360Suite tools for SAP BusinessObjects will help you be GDPR compliant
GDPR, originally adopted in April 2016 by the European Parliament as the Data Protection Act, becomes enforceable from 25th May 2018 throughout the EU. It applies to EU-based organizations and to those that have EU-based customers.
The Regulation relates to the processing and storing of personal data, how it should be used and protected.
The GDPR sets out the principles for data management and the rights of the individual. This includes human resources records of employees and even IP addresses of users of online services. It also requires obtaining explicit consent, notifying in cases of breaches and hacking, appointing data protection officers, anonymizing data, and pruning the collection of data to only what is functionally required to perform particular transactions. In essence, it is the reversal of Big Data and the gathering of as much data as possible about customers and users.
GDPR is a business project, not a technology one, although certain tools are required to tackle it.
All IT systems, from your CRM and ERP to your Business Objects applications, contain personal data. They all present risks if the new data protection rules are not applied, with hefty fines as a consequence. Gartner predicted a few months ago that by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements (Gartner Newsroom report). It is time to act!
Are you able to answer these few questions:
- Do you know what personal data you have in your BI landscape?
- Do you know how it’s processed?
- Do you know who can access it?
- Do you know where it is stored?
- Do you know its retention period?
- Do you know when it should be anonymized?
- Do you know in which country your users are located?
GB&Smith’s 360Suite tools are used by over 2,000,000 people within the SAP BusinessObjects marketplace. Our solutions aim to increase efficiency, secure your deployment and, through comprehensive auditing, deliver a far deeper understanding of how your Business Objects environment can support your policies for Governance, Risk and Compliance needs.
Recently, one of our customers wanted to ensure their Business Objects environment complied with GDPR. Although they had a comprehensive understanding of the regulations, they found it challenging to apply them to Business Objects because their information requirements were not all available out of the box. Below is a set of questions they had around data flow, for which 360Suite provided the answers:
How do we track what Business Objects users are doing with reports and the data therein?
- Can we flag personal data used in reports?
- Can we know which reports will be affected by changes made to: universes, data warehouse tables, etc?
- Can we track report usage, including actions on reports?
- Can we identify changes to universes?
- Can we identify duplicate reports?
This is critical, as the data they hold pertains to individuals in the context of selling goods and services to citizens in the EU, regardless of whether the company is located within the EU or not. This customer possesses our suite of tools, which they have used for daily administration, testing, impact analysis and disaster recovery needs, and they have understood that the tools can also help with their GDPR implementation.
Tracking and Auditing SAP BusinessObjects
Most of our customers’ questions are currently answered via Webi reports, as part of 360Eyes, our full BI-on-BI solution. So far, this tool has helped many customers keep control of their Business Objects platform and perform impact analysis as a precautionary measure for Business Objects updates and upgrades and for changes to fields in the universe or a data warehouse. More importantly, it gives them in-depth insight into the platform’s utilization, as well as comparisons of content both at a point in time and over a period of time.
Through metadata extracted from the CMS, Auditor and the Filestore, you can pull Webi reports to display every user action on each report, as well as the action type, including printing and exporting to an external format.
A number of Impact Analysis reports allow you to determine how many documents are going to be affected by changes in the EDW, the Universes, the BEx queries, SQL expressions, or even regressions due to Business Objects calculation engine changes.
A further set of reports allows comparing documents and universes, to understand which objects have been added, deleted and modified.
Using an MD5 hash function, we can also pinpoint duplicate reports and where they are stored, thereby preventing any leaks due to personal data held in personal documents or inboxes.
Tracking personal data transfer is pivotal in GDPR, and that means being able to track the flow of data: where the data comes from (we can help with data lineage from SAP Business Warehouse and Data Services) and where the data goes to. We can extract what data has been saved, exported and scheduled, by whom, when and to which destination. This lifecycle goes all the way to data deletion, based on the retention period enforced.
The important thing within the process of GDPR is being able to perform an inventory of personal data, i.e. risk assessment. Our tools allow you to achieve this via flagging Business Objects universe objects. Another option is to track this at the database level, for example for those users of Freehand SQL or Crystal Reports with a direct database connection, essentially any data and report that is not based on a universe.
Security auditing and lifecycle management using 360Suite
360View enables checking and implementing security from either a user-centric or a resource-centric view, so you can easily pinpoint what user Bob has access to, and who in your company has access to HR resources.
Furthermore, a patented and unique security matrix can be used to display and modify explicit and inherited rights granted to resources and groups. The output of that matrix can also be documented via an export to Excel and PDF, which can be used for Change Control and auditing purposes.
360Vers provides a solid lifecycle management solution. Objects (universes, reports and connections) can be checked-out and locked whilst being edited, and checked back in with an incremented version, in a fashion similar to Subversion or GitHub. Version history is stored, allowing rollback to previous versions, as well as promoting specific versions, performing version comparisons, and more importantly the capability to run full Lifecycle analysis.
Closely tied to 360Vers is 360Plus, a tool that makes creating and maintaining full and incremental backups easy and automated. As part of lifecycle management, you can recover individual objects, including security, thereby ensuring your Business Objects deployment is in sync, secured and auditable. For more information on enabling rolling back of Business Objects security, please refer to this article: Rollback Business Objects Security.
Many companies are already overburdened with heavy regulation. That, together with recessionary pressures and budget cuts over several decades, means organisations are constantly having to do more with less, whilst still bringing operating costs down. The last thing they need is more red tape, so our pragmatic approach of automating the collation and tracking of essential information means that the process of GDPR can be streamlined and made easily achievable by leveraging the power of the 360Suite of tools. In doing so you always have full, in-depth knowledge of the content of your Business Objects deployment and, critically, will be able to document data flows to achieve and maintain compliance, and demonstrate it to the auditors.
Once you are GDPR compliant, make sure you remain that way! 360Suite with its Security auditing and Life cycle management will help you stay on track.