SAP SuccessFactors has been updated with features to help companies comply with new privacy laws. The announcement was made at the beginning of the UNLEASH conference in London. The changes will assist companies with the upcoming GDPR legislation, due to come into force across the EU on May 25th. They will also help companies adhering to recent changes in Australian and Chinese privacy law.
SAP SuccessFactors President Greg Tomb commented: “We’re committed to helping customers adhere to data protection and privacy regulations, and protect the confidentiality, integrity and availability of their data in our highly regulated world. We’ve addressed previous regulations by standing up data center operations in countries like Russia and Brazil.
“With GDPR now on the horizon, we’re supporting customers in their compliance journey by providing tools that not only help them comply with these laws, and thereby avoid losses and exposure to fines, but also improve governance. Most important, we are helping organizations create value by earning and sustaining trust with employees and candidates.”
The key advantage for cloud-based solutions such as SuccessFactors is that the update can be rolled out far faster than traditional on-premises solutions.
What has SAP included for GDPR
SAP highlighted four areas with additional or enhanced functionality. These can apply to any personal data stored within SAP SuccessFactors. SAP define personal data in their press release as “data that can be used to identify a natural person – this could be an employee, a candidate, an external learner, or a customer.”
This is important to understand as companies often consider only customer data as relevant. Employees also have rights under the new regulation. Although the company is entitled to hold the data it requires to carry out its obligations, employees now have far more rights than before.
Organisations require consent to hold personal data. This feature allows an organisation to introduce workflows that collect and record consent on data it holds. This starts at the recruitment stage. If necessary the system will require consent to be given by the candidate before a process continues.
This new functionality allows an organization to designate a single role as having access to historical personal data, while blocking it from other users. This feature does not appear very granular in nature and some organisations may find it restrictive. It appears to be all or nothing. The example given is: “an HR service center employee fielding questions from employees may only need to see employee data going back one year, whereas an HR system administrator may need to see all history on the employee.”
Data subject info reporting
Under GDPR, companies can no longer charge for Subject Access Requests. The timescales for producing the data have also been shortened. It is a month rather than 40 days. The new feature allows the HR administrator to generate a single report containing all relevant data across the SAP SuccessFactors solution. This will not, however, extend beyond the SuccessFactors solution. Companies with add-on solutions may need to consider how they address that issue.
Purging data is now even more important. Organisations should no longer seek to store data longer than they require for operational purposes or to meet compliance requirements. SAP SuccessFactors now allows organisations to define location-specific data retention parameters and for the system to permanently delete data once those parameters are met. Again, there is little detail around any specific granularity to this feature and the devil may be in the detail.
The full list of functionality available in version 1708 is available here. It includes information pertaining to the SAP role as data processor. It also defines personal data types as including:
- Personal details
- Bank account data and credit or debit card data
- HR data
- Qualification and education details
- Salary and Social Security data
- System access
- Authorization data
What does this mean
GDPR is fast approaching. Software companies whose products may hold private information need to implement such features as these soon. There are still some organisations that fall well short of what will be required come May 25th. Many of these SAP SuccessFactors features have been available since October 2017 in release 1708. What isn’t clear is which of the enhancements (if any) SAP is announcing. For example, in the 1708 release organisations were expected to write their own queries to extract personal data. This press release implies a single report is already available to extract all data.
In making this announcement at UNLEASH, SAP are highlighting the functionality they now have. They are not the only software company to do so. Workday has been talking GDPR for nearly a year and IFS, an ERP vendor with an HCM module, launched their feature set in February. For on-premises solutions such as SAP ERP there is a larger issue, especially where organisations have introduced bespoke development. There are other solutions out there such as Safyr. It looks at the metadata within the database to highlight the impact of GDPR and help organisations through the process of rectification.
There are others who have yet to make an announcement. It should also be said that until the deadline is passed and the first subject access requests are issued, organisations will not know the full extent of the problem. While SAP is not early to the table with this announcement, they are not late. However, companies, both inside and outside the EU, will need to make sure that they enable the new features to meet their obligations in May.