Why GDPR Compliance Must Be Baked Into Your Enterprise Software

The different places data may be housed beyond customer relationship management (CRM) is creating new challenges for companies looking to effectively deal with the European Union’s new General Data Protection Regulation (GDPR).

Andrew Lichey

Most enterprise software applications do not yet have features that deal with the European Union’s new General Data Protection Regulation (GDPR). There are standalone point solutions that address GDPR, but can they really address the challenge given that data exists in many different business applications including enterprise resource planning (ERP) software? The different places data may be housed beyond customer relationship management (CRM) is creating new challenges for companies looking to effectively deal with GDPR compliance. So it is essential that enterprise software delivers native built-in features to enable compliance.

Identifiable customer data is resident throughout your applications, and tracking it, managing it and determining what data you have the right to use is becoming more complex as traditional product-oriented industries pursue products ‘as a service’ — focusing more on services delivered around a product over its lifecycle, as opposed to sale of the initial product itself.

Mission Critical, Even in the U.S.

Many sources deal with the requirements of GDPR at length, and it may make sense to consult your attorney or corporate counsel regarding your processes, but in short, any company handling information about individuals must be able to show that they have the consent of subjects for data processing and practice anonymous data collection to protect privacy. Businesses will also be required to notify subjects of any breach of their identifiable information as well as safely handle the transfer of data across borders. In some cases, they will also need to appoint a Data Protection Officer to oversee GDPR compliance.

EU residents also have certain rights under GDPR, and it is up to anyone handling their data to show they are safeguarding these rights. Violation of these rights may result in stiff financial penalties. Even if an organization does not reside or have a presence in the European Union, a GDPR violation can lead to a fine of 4 percent of your annual revenue or €20 million — whichever is greater.

Servitization Drives Greater Complexity

As product-oriented companies make the transition to more and more service offerings, the amount of customer data they hold will increase, and so will the ways they engage with that data. Rather than marketing a product up to the point of a sale transaction, the relationship with the customer continues under a contract or through periodic additional service transactions.

This increases complexity in terms of tracking which customers have contracts in place and which do not, and treating identifying data differently depending on its contractual status. Customers may also want service history and other historical data transferred to a new vendor, a capability organizations must be able to provide under the new regulation. Any company that issues warranties or service contracts to customers who buy their products will also need to determine their exposure from the resulting data.

GDPR: The Data Challenge

This data can reside throughout your business, and all of it is affected by GDPR. Any compliance challenge is easier when data is contained in a centralized system of record, but even within a self-contained application, GDPR presents challenges that will require changes to the underlying architecture and functionality in order to streamline compliance. This is a complex challenge for several reasons.

  • Contractors and integrations: Regardless of who owns the customer relationship, an organization is responsible for compliance as soon as the customer data is received. Even if this data comes into the organization through means such as email, an e-commerce portal or an integration with a supply chain partner’s system, it is responsible for protecting that data.
  • Not just customers: A lot of the attention around GDPR focuses on customer-facing or marketing communications. But GDPR affects data about employees as well as current or prospective customers. This means organizations with European employees need to focus on any data that uniquely identifies them as an individual, including date of birth, address and gender.
  • Not just data but files: The amount of information held across organizations is substantial. It can be organized as structured data in the database underpinning business systems, but also as unstructured data — such as images, PDFs, Word documents and more. These are all available in business systems as attachments to data objects or transactions. In an ERP system, these files may be documents signed by the customer, scanned performance reviews or job applications in a personnel file. Service organizations may also need to pay attention to data collected in a field service setting during sign-off or approval of service work.

Attacking the Problem with Software - Baked in is Better

Just as ERP and field service management software companies have to re-examine their applications in light of regulatory changes and gradual shifts such as the movement of U.S. GAAP towards the IFRS standard, enterprise software companies must evolve their offering quickly to facilitate GDPR compliance.

Most enterprise software vendors will still steer customers towards point solutions integrated with an enterprise software product for compliance. While it will be a challenge, vendors will need to evolve their products to deal with GDPR. This is the most elegant way to achieve key elements of compliance.

Less Data can Create More Problems

Many companies will find they have underestimated the challenge of identifying someone from the data in their system, particularly if they rely on non-unique identifiers such as first and last name. So one practical, if seemingly counter-intuitive, move may be to collect more data.

If there are many people with identical names, the company will need to ensure it is processing data for the right person. Destroying the wrong person’s data, or handing one person’s data over to someone not authorized to receive it, could have serious repercussions. The way to solve this is to hold enough personal information in the system to make each record unique, and to key that record against an index number or field that is unique within your system.

Role-Specific Access

Enterprise software will typically enable role-specific access to information in order to ensure that financial data is viewed or accessed only by approved people. These defined roles can also be used to ensure that only people with a legitimate need to access protected information have the required permissions.

If a customer, employee or other affected party calls you and wants to be forgotten, organizations need to quickly ascertain what personal data is held in the system — and each disparate system represents a potential failure point in your compliance effort. It is also very inefficient to create and attempt to follow compliance processes across multiple systems.

A centralized system of record eases any compliance effort because it gives you consistent visibility and control over who can see content, who can destroy content, what content people have permission to use in what way and how they secured that permission.

As we see how GDPR sends tentacles throughout the structured and unstructured data that underpins business applications, we start to understand that it is essential that enterprise software delivers native built-in features to facilitate compliance.

Andrew Lichey is Product Manager at IFS.
