KEY QUESTIONS:
• What are some simple things I can do here and now to prevent GDPR compliance problems? (p. 5)
• What does GDPR mean for companies in the U.S.? (p. 2)
• Could I have exposure to GDPR and not even know it? (p. 3)
WHY GDPR MUST BE BAKED
INTO YOUR ENTERPRISE SOFTWARE
IFS WHITE PAPER
Andrew Lichey, Product Manager, IFS
When it comes to overcoming challenges and managing complexity, most companies
look to their enterprise software. But most enterprise software applications do not yet
have features that deal with the European Union’s new General Data Protection
Regulation (GDPR).
There are standalone point solutions that address GDPR. But can a point solution
address the challenge when protected data likely exists in many different forms
across a business application like enterprise resource planning (ERP) software? Where
else might protected data be housed, beyond customer relationship management (CRM)
software or the customer master in an ERP or field service management application?
Can a company effectively deal with GDPR compliance with a point solution integrated
with its enterprise software?
Once we see how GDPR sends tentacles all through the structured and unstructured
data that underpins a business application, we see that enterprise software must
deliver native built-in features to facilitate compliance. Identifiable customer data is
resident throughout your applications, and tracking it, managing it and determining
what data you have the right to use is becoming more complex as traditional
product-oriented industries pursue servitization, that is, focusing more on services
delivered around a product over its lifecycle than on the sale of the initial product itself.
MISSION CRITICAL, EVEN IN THE U.S.
Other sources deal at length with the requirements of GDPR. But in short, any
company handling information about individuals must be able to show that they:
• Received the consent of subjects for data processing
• Have in place anonymous data collection practices to protect privacy
• Can and do notify subjects of any breach of their identifiable information
• Safely handle the transfer of data across borders
• Have in some cases appointed a data protection officer to oversee GDPR
compliance
EU citizens also have certain rights under GDPR, and it is up to anyone handling their
data to show they are safeguarding these rights, including:
• The right to be informed about how their data is being used, which should be
handled at the point of collection
• The right of access to information on how their data is being processed
• The right to rectification of inaccurate information held by a data processor
• The right to erasure, or to be forgotten
• The right to restrict processing for a number of reasons
• The right to data portability, so that, for instance, data can be moved from one
service provider to another, avoiding vendor lock-in
• The right to object to biased or improperly used data
• The right to opt out of automated decision making and profiling
Violation of these rights for an EU resident may result in stiff financial penalties.
Even if your organization does not reside or have a presence in the European
Union, a GDPR violation can lead to a fine of 4 percent of your annual revenue or
€20 million, whichever is greater. That is admittedly a worst-case scenario that may
be associated with a failure to have sufficient consent to process customer data. You
can be fined up to 2 percent of revenue for something as simple as poor record
keeping. But keep in mind that flouting the core concept of privacy by design, a
systems engineering approach where privacy is taken into account across the scope
of a system, can result in the maximum fine. That is one more reason that enterprise
software should have GDPR compliance built in, tracking and managing access to
personally identifiable information with the same control and granularity as
financial values.
MORE EXPOSURE THAN YOU MAY SUSPECT
Data affected by GDPR can reside throughout your business. Any compliance
challenge can be made easier when data is contained in a centralized system of
records. But even in a self-contained application, GDPR presents challenges that
suggest changes to the underlying architecture and functionality are necessary to
streamline compliance.
This is a complex challenge for a few reasons.
Contractors and Integrations: The first reason is that regardless of who owns the
customer relationship, you are responsible for compliance as soon as the customer
data is sent to you. One customer I have been working with closely is a European
contractor that repairs water damage, usually as the result of a storm. The majority of
their work comes to them through insurance companies. A storm affects an insured,
they file a claim and the insurer sends the claim to the contractor. Even if this data
comes into your organization through means like email, an ecommerce portal or an
integration with a supply chain partner’s system, you are responsible for protecting
that data.
Not Just Customers: A lot of the attention paid to GDPR focuses on customer-facing
or marketing communications. But GDPR affects not just data about current and
prospective customers but also your employees. That means that organizations with
European employees need to address any data that uniquely identifies them as an
individual, including date of birth, address and gender.
Servitization Drives Greater Complexity: As product-oriented companies make the
transition to more and more service revenue, the amount of customer data they hold
will increase, and so will the ways they engage with that data. Rather than marketing
a product up to the point of a sale transaction, the relationship with the customer
continues under a contract or through periodic additional service transactions. This
increases complexity in terms of tracking which customers have contracts in place
and which do not, and treating identifying data differently depending on that
contractual status. Customers may also want service history and other historical data
transferred to a new vendor, as required under the regulation. Any company that
issues warranties or service contracts to customers who buy their products will also
need to determine their exposure from the resulting data.
Not Just Data, But Files: The amount of information about your customers across
your organization is substantial. It exists as structured data in the database that
underpins your business systems, but also as unstructured data: files like images,
PDFs, Word documents and more. These are all available in your business systems as
attachments to data objects or transactions. In an ERP system, these files may be
documents signed by the customer and scanned, performance reviews or job
applications in a personnel file. Any company with a service department may also
need to manage pictures of a customer’s home, location or vehicle. Service
organizations need to pay attention to personal identifying data collected in a field
service setting during sign-off or approval of service work.
ATTACKING THE PROBLEM WITH SOFTWARE
Just as ERP and field service management software companies have to re-examine
their applications in light of regulatory changes and gradual shifts like the movement
of US GAAP towards the IFRS standard, enterprise software companies must evolve
their offering quickly to facilitate GDPR compliance.
The scope of what must be done is substantial. They must, in essence, go through
their application and data schema and identify all of the places likely to contain
personal data. But because no two customers use their software the same way, the
application must also maintain the flexibility to allow users to identify other fields as
containing personal data, identify why they have that data and how they will enforce
the right to be forgotten, etc.
BAKED IN IS BETTER
While it will be a challenge, enterprise software vendors will need to evolve their
products to deal with GDPR. This is the most elegant way to achieve key elements of
compliance. Enterprise software will typically enable role-specific access to
information, used to ensure that financial data is viewed or accessed only by approved people.
These defined roles can also be used to ensure that only the people with a legitimate
need to access protected information have the required permissions.
If a customer, employee or other affected party calls you and wants to be forgotten,
you will need to quickly ascertain what personal data you have in the system, and
each disparate system represents a potential failure point in your compliance effort. It
is also very inefficient to create and attempt to follow compliance processes in
multiple systems.
A centralized system of record eases any compliance effort because you have
consistent visibility and control over who can see content, when you destroy or
anonymize content, what content you have permission to use in what way and how
you secured that permission.
PRACTICAL TIPS FOR HERE AND NOW
Most enterprise software vendors will still steer customers towards point solutions
integrated with an enterprise software product for GDPR compliance. At some point,
more vendors may take a holistic, baked-in approach and insert appropriate
functionality directly in ERP, field service management, CRM software and other
affected systems.
It may also make sense to consult your attorney or corporate counsel regarding your
processes around the five key points, using various stopgap measures if necessary:
• Tracking personal consent to use data
• Enforcing the right to be forgotten
• Ensuring only the required people have access to data
• Rectification of erroneous data
• Data portability in case your customer wants to take their service history
or other data to a new vendor
One other practical but counter-intuitive move may be to collect more data! Many
companies will find they underestimated the challenge of identifying someone from
data in their system, particularly if they focus on non-unique identifiers like first and
last name. There are many people with identical names, and a company will need to
ensure they are processing requests to be forgotten or data portability for the right
John Smith, Thomas Anderson or David Daniels. Destroying the wrong person’s data
or handing the wrong person’s data over to an unauthorized person could have
serious repercussions.
The best way to solve it is to put more personal information in the system. This
creates a more unique record and enables you to code it against an index number or
field you can use uniquely in your system. Most email addresses have some degree of
enforced uniqueness, but they change over time.
One other approach to use to mitigate GDPR-related risk is to anonymize data. By
assigning a pseudonym or other identifier to records that cannot be connected to an
individual person, you may be able to use personal data with few restrictions.
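The following Python sketch is an added illustration, not code from the white paper or from IFS software, of the three practical points above: resolving requests against a stable internal index so two customers with the same name are never confused, issuing keyed pseudonyms for reporting, and serving erasure and portability requests from one system of record. The class and its method names are hypothetical, and the pseudonym key is assumed to be stored apart from the records.

```python
import hashlib
import hmac
import json
import secrets
import uuid


class SubjectRegistry:
    """Hypothetical store of personal data keyed by an opaque internal index, not by name."""

    def __init__(self, pseudonym_key=None):
        self._records = {}  # subject id -> identifying attributes
        # Secret held apart from the records: while it exists, pseudonyms remain
        # linkable (still personal data); destroying it severs the link.
        self._key = pseudonym_key or secrets.token_bytes(32)

    def register(self, name, email, date_of_birth, postcode):
        """Store a subject under a fresh id so two John Smiths never collide."""
        subject_id = uuid.uuid4().hex
        self._records[subject_id] = {
            "name": name, "email": email,
            "date_of_birth": date_of_birth, "postcode": postcode,
        }
        return subject_id

    def find(self, **attributes):
        """Resolve an erasure/access/portability request to exactly one subject.
        Every supplied attribute must match; an ambiguous match is refused rather
        than guessed, so the wrong person's data is never erased or handed over."""
        matches = [sid for sid, rec in self._records.items()
                   if all(rec.get(k) == v for k, v in attributes.items())]
        if len(matches) != 1:
            raise LookupError(f"{len(matches)} subjects match; supply more identifiers")
        return matches[0]

    def pseudonym(self, subject_id):
        """Keyed one-way token (HMAC-SHA256) for analytics or reporting rows."""
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def export_portable(self, subject_id):
        """Right to data portability: machine-readable copy of the subject's record."""
        return json.dumps(self._records[subject_id], sort_keys=True)

    def forget(self, subject_id):
        """Right to erasure: drop the identifying record. Old pseudonyms stay valid
        as tokens but can no longer be resolved back to a person."""
        self._records.pop(subject_id, None)
        return subject_id not in self._records
```

A request that matches more than one record is rejected until the caller supplies another identifier (email, date of birth, postcode), which is the point of collecting the extra data in the first place.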
CONCLUSION
GDPR is certainly a concern for companies operating well outside of the European
Union. The increasingly connected and global nature of business means most
businesses of any scale will have some exposure. But enterprise software is evolving
to mitigate these risks just as it has mitigated risk resulting from previous regulation.
In selecting enterprise software, you may want to ask pointed questions of your
vendor on how well they have baked GDPR compliance tools into their products. In the
meantime, following some of the relatively simple steps above will help you avoid
compliance hassles.
IFS Product Manager Andrew Lichey is responsible for developing and evolving
the IFS Field Service Management software product. He has been leading field
service management software development projects since 1996. Prior to that,
he served as an intelligence analyst for the U.S. Army. He holds a degree in
computer science from the University of Wisconsin-Milwaukee.
En5054-1 Production: IFS Corporate Marketing, March 2018.
IFSworld.com
COPYRIGHT © 2018 INDUSTRIAL AND FINANCIAL SYSTEMS, IFS AB. IFS AND ALL IFS PRODUCTS AND SERVICES
NAMES ARE TRADEMARKS OF IFS. ALL RIGHTS RESERVED. THIS DOCUMENT MAY CONTAIN STATEMENTS OF
POSSIBLE FUTURE FUNCTIONALITY FOR IFS’S PRODUCTS AND TECHNOLOGY. SUCH STATEMENTS ARE FOR
INFORMATION PURPOSES ONLY AND SHOULD NOT BE INTERPRETED AS ANY COMMITMENT OR REPRESENTATION.
THE NAMES OF ACTUAL COMPANIES AND PRODUCTS MENTIONED HEREIN MAY BE THE TRADEMARKS OF THEIR
RESPECTIVE OWNERS.
IFS AB ©2018
ABOUT IFS
IFS develops and delivers enterprise software for customers
around the world who manufacture and distribute goods, maintain
assets, and manage service-focused operations. The industry
expertise of our people and solutions, together with commitment
to our customers, has made us a recognized leader and the
most recommended supplier in our sector. Our team of 3,500
employees supports more than one million users worldwide from
a network of local offices and through our growing ecosystem
of partners.
For more information about IFS, visit IFSworld.com
Can you really prepare for General Data Protection Regulation (GDPR) compliance with software that is bolted onto the outside of your enterprise resource planning (ERP) or field service management software? In this white paper, we look at some of the risks you are exposed to including those you may not expect.