Implications of EU GDPR on ERP Value Chain
European Union authorities have introduced the GDPR (General Data Protection Regulation) to protect the personal, identifiable data of natural persons in the EU. The regulation is broad in scope and minute in detail. Its key ideas include purpose, consent, the process for handling a data breach, liabilities and penalties, the definition of data collection and data processing entities (controller and processor) and their distinct duties, the process for collecting, processing and archiving data, and a well laid out redressal mechanism.
This landmark regulation, with significant implications, takes effect on Friday, 25 May 2018.
You can read details about the regulations here.
Since ERP applications handle large amounts of data, including personal data, the regulation has a lot of impact on the entire ERP value chain. Applications should simplify and make specific the collection of personal data. Personal data includes information on customers, vendors, employees, leads, prospects etc. Currently ERP applications do not segregate and encrypt PII (Personally Identifiable Information). After GDPR, ERP vendors will have to significantly restructure their applications to handle PII. ERP applications should include risk mitigating tools like pseudonymization, encryption, data security, data masking, notifications etc. New database tables, new flags (notification sent, consent received etc.), new database fields (purpose of collection, end date of purpose) and table linkages (foreign keys) will have to be introduced. New PII statuses will need to be created, so that the PII cannot be used until consent is received from the data subject.
As part of the implementation and ongoing activities, adequate time has to be factored in for the delays that GDPR handling introduces. Time will be taken to inform the data subject of the purpose of collecting the data and to receive their consent. Notifications should be sent at the different stages of creation, modification and termination of the personal data and of the consent received. All this will add to the process lead time.
As part of load testing, a high volume data breach risk mitigation test should be conducted, the results documented, and the same signed off by the competent authorities of the controller.
Handling of sensitive data during implementation should be strictly controlled. Currently consultants hold Excel sheets containing a lot of personal data, including bank accounts, PAN numbers etc. This will need to be strictly regulated and centralized processing should be insisted upon. Maintaining sensitive data in local databases should be prevented by technical means if necessary.
ERP vendors should incorporate risk mitigation and disclaimer clauses in their contracts. Project managers should plan for the expected delays due to additional tests, inflexibility due to centralized processing of data etc.
If specific approval of data subjects for the use of their personal data is required prior to processing, ERP implementations should provide a separate window to obtain this approval after loading the data into the ERP. This means the sequence will be: data import -- individual approvals in the ERP application -- intake of opening balances and start of transactions. This will further increase the go-live lead time.
What will be the role of implementation consultants in an ERP implementation? Will they be considered as processors? Yes, if one goes by the letter of the regulation. So what will be the impact? What will be the legal risk involved and how can it be mitigated? These are the questions that I do not have an answer to.
Since personal data is collected for a specific purpose, the ERP system cannot archive the data, and any personal data has to be purged once its purpose is completed or when specifically requested by the data subject. So the ERP system will have to ensure regular purging of personal data based on triggers.
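As an added illustration (not code from the original post or from any ERP vendor), the following Python sketch shows how the consent gating described above and the purpose-based purge trigger could be modelled: a PII record carries a purpose, a purpose end date, consent/notification flags and a status, and a scheduled job purges records whose purpose has ended or whose subject has requested erasure. The status names, field names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

class PiiStatus(Enum):
    AWAITING_CONSENT = "awaiting_consent"  # loaded, but must not be used yet
    ACTIVE = "active"                      # consent received, purpose ongoing
    PURGED = "purged"                      # purpose ended or erasure requested

@dataclass
class PiiRecord:
    subject_id: str          # constructed identifier, e.g. an employee/customer key
    purpose: str             # why the data was collected
    purpose_end: date        # end date of the purpose; data must not outlive it
    data: dict = field(default_factory=dict)
    status: PiiStatus = PiiStatus.AWAITING_CONSENT
    consent_received: bool = False
    notification_sent: bool = False

    def notify(self) -> None:
        self.notification_sent = True      # data subject told about the purpose

    def record_consent(self) -> None:
        self.consent_received = True       # consent flag set; record becomes usable
        self.status = PiiStatus.ACTIVE

    def usable(self, today: date) -> bool:
        # Only consented records within their purpose window may be read by transactions
        return self.status is PiiStatus.ACTIVE and today <= self.purpose_end

    def purge(self) -> None:
        self.data = {}                     # remove the personal fields, keep the audit shell
        self.status = PiiStatus.PURGED

def purge_expired(records, today: date, erasure_requests=frozenset()) -> list:
    """Trigger-style job: purge records whose purpose ended or whose subject asked for erasure."""
    purged = []
    for rec in records:
        if rec.status is PiiStatus.PURGED:
            continue
        if today > rec.purpose_end or rec.subject_id in erasure_requests:
            rec.purge()
            purged.append(rec.subject_id)
    return purged

# Constructed sample records, as an import step would load them before approvals
SAMPLE = [
    PiiRecord("EMP-001", "payroll", date(2019, 12, 31), {"bank_account": "XX-1111"}),
    PiiRecord("VEN-042", "vendor payments", date(2018, 6, 30), {"pan": "XX-2222"}),
]
```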
The regulation applies to data of EU citizens stored in other countries. This will have implications for cloud ERPs, which normally store data on servers in the US. Also, if other unions like the UAE follow suit, ERP vendors will have to maintain region- or country-wise servers, which will add to the cost and offset any cost benefits of data centralization and cloud computing.
Other implications? How will onsite / offsite delivery work? What if an Indian ERP vendor accesses the personal data of EU citizens remotely? Do they need to get additional certifications and approvals from the EU?
As you can see, I do not have answers to many questions, but I am sure the companies would have already worked out these issues and introduced processes to handle the additional requirements.
I am also not sure how ERP vendors are gearing up to handle GDPR. I understand that Epicor and SAP have released GDPR compliant versions. I don't have the details. Also, I don't know how other ERP vendors are handling this major change.
#GDPR #ERPSoftware #ERPIndia
About Me: I am an ERP Implementation specialist with over 16 years of implementation experience and expertise in end-to-end ERP implementations. I focus on ERP Implementation Consulting and Advisory Services. While my key areas of expertise are ERP Architecting, Financials and Costing, I have implementation experience in all the core business areas including Supply Chain, Manufacturing and Distribution. My personal vision is to help the SME sector in India become globally competitive through the use of IT, especially ERP. I come with a powerful mix of domain knowledge (10 years), academia (2 years) and ERP implementation expertise (15 years and running). I am one of the few ERP consultants in India who can provide an integrated view of ERP implementation including the accounting and costing aspects of Indian taxation.
If you are planning to implement ERP, or are in the middle of ERP Implementation, please get in touch with me. I could help you make your ERP Implementation highly successful.
I can be reached by email [email protected], or through twitter @vkrama01. You could also check out my ERP Blog for additional material on ERP.