Data Subject Request: what is it and how do you do it?

Posted by Klea Duro on Jun 2, 2023 8:15:00 AM

Have you ever heard of a Data Subject Request (DSR)? It is a request to find out where our personal data is held, what it consists of and how it is handled.

In fact, under Art. 15 of the GDPR every European citizen can request a copy of his or her personal data for information purposes, whatever the service involved.

What is the Data Subject Request (DSR)?

This is a right introduced by the European Data Protection Regulation (GDPR).

Through this request, any data subject (the "interested party") can ask the data controller for a copy of the personal data it holds about him or her.

Data Subject Request Examples

Several platforms offer this option, usually under a menu called Privacy. But are privacy and personal data the same thing?

Let's look together at some examples on the various platforms, starting with SAP Universal ID. Through the Privacy menu you can request the deletion of your data (another right introduced by the GDPR), but you can also request a copy of your data with "Request data export".

  • Universal ID -> SAP (the functionality present in SAP's Universal ID).

SAP Universal ID Request

The same extraction is also possible on other platforms, for example Google.

  • In the Google account settings, via the "Data and privacy" menu, you can use "Download your data".

Facebook clearly offers the same possibility too, under the menu "Your information on Facebook" -> "Access your information".

  • Facebook

But what do we find in this report? There is no common, standard format: each platform often has its own way of providing the data, such as a ZIP archive with all the data (grouped in folders or not) and additional data in more technical formats, e.g. XML.

Data Subject Request: should it also be handled in SAP?

If you hold data of data subjects (read here about the roles defined by the GDPR), you need to define a procedure to handle such a request when it arrives. But from whom? From employees, suppliers or customers. Clearly, in the latter two cases they must be individuals.

If your company's business is entirely "business to business", i.e. toward other companies, you will probably have to handle this request only for employees.

If customers or suppliers who are individuals are stored in your SAP systems, the procedure must be activated for them as well.

So what should I do in SAP if I fall into one of the cases above?

There are several scenarios to consider, not least because of the complexity of the systems and the amount of data to be extracted.

In some landscapes, for example, only the SAP ERP system is involved (a single system), and in a very limited way: the data subjects' data sits in a few very specific tables.

In other, more complex scenarios the data subject's data is "scattered" across multiple SAP systems: one or more ERP systems, IS-U (Industry Solution for Utilities) systems in the case of utilities, CRM (Customer Relationship Management) or SRM (Supplier Relationship Management) systems, on premise or in the cloud.

Technology aspects clearly have an influence too, especially in a hybrid landscape where some systems are on premise and others in the cloud.

In general, it can be helpful to follow these steps:

  1. Identify which case you are in: do you need to manage data of employees, suppliers, customers, or a subset of these?
  2. Identify which systems the data may be in (note that you may also find non-SAP systems in the company here). Had you considered that registering visitors at the entrance also produces personal data? Which system is that in?
  3. For the systems actually involved, identify exactly where the personal data is. By exactly I mean the very tables and fields (in the case of SAP) where it resides. This requires a mapping of this data across systems; in very complex scenarios the paid Information Steward tool can help (read here what other tools SAP offers for GDPR management).
  4. Identify which tools could be used to extract the data.
  5. Define the internal procedure: what should be done when a request arrives and who should take action. Define how data subjects can submit the request: by email? Through a portal?
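As an added example (not code from this post or from SAP), here is how steps 3 and 4 can be turned into a mapping-driven extraction in Python: an inventory of tables and fields per system drives the extraction, only mapped fields are exported, and the result is packaged in the per-folder ZIP layout described above. The system names, sample rows and subject identifiers are constructed; KNA1, LFA1 and PA0002 are standard SAP tables, but in a real run they would be read through each system's own interfaces rather than from an in-memory dictionary.

```python
import io
import json
import zipfile
# Constructed inventory (step 3): which fields of which tables hold personal data,
# per SAP system. KNA1/LFA1/PA0002 are standard SAP tables; system names are made up.
DATA_MAP = {
    "ERP_PROD": {"KNA1": ["KUNNR", "NAME1", "STRAS", "ORT01"],  # customer master
                 "LFA1": ["LIFNR", "NAME1", "STRAS"]},          # vendor master
    "HCM_PROD": {"PA0002": ["PERNR", "NACHN", "VORNA", "GBDAT"]},  # HR personal data
}
# Constructed rows standing in for table reads; the extra columns ERDAT/AEDTM
# are not in the map and must not end up in the export.
SAMPLE_ROWS = {
    ("ERP_PROD", "KNA1"): [
        {"KUNNR": "0000100042", "NAME1": "Mario Rossi", "STRAS": "Via Roma 1",
         "ORT01": "Milano", "ERDAT": "20200101"},
        {"KUNNR": "0000100043", "NAME1": "Anna Bianchi", "STRAS": "Via Po 2",
         "ORT01": "Torino", "ERDAT": "20200102"},
    ],
    ("HCM_PROD", "PA0002"): [
        {"PERNR": "00001234", "NACHN": "Rossi", "VORNA": "Mario",
         "GBDAT": "19800505", "AEDTM": "20210101"},
    ],
}

def collect(subject_keys):
    """Per system and table, keep only the subject's rows projected onto the mapped
    fields. subject_keys maps system -> {key field: value} for the requester."""
    found = {}
    for system, tables in DATA_MAP.items():
        keys = subject_keys.get(system, {})  # no known key => nothing is exported
        for table, fields in tables.items():
            rows = [{f: r.get(f) for f in fields}
                    for r in SAMPLE_ROWS.get((system, table), [])
                    if any(r.get(k) == v for k, v in keys.items())]
            if rows:
                found.setdefault(system, {})[table] = rows
    return found

def build_export(subject_keys):
    """Package the result as <system>/<table>.json inside a ZIP (the per-folder
    layout the post describes) plus a manifest of what was exported from where."""
    found = collect(subject_keys)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for system, tables in found.items():
            for table, rows in tables.items():
                zf.writestr(f"{system}/{table}.json", json.dumps(rows, indent=2))
        manifest = {s: {t: len(r) for t, r in tb.items()} for s, tb in found.items()}
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return buf.getvalue()
```

The manifest doubles as the record of what was handed over, which is useful when the procedure from step 5 has to document how a request was fulfilled.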

Subscribe to the blog if you haven't already!

Topics: SAP GDPR, gdpr, sap ilm, dsr, data subject request gdpr, data access subject request
