Blogs • 12 Mar 2018

GDPR is here for you

Disclaimer. This post is not legal advice. We’re not lawyers. But we know how to handle the General Data Protection Regulation. We know how to implement the GDPR by design.

What you already know

You’ve definitely already read a lot about GDPR. If you haven’t, you should pick up your game quickly, since the General Data Protection Regulation is coming into effect on 25 May. 2018, that is. We’ve been looking into it for months already and helped some of our clients to get their business compliant. So we know a thing or two about this law, the regulation and the pitfalls. And why this GDPR is a good thing.

Yes, it’s a good thing, this whole exercise. Actually, it’s not an exercise. It’s more like a game changer. A behavioral change. You’ll notice, it will be hard to change the entire system. The complete ecosystem of your business will be impacted. We never said it’s easy and it never will be. No, not easy. But nevertheless, it’s a good thing.
It’s a lifestyle change for your business. From junk food to whole foods. From quick wins to sustainability.

Why the GDPR is good for your business

The GDPR brings all EU regulations concerning data privacy to the same level. No investments in compliance for different countries, no extra lawyers or law firms on your payroll. Fewer costs, which means more profit. The easiest equation in business, right?

GDPR - privacy regulations vs economic benefitsThe cost of different privacy regulations versus the economic benefits of having one law.

The whole GDPR is a matter of trust. A lot of people still distrust online business. In a 2016 study performed by the American government, researchers found that 84% of the respondents had concerns about online shopping.

One of the solutions, says Alex Birkett from Conversion XL, is the use of trust symbols.
GDPR is a trust symbol.

“A lack of trust in old data protection rules held back the digital economy and quite possibly your business.”

What this article is about

This article has three topics:

Very clear steps to follow

When you read the full GDPR text, you will probably have to read it again. And again. Talk to people about it. Call your law firm.

At least that’s what we did. Reading, listening, discussing and getting advice.
And now we summarized this into a few steps that are the bare necessity to get your business started to comply with the GDPR.

Step 1: appoint one person as responsible

Whatever the size of your firm, you need someone who cares about the whole GDPR process. Someone who helps you to get all regulation in place. Someone who cares about other people taking their responsibility.

So our first step will always be to help you appoint this data protection officer. Because it clarifies responsibilities.

You’re next move: appoint this DPO!

We know not all businesses are being obliged to get a DPO. But it’s better to dedicate someone to this task. Maybe not fulltime, maybe the time spent on DPO duty will decline over time, but anyhow: find someone in your organization (or on consultancy basis) who follows the complete process.

Step 2: demonstrate you have a decent plan to get compliant

Even since you have to be compliant on 25 May 2018, it probably won’t be all in place by then. That doesn’t need to be a problem, as long you can show a plan and a strategy for the data you’re processing.

This plan should contain a roadmap where you’re going, but also a rigorous study. This study should contain all types of personal data that pass through your company, who has access to this and what needs to change to be compliant with GDPR.

GDPR compliancy is not only about technology: it’s mostly about documentation, planning and authorization. As always, the technical part is the easiest part. The behavioral chance of your employees, suppliers and all persons that have access to this data will have the biggest impact.

Step 3: make all systems GDPR compliant.

It’s like learning to swim.

  1. Go to the pool
  2. Put on your swim trunks
  3. Swim

Of course, this isn't an easy step.

But changing the system and procedures is far more easy than changing people and the way people work. The whole GDPR is mostly about a change in attitude and daily routine.

We’re talking about all systems, so it’s not only a matter of getting your IT department to do (extra) work. Also, your non-IT systems and procedures have to comply.

Documentation will be key, the attitude towards personal data will have to follow.

So here we go:

  • list all your data and who has access to it
  • list all current procedures and see where they match GDPR
  • list all your systems and what data is processed there
  • put everything into a matrix
  • see what should change, why it should change and where it has an impact
  • change it

For this step, having both a reliable IT partner and a seasoned legal partner is key. You should focus on your business and all its processes, your partners can help to get the compliance right.

As an extra idea, it will be useful to have someone in your company who can explain all new regulations and changes in procedures to your staff. Here also, a dedicated DPO will come in handy.

The hard part of GDPR

Where the whole GDPR will be a lot of work, the real work lies in a very dark corner. And you will neglect it as long as possible.

Different systems and different databases

Aligning one system with the new regulations won’t be easy. Let alone different systems, with partially the same data and different structures.  Mapping this data will be very hard.

Anonymization of the complete chain

Of course, you’ll need data to make your business spin. Of course, this data is subject to the GDPR. And that means you have to be able to anonymize and pseudonymize the data. At least for certain roles within the organization.

In certain cases, salespeople won’t be allowed to see the personal data from customers where the accountancy and legal department have more rights. Marketing has nothing to do with a client’s invoice and the receptionist shouldn’t be able to see who’s a defaulter.

Open up data for the perusal of your clients and suppliers

People have the right to access all of their data your company has. Not just their name and email address, but all data. Also every kind of categorization or profiling you use in your day-to-day business.

Making this data access very easy will build a lot of trusts. It’ll show the data subject that you’re being transparent on the matter of data.

Most important pitfalls summarized

To not overwhelm you with pitfalls, we picked only three. Of course, there are more. And it will be hard. But if you miss or forget about the following three steps, becoming GDPR compliant will be completely impossible.

  1. Map out your change management and create a change management plan.
    Make a plan for all the work, define what needs to be changed and work the plan. Even small steps will get you where you’re heading.
  2. A tool is never the solution. it’s about the whole journey.
    Make sure you have good partners who can help you with your plan. This means people who are tried and tested in all legal aspects, people who know how to get your policies right and understandable and a seasoned IT partner. Buying a new tool will not solve any of the issues by itself.
  3. Authorization: define who are authorized to see specific data.
    Make sure you’re able to decide who can see which data. Make sure this works easy. Because you will definitely get 
    “a letter from hell”.

What if you have an SAP system

SAP has the advantage of being a standardized system that can be altered along the way.

As a consequence, there are different solutions available in the market that can help you achieve GDPR compliancy in your SAP environment. At Amista we have looked at a couple of them and we found that the solution of SAP itself is a very good one. The solution is SAP Information Lifecycle Management”, SAP ILM in short.

SAP ILM is a business function that is available for all standard NetWeaver based SAP systems. It brings additional security and authorization roles to traditional SAP Business Suite but also in the latest releases of SAP like S/4HANA. This helps you to gain complete access to and control over the information you have in your system and in your business. It is a very powerful solution that provides access control for every piece of information, with the implementation of “simplified blocking and deletion of personal data”.

With SAP ILM Retention Management, you can control the lifetime that you keep personal information in your systems, related to retention and blocking periods, before removal or archiving is started.

The best thing about this information lifecycle management doesn’t require additional system or hardware since it is integrated into your existing system.

As explained earlier, a tool is not the only thing you need. You also need a trusted IT partner who has experience with data privacy and who can guide you throughout that process.

If you want to know more about Amista’s methodology for GDPR compliancy with SAP ILM contact us at