Addressing GDPR/CCPA “Right to be Forgotten” in SAP using Soft Deletion
Article 17 of the GDPR requires organizations to delete a customer’s data upon request in certain circumstances. GDPR is fairly straightforward about this and obligates organizations to apply the “Right to be Forgotten” (“RTBF”). However, this requirement conflicts with retention laws, which require organizations to keep customer data for 7-10 years, and with other cases such as Big Data environments in which data cannot be deleted.
SAP addresses the RTBF requirement by flagging the customer record and hiding it from all application user interfaces. This process fits the GDPR/CCPA requirement, making the SAP application adhere to the purpose of the regulation. On the other hand, the downstream applications, data warehouses and Big Data environments that were previously copying customer data did not include deletion capabilities. As a result, users of those systems can still see customers who have already asked to be forgotten or revoked their processing consent.
How can SAP Soft Deletion be extended and applied across all other applications and Big Data environments?
The SAP Soft Deletion capability serves the RTBF requirement throughout the retention period (7-10 years during which customer data cannot be hard-deleted) and afterwards.
During the long retention period, the data is continuously propagated to all other systems and environments.
The only way to “delete” old customers’ data across all environments is to apply Soft Deletion, while addressing the GDPR/CCPA requirements for “Restriction of processing” and access on a “need-to-know basis”.
SecuPi provides a quick, simple and effective approach to applying both “Soft Deletion” and “Hard Deletion” to SAP, home-grown and custom applications, and Big Data and DBA tools, whether on-prem or in the cloud. SecuPi application overlays are implemented on every one of these domains within days and with no code changes or database configurations.
Disclaimer: SecuPi does NOT apply Soft or Hard Deletion on SAP R3 systems, but does apply it on all non-SAP R3 applications.