Five ERP data requirements affected by GDPR legislation
As many of you know, the EU released its new General Data Protection Regulation (GDPR) in May of this year. The new regulation is the result of four years' work aimed at establishing a new standard of data protection and personal privacy, but the differences between how corporate and private data users are treated may create some challenges.
While the 2018 GDPR is being touted as an enhanced data protection paradigm, ERP operators may face some bumps along the road, since the impending regulations may change which data-sets remain confidential while others that were previously private become subject to disclosure. We don’t have enough space to catalog every change that may, or may not, have affected ERP data operations, so we highlight below five major data types that have been affected.
The big five:
1. Personal information: according to Articles 17 and 18 of the GDPR, personal data receives additional protection when it is processed by automated means. In the case of ERP, then, it is assumed that any digital exchange from company to company, or between a customer and a commercial platform, including an ERP system, will be largely confidential.
2. Commercial platform security: GDPR requires companies to implement reasonable data protection measures to guard privacy against loss or exposure, as stipulated in Articles 23 and 30. This means that the ERP side of any peer-to-peer relationship, such as that between a customer and a commercial platform, will be subject to additional internal security requirements.
3. Breach announcement: in the past, major data breaches were largely handled internally, and any internal system recoveries or payments of financial compensation to affected users were treated as matters of corporate confidentiality. However, the new GDPR’s Article 31 calls for a public announcement of a data breach within 72 hours of an incident. This announcement must follow a formalized format, including specific details of the breach’s type and characteristics, along with an estimated number of impacted individual data subjects. In the GDPR’s supporting Article 32, the regulation will also require data managers to notify potential breach subjects that their individual rights and freedoms may be at risk.
4. Specific data representative: under Article 35 of the GDPR, the regulation mandates that companies appoint a ‘data protection officer’. This individual will be responsible for the management and supervision of any data that reveals a person’s “genetic data, health, racial or ethnic origin, religious beliefs”, etc. ‘Data protection officers’ will formally advise on GDPR compliance at the enterprise level. This individual will also act as the central point of contact between a company and a governmental Supervising Authority (SA). It is expected that some companies, such as ERP operators, may be subject to GDPR requirements simply because they collect personal information during the human resources process.
5. Universal assessment and risk analysis: under GDPR (Articles 33 and 33a), ERP-based companies are mandated to perform initial and recurring ‘Data Protection Impact Assessments’ that establish the digital risks associated with any threat to company or consumer data. It is assumed that should a risk emerge, the company will execute a corresponding remedial response. Given the pervasive nature of enterprise ERP, a risk analysis and assessment must be carried out immediately and extend throughout the system’s data environment.
ERP operators should ensure their compliance is in order, since the new rules not only stipulate a host of specific changes but also carry significant penalties.