Sifting through your ERP solution to find data relevant to GDPR is not always simple. Silwood Technology has revealed research that SAP ERP alone has 90,000 tables and more than 900,000 often esoterically named fields.
GDPR is less than 100 days away. Vendors of all shapes and sizes are proclaiming that they have the tool to remove the risk that GDPR will present to organisations. ERP vendors are producing updates aimed at insuring that their customers are ready. One of the latest of these was mid-tier ERP vendor IFS. However, for heavily customised applications, organisations are only just starting to realise the headache they have.
UK vendor Silwood Technology has carried out some initial research on five popular ERP applications. These are JD Edwards, SAP, Oracle E-Business Suite, Microsoft Dynamics AX 2012 and Siebel. ET spoke to Nick Porter, Founder and Technical Director, and Roland Bullivant, Business Development Manager, Silwood Technology to discuss the findings.
Silwood did not test every single version of the different software packages. According to Porter: “Meta data model of these systems tend not to change. We pulled meta data from SAP data dictionary, from the AX Data dictionary etc. The stuff which would be typical data tends not to vary version to version but we did test several instances of each packages.”
Most of the research was carried out on SAP ECC6, JD Edwards 9.1, Microsoft Dynamics AX 2012, Oracle E-Business Suite 12 and Siebel 16. To carry out the research the company used its own software Safyr, a data driven metadata discovery software for ERP and CRM systems. This software reads the metadata stored within ERP systems and can create a map of the data flows and relationships between the tables and fields in use.
The results
Silwood only looked for a few of the relevant terms in their initial search. These includes variations of Date of Birth, Social Security Number or Tax ID
- SAP : 90,000 tables, 900,000 fields, SSN appeared in more than 900 tables and Date of Birth in over 80.
- JDE: 5,000 tables,, 140,000 fields, SSN appeared in more than 170 tables, Date of Birth in more than 210.
- MS Dynamics: 7,000 tables,, 100,000 fields, SSN appeared in more than 150 tables, Date of Birth in approximately 10.
- Siebel: 5,000 tables, 170,000 fields, SSN appeared in more than 14 tables, Date of Birth in more than 6.
- Oracle E Business Suite: 22,000 tables,, 570,000 fields, SSN appeared in 5 tables, Date of Birth in more than 40.
This is just the tip of the iceberg. Porter believes that Safyr can provide part of the solution for finding that data. It is only the first step though and it does not search through text data to discover fields that may contain GDPR relevant information.
In November they launched their first starter pack for GDPR compliance, for SAP. Porter sees SAP users as having the biggest problem to locate the data. He commented: “If you are an SAP customer– how would you locate personal data fields without a product like Safyr?
“Documentation? Try to search for documentation that doesn’t exist. SAP don’t provide you with the model and they don’t provide you with the any tools to do that slicing through the model to find those attribute names. The competition is employing armies to do it or deploying half a dozen workbench specialists to do it for you which would delay other projects.”
What is in the Safyr GDPR starter pack
The starter pack contains all the relevant field references to GDPR. Field names and tables are grouped into subject areas according to Porter. He continued: “We have produced a separate subject area per personal data category. So we have got one that points to all the date of birth fields, one that points to the social security fields, one that points to all the license plate number.
“What you can then do is merge those in the products. So if an HR table has, date of birth, gender and address it will pull all the data together in one data set.”
Companies are able to select the relevant fields pertinent to their industry and are to locate and map the data and its flows using the Safyr tools. This is important as field names are rarely obvious. This is where Safyr can make a difference. Companies using the starter pack are able to quickly map where GDPR is likely to be stored. This saves hours of searching through data structures.
Although Silwood has completed the SAP starter pack, there is another on the way for JD Edwards. Porter inferred that more wold follow if there was sufficient interest.
What does it mean
Organisations, especially those based outside the EU, are starting to wake up to the fact that they need to become GDPR compliant if they operate in Europe. It is not a small task and Silwood Technology believes that Safyr is a tool that can help companies move towards compliance. Porter outlined three steps that organisations need to consider on that journey:
- Decide what categories of personal data you need to consider.
- Find out where this personal data is by using discovery automation software (Safyr) – don’t forget any of the custom fields you have added to your SAP system(s).
- Transfer this catalogue of personal data fields to an environment where you can analyse the data content, assign governance responsibility, etc. This might be a repository or data catalogue from vendors such as ASG, Adaptive, Collibra or Alation.
