
Speedy GDPR-compliance in three waves of data

From a legal perspective, it is crucial that unnecessary data is deleted – and from a business perspective, it is crucial that it is deleted in the correct order. Based on process and data analysis, NNIT is helping a company to set up a rule-based deletion process in a comprehensive and complex SAP solution. The project is agile, and it is giving fast results.

NNIT is helping a major Danish company to implement an SAP Information Lifecycle Management (SAP ILM) solution that trawls through the company's SAP system and uses rule-based deletion to delete all the non-consented and non-permissible data in the system. The stricter GDPR legislation as of May 25, 2018 means that the company, as with all other companies in the EU, must be able to demonstrate that it manages personally identifiable information in a responsible manner.

Automated and rule-based
The fact that SAP ILM is rule-based means that it is possible to analyze the data set based on its own defined regulations, for example the Accounting Act. It can then automatically delete data that is no longer authorized according to the selected rules.

– SAP ILM also allows us to incorporate a blocking solution that differentiates between who is allowed access to which data and when. It continuously blocks access to data, so only the relevant employees have access at any given time, explains Rasmus Jakobsen, Manager of Enterprise Information Management, SAP Solutions at NNIT.

Cost-effective deletion routines
However, the ILM solution does not stand alone. This specific SAP system has been around for 20 years, and older SAP solutions often contain features that are no longer in use, but which still contain personal data. Here it does not make sense to set up rules in SAP ILM and run them once, as it will typically be necessary to delete entire tables or functions. Instead, NNIT has helped the company implement a series of deletion routines that result in a deletion report, which can be reviewed and approved by a decision maker.

– Of course, it is crucial that data is deleted in the correct order so that it does not destroy essential information or functionality elsewhere in the system, emphasizes Rasmus Jakobsen.

High data and system complexity
The company holds massive amounts of personally identifiable data including health, assets, insurance, identification numbers, and employee contracts. This data must now be cleaned up so that the company complies with GDPR. However, mapping and deleting such amounts of data is no easy task.

– There is no doubt that the level of data complexity here is very high. In this company, employees are not just employees, but also customers. There is a great deal of interlinked data, some of which is relevant to some parts of the customer relationship, but not to others. At the same time, the 20-year-old SAP solution has been continuously upgraded and changed, and in many places there are old functions no longer in use that contain data, explains Rasmus Jakobsen.

Agile data cleaning in three waves
As the GDPR deadline approaches, NNIT and the client organization have chosen to complete the project in three waves. By May 25, 2018, the first wave will be over, and the first major clean-up will be completed.
After that, NNIT will initiate an ongoing, rule-based data cleaning process.
– The entire project has been developed using the Scaled Agile Framework® (SAFe), similar to SCRUM. This means that the project does not define in advance exactly what to delete and when. Instead, we aim for continuous learning. In a comprehensive compliance project like this, it is only natural that we will learn from good routines, as well as face changes in scope. The project, of course, must be able to take this into account, explains Rasmus Jakobsen.

The choice of NNIT was largely due to its agile project management, the three waves, and a high level of confidence in NNIT’s ability to deliver within scope and on time.

Are your system solutions GDPR-ready?

The vast majority of organizations are well into the process of conducting data analysis with the regulatory framework of GDPR in mind. But does your organization also have a good system solution ready and waiting? Contact Rasmus Jakobsen, Manager of SAP Enterprise Information Management at NNIT, to learn more about how to implement good deletion routines in an agile project.

Rasmus Jakobsen, Manager of SAP Enterprise Information Management at NNIT, or +45 3077 8563





