Data Privacy has always been important and is a key business enabler for Companies to gain public trust and to ensure continued business with their Business Partners. With the information age and vast amount of data being digitized, many Geographies have introduced legislations (GDPR, CCSL etc.) to help protect Data of their Citizens by ensuring that business complete data is deleted, and Customer Data stored in the system is transparent and processed in a legally compliant manner
In this blog post I would like to share a key problem faced by Customers to realize data privacy compliance in modern IT Landscapes and how the Data Privacy Integration service can help support here
As an end user or in data privacy terms a “data subject”, I would want to know what personal data is stored about me and why. This is usually simpler said than done.
Modern business platforms are composed of multiple applications and microservices with user personal data being transferred across them to fulfill the business needs.
Even if applications can export the data on request, it is not transparent to the user why is there so many copies of their data across many landscapes and for what purpose
By managing the purpose (Business Context) information for the user centrally Data Privacy Integration can help resolve some of the challenges. Below we will have an overview of the service and how it can be used to help with our problem statement
Overview of Data Privacy Integration
Data Privacy Integration (DPI) is a service that supports applications realize their data privacy functions i.e Business Purpose Management ( Ensure Data is processed in a compliant manner based on valid Business Purpose ), Data Deletion and Retrieval of personal data. Applications that are part of an end to end business process can integrate with DPI to provide a centralized management of data privacy
Consider the example sales scenario below where customer data is processed as part of several applications
Data Privacy Integration manages the purpose centrally for the user (Data Subject) so that applications can evaluate the purpose based on their need to store or transfer personal data. In the scenario above, the customer data is shared to a marketing or CRM system to trigger marketing campaigns
The applications in such an end to end scenario can associate its personal data with the business purpose information. In the above case, the marketing campaign data and sales data is associated to central purpose for the user.
This allows the retrieval of purpose data and associated personal data for reporting needs
On completion of Business or “End of Purpose” the data can be marked for deletion based on configured retention rules
The following steps need to be performed to consume Data Privacy Integration service:
- The Application would need to add entitlement for Data Privacy Integration service to their Global Account
- Implement the necessary endpoint for Information Retrieval and Deletion
- Create a service Instance of Data Privacy Integration with the necessary Configuration data (Refer help document below for more information)
Data Privacy Integration is available on the Cloud Platform as a CPEA offering.
If you build your Business Applications or extensions to SAP applications on the Cloud Foundry or Kyma Runtime in the cloud platform you can consume our service.
The service is also planned to provide integration with existing SAP applications so that you could provide transparent and end to end data privacy functions for your users