Jelle Uenk
D-day for the GDPR is getting closer and closer: it’s only 6 months until May 25, 2018. SAP is doing a lot of work to get its products GDPR compliant. In this blog I’ll focus on the Cloud for Customer (C4C) solution. Several compliance requirements have been covered in C4C for some time, and SAP is continuously improving the solution with regard to GDPR compliance.
Data provisioning and removal
Retention Rules
Before explaining the Data Privacy Workbench, I need to take a side step into data archiving and deletion in general. When a customer or contact asks for removal of their data from your system, this can have quite some impact: the customer might have ordered goods or services from you, there may be pending invoices, and so on. Removal of the customer’s data is therefore only possible once all these customer processes have been closed correctly. Even then, there might be legal reasons to keep the customer and the related documents, such as invoices, in the system for some time. Most countries have laws requiring companies to keep invoices and tax-related documents for at least 5 years. This implies that the customer can only be removed after this period of time. Similar logic applies to employee data, where HR-related data (pension schemes, salary payments etc.) often requires special care when removal requests are made.
In C4C this is controlled via the retention time for deletion of customers and employees. Whereas for the on-premise SAP solutions SAP promotes the SAP ILM solution (which enables fine-tuning of retention times for all kinds of business objects), in SAP Cloud for Customer you only have two retention rules available:
These can be edited in the business configuration. You can only edit the rules when the data retention rules are in scope; otherwise the fields remain display-only.
Also, a system-defined lower limit of 4 years is set by SAP.
Data Privacy Workbench
Personal Data Disclosure
Personal Data Removal
So that you can be sure that this customer has indeed been removed, the removal log contains enough detail to validate that the removal was carried out correctly. This is also your ‘Proof of removal’ in case of a compliance audit.