
Why GDPR must be baked into your enterprise software

Can you really prepare for General Data Protection Regulation (GDPR) compliance with software that is bolted onto the outside of your enterprise resource planning (ERP) or field service management software? In this white paper, we look at some of the risks you are exposed to including those you may not expect.

KEY QUESTIONS
• What are some simple things I can do here and now to prevent GDPR compliance problems?
• What does GDPR mean for companies in the U.S.?
• Could I have exposure to GDPR and not even know it?

IFS WHITE PAPER
By Andrew Lichey, Product Manager, IFS

When it comes to overcoming challenges and managing complexity, most companies look to their enterprise software. But most enterprise software applications do not yet have features that deal with the European Union’s new General Data Protection Regulation (GDPR). There are standalone point solutions that address GDPR. But can a point solution address the challenge, given that protected data likely exists in many different forms across a business application like enterprise resource planning (ERP) software? What are the different places protected data may be housed, beyond customer relationship management (CRM) software or the customer master in an ERP or field service management application? Can a company effectively deal with GDPR compliance with a point solution integrated with their enterprise software? Once we see how GDPR sends tentacles all through the structured and unstructured data that underpins a business application, we see that enterprise software must deliver native built-in features to facilitate compliance.
Identifiable customer data is resident throughout your applications, and tracking it, managing it and determining what data you have the right to use is becoming more complex as traditional product-oriented industries pursue servitization: focusing more on services delivered around a product over its lifecycle than on the sale of the initial product itself.

MISSION CRITICAL, EVEN IN THE U.S.

Other sources deal at length with the requirements of GDPR. But in short, any company handling information about individuals must be able to show that they:
• Received the consent of subjects for data processing
• Have in place anonymous data collection practices to protect privacy
• Can and do notify subjects of any breach of their identifiable information
• Safely handle the transfer of data across borders
• Have in some cases appointed a data protection officer to oversee GDPR compliance

EU citizens also have certain rights under GDPR, and it is up to anyone handling their data to show they are safeguarding these rights, including:
• The right to be informed on how their data is being used, which should be handled at the point of collection
• The right of access to information on how their data is being processed
• The right to rectification of inaccurate information held by a data processor
• The right of erasure, or to be forgotten
• The right to restrict processing for a number of reasons
• The right to data portability, so that for instance data can be moved from one service provider to another, avoiding vendor lock-in
• The right to object to biased or improperly used data
• Rights to opt out of automated decision making and profiling

Violation of these rights for an EU resident may result in stiff financial penalties. Even if your organization does not reside or have a presence in the European Union, a GDPR violation can lead to a fine of 4 percent of your annual revenue or €20 million, whichever is greater. That is admittedly a worst-case scenario that may be associated with a failure to have sufficient consent to process customer data. You can be fined up to 2 percent of revenue for something as simple as poor record keeping. But keep in mind that flouting the core concept of privacy by design, a systems engineering approach where privacy is taken into account across the scope of a system, can result in the maximum fine. That is one more reason that enterprise software should have GDPR compliance built in, tracking and managing access to and handling of personally identifiable information with the same control and granularity as financial value.

MORE EXPOSURE THAN YOU MAY SUSPECT

Data affected by GDPR can reside throughout your business. Any compliance challenge can be made easier when data is contained in a centralized system of record. But even in a self-contained application, GDPR presents challenges that suggest changes to the underlying architecture and functionality are necessary to streamline compliance. This is a complex challenge for a few reasons.
Contractors and Integrations: The first reason is that regardless of who owns the customer relationship, you are responsible for compliance as soon as the customer data is sent to you. One customer I have been working with closely is a European contractor that repairs water damage, usually as the result of a storm. The majority of their work comes to them through insurance companies. A storm affects an insured, they file a claim and the insurer sends the claim to the contractor. Even if this data comes into your organization through means like email, an ecommerce portal or an integration with a supply chain partner’s system, you are responsible for protecting that data.

Not Just Customers: A lot of the attention paid to GDPR focuses on customer-facing or marketing communications. But GDPR affects not just data about current and prospective customers but also your employees. That means that organizations with European employees need to address any data that uniquely identifies them as an individual, including date of birth, address and gender.

Servitization Drives Greater Complexity: As product-oriented companies make the transition to more and more service revenue, the amount of customer data they hold will increase, and so will the ways they engage with that data. Rather than marketing a product up to the point of a sale transaction, the relationship with the customer continues under a contract or through periodic additional service transactions. This increases complexity in terms of tracking which customers have contracts in place and which do not, and treating identifying data differently depending on that contractual status. Customers may also want service history and other historical data transferred to a new vendor, as required under the regulation. Any company that issues warranties or service contracts to customers who buy their products will also need to determine their exposure from the resulting data.

Not Just Data, But Files: The amount of information about your customers across your organization is substantial. It exists as structured data in the database that underpins your business systems, but also as unstructured data: files like images, PDFs, Word documents and more. These are all available in your business systems as attachments to data objects or transactions. In an ERP system, these files may be documents signed by the customer and scanned, or performance reviews or job applications in a personnel file. Any company with a service department may also need to manage pictures of a customer’s home, location or vehicle. Service organizations need to pay attention to personal identifying data collected in a field service setting during sign-off or approval of service work.

ATTACKING THE PROBLEM WITH SOFTWARE

Just as ERP and field service management software companies have to re-examine their applications in light of regulatory changes and gradual shifts like the movement of US GAAP towards the IFRS standard, enterprise software companies must evolve their offering quickly to facilitate GDPR compliance. The scope of what must be done is substantial. They must, in essence, go through their application and data schema and identify all of the places likely to contain personal data. But because no two customers use their software the same way, the application must also maintain the flexibility to allow users to identify other fields as containing personal data, identify why they have that data, how they will enforce the right to be forgotten, and so on.

BAKED IN IS BETTER

While it will be a challenge, enterprise software vendors will need to evolve their products to deal with GDPR.
This is the most elegant way to achieve key elements of compliance. Enterprise software will typically enable role-specific access to information, used to ensure that financial data is viewed or accessed only by approved people. These defined roles can also be used to ensure that only the people with a legitimate need to access protected information have the required permissions. If a customer, employee or other affected party calls you and wants to be forgotten, you will need to quickly ascertain what personal data you have in the system, and each disparate system represents a potential failure point in your compliance effort. It is also very inefficient to create and attempt to follow compliance processes in multiple systems. A centralized system of record eases any compliance effort because you have consistent visibility and control over who can see content, when you destroy or anonymize content, what content you have permission to use in what way, and how you secured that permission.

PRACTICAL TIPS FOR HERE AND NOW

Most enterprise software vendors will still steer customers towards point solutions integrated with an enterprise software product for GDPR compliance. At some point, more vendors may take a holistic, baked-in approach and insert appropriate functionality directly in ERP, field service management, CRM software and other affected systems. It may also make sense to consult your attorney or corporate counsel regarding your processes around the five key points, using various stopgap measures if necessary:
• Tracking personal consent to use data
• Enforcing the right to be forgotten
• Ensuring only the required people have access to data
• Rectification of erroneous data
• Data portability in case your customer wants to take their service history or other data to a new vendor

One other practical but counter-intuitive move may be to collect more data! Many companies will find they underestimated the challenge of identifying someone from data in their system, particularly if they focus on non-unique identifiers like first and last name. There are many people with identical names, and a company will need to ensure they are processing requests to be forgotten or data portability for the right John Smith, Thomas Anderson or David Daniels. Destroying the wrong person’s data or handing the wrong person’s data over to an unauthorized person could have serious repercussions. The best way to solve it is to put more personal information in the system. This creates a more unique record and enables you to code it against an index number or field you can use uniquely in your system. Most email addresses have some degree of enforced uniqueness, but they change over time.

One other approach to mitigating GDPR-related risk is to anonymize data. By assigning a pseudonym or other identifier to records that cannot be connected to an individual person, you may be able to use personal data with few restrictions.

CONCLUSION

GDPR is certainly a concern for companies operating well outside of the European Union. The increasingly connected and global nature of business means most businesses of any scale will have some exposure. But enterprise software is evolving to mitigate these risks just as it has mitigated risk resulting from previous regulation. In selecting enterprise software, you may want to ask pointed questions of your vendor on how well they have baked GDPR compliance tools into their products. In the meantime, following some of the relatively simple steps above will help you avoid compliance hassles.

IFS Product Manager Andrew Lichey is responsible for developing and evolving the IFS Field Service Management software product. He has been leading field service management software development projects since 1996. Prior to that, he served as an intelligence analyst for the U.S. Army. He holds a degree in computer science from the University of Wisconsin-Milwaukee.

Production: IFS Corporate Marketing, March 2018. Copyright © 2018 Industrial and Financial Systems, IFS AB. IFSworld.com
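The disambiguation problem the paper raises under its practical tips (acting on an erasure or portability request for the right John Smith, not merely a John Smith) as an added example; this is not IFS code or code from the white paper. It assumes a constructed in-memory table of data-subject records keyed by a stable internal subject_id, and only treats a request as actionable when the supplied identifiers narrow the candidates to exactly one record.

```python
"""Resolve a GDPR erasure/portability request to exactly one record.

Added example, not IFS code. The record table is constructed sample data.
Matching on name alone is unsafe: the resolver acts only on a unique
match and otherwise reports which extra identifiers would discriminate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SubjectRecord:
    subject_id: str        # stable internal index; the key every action uses
    first_name: str
    last_name: str
    email: str             # may change over time, so never a key on its own
    date_of_birth: str     # ISO date
    postal_code: str


# Constructed sample data: two different John Smiths share a name.
RECORDS = [
    SubjectRecord("S-1001", "John", "Smith", "john.smith@example.com", "1970-03-02", "10115"),
    SubjectRecord("S-1002", "John", "Smith", "jsmith@example.net", "1985-11-19", "20095"),
    SubjectRecord("S-1003", "Thomas", "Anderson", "t.anderson@example.org", "1962-03-11", "10115"),
]

MATCH_FIELDS = ("first_name", "last_name", "email", "date_of_birth", "postal_code")


def resolve_request(request: dict, records=RECORDS) -> dict:
    """Return {"status": "unique"|"ambiguous"|"not_found", "subject_ids", "missing"}.

    Every identifier supplied in the request must match (case-insensitive);
    keys outside MATCH_FIELDS and empty values are ignored. "missing" lists
    fields that, if supplied, would separate the ambiguous candidates.
    """
    criteria = {k: str(v).strip().lower() for k, v in request.items()
                if k in MATCH_FIELDS and v}
    if not criteria:
        return {"status": "not_found", "subject_ids": [], "missing": list(MATCH_FIELDS)}
    hits = [r for r in records
            if all(getattr(r, k).lower() == v for k, v in criteria.items())]
    if len(hits) == 1:
        return {"status": "unique", "subject_ids": [hits[0].subject_id], "missing": []}
    if not hits:
        return {"status": "not_found", "subject_ids": [], "missing": []}
    # Ambiguous: a field discriminates if its value differs across every hit.
    discriminating = [f for f in MATCH_FIELDS if f not in criteria
                      and len({getattr(r, f).lower() for r in hits}) == len(hits)]
    return {"status": "ambiguous", "subject_ids": sorted(r.subject_id for r in hits),
            "missing": discriminating}
```

A request that resolves to "ambiguous" should be bounced back for more identifiers rather than executed, which is the failure mode the paper warns about.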