ERP and GDPR
We are now within a year of the General Data Protection Regulation [GDPR] coming into legal effect—25 May 2018. It has been expected and prepared for by those enterprises and state organisations that are directly affected and conscious of it, those as it were specialising in personal data. Financial services, online retailers and service providers, government agencies, health services and even recruitment agencies are professionally aware of the new levels of compliance required. Most are still working on GDPR compliance requirements and finding hidden complications and complexity. But their compliance projects are largely well under way.
Unfortunately, the imminent impact of GDPR has been ignored or put aside by the general body of businesses. All too many managements and boards of directors have been blissfully unaware of the fact that they will be obliged to comply. Others simply thought, or indeed still think, that there is plenty of time to prepare. Even in SMEs, that is not necessarily true.
One of the significant problems that is not generally understood in business is that there is already a shortage of expertise in this entire area. Regulatory compliance management is a function in those larger organisations, typically financial services, but is rare outside of that. Compliance in personal data protection is more specialised.
A related factor is that the consultants, very much including IT service providers, which have expertise in GDPR implementation and related areas are coming under increasing market pressure. If your enterprise has not sought expert assistance by now it will be more difficult to find—and the leading firms may not be available.
Our interest in this is because ERP and CRM are technology first cousins, we know our way around all aspects of such systems and they are often the most common personal data repositories in our client organisations. But it must be emphasised that GDPR compliance is in essence not an IT or software project. GDPR is essentially a legal business regime, a governance and management matter to do with policy, business processes and rules. It advances the EU protection of personal information that has been around for over two decades.
The GDPR makes it somewhat stricter but has two key components that make it a very serious issue:
- Administrative fines, imposed by the national data protection authorities, can be very severe. Notoriously, at this stage, they can go up to 2% of global turnover and a maximum of €20 million.
- Those fines can be imposed not for data breaches but for non-compliance. Any organisation has to be able to prove that it is compliant.
In practice, that may well mean proving that it has made every effort and is adhering to Best Practice. But we don’t know yet and there will of course no case law from appeals to the courts until the GDPR regime is in full operation for some time.
But we do know that compliance with GDPR will be almost entirely dependent on IT systems, from apps and corporate applications like CRM and ERP to data storage to cloud to geographic and national legal boundaries. It will specifically involve smart data management and transparent processes.
One key requirement that will help to make the potential difficulties clear is that the organisation has to identify every single instance of a data store, from giant corporate databases to a small folder, that contains personal information. That may be on-premise, in the cloud, on back-up media including old tape, on employee devices or perhaps in the data stores of partners or agents employed for projects such as direct marketing campaigns.
Then when a former customer exerts the right to be erased from your records, as the GDPR provides, you will be able to certify that every single trace has been identified and wiped. Or will you?
This blog post was written by Sean Jackson, Principal Consultant at Lumenia Consulting. If you would like further information on ERP & GDPR or any aspect of ERP Strategy, Selection or Implementation, please send an e-mail to Sean Jackson.