With traditional product-oriented industries focusing more on services delivered around a product over its lifecycle, as opposed to sale of the initial product itself, identifiable customer data becomes resident throughout all business applications. As a result, tracking, managing and determining the data you have the right to use with the advent of the European Union’s General Data Protection Regulation (GDPR) legislation is becoming a critical part of a company’s enterprise resource planning (ERP) system.
Instead of marketing a product up to point of sale, the relationship with the customer continues under contract or through periodic additional service transactions. This increases the requirements on sellers, including tracking which customers have contracts in place, and treating identifying data differently depending on its contractual status.
Customers may also want service history and other historical data transferred to a new vendor, a capability that organizations must be able to provide under the new regulation. Any company that issues warranties or service contracts to customers who buy their products will also need to determine their exposure from the resulting data.
The U.S. Isn’t Exempt
Many sources deal with the requirements of GDPR at length, and it might make sense to consult your attorney or corporate counsel regarding your processes. In short, however, any company handling information about individuals must be able to show that it has the consent of subjects for data processing, and practices anonymous data collection to protect privacy. Businesses will also be required to notify subjects of any breach of their identifiable information, as well as safely handle the transfer of data across borders. In some cases, they will also need to appoint a data protection officer to oversee GDPR compliance.
E.U. residents also have certain rights under GDPR, and it is up to anyone handling their data to show they are safeguarding those rights. Violations could result in stiff financial penalties. Even if an organization does not reside or have a presence in the European Union, a GDPR violation can lead to a fine of 4 percent of annual revenue or €20 million, whichever is greater.
More Exposure Than You Might Suspect
Customer data resides throughout your business, and is affected by GDPR. Any compliance challenge is easier when the data is contained in a centralized system of record, but even in a self-contained application, GDPR presents challenges that will require changes to the underlying architecture and functionality in order to streamline compliance. This is a complex challenge for several reasons.
- Contractors and integrations: Regardless of who owns the customer relationship, an organization is responsible for compliance as soon as the customer data is received. Even if this data comes into the organization through means such as email, an e-commerce portal, or integration with a supply chain partner’s system, it is responsible for protecting that data.
- Not just customers: A lot of the attention around GDPR focuses on customer-facing or marketing communications. But GDPR affects data about employees as well as current or prospective customers. This means organizations with European employees need to focus on any data that uniquely identifies them as individuals, including date of birth, address and gender.
- Not just data but files: The amount of information held across organizations is substantial. It can consist of structured data underpinning business systems as well as unstructured data, such as images, PDFs, Word documents and more. These are all available in business systems as attachments to data objects or transactions. In an ERP system, these files may be documents signed by the customer, scanned performance reviews or job applications in a personnel file. Service organizations might also need to pay attention to data collected in a field service setting during sign-off or approval of service work.
Most enterprise software applications do not yet have features that deal with GDPR. The various places in which data may be housed, beyond customer relationship management (CRM) systems, are creating new challenges for companies looking to effectively deal with GDPR compliance.
There are standalone point solutions in response to GDPR, but can they really address the full challenge, given that data exists in many different business applications, including ERP software? It’s essential that enterprise software deliver native built-in features to enable compliance.
Solving With Software
ERP and field service management software companies have to re-examine their applications in light of regulatory changes and gradual shifts, such as the movement of U.S. generally accepted accounting principles (GAAP) toward International Financial Reporting Standards (IFRS). By the same token, enterprise software companies must evolve their offerings quickly to facilitate GDPR compliance.
Most software vendors will still steer customers toward point solutions integrated with an enterprise software product for compliance. While that will be a challenge, vendors will need to evolve their products to deal with GDPR. This is the most elegant way to achieve key elements of compliance.
More Data, Fewer Problems?
Many companies will find they underestimated the challenge of identifying someone from data in their system, particularly if they focus on non-unique identifiers such as first and last name. So, one practical – if seemingly counter-intuitive – move might be to collect more data!
If there are many people with identical names, the company will need to ensure it’s processing data for the right person. Destroying the wrong person’s data, or handing it over to an unauthorized person, could have serious repercussions. The best way to solve the problem is to put more personal information into the system. This enables you to code against an index number or field that uniquely identifies the person within your system, rather than against a name that may match several people.
Don't Allow a Free-for-All
Enterprise software will typically enable role-specific access to information in order to ensure that financial data is viewed or accessed only by approved people. These defined roles can also be used to ensure that only people with a legitimate need to access protected information have the required permissions.
If a customer, employee or other affected party calls you and wants to be forgotten, your organization needs to quickly ascertain what personal data is held in the system. Each disparate system represents a potential failure point in your compliance effort. Moreover, it’s highly inefficient to create and attempt to follow compliance processes across multiple systems.
A centralized system of record eases any compliance effort because it provides consistent visibility and control over who can see content, who can destroy it, who has permission to use it, and how they secured that permission.
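The three points above (a unique index instead of a name, role-restricted access, and a record of how permission was obtained) can be sketched in one small system of record. This is an added illustration, not code from IFS or from any ERP product; the `Subject` fields, role names and the hypothetical `SystemOfRecord` class are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical record for one data subject. subject_id is the surrogate key the
# rest of the system codes against; names and dates of birth are not unique.
@dataclass
class Subject:
    subject_id: int
    first_name: str
    last_name: str
    date_of_birth: str      # ISO date, "YYYY-MM-DD"
    consent_source: str     # how the permission to process was secured
    erased: bool = False

class AmbiguousSubject(Exception):
    """More than one live record matches the supplied identifiers."""

class NotAuthorized(Exception):
    """The caller's role may not perform this operation."""

# Assumed roles allowed to destroy personal data (erasure requests).
ROLES_ALLOWED_TO_ERASE = {"data_protection_officer", "privacy_admin"}

class SystemOfRecord:
    def __init__(self) -> None:
        self._subjects: Dict[int, Subject] = {}
        self.audit: List[str] = []      # who did what, and under which consent

    def add(self, subject: Subject) -> None:
        self._subjects[subject.subject_id] = subject

    def find(self, first: str, last: str, dob: Optional[str] = None) -> Subject:
        """Resolve a person to exactly one live record; refuse if ambiguous."""
        matches = [s for s in self._subjects.values()
                   if not s.erased
                   and s.first_name.casefold() == first.casefold()
                   and s.last_name.casefold() == last.casefold()
                   and (dob is None or s.date_of_birth == dob)]
        if not matches:
            raise KeyError(f"no live record for {first} {last}")
        if len(matches) > 1:
            raise AmbiguousSubject(f"{len(matches)} records match; supply more identifiers")
        return matches[0]

    def erase(self, subject_id: int, actor_role: str) -> Subject:
        """Right-to-erasure: overwrite identifying fields, keep the key for referential integrity."""
        if actor_role not in ROLES_ALLOWED_TO_ERASE:
            raise NotAuthorized(f"role {actor_role!r} may not erase personal data")
        s = self._subjects[subject_id]
        self.audit.append(f"erase subject {subject_id} by {actor_role}; consent was: {s.consent_source}")
        s.first_name = s.last_name = s.date_of_birth = "[erased]"
        s.consent_source = ""
        s.erased = True
        return s
```

Resolving a request by name alone fails closed when two people share the name; resolving with date of birth as well yields one record, and only the permitted roles can then destroy it.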
As we see how GDPR sends tentacles throughout the structured and unstructured data that underpins business applications, we begin to understand that it's essential that enterprise software deliver native built-in features to facilitate compliance.
Andrew Lichey is product manager for IFS.