With all the information available about General Data Protection Regulation (GDPR) solutions, you’d think that companies would have been ready for GDPR by May 2018.
Many experts warned us about the financial toll of not complying with the law: in the article about the biggest data breaches, Forbes calculated that Yahoo’s 2013–2014 breach would have cost the company between $80 and $160 million if GDPR had been in place at that time.
Despite the potentially high fines, many companies found themselves unprepared for the coming changes.
A Deloitte study shows that readiness and awareness vary greatly from case to case. HubSpot found that only 36% of execs and marketers in the EU have heard of GDPR. Those who do know about the law are driving up the number of complaints, which demonstrates that not everything about it is clear.
When it comes to finances, 39% of organizations spent less than €100,000, while 15% spent over €5 million. Overall, only 15% of organizations surveyed assessed themselves as fully compliant by May 2018. Most organizations, on the contrary, focused on managing risks and defending their position where necessary.
Here is a brief look at GDPR readiness assessments, as reported by HubSpot after surveying British, Irish, German, Austrian, and Swiss execs:
This article covers the main GDPR requirements and tips on how SAP Customer Experience solutions help you meet each one using out-of-the-box features.
Besides Customer Data Cloud, SAP Hybris’s partnership with Gigya offers pre-built integrations for Hybris Commerce and Hybris Marketing. These solutions help you create user experiences tailored to each customer’s identity throughout their whole journey. Gigya’s Registration-as-a-Service (RaaS) and Profile Management solutions offer benefits such as profound knowledge of your users, engaged customers, more shopping cart conversions, enhanced segmenting, full, accurate and progressive profiling, faster time-to-market, and lower TCO. Moreover, since customers give consent themselves, you tick all GDPR boxes by definition.
The GDPR Readiness Toolkit for Customer Identity and Access Management includes:
The toolkit is available for free download here.
Now let’s look at the SAP Hybris Commerce 6.6 GDPR capabilities, which are part of the B2C and B2B accelerators. We’ll briefly state each GDPR requirement and how the SAP Hybris GDPR solutions help you comply with it.
Here is a quick video to watch if you want to know more about all GDPR features in the 6.6 release:
GDPR Requirement: Transparent Information, Communication and Modalities
GDPR Quote: Information relating to PCD processing should be concise and transparent, intelligible, and easy to access. The language used must be clear and simple, especially for information addressed to a child.
SAP Hybris Commerce Solution: Consent Management
Thanks to this feature, customers gain transparency and are engaged in the process of granting permission to capture and process the PCD of anonymous and registered customers.
The feature allows managing the consent of anonymous users. Anonymous users can also grant access to data that will later be associated with their PCD; their consent is managed via browser cookies. If they later register on the website, they can also allow their consent settings to be transferred to the registered customer state.
Registered customers perform PCD management actions via the Hybris Commerce website storefront and update consent via the Consent Management page. Registered customers can view, update, and maintain all their consent states in the My Account/Consent Management pages.
Backoffice lets Backoffice users view the list of consent templates available for a given base store, as well as the different consents given by specific users.
Entry points make consent templates highly extendable for the different consent entry points in a given base store. Two examples of entry points are 1) account registration via the sign-in page and 2) registering an account after placing an order.
GDPR Requirement: Right of Access
GDPR basics: The data subject has the right to obtain confirmation of whether PCD is being processed, access to that data, and the following information:
SAP Hybris Commerce Solution: Personal Data Reporting and Generic Audit
Thanks to the data reporting feature from SAP Hybris, customers can view reports about PCD data capture. Customers request a PCD data capture report via any customer support (CS) channel, and the CS agent generates the report via the Customer Support Backoffice Cockpit. Users receive reports via the channels most convenient to them (download, CS ticket attachment, email, etc.).
Reports can be of two types:
The CS agent gets timely notifications when reports are ready via the Reporting Workflow Engine built into Backoffice, for easier processing.
The Generic Audit feature allows admins to store all changes to PCD. It tracks all persistence actions, such as creating, modifying and deleting data, organized by data type. Admins store the audit as a change log that shows how an item evolved throughout the whole customer journey.
Admins can choose which data items to audit; this is configured at the property level with type-level granularity. With the default implementation, changes are stored as denormalized JSON payloads in the SAP Hybris Commerce database, which allows transactional writes. An exposed Generic Audit API enables integration with the audit records.
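To make the storage model concrete, here is an added example (not SAP Hybris’s own Generic Audit code): an append-only log that stores each persistence action on a PCD item as a denormalized JSON record, organizes records by data type, and derives the two report types the article mentions, “Snapshot” and “Audit”, from the log. The class and method names, and the sample history, are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

class PcdAuditLog:
    """Append-only change log: one denormalized JSON record per action."""

    def __init__(self):
        self._records = []  # JSON strings, as they would sit in a DB column

    def record(self, action, item_type, pk, payload, actor, when):
        if action not in ("create", "modify", "delete"):
            raise ValueError(f"unknown persistence action: {action}")
        entry = {"action": action, "type": item_type, "pk": pk,
                 "payload": payload, "actor": actor, "at": when.isoformat()}
        # Denormalized: each record carries everything needed to read it alone.
        self._records.append(json.dumps(entry, sort_keys=True))

    def audit_report(self, item_type, pk):
        """'Audit' report: the full change history of one item, in order."""
        return [r for r in map(json.loads, self._records)
                if r["type"] == item_type and r["pk"] == pk]

    def snapshot_report(self, item_type, pk):
        """'Snapshot' report: the item's current state, replayed from the log."""
        state = None
        for r in self.audit_report(item_type, pk):
            if r["action"] == "create":
                state = dict(r["payload"])
            elif r["action"] == "modify" and state is not None:
                state.update(r["payload"])
            elif r["action"] == "delete":
                state = None
        return state

    def counts_by_type(self):
        """Record counts grouped by data type, as the feature organizes them."""
        counts = {}
        for r in map(json.loads, self._records):
            counts[r["type"]] = counts.get(r["type"], 0) + 1
        return counts

def demo_log():
    """Constructed sample history: one customer and one address (assumed data)."""
    log, t = PcdAuditLog(), datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    log.record("create", "Customer", "c1", {"email": "a@example.com", "name": "A"}, "self-service", t)
    log.record("modify", "Customer", "c1", {"email": "b@example.com"}, "cs-agent-7", t)
    log.record("create", "Address", "ad1", {"town": "Bonn"}, "self-service", t)
    log.record("delete", "Address", "ad1", {}, "self-service", t)
    return log
```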
GDPR Requirement: Right to Erasure or Right to Be Forgotten
GDPR Quote: The data subject has a right to the erasure of personal data concerning him or her without any delay. The controller is obliged to erase personal data without any delay.
SAP Hybris Commerce Solution:
There are two features we can use: Customer Account Closure and the PCD Retention/Erasure Framework.
Using self-service, customers can close their accounts at a convenient time, via the Close Account page in the My Account section. When users choose to go ahead with the account closure, they can pick from three options:
Within the PCD Retention/Erasure Framework, SAP Hybris Commerce customers can keep or erase PCD based on legal or configurable retention periods.
With the Data Retention Framework, admins can retain instances of specified types before performing a cleanup. Admins base cleanups on configurable rules that specify three aspects: the instances they are interested in, the cleanup logic to use, and the execution time.
Admins configure rules for retaining PCD objects with the help of the CronJobs and FlexibleSearch features. Use manual schedules, or set up automated actions with CronJobs to execute rules in the background. Use FlexibleSearch queries to identify the data items to keep. Admins can also provide their own logic for dealing with each data item.
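As an added illustration (not the SAP Hybris Data Retention Framework’s own API), the following model expresses the three aspects of a rule described above: a predicate standing in for the FlexibleSearch query that selects instances, a retention period, and the cleanup logic; run_cleanup plays the part of the scheduled CronJob. All names, rules, periods and sample items are constructed assumptions; the anonymize action shows how an order can be kept for its retention period while its PCD is blanked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

@dataclass
class Item:
    item_type: str
    pk: str
    closed_at: Optional[datetime]  # when the owning account was closed
    data: dict

@dataclass
class RetentionRule:
    name: str
    item_type: str
    selects: Callable[[Item], bool]  # stands in for the FlexibleSearch query
    retention: timedelta             # legal/configurable retention period
    action: str                      # cleanup logic: "delete" or "anonymize"
    pcd_fields: tuple = ()           # fields an "anonymize" cleanup blanks

    def due(self, item, now):
        return (item.item_type == self.item_type and self.selects(item)
                and item.closed_at is not None
                and now - item.closed_at >= self.retention)

def run_cleanup(rules, items, now):
    """CronJob step: apply the first due rule per item; return surviving items
    and a (rule name, pk) log of what was cleaned."""
    survivors, cleaned = [], []
    for item in items:
        rule = next((r for r in rules if r.due(item, now)), None)
        if rule is None:  # still inside its retention period
            survivors.append(item)
            continue
        cleaned.append((rule.name, item.pk))
        if rule.action == "anonymize":  # keep the record, blank the PCD
            item.data = {k: (None if k in rule.pcd_fields else v)
                         for k, v in item.data.items()}
            survivors.append(item)  # "delete" items are not carried over
    return survivors, cleaned

RULES = [  # constructed sample rules; the periods are illustrative only
    RetentionRule("closed-customers", "Customer", lambda i: True,
                  timedelta(days=365), "delete"),
    RetentionRule("orders-of-closed-accounts", "Order", lambda i: "email" in i.data,
                  timedelta(days=90), "anonymize", ("email",)),
]

def demo(now=datetime(2019, 1, 1, tzinfo=timezone.utc)):  # constructed sample data
    items = [Item("Customer", "c1", now - timedelta(days=400), {"email": "a@example.com"}),
             Item("Customer", "c2", now - timedelta(days=30), {"email": "b@example.com"}),
             Item("Order", "o1", now - timedelta(days=400), {"email": "a@example.com", "total": 42}),
             Item("Order", "o2", None, {"email": "c@example.com", "total": 7})]
    return run_cleanup(RULES, items, now)
```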
Before we give you our GDPR solutions checklist, let’s remember that by opting for SAP Hybris Commerce you get the following advantages:
| GDPR Requirement | SAP Hybris Commerce Solution | Features |
|---|---|---|
| Transparent information, communication and modalities | Central consent management solution | Customer engagement in granting PCD permission; available for registered and anonymous users; progressive data consent granting for anonymous users; view, update and maintain consent states for registered users; extendable consent templates for admins |
| Right of access | Personal data reporting | Request and view PCD data capture reports; receive reports via downloads, CS ticket attachments, email, etc.; choose the appropriate report type: “Snapshot” or “Audit”; admins can generate and present reports to customers; admins get timely notifications about reports’ state of readiness |
| Right of access | Generic audit | Complete change log of PCD states: edits, time of edits, editors’ signatures, etc.; tracking persistence actions: creating, modifying, and deleting data; data organization by data type; setting data items to audit |
| Right to be forgotten | Customer account closure | Customers can self-service account closure at a time convenient to them; customers are in full control of deleting PCD, retaining PCD, and deleting personal data audit logs; PCD is kept for a legally defined data retention period |
| Right to be forgotten | PCD retention/erasure framework | Customers can keep or erase PCD based on legal/configurable retention periods; admins can retain instances of specified types before a cleanup; admins choose targeted instances, cleanup logic, and time of execution; admins configure rules for retaining PCD objects manually or automatically |