The ongoing topic of GDPR: Data protection now occupies entire departments. It feels like it is impossible to meet the requirements exactly.
It’s true, the requirements are indeed very high and detailed. However, properly set up IT systems and processes make it much easier to implement data protection. As a central data repository, the ERP system plays an equally central role.
Which functions and measures can you use to optimize your ERP system in this respect? This article explains 5 fields of action and lists the most important measures.
1. Data minimization and purpose limitation
The GDPR stipulates that as little personal data as possible should be collected: only that which is absolutely necessary for the respective purpose. This data may then only be used for the purpose originally stated. Consequently, employees may only access data that they absolutely need for their tasks (in connection with the respective purpose). Full access for everyone is taboo.
To ensure compliance with these principles, you should implement the following measures:
- Regularly check which personal data is stored in your ERP system and what it is used for. It may be necessary to adapt your processes in order to work in compliance with the GDPR.
- Define clear roles and authorization profiles according to the “need-to-know” principle. Which employee groups are there in your company and what data do they each need? Set up the access rights accordingly. Distinguish between read, write and delete rights. Not every person who is allowed to view data must also be able to edit it.
- Also check the assigned access rights regularly. Adjust them if tasks or responsibilities change or employees leave the company.
Centralized assignment of rights and roles in the ERP system saves you a lot of time. You do not need to adjust the rights twice in several places and fewer errors occur.
2. Right to data erasure
The so-called “right to be forgotten” is a key principle of the GDPR. Data subjects can request the erasure of their personal data if it is no longer required or has been processed unlawfully.
However, other obligations take precedence over the right to erasure, such as retention obligations for invoices or other business documents. In this case, a distinction must be made between data that may be deleted and data that may not be deleted.
For your company, this means that you must be able to process deletion requests quickly and in compliance with the law. According to the law, you must also be able to provide proof of deletion. The following measures can help:
- Get an overview and document where personal data is stored.
- Make sure that you can access the affected data quickly. Avoid “data graves” that make targeted deletion difficult. A clear data structure and powerful search functions are crucial here.
- Implement mechanisms for the secure deletion of data.
- In the case of deletion requests, as mentioned above, only certain data relating to a person may be deleted due to retention obligations; other data must be retained. Your ERP system should therefore allow you to selectively delete individual data records while maintaining data integrity and consistency. Linked data records must not be “orphaned”. Carefully check which dependencies exist and how these are to be handled in the event of deletion.
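The selective erasure described above, as an added example that is not part of the original article: a hypothetical ERP-style schema in which a customer row is referenced by invoices under a retention obligation, so the erasure routine deletes what it may, pseudonymises what it must keep, lets the database refuse orphaned records, and writes a proof-of-deletion entry.

```python
# Selective GDPR erasure in an ERP-style schema (added example, not the article's
# code). Assumes a hypothetical schema: customers linked to invoices that are
# under a retention obligation and therefore may not be deleted.
import sqlite3

SCHEMA = """
CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE invoices(id INTEGER PRIMARY KEY, amount REAL, retain_until TEXT,
                      customer_id INTEGER NOT NULL REFERENCES customers(id));
CREATE TABLE newsletter(topic TEXT,
                        customer_id INTEGER NOT NULL REFERENCES customers(id));
CREATE TABLE erasure_log(customer_id INTEGER, action TEXT, at TEXT);
"""

def open_db():
    """Constructed sample data: customer 1 has an invoice still under
    retention, customer 2 only has newsletter data that may be deleted."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # the DB refuses to orphan records
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO customers VALUES (?,?,?)",
                    [(1, "Anna Example", "anna@example.org"),
                     (2, "Ben Example", "ben@example.org")])
    con.execute("INSERT INTO invoices VALUES (1, 99.0, '2034-12-31', 1)")
    con.executemany("INSERT INTO newsletter VALUES (?,?)", [("erp", 1), ("erp", 2)])
    return con

def erase_customer(con, customer_id, today):
    """Process an erasure request; returns 'deleted' or 'pseudonymised'."""
    retained = con.execute(
        "SELECT COUNT(*) FROM invoices WHERE customer_id=? AND retain_until>?",
        (customer_id, today)).fetchone()[0]
    with con:  # one transaction: either all steps apply or none does
        # data without a retention obligation is always removed
        con.execute("DELETE FROM newsletter WHERE customer_id=?", (customer_id,))
        if retained:
            # invoices must stay, so the referenced customer row is kept but
            # stripped of personal data instead of being deleted
            con.execute("UPDATE customers SET name='[erased]', email=NULL "
                        "WHERE id=?", (customer_id,))
            action = "pseudonymised"
        else:
            con.execute("DELETE FROM customers WHERE id=?", (customer_id,))
            action = "deleted"
        # proof of deletion for the data subject and the supervisory authority
        con.execute("INSERT INTO erasure_log VALUES (?,?,?)",
                    (customer_id, action, today))
    return action
```

With foreign keys enforced, an attempt to delete a customer who still has retained invoices would fail the transaction instead of silently leaving orphaned invoice rows.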
If your ERP system takes on the central, leading role in the data network, you can find data records much more easily and quickly.
Include the entire IT landscape
For full GDPR compliance, it is not enough to just look at the ERP system. Include the processes and systems that are linked to the ERP system. Data exchange with software for CRM, web store or business intelligence, for example, must be GDPR-compliant. The entire IT landscape must also be included in role and rights management.
Document how the individual components are connected and what effects an action has elsewhere. This is time-consuming, but necessary. As soon as there is a gap somewhere, the entire system no longer meets the requirements.
3. Right to information and data portability
Data subjects have the right to know what data is processed for what purpose and to whom it is disclosed. In addition, individuals may request to have their personal data transferred to third parties, for example to another provider.
You must respond to such requests promptly. In order to fulfill these obligations, you need transparency about your internal data collection and corresponding processes:
- Document all processes and processing steps in which personal data plays a role. Create detailed procedure directories and process descriptions.
- Inform data subjects automatically and proactively about the processing of their data, for example via the website or by e-mail.
- Ensure that you can respond quickly and fully to requests for information from data subjects. Establish clear responsibilities and processes.
- Implement mechanisms (automated if possible) to make personal data available in a common, machine-readable format.
Use the corresponding functions of your ERP system, such as processing directories, consent management or information assistants.
Data protection vs. data security: what’s the difference?
Data protection regulates the handling of personal data. It protects the personal rights and privacy of individuals. Data security, on the other hand, aims to protect data from unauthorized access, loss or manipulation. Data protection always includes data security (not necessarily the other way around).
4. Data security
The GDPR requires companies not only to handle personal data confidentially, but also to ensure its security. To this end, you must take appropriate technical and organizational measures such as these:
- Use the security functions of your ERP system across the board. These include, for example, encrypted data transfer, regular data backups, access controls and two-factor authentication for system access.
- Keep logs of access and changes in order to be able to track suspicious activities.
- Implement additional technical protection measures such as firewalls, virus scanners and intrusion detection software. These help to detect and ward off external attacks.
- Define clear security guidelines and processes. Specify who is responsible for data security, how to deal with security incidents and how compliance with the guidelines is monitored.
- Carefully document all security measures taken. This not only fulfills the requirements for GDPR compliance. Documentation also speeds up troubleshooting and rectification in the event of an emergency.
The ERP system as a hub simplifies your data security concept considerably: if all personal data is stored in one place, you can focus your technical protection measures on this.
5. Sensitize and train employees
Even the best technology is useless if employees don’t know how to use it. Employees must be made aware of and trained in critical issues such as data protection. The following measures have proven their worth:
- Make data protection a topic in your company. Provide regular information about current developments and challenges, for example through staff meetings, circular e-mails or the intranet.
- Offer regular training on the subject of data protection. These should cover both the legal principles and the practical use of the ERP system.
- Appoint data protection officers or coordinators in the individual departments. These act as contact persons for colleagues and can provide support in the event of questions or problems.
- Integrate the topic of data protection into the onboarding of new employees.
- Ask your ERP provider for training or material on GDPR compliance.
The responsibility lies with you
ERP systems offer many functions to technically implement the requirements of the GDPR. However, their mere existence is not enough to be fully GDPR-compliant.
Ultimately, the responsibility for compliance with the GDPR lies with you. Ensure that the options are actually used and integrated into operational processes.
When it comes to the specific design and application of the GDPR guidelines in your company, we also recommend working with a specialist lawyer. They will ensure that all legal requirements are implemented correctly and that your company is literally on the safe side.
Info box: What is the GDPR?
The EU’s General Data Protection Regulation (GDPR) is intended to standardize data protection law in Europe. It came into force on May 25, 2018. It has two main objectives:
- On the one hand, the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, should be safeguarded.
- Secondly, the free movement of personal data within the European Union is to be ensured in order to strengthen the digital single market.
The GDPR applies to all companies and organizations that process the personal data of EU citizens – regardless of whether they are based inside or outside the EU. Companies that violate the GDPR face severe fines of up to 20 million euros or 4% of their global annual turnover. In addition, data subjects can assert claims for damages.
Legal notice:
The free and freely accessible content of this website has been created with the greatest possible care. However, we expressly point out that we assume no guarantee or other responsibility for the accuracy, timeliness or completeness of the journalistic guides and information provided on this website.
The content on this website is not intended as legal advice for your company on which you can rely for compliance with the legal regulations on data protection – in particular the GDPR – nor can it replace individual legal advice.
Furthermore, by accessing this free and freely accessible content, no contractual relationship is established between us and you as a user of the website in the absence of a corresponding legally binding intention on our part.