Have you ever heard of a Data Subject Request (DSR)? It is a request to know where, what and how our personal data is handled.
In fact, every European citizen, through the GDPR (Art. 15), has the possibility to request a copy of his or her personal data for information purposes, whatever the service.
This is a right that the European Data Protection Regulation (GDPR) has introduced.
Through this request, therefore, any interested party can request a copy of his or her managed personal data from the data holder.
Several platforms offer this option, usually under the menu called Privacy. But are privacy and personal data the same thing?
Let's look together at some examples on various platforms, starting with the SAP Universal ID platform. Through the Privacy menu, it is possible to request the deletion of your data (another right introduced by the GDPR) and also to request a copy of your data via "Request data export".
It is also possible to do the same extraction on other platforms, such as Google.
Facebook clearly offers the same possibility, in the menu "Your information on Facebook" - "Access your information".
But what do we find in this report? There is no common, standard format; each platform often has its own method of providing this data: a ZIP archive with all the data, grouped in folders or not, or additional data in more technical formats, e.g. XML.
If there is data from interested parties (read here about who are the figures under the GDPR), it is necessary to define a procedure to deal with this request when it arises. But from whom? From employees, suppliers or customers. Clearly, in the latter cases they must be individuals.
If your company's business is entirely "business to business", that is, directed toward companies, you will probably have to handle this request only for employees.
If data of customers or suppliers is saved within SAP systems as individuals, then it will be necessary to activate the procedure for them as well.
There are several scenarios that can be explored, depending on the complexity of the systems and the amount of data to be extracted.
In some SAP systems, for example, only the SAP ERP management system is involved (thus only one system) in a very limited way (the data of the stakeholders are in very specific tables).
In other, more complex scenarios, the data of the interested party is "scattered" across multiple SAP systems: for example, ERP (not necessarily just one), IS-U (Industry Solutions Utility) systems in the case of utilities, or CRM (Customer Relationship Management) or SRM (Supplier Relationship Management) systems, whether on premise or in the cloud.
Technology aspects can also clearly have an influence, especially in a hybrid situation where some systems are on premise and others are in the cloud.
In general, it can be helpful to follow these steps: