GDPR Declaration !!

I am not collecting any personal information of any reader of or visitor to this blog. I am using Blogger, provided by Google to host this blog. I understand that Google is using cookies to collect personal information for its Analytics and Adsense applications.

May 24, 2018

Implications of EU GDPR on ERP Value Chain

European Union authorities have introduced the GDPR (General Data Protection Regulation) to protect the personally identifiable data of natural persons in the EU. The regulations are broad in scope and minute in detail. The key ideas include purpose, consent, a process for handling data breaches, liabilities and penalties, the definition of data collection and data processing entities (controller and processor) and their different tasks, the process for collecting, processing and archiving data, a well laid out redressal mechanism, etc.

This comprehensive set of regulations comes into effect on May 25, 2018.

Since ERP applications handle large amounts of data, including personal data, the regulations have a significant impact on the entire ERP value chain. Applications should make the collection of personal data simpler and more specific.

The personal data includes information on customers, vendors, employees, leads, prospects, etc. Currently ERP applications do not segregate and encrypt PII (Personally Identifiable Information). After GDPR, ERP vendors will have to significantly restructure their applications to handle PII. ERP applications should include risk-mitigating tools such as pseudonymisation, encryption, data security, data masking, notifications, etc. New database tables, new flags (notification sent, consent received, etc.), new database fields (purpose of collection, end date of purpose) and table linkages (foreign keys) will have to be introduced. New PII statuses will need to be created, so that the PII cannot be used until consent is received from the data subject.

As part of the implementation and ongoing activities, adequate time has to be factored in for the delays that GDPR handling introduces. Time will be taken to inform the data subject of the purpose of collecting the data and to receive their consent. Notifications should be sent at the different stages of creation, modification and termination of the personal data and of the consent received. All of this will add to the process lead time.

As part of load testing, a high-volume data breach risk mitigation test should be conducted, its results documented, and the same signed off by competent authorities of the controller.

Handling of sensitive data during implementation should be strictly controlled. Currently, consultants hold Excel sheets containing a lot of personal data, including bank accounts, PAN numbers, etc. This will need to be strictly regulated, and centralized processing should be insisted upon. Maintaining sensitive data in local databases should be prevented by technical means if necessary.

ERP vendors should incorporate risk mitigation and disclaimer clauses in their contracts. Project managers should plan for the expected delays due to additional tests, inflexibility due to the processing of centralized data, etc.

Snapshot of what companies are doing

If specific approval of data subjects for the use of their personal data is required prior to processing, ERP implementations should provide a separate window to obtain this approval after loading the data into the ERP. This means the sequence will be: Data Import -- Individual approvals in the ERP Application -- Intake of Opening Balances and start of transactions. This will further increase the go-live lead time.

What will be the role of implementation consultants in an ERP implementation? Will they be considered processors? Yes, if one goes by the letter of the regulation. So what will be the impact? What will be the legal risk involved, and how can it be mitigated? These are questions that I do not have an answer to.

Since personal data is collected for a specific purpose, the ERP system cannot archive it indefinitely: any personal data has to be purged once its purpose is complete, or when the data subject specifically requests it. So the ERP system will have to ensure regular, trigger-based purging of personal data.
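As an added example (not code from this post, nor from any ERP vendor mentioned in it), the following Python script sketches the consent-aware data model described above: PII is imported with a PENDING status and cannot be read until consent is recorded, each record carries a purpose and a purpose end date, every stage writes to a notification log, and a trigger-style purge routine removes PII whose purpose has ended or whose consent was withdrawn. The table and column names, the status values, the event names and the sample data are all my own assumptions; SQLite is used only so that it runs offline.

```python
import sqlite3

# Hypothetical schema for this added example; table and column names are
# assumptions, not taken from any real ERP product.
SCHEMA = """
CREATE TABLE data_subject (
    subject_id INTEGER PRIMARY KEY,
    name       TEXT NOT NULL
);
CREATE TABLE pii_record (
    record_id         INTEGER PRIMARY KEY,
    subject_id        INTEGER NOT NULL REFERENCES data_subject(subject_id),
    field_name        TEXT NOT NULL,
    field_value       TEXT NOT NULL,
    purpose           TEXT NOT NULL,            -- why the field was collected
    purpose_end_date  TEXT NOT NULL,            -- ISO date; purged once passed
    consent_status    TEXT NOT NULL DEFAULT 'PENDING'
                      CHECK (consent_status IN ('PENDING', 'GRANTED', 'WITHDRAWN')),
    notification_sent INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE notification_log (
    log_id     INTEGER PRIMARY KEY,
    subject_id INTEGER NOT NULL REFERENCES data_subject(subject_id),
    event      TEXT NOT NULL,
    event_date TEXT NOT NULL
);
"""


def open_db():
    """Create an in-memory database with the consent-aware schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def _notify(conn, subject_id, event, today):
    """Record that the data subject was notified (creation, consent, purge)."""
    conn.execute(
        "INSERT INTO notification_log (subject_id, event, event_date) VALUES (?, ?, ?)",
        (subject_id, event, today),
    )
    conn.execute("UPDATE pii_record SET notification_sent = 1 WHERE subject_id = ?", (subject_id,))


def import_subject(conn, name, fields, purpose, purpose_end_date, today):
    """Step 1 of the sequence: data import. PII lands as PENDING and is not yet usable."""
    subject_id = conn.execute("INSERT INTO data_subject (name) VALUES (?)", (name,)).lastrowid
    conn.executemany(
        "INSERT INTO pii_record (subject_id, field_name, field_value, purpose, purpose_end_date) "
        "VALUES (?, ?, ?, ?, ?)",
        [(subject_id, k, v, purpose, purpose_end_date) for k, v in fields.items()],
    )
    _notify(conn, subject_id, "CONSENT_REQUESTED", today)
    conn.commit()
    return subject_id


def record_consent(conn, subject_id, granted, today):
    """Step 2: the individual approval window. Flips the PII status and notifies."""
    status = "GRANTED" if granted else "WITHDRAWN"
    conn.execute("UPDATE pii_record SET consent_status = ? WHERE subject_id = ?", (status, subject_id))
    _notify(conn, subject_id, "CONSENT_" + status, today)
    conn.commit()


def usable_pii(conn, subject_id, today):
    """Step 3: transactions may only read PII that is consented and inside its purpose window."""
    rows = conn.execute(
        "SELECT field_name, field_value FROM pii_record "
        "WHERE subject_id = ? AND consent_status = 'GRANTED' AND purpose_end_date >= ?",
        (subject_id, today),
    ).fetchall()
    return dict(rows)


def purge_expired(conn, today):
    """Trigger-style purge: delete PII whose purpose has ended or whose consent was withdrawn.
    Returns the number of rows deleted; affected subjects get a PII_PURGED notification."""
    condition = "purpose_end_date < ? OR consent_status = 'WITHDRAWN'"
    affected = [sid for (sid,) in conn.execute(
        f"SELECT DISTINCT subject_id FROM pii_record WHERE {condition}", (today,))]
    deleted = conn.execute(f"DELETE FROM pii_record WHERE {condition}", (today,)).rowcount
    for sid in affected:
        _notify(conn, sid, "PII_PURGED", today)
    conn.commit()
    return deleted


def notifications(conn, subject_id):
    """Audit trail of what the data subject was told, in order."""
    return [e for (e,) in conn.execute(
        "SELECT event FROM notification_log WHERE subject_id = ? ORDER BY log_id", (subject_id,))]


if __name__ == "__main__":
    conn = open_db()
    today = "2018-05-25"
    # Constructed sample data; not a real person or account.
    sid = import_subject(conn, "Sample Employee",
                         {"bank_account": "XX00-SAMPLE-0001", "pan": "SAMPLE123X"},
                         "payroll", "2018-12-31", today)
    print("before consent:", usable_pii(conn, sid, today))                # {}
    record_consent(conn, sid, True, today)
    print("after consent:", usable_pii(conn, sid, today))
    print("purged on 2019-01-01:", purge_expired(conn, "2019-01-01"))    # 2
    print("log:", notifications(conn, sid))
```

The point of the design is that the usable view of PII is defined by the status and purpose end date, not by who is asking: a report or transaction that reads through usable_pii() gets nothing until consent is granted and nothing after the purpose window closes, and the purge job can be run from a scheduler against the same condition. In a real ERP the same fields would sit on the existing master tables, and the purge would also have to cascade to documents that copied the data.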

The regulation applies to data of EU citizens stored in other countries. This will have implications for cloud ERPs, which normally store data on servers in the US. Also, if other unions like the UAE follow suit, ERP vendors will have to maintain region- or country-wise servers, which will add to the cost and offset any cost benefits of data centralization and cloud computing.

Other implications? How will onsite / offsite delivery work? What if an Indian ERP vendor accesses the personal data of EU citizens remotely? Do they need to get additional certifications and approvals from the EU?

As you can see, I do not have answers to many of these questions, but I am sure companies will already have worked out these issues and introduced processes to handle the additional requirements.

I am also not sure how ERP vendors are gearing up to handle GDPR. Epicor has already released its GDPR-compliant version. I also understand that SAP is compliant. I don't know how other ERP vendors are handling this major change.

References and Additional Readings

1. ERP and GDPR: Lumenia Consulting
2. GDPR, Personal Data, ERP and CRM: Silwood Technology
3. SAP Compliance with GDPR: ERPScan
4. GDPR: Prepare your ERP System:
5. How GDPR will affect ERP: SWK Tech
6. How can Epicor ERP meet GDPR Requirements?
7. How could GDPR affect ERP? AltaVista Tech