Data privacy GDPR solutions with SAP Customer Experience

With all the information available about General Data Protection Regulation (GDPR) solutions, you’d think that companies would have been ready for GDPR by May 2018.

Think again.

Many experts warned about the financial toll of not complying with the law: in an article about the biggest data breaches, Forbes calculated that Yahoo’s 2013–2014 breach would have cost the company between $80 and $160 million if GDPR had been in place at the time.

Despite the potentially high fines, many companies found themselves unprepared for the coming changes.

A Deloitte study shows that readiness and awareness vary greatly from case to case. Hubspot found that only 36% of execs and marketers in the EU had heard of GDPR. Even among those who do know about the law, the number of complaints and queries has spiked, which shows that much is still unclear.

When it comes to finances, 39% of organizations spent less than €100,000, while 15% spent over €5 million. Overall, only 15% of organizations surveyed assessed themselves as fully compliant by May 2018. Most organizations, on the contrary, focused on managing risks and defending their position, if necessary.

Here is a brief look at GDPR readiness assessments, as reported by Hubspot on surveying British, Irish, German, Austrian, and Swiss execs:

This article covers the main GDPR requirements, with tips on how SAP Customer Experience solutions help you meet each one using out-of-the-box features.

GDPR solutions from SAP Hybris

Hybris + Gigya GDPR Toolkit

We’ve already briefly mentioned Hybris linking up with Gigya. The partnership has merged the best of the two products into SAP Customer Data Cloud.

Besides Customer Data Cloud, SAP Hybris’s partnership with Gigya offers pre-built integrations for Hybris Commerce and Hybris Marketing. These let you tailor the experience to each identified customer across their whole journey. Gigya’s Registration-as-a-Service (RaaS) and Profile Management solutions offer deeper knowledge of your users, more engaged customers, more shopping cart conversions, better segmentation; full, accurate and progressive profiling; faster time-to-market, and lower TCO. Moreover, because customers grant consent themselves at registration, the consent record is captured at the source, which covers the consent requirements of GDPR, though not the other obligations discussed below.

The GDPR Readiness Toolkit for Customer Identity and Access Management includes:

  • A Survey of stats and trends on the state of consumer privacy and trust
  • CIAM Guide to Addressing GDPR Requirements, a practical guide to prepare for GDPR with customer identity management (CIAM) practices in mind
  • GDPR Technical CIAM Self-Assessment, a tool for assessing your CIAM readiness
  • Product Brief, where the full cycle product is described in detail
  • GDPR Compliance Matrix, which includes a list of features that help you meet different GDPR requirements

The toolkit is available for free download here.

SAP Hybris Commerce 6.6 GDPR capabilities

Now let’s look at the SAP Hybris Commerce 6.6 GDPR capabilities, which are part of the B2C and B2B accelerators. For each GDPR requirement we briefly state what it demands and which SAP Hybris features help you meet it.

Here is a quick video to watch if you want to know more about all GDPR features in the 6.6 release:

Requirement #1: Data transparency

GDPR Requirement: Transparent Information, Communication and Modalities

GDPR (Article 12, paraphrased): Information relating to the processing of personal customer data (PCD, the abbreviation used throughout this article) must be concise, transparent, intelligible, and easy to access. The language used must be clear and plain, especially for information addressed to a child.

SAP Hybris Commerce Solution: Consent Management

Consent Management

With this feature, both anonymous and registered customers see what they are agreeing to and actively grant (or refuse) permission to capture and process their PCD.

Central consent management solution

The feature also manages consent for anonymous users. Anonymous users can grant consent for data that will later be associated with their PCD; this consent state is held in browser cookies. If they later register on the website, they can have their consent settings carried over to their registered customer account. Note that a consent state held only in a cookie is client-controlled: treat it as the visitor’s stated preference, validate it against the store’s known consent templates when it is transferred, and record the transfer server-side with a timestamp so the consent can later be evidenced.

Registered customers manage their PCD through the Hybris Commerce storefront and can view, update, and maintain all their consent states on the My Account / Consent Management pages.

The Backoffice lets administrators view the consent templates available for a given base store and the consents given by specific users.

Entry points make consent templates extendable for the different places where consent is requested in a given base store. Two examples of entry points are 1) account registration via the sign-in page and 2) registering an account after placing an order.
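To make the consent model concrete, here is an added example (not SAP code; the class names, the cookie layout and the template versioning are assumptions) that models per-base-store consent templates with versions, consent records for anonymous and registered subjects, and the cookie-to-account transfer on registration. The transfer validates every cookie entry against a known current template instead of trusting the cookie, and consent given for an older template version no longer counts once the template is re-issued:

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentTemplate:
    template_id: str    # e.g. "MARKETING"
    version: int        # bumped whenever wording or purpose changes
    base_store: str     # consent is scoped to one base store
    purpose: str


class ConsentService:
    """Hypothetical consent store: one current template per (base store, template id)."""

    def __init__(self, templates):
        self.templates = {}
        for t in templates:
            key = (t.base_store, t.template_id)
            if key not in self.templates or self.templates[key].version < t.version:
                self.templates[key] = t
        # (subject, base_store, template_id) -> consent state
        self.records = {}

    def current(self, base_store, template_id):
        return self.templates.get((base_store, template_id))

    def give(self, subject, base_store, template_id, version, now, entry_point):
        tmpl = self.current(base_store, template_id)
        if tmpl is None or tmpl.version != version:
            raise ValueError(f"{template_id} v{version} is not the current template for {base_store}")
        self.records[(subject, base_store, template_id)] = {
            "version": version, "given_at": now.isoformat(),
            "withdrawn_at": None, "entry_point": entry_point}

    def withdraw(self, subject, base_store, template_id, now):
        state = self.records.get((subject, base_store, template_id))
        if state is not None and state["withdrawn_at"] is None:
            state["withdrawn_at"] = now.isoformat()

    def is_given(self, subject, base_store, template_id):
        # Consent counts only for the current template version and only while not withdrawn.
        tmpl = self.current(base_store, template_id)
        state = self.records.get((subject, base_store, template_id))
        return bool(tmpl and state and state["withdrawn_at"] is None
                    and state["version"] == tmpl.version)

    def anonymous_cookie(self, subject, base_store):
        # Browser-side representation of an anonymous visitor's consents (assumed layout).
        return json.dumps({tid: st for (s, bs, tid), st in self.records.items()
                           if s == subject and bs == base_store})

    def transfer_from_cookie(self, cookie, account_id, base_store, now):
        """On registration, adopt cookie consents, but only entries matching a known current template."""
        try:
            data = json.loads(cookie)
        except ValueError:
            return 0
        if not isinstance(data, dict):
            return 0
        adopted = 0
        for template_id, state in data.items():
            if not isinstance(state, dict) or state.get("withdrawn_at") is not None:
                continue
            tmpl = self.current(base_store, template_id)
            if tmpl is None or state.get("version") != tmpl.version:
                continue  # unknown or outdated: ask the customer again rather than trust the cookie
            self.give(account_id, base_store, template_id, tmpl.version, now, "registration-transfer")
            adopted += 1
        return adopted

    def states(self, subject, base_store):
        # What the My Account / Consent Management page would show.
        return {tid: self.is_given(subject, base_store, tid)
                for (bs, tid) in self.templates if bs == base_store}


def demo():
    """Constructed scenario: anonymous consent, forged cookie entry, re-versioned template, withdrawal."""
    t0 = datetime(2018, 5, 25, 10, 0, tzinfo=timezone.utc)
    svc = ConsentService([
        ConsentTemplate("MARKETING", 1, "electronics", "Email offers"),
        ConsentTemplate("PROFILING", 1, "electronics", "Personalised recommendations"),
    ])
    svc.give("anon-7f3a", "electronics", "MARKETING", 1, t0, "cookie-banner")
    cookie = json.loads(svc.anonymous_cookie("anon-7f3a", "electronics"))
    cookie["ADMIN_ACCESS"] = {"version": 1, "withdrawn_at": None}   # forged entry, must be ignored
    adopted = svc.transfer_from_cookie(json.dumps(cookie), "cust-1001", "electronics", t0)
    after_transfer = svc.states("cust-1001", "electronics")
    # Template re-issued as v2: earlier consent no longer counts until the customer re-consents.
    svc.templates[("electronics", "MARKETING")] = ConsentTemplate(
        "MARKETING", 2, "electronics", "Email and SMS offers")
    after_bump = svc.is_given("cust-1001", "electronics", "MARKETING")
    svc.give("cust-1001", "electronics", "MARKETING", 2, t0, "after-order")
    svc.withdraw("cust-1001", "electronics", "MARKETING", t0)
    return {"adopted": adopted, "after_transfer": after_transfer,
            "after_bump": after_bump, "final": svc.states("cust-1001", "electronics")}
```

Two design choices matter here. The consent record keeps the template version it was given for, so a re-worded template invalidates old consents automatically instead of silently reusing them. And the transfer never copies a cookie entry the server cannot match to a current template, so a tampered or stale cookie can only lose consents, never grant ones the customer did not give.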

Requirement #2: Data access

GDPR Requirement: Right of Access

GDPR basics (Article 15): The data subject has the right to confirm whether their PCD is being processed, to access that data, and to receive the following information:

  • the purpose of processing
  • categories of PCD processed
  • data retention periods
  • existence of automated decision-making, such as data profiling

SAP Hybris Commerce Solution:  Personal Data Reporting and Generic Audit

Personal Data Reporting

With the personal data reporting feature from SAP Hybris, customers can obtain a report of the PCD captured about them. A customer requests the report via any customer support (CS) channel; the CS agent generates it in the Customer Support Backoffice Cockpit, and the customer receives it via whichever channel suits them (download, CS ticket attachment, email, etc.). Before a report is released, the agent should verify the requester’s identity: a PCD report handed to an impersonator is itself a data breach.

Reports can be of two types:

  1. A “Snapshot” of the current PCD
  2. An “Audit” with the complete history of the PCD: every edit, its timestamp, and the signature of the editor who made it.

Creating a new audit report

The CS agent is notified when a report is ready via the Reporting Workflow Engine built into the Backoffice, which simplifies processing.

Generic Audit

The Generic Audit feature lets admins record every change to PCD. It tracks all persistence actions (creating, modifying and deleting data), organized by data type, and stores them as a change log that shows how an item evolved over the whole customer journey.

Admins choose which data items to audit; auditing is configured per type, down to individual properties. With the default implementation, changes are stored as denormalized JSON payloads in the SAP Hybris Commerce database and written in the same transaction as the change itself, so the log cannot silently miss a committed change. A Generic Audit API is exposed so the audit records can be integrated with other systems. Keep in mind that the audit records contain PCD too, so they fall under the same retention and erasure obligations as the data they describe.
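The following added example (not SAP’s implementation; the record layout, the type configuration and the function names are assumptions) shows the ideas of the two preceding sections together: an append-only audit log that stores create/modify/delete actions on the configured audited types as denormalized JSON payloads with a timestamp and the editor, and the two report types built from it, a “Snapshot” replayed from the log and an “Audit” listing the full history:

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    timestamp: str      # ISO-8601, UTC
    editor: str         # who made the change: the customer, a CS agent, a job
    action: str         # "CREATE", "MODIFY" or "DELETE"
    item_type: str      # e.g. "Customer", "Address"
    item_id: str
    subject_id: str     # the customer the item belongs to
    payload: str        # denormalized JSON of what changed


class GenericAudit:
    """Append-only change log for the configured audited types (hypothetical model)."""

    def __init__(self, audited_types, clock):
        self.audited_types = frozenset(audited_types)   # type-level configuration
        self.clock = clock                              # returns an aware datetime
        self.records = []

    def record(self, action, item_type, item_id, subject_id, editor, before=None, after=None):
        if item_type not in self.audited_types:
            return None                                 # not configured for audit
        if action == "CREATE":
            body = {"after": after}
        elif action == "DELETE":
            body = {"before": before}
        elif action == "MODIFY":
            # Property-level diff: only attributes whose value actually changed.
            changed = {k: {"before": before.get(k), "after": after.get(k)}
                       for k in sorted(set(before) | set(after))
                       if before.get(k) != after.get(k)}
            if not changed:
                return None                             # no-op save, nothing to audit
            body = {"changed": changed}
        else:
            raise ValueError(f"unknown action {action!r}")
        rec = AuditRecord(seq=len(self.records) + 1, timestamp=self.clock().isoformat(),
                          editor=editor, action=action, item_type=item_type,
                          item_id=item_id, subject_id=subject_id,
                          payload=json.dumps(body, sort_keys=True))
        self.records.append(rec)
        return rec

    def audit_report(self, subject_id):
        """'Audit' report: the complete history of the subject's PCD."""
        return [asdict(r) for r in self.records if r.subject_id == subject_id]

    def snapshot_report(self, subject_id):
        """'Snapshot' report: current state, rebuilt by replaying the log."""
        state = {}
        for r in self.records:
            if r.subject_id != subject_id:
                continue
            key = (r.item_type, r.item_id)
            body = json.loads(r.payload)
            if r.action == "CREATE":
                state[key] = dict(body["after"])
            elif r.action == "MODIFY":
                # setdefault: an item may predate auditing and so have no CREATE record
                item = state.setdefault(key, {})
                for attr, change in body["changed"].items():
                    item[attr] = change["after"]
            elif r.action == "DELETE":
                state.pop(key, None)
        return {f"{t}:{i}": attrs for (t, i), attrs in state.items()}


def build_sample_log():
    """Constructed scenario with a fixed clock so results are reproducible."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ticks = iter(range(1000))
    log = GenericAudit({"Customer", "Address"}, clock=lambda: t0 + timedelta(minutes=next(ticks)))
    c = "c-1001"
    log.record("CREATE", "Customer", c, c, editor=c,
               after={"email": "ann@example.com", "name": "Ann"})
    log.record("CREATE", "Address", "addr-1", c, editor=c,
               after={"street": "1 Main St", "town": "Leeds"})
    log.record("MODIFY", "Customer", c, c, editor="csagent-7",
               before={"email": "ann@example.com", "name": "Ann"},
               after={"email": "ann@example.org", "name": "Ann"})
    log.record("CREATE", "Cart", "cart-9", c, editor=c, after={"total": 42})  # Cart not audited
    log.record("DELETE", "Address", "addr-1", c, editor=c,
               before={"street": "1 Main St", "town": "Leeds"})
    return log
```

Running `build_sample_log()` and then `snapshot_report("c-1001")` yields only the customer record with the updated e-mail address (the address was deleted, the cart was never audited), while `audit_report("c-1001")` lists all four audited actions in order, including which CS agent changed the e-mail and when. In a real deployment the `record()` call would sit in the same database transaction as the persistence action it describes.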

Requirement #3: Right to be forgotten

GDPR Requirement: Right to erasure or right to be forgotten

GDPR (Article 17, paraphrased): The data subject has the right to obtain the erasure of personal data concerning him or her without undue delay, and the controller is obliged to erase the personal data without undue delay where one of the grounds listed in Article 17(1) applies. The right is not absolute: Article 17(3) lets the controller keep data it is legally required to retain, which is why the retention options below exist.

SAP Hybris Commerce Solution: Customer Account Closure and PCD Retention/Erasure Framework

Customer Account Closure

Using self-service, customers can close accounts at a convenient time. Users do it via the Close Account page in the My Account section. When users choose to go ahead with the account closure, they can pick from three options:

  1. Delete their PCD (address book, payment information, order and cart data, etc.)
  2. Retain their PCD (i.e., companies keep their PCD for a legally defined data retention period)
  3. Delete personal data audit logs (once all PCD has been deleted).

PCD Retention/Erasure Framework

With the PCD Retention/Erasure Framework, organizations running SAP Hybris Commerce can keep or erase PCD based on legal or otherwise configurable retention periods.

With the Data Retention Framework, admins can retain instances of specified types for a period before performing a cleanup. Cleanups are driven by configurable rules that specify three aspects: which instances are in scope, which cleanup logic to apply, and when to execute it.

Admins configure the rules for retaining PCD objects with the CronJob and FlexibleSearch features. Rules can be run manually or scheduled as CronJobs that execute in the background; a FlexibleSearch query selects the data items a rule applies to; and admins can plug in their own cleanup logic for each kind of data item.

Data retention framework in SAP Hybris Commerce
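As an added example (not SAP code; the rule structure, the cleanup functions and the behaviour of the three closure options are assumptions modelled on the description above), here is a small retention engine that also implements the account closure options from the previous section. Each rule names an item type, a retention period, a selector standing in for the FlexibleSearch query, a cleanup function, and the hour at which the scheduled job runs; the closure function enforces the rule that audit logs can only be purged once no PCD remains for the customer:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass
class Item:
    item_type: str
    item_id: str
    subject_id: str
    last_modified: datetime
    attributes: dict = field(default_factory=dict)


class DataStore:
    """Hypothetical stand-in for the commerce database plus its audit table."""

    def __init__(self):
        self.items = {}             # (type, id) -> Item
        self.audit_records = []     # dicts with at least "subject_id"

    def put(self, item):
        self.items[(item.item_type, item.item_id)] = item

    def delete(self, item):
        self.items.pop((item.item_type, item.item_id), None)

    def subject_items(self, subject_id):
        return [i for i in self.items.values() if i.subject_id == subject_id]


@dataclass
class RetentionRule:
    name: str
    item_type: str
    retain_for: timedelta                           # legal/configurable retention period
    selector: Callable[[Item, datetime], bool]      # extra filter, like a FlexibleSearch WHERE clause
    cleanup: Callable[[DataStore, Item], None]      # cleanup logic to apply
    run_at_hour: int                                # scheduled execution time (UTC hour)


def delete_item(store, item):
    store.delete(item)


def anonymise_order(store, item):
    # Example custom cleanup: keep the financial record, drop the personal attributes and the subject link.
    for attr in ("name", "email", "shipping_address"):
        item.attributes.pop(attr, None)
    item.subject_id = "anonymised"


def run_scheduled_rules(store, rules, now):
    """What the scheduler calls; returns (rule name, item id) pairs that were cleaned up."""
    done = []
    for rule in rules:
        if now.hour != rule.run_at_hour:
            continue
        for item in list(store.items.values()):
            if item.item_type != rule.item_type:
                continue
            if now - item.last_modified < rule.retain_for:
                continue                            # still inside the retention period
            if not rule.selector(item, now):
                continue
            rule.cleanup(store, item)
            done.append((rule.name, item.item_id))
    return done


def close_account(store, subject_id, option, now):
    """Self-service closure options; returns the number of records affected."""
    if option == "delete_pcd":
        items = store.subject_items(subject_id)
        for item in items:
            store.delete(item)
        return len(items)
    if option == "retain_pcd":
        marked = 0
        for item in store.subject_items(subject_id):
            if item.item_type == "Customer":
                item.attributes["closed_at"] = now.isoformat()
                item.last_modified = now            # retention clock starts at closure
                marked += 1
        return marked
    if option == "delete_audit_logs":
        if store.subject_items(subject_id):
            raise PermissionError("audit logs may only be purged once all PCD is deleted")
        keep = [r for r in store.audit_records if r["subject_id"] != subject_id]
        purged = len(store.audit_records) - len(keep)
        store.audit_records = keep
        return purged
    raise ValueError(f"unknown closure option {option!r}")


def demo():
    """Constructed scenario: scheduled cleanup, closure with retention, blocked and then allowed audit purge."""
    now = datetime(2018, 6, 1, 2, 0, tzinfo=timezone.utc)
    store = DataStore()
    store.put(Item("Customer", "c-1", "c-1", now - timedelta(days=400), {"email": "ann@example.com"}))
    store.put(Item("Order", "o-1", "c-1", now - timedelta(days=400), {"name": "Ann", "total": 42}))
    store.put(Item("Cart", "cart-1", "c-1", now - timedelta(days=100)))
    store.put(Item("Cart", "cart-2", "c-2", now - timedelta(days=10)))
    store.audit_records.append({"subject_id": "c-1", "payload": "{...}"})
    rules = [
        RetentionRule("abandoned-carts", "Cart", timedelta(days=90), lambda i, t: True, delete_item, 2),
        RetentionRule("old-orders", "Order", timedelta(days=365),
                      lambda i, t: i.subject_id != "anonymised", anonymise_order, 2),
        RetentionRule("closed-accounts", "Customer", timedelta(days=30),
                      lambda i, t: "closed_at" in i.attributes, delete_item, 2),
    ]
    results = {"first_run": run_scheduled_rules(store, rules, now)}
    results["retain"] = close_account(store, "c-1", "retain_pcd", now)
    try:
        close_account(store, "c-1", "delete_audit_logs", now)
        results["audit_purge_blocked"] = False
    except PermissionError:
        results["audit_purge_blocked"] = True
    later = now + timedelta(days=31)
    results["later_run"] = run_scheduled_rules(store, rules, later)
    results["audit_purged"] = close_account(store, "c-1", "delete_audit_logs", later)
    results["store"] = store
    return results
```

In the scenario, the first scheduled run deletes the abandoned cart and anonymises the old order but leaves the live customer alone; closing the account with the “retain” option only marks it closed and restarts its retention clock; purging the audit log is refused while PCD still exists; and after the closed-account rule has removed the customer record, the purge succeeds. The retention periods are illustrative: the legally required ones depend on jurisdiction and record type, which is why they are rule parameters rather than constants.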

GDPR solutions SAP Hybris toolkit

Before we give you our GDPR solutions checklist, remember that by opting for SAP Hybris Commerce you get the following advantages:

  • out-of-the-box features covering the key GDPR requirements
  • minimized business disruption
  • a basis for organic customer trust

SAP Hybris Commerce GDPR Toolkit Checklist

GDPR requirement: Data transparency
SAP Hybris Commerce solution: Central consent management solution
  • Information transparency
  • Customer engagement in granting PCD permission
  • Available for registered and anonymous users
  • Progressive data consent granting for anonymous users
  • View, update and maintain consent states for registered users
  • Extendable consent templates for admins

GDPR requirement: Data access
SAP Hybris Commerce solution: Personal data reporting
  • Request and view PCD data capture reports
  • Receive reports via downloads, CS ticket attachments, email, etc.
  • Choose the appropriate report type: “Snapshot” or “Audit”
  • Admins can generate and present reports to customers
  • Admins get timely notifications about reports’ state of readiness
SAP Hybris Commerce solution: Generic audit
  • Complete change log of PCD states: edits, time of edits, editors’ signatures, etc.
  • Tracking persistence actions: creating, modifying, and deleting data
  • Data organization by data type
  • Setting data items to audit

GDPR requirement: Right to be forgotten
SAP Hybris Commerce solution: Customer account closure
  • Customers can self-service account closure at a time convenient to them
  • Customers are in full control of deleting PCD, retaining PCD, and deleting personal data audit logs
  • PCD is kept for a legally defined data retention period
SAP Hybris Commerce solution: PCD retention/erasure framework
  • PCD is kept or erased based on legal/configurable retention periods
  • Admins can retain instances of specified types before a cleanup
  • Admins choose targeted instances, cleanup logic, and time of execution
  • Admins configure rules for retaining PCD objects manually or automatically