GDPR and ERP
Data collection
All modern companies generate and collect data, mainly through their various IT systems, not least the ERP system. Collecting, storing and being able to access this data has become essential for companies when they, for example, develop new products and services or identify business strategies for the future. Now that the EU has introduced its new data protection regulation, the General Data Protection Regulation (GDPR), which governs personal data and how companies process it, it has become extremely important for companies to know how this data is processed.
Prepare your ERP system for GDPR
GDPR aims to change the way many companies do business, including those who sell and use ERP systems in the EU and operate within the EU. In short, the purpose of the GDPR is to keep pace with digital development and the new reality in which data is recorded and used everywhere, and to protect the privacy of individual citizens' personal data.
The purpose of the data regulation
In short, the main purpose of GDPR is data protection. At a time when companies have become better at collecting and utilizing data, and the EU's population is increasingly involved in the various online networks from which a large part of this data is collected, the EU has felt obliged to ensure that citizens know precisely when and how their data is exposed. In addition to giving users a better understanding of when and how their data is used, the regulation also aims to make companies' data processing more transparent, making visible how citizens' data is collected and processed.
There are a number of questions companies should ask themselves. These include:
- How and when will the personal data be collected?
- Where is the data stored?
- Why is it necessary for the company to store the data?
- How is it secured?
- How can a request for deletion of data be submitted?
- How can an individual's request to have their personal data handed over be answered?
- How can data be deleted if requested to do so?
All companies should therefore look at how the GDPR Regulation affects them and their IT systems and infrastructure. Here are a number of suggestions on how GDPR will affect your ERP system.
1. Make your customers' data visible
Your customers may require that you remove their personal data from your system. In that case it is important that this data is both available and accessible. Compliance with the GDPR Regulation will therefore require better visibility and availability of customer data within the ERP system, so that all of it can easily be found and removed whenever requested. However, in often complex ERP systems, it can be a challenge to identify where all the sensitive data is located.
2. Better understanding of the dataflow in your business
As a company and user of an ERP system, it is also important to have a clear understanding of the system's dataflow. How does your customers' data move through the system, and where is it stored? The company should therefore have control over how personal information is handled and revised, and implement policies designed to preserve the privacy of its customers.
3. Customize your data management processes
In addition to mapping the dataflow both within and outside the ERP system, companies should also adjust their data handling processes so that the ERP system complies with the requirements of GDPR. For the best possible and most appropriate handling of the recorded data, each company should therefore implement and apply standardized processes for handling, for example, the data subject's right to access their data, the right to rectification and the right to deletion. That way you minimize the risk of data breaches and of failing to comply with the regulation, while at the same time acting responsibly as a company.
4. Better data protection
Part of the new regulation requires companies that store data on EU citizens to secure their data archives completely. Failing to comply with the new rules and to secure the data, and thus the privacy of the users, is severely punished, with fines of up to 4 percent of the company's worldwide turnover.
The data that the ERP system must protect under GDPR ranges from basic identity information such as names, addresses and ID numbers, to web-related data such as location information, IP addresses, cookie data and RFID tags, and also includes sensitive personal information about everything from the individual's health, genetic and biometric data to racial or ethnic origin, political beliefs and sexual orientation.
5. Greater importance for the ERP system
The introduction of GDPR will probably increase the demand for ERP systems that can handle the large amounts of data safely and efficiently.
In an ERP system, data is stored in a single location, which makes it easier to handle customer requests regarding their data. GDPR can therefore increase the focus on ERP, as the regulation pushes companies to streamline their IT infrastructure, not least by reducing the number of software applications that are used to run the company's daily operations.
Centralized system
The new requirements introduced as part of GDPR can be a lot to take on for some companies, but the cost of failing to live up to them can be substantial. Although locating and deleting personal data in an ERP system is not necessarily as straightforward as one could wish, an ERP system can be a great help and resource, as it is easier to handle sensitive personal data in a centralized system than when the data is scattered across several different systems.