Personal Data Protection Compliance Made Easy

Much like the Protection of Personal Information Act (POPIA), which became fully operational on 1 July 2021 and substantially impacts the recording and disclosure of personal information, the General Data Protection Regulation (GDPR) is a European Union (EU) law that gives consumers greater protection and control of their personal data.

Being a global system, SAP Business One has been GDPR compliant since 2018. The same GDPR system compliance processes are relevant to POPIA in South Africa, which is great news for local customers.

Compliance in four easy steps

Andre Adendorff, Director of Presales at Seidor Africa, says there are four easy ways in which SAP Business One makes compliance with POPIA easier for organisations that may be feeling the heat when it comes to POPIA readiness.

1.  With SAP Business One, organisations can easily determine and discover which data held in the system is personal, through the identification of natural persons.

Natural persons are real human beings, as distinguished from entities like corporations. Sensitive personal data for natural persons is encrypted by default and accessible to authorised users only.

“Once Personal Data Protection is enabled, the system has easy built-in tools to enable users to find personal information,” says Adendorff. “It allows users to identify natural persons and once that has been done, personal data is flagged. In the instance where there’s a request or an inquiry about personal data, a standard report is produced, describing what kind of data is being held, and automatically masking sensitive personal data such as passport numbers, ID numbers and bank account details.”

2.    The ability to block/unblock access to the personal data held in the system.

According to various regulations around the world, the recording and retaining of personal data should be for specific purposes and processes; once the purposes expire and processes are finished, the personal data should be deleted. However, after personal data retention periods expire, extensions or overrulings may be given as mandated by law. Personal data access can be blocked whilst data can be retained where required. The system allows organisations to manage their obligation to block access to personal data of natural persons held in SAP Business One. Once blocked, personal data is retained but made invisible to users until it is unblocked again.

“This enables the organisation to decide how it wants to interact with the data it holds,” Adendorff explains. “Personal data may be blocked upon request, and then unblocked for a particular purpose.”

3.    Clean up and permanently erase personal data held in the system.

As mentioned in point 2, according to various international regulations, including POPIA, the recording and retaining of personal data should be for specific purposes and processes; once the purposes expire and processes are finished, the personal data should be deleted. In addition, natural persons can request the erasure of their personal data.

“SAP Business One has the tools to manage a company’s obligation to erase the personal data of natural persons held in the system,” says Adendorff.

4.    View which staff changed personal data and who accessed the system.

Authorisations allow specific users in SAP Business One to view, create, and update parts of the system that they have been assigned access to. “By controlling who has authorisation to access different parts of the system, companies also can control access to the data in the system,” says Adendorff.

Adendorff adds that with POPIA, organisations using older, pre-GDPR versions of SAP Business One are encouraged to speak to their account managers to seek guidance about upgrades. “The features of SAP Business One can help you to manage your company’s obligations towards the protection of personal data, in conjunction with your company’s own personal data protection policy.”

Using technology for POPIA compliance has the power not only to make it easier for companies but also to mitigate risk exposure, data breaches and cyber-attacks.