date of birth occurs in more than 80. Both are classified as sensitive personally-identifiable information. You have only to look at the identity theft phenomenon to understand why.
Will we help you secure your ERP system? Yes. But addressing this issue is not as simple as securing your database (as if that was simple) because any sizeable enterprise manages hundreds of systems that collect and store information that will be governed by GDPR.
Also, while ensuring the security of personal data is an important part of GDPR, the regulation is as much or more about business processes, as opposed to IT systems that implement those processes. In particular, every business needs to look critically at the processes it follows for collecting personal data in the first place. GDPR is meant to allow individuals to control their own data, as much as possible.
It’s essential to ask for permission up front, as clearly and unambiguously as possible, and to remove personal data from your systems on demand. Just identifying where all that data exists is keeping consultants and data discovery software firms very busy right now.
Updating your ERP or moving to a cloud ERP is not going to solve this problem for you. We see more direct impacts on e-commerce and marketing automation systems, with updates aimed at making sure online order forms and lead capture forms conform to GDPR’s expectations for informed consent to your data collection, storage, and sharing practices.
I wish I could say Rimini Street will solve all your GDPR problems with one bundle of services, wrapped up in a bow. What we can and will do is help you, however we are able to, as you assess your current systems and how well they support your GDPR initiative. We can support things the vendors do not, such as any custom code and custom tables you have added to your ERP app that may also be tracking sensitive, personal data.
Meanwhile, one of the main ways we have focused on the May 25 deadline is by setting our own house in order, ensuring that Rimini Street will comply with GDPR in the delivery of our services to clients. This is a challenge for all of us, but in the long run GDPR promises to be a major force promoting best practices in respecting individual control over personal information.