Finding Personal Data in an SAP system for GDPR compliance
Introduction to the GDPR challenge
Working out which Tables store personal data that needs to be reviewed for the General Data Protection Regulation (GDPR) is a challenge in any environment, but particularly so where the system is one or more of the big Application Packages. Typically these are systems from SAP, Oracle, Salesforce and Microsoft.
The following example describes how to use our tool Safyr® to ‘scope’ the potential tables that store ‘relevant’ personal data in an SAP system. In this case we are looking for tables which store ‘License plate’ information. However, the process would work for any data which comes under the general definition of Personal Data. (Article 4 – Definitions, Section 1 of the Regulations defines the scope of data covered).
Of course, most SAP systems have been customised, so rather than providing a reference model, Safyr extracts metadata from the application as implemented, including customisations, which makes it more effective and useful.
Worked Example: finding personal data in SAP
We can do a search for definitions of ‘License Plate’ in what Safyr calls a Data Element. A Data Element is a definition of a field, independent of its place in a table.
This gives us a number of hits. As we click each one, the description on the right explains what the data element is for. In this case it is “…the license plate number of the employee’s company car”, which sounds like something we should consider for GDPR.
For each match, we can see which Tables ‘use’ this Data Element –
…and this gives:
Now we can add these to what Safyr calls a ‘Subject Area’ – this is like a folder where we can group tables we want to remember:
We could do this for the other Data Elements until we had assembled a list of all the Tables with a ‘License Plate Number’.
We can now review these tables in more detail:
Notice the Row Count – this is the number of Rows in each table. It may not be necessary to consider Tables that contain no data for our GDPR exercise! If that is the case, it is easy to remove them, and the results are then:
So there are only 3 tables containing data (in our SAP system – customer systems will have a lot more data) that have a License Plate Number field. The results can be shared with other tools and technology solutions used to deliver GDPR compliance.
This whole exercise has taken about 5 minutes. We could do something similar for Bank Details, Credit Card Numbers and so on, and we’d then have a very good handle on those tables that contain the kind of data we need to think about for GDPR.
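The same scoping steps can be traced by hand against the ABAP Dictionary, where DD04T holds data element descriptions and DD03L maps table fields to data elements. The following is an added example, not Safyr's code or part of the original article; the two dictionary tables are reduced to the columns used, and every row, the ZDEMO_* names and the ROWCOUNTS table are constructed for illustration.

```python
import sqlite3

def build_demo_dictionary():
    """In-memory stand-in for the dictionary tables; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE DD04T (ROLLNAME TEXT, DDLANGUAGE TEXT, DDTEXT TEXT);
        CREATE TABLE DD03L (TABNAME TEXT, FIELDNAME TEXT, ROLLNAME TEXT);
        CREATE TABLE ROWCOUNTS (TABNAME TEXT PRIMARY KEY, NUM_ROWS INTEGER);
    """)
    db.executemany("INSERT INTO DD04T VALUES (?,?,?)", [
        ("ZDEMO_PLATE", "E", "License plate number of company car"),
        ("ZDEMO_PLATE", "D", "Kfz-Kennzeichen"),
        ("ZDEMO_PLANT", "E", "Plant code"),
    ])
    db.executemany("INSERT INTO DD03L VALUES (?,?,?)", [
        ("ZDEMO_CAR", "PLATE", "ZDEMO_PLATE"),
        ("ZDEMO_FLEET", "REGNO", "ZDEMO_PLATE"),
        ("ZDEMO_ARCH", "PLATE", "ZDEMO_PLATE"),
        ("ZDEMO_SITE", "PLANT", "ZDEMO_PLANT"),
    ])
    # Hypothetical row-count table; ZDEMO_ARCH has no entry and counts as empty.
    db.executemany("INSERT INTO ROWCOUNTS VALUES (?,?)", [
        ("ZDEMO_CAR", 1200), ("ZDEMO_FLEET", 0), ("ZDEMO_SITE", 15),
    ])
    return db

def scope_tables(db, term, language="E", include_empty=False):
    """Return (table, field, data element, rows) for every field whose data
    element description contains `term` (case-insensitive for ASCII)."""
    # Escape LIKE wildcards so the search term is matched literally.
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = """
        SELECT f.TABNAME, f.FIELDNAME, f.ROLLNAME, COALESCE(r.NUM_ROWS, 0)
        FROM DD04T t
        JOIN DD03L f ON f.ROLLNAME = t.ROLLNAME
        LEFT JOIN ROWCOUNTS r ON r.TABNAME = f.TABNAME
        WHERE t.DDLANGUAGE = ? AND t.DDTEXT LIKE ? ESCAPE '\\'
          AND (? OR COALESCE(r.NUM_ROWS, 0) > 0)
        ORDER BY f.TABNAME, f.FIELDNAME
    """
    return db.execute(sql, (language, "%" + esc + "%", include_empty)).fetchall()

if __name__ == "__main__":
    demo = build_demo_dictionary()
    for row in scope_tables(demo, "license plate"):
        print(row)
```

Fields named PLATE and REGNO are both found because the match is on the data element, not the field name, which is why the walkthrough searches data elements first.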
If you would like to learn how Safyr works for yourself, you can download a free trial version here.