GDPR is almost here! On 25 May 2018 the GDPR will become enforceable by law, and companies not abiding by the new regulations will be fined. But what is the reason for GDPR? GDPR will give users more control over their data and will ensure that companies do their utmost to protect data privacy.
For whom does this apply?
- GDPR applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location;
- GDPR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU;
- GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU;
For the use of personal data, companies are required to request the user's consent. This consent request may not contain unclear terms or long legalese. The request must be clear, in plain language and provided in such a manner that users understand what they are consenting to.
The user has the right to know what data is stored about him/her. The company is required to provide this information.
If the user so wishes, data that is no longer relevant has to be erased from the system. The user can also withdraw his consent; in that case the data stored in the system must be purged.
Sensitive data stored in the system about a user must be protected in such a way that the privacy of the user is ensured at all times.
How SAP SuccessFactors assists in GDPR compliance
With the consent form feature you can set up a form that will be presented to the user when logging on to the system. This form must be signed or access to the system will not be permitted.
For all standard fields in EC the mask flag can be set. Once this is done the data will be shown as asterisks in the system. A "show" option to view the value is available for those who have been granted rights to the masked field.
In the system you can set up retention times for all objects containing personal information of your users. These retention times can be set up per country with one setting for active users and one for inactive users.
For each object for which you have set up retention times in the system, you need to create a purge job. This job can be scheduled. When the job is run, an approval request will be sent to the approver. This user will have to review the data to be purged, and once it is approved, the data is purged from the system.
When a user asks what data is stored in the system, the information report can supply that user with an overview of this data. The system automatically collects all objects which could contain sensitive data. A one-time configuration is needed to set the fields you want to be available in the report. After the initial configuration the report can be run for any user, candidate or onboarding user in the system.
Historical data should be purged once the required retention time has passed. In some cases you might be required to store it longer, but you don't want to give unnecessary access to users. To solve this problem SuccessFactors offers the Data blocking feature. This lets you determine how long individual roles will be able to access the data.
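The retention, approved purge and data blocking behaviour described above can be modelled to show how the pieces fit together. The following is an added illustration, not SuccessFactors code and not its API: the country retention values, the role access windows and the sample records are all constructed, and the names (Record, PurgeJob, can_access) are hypothetical. It shows per-country retention for active and inactive users, a purge job that refuses to run until an approver has reviewed exactly the records to be purged, and a role-based access window that blocks a role from historical data even while the data is still stored.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: retention in days per country, one value for active
# and one for inactive users (the real values are a policy decision).
RETENTION_DAYS = {
    "DE": {"active": 365 * 10, "inactive": 365 * 3},
    "NL": {"active": 365 * 7, "inactive": 365 * 2},
}

# Constructed sample for data blocking: how many days after the data became
# historical each role may still access it. Roles not listed get no access.
ROLE_ACCESS_DAYS = {"hr_admin": 365 * 5, "manager": 365}

TODAY = date(2018, 5, 25)  # GDPR enforcement date, used as "now" in the sample


@dataclass
class Record:
    object_type: str
    user_id: str
    country: str
    status: str          # "active" or "inactive"
    historical_since: date  # e.g. leaving date for an inactive user
    purged: bool = False


def purge_due_date(rec: Record) -> date:
    """Date from which the record has exceeded its retention time."""
    days = RETENTION_DAYS[rec.country][rec.status]
    return rec.historical_since + timedelta(days=days)


def eligible_for_purge(records, today: date):
    """Records whose retention time has passed and that are not yet purged."""
    return [r for r in records if not r.purged and purge_due_date(r) <= today]


class PurgeJob:
    """A purge job: collects candidates, waits for approval, then purges."""

    def __init__(self, candidates):
        self.candidates = list(candidates)
        self.approved = False

    def approve(self, reviewed_user_ids):
        # The approver must have reviewed exactly the set that will be purged;
        # a partial or stale review does not count as approval.
        expected = {r.user_id for r in self.candidates}
        if set(reviewed_user_ids) != expected:
            raise ValueError("reviewed set does not match purge candidates")
        self.approved = True

    def run(self) -> int:
        if not self.approved:
            raise PermissionError("purge job has not been approved")
        for r in self.candidates:
            r.purged = True
        return len(self.candidates)


def can_access(rec: Record, role: str, today: date) -> bool:
    """Data blocking: a role sees historical data only inside its window."""
    if rec.purged:
        return False
    window = ROLE_ACCESS_DAYS.get(role, 0)
    return today <= rec.historical_since + timedelta(days=window)


def sample_records():
    # Constructed sample data; fresh objects each call so tests do not share state.
    return [
        Record("EmpJob", "u1", "DE", "inactive", date(2015, 1, 1)),
        Record("EmpJob", "u2", "NL", "active", date(2015, 1, 1)),
        Record("EmpJob", "u3", "NL", "inactive", date(2017, 1, 1)),
    ]


if __name__ == "__main__":
    recs = sample_records()
    job = PurgeJob(eligible_for_purge(recs, TODAY))
    print("to be purged:", [r.user_id for r in job.candidates])
    job.approve([r.user_id for r in job.candidates])
    print("purged:", job.run())
    for role in ("hr_admin", "manager"):
        print(role, "can see u3:", can_access(recs[2], role, TODAY))
```

The check in approve() is the important design choice: approval is tied to the exact candidate set, so a job whose candidate list changed after review (for example because a retention setting was edited) cannot be run on the strength of the earlier approval.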
For more information please contact firstname.lastname@example.org