GDPR compliance with SAP Customer Experience

03.04.2020
7 min.

As the General Data Protection Regulation (GDPR) was implemented on May 25, 2018, you may think that most companies have already assured their compliance or at least attempted to.

Even though a failure to follow the regulation can be rather expensive, with fines of up to €20 million or 4% of a company’s global turnover from the previous year, whichever is higher, many companies are in no hurry to comply. Most organizations are overwhelmed and take a wait-and-see stance to better understand how they should proceed before investing in changes. Everybody realizes that there’s no such thing as 100% privacy. So far, the paradox remains unsolved: customers expect hyper-personalization while being ready to exercise their right to privacy at any moment.

According to the Cisco Data Privacy Benchmark Study, as of January 2019, 59% of the participants were sure they met the majority of GDPR requirements, 29% expected to be GDPR-ready within a year, and 9% expected it to take more than a year to comply.

GDPR readiness by country

A more recent survey by Capgemini, Championing Data Protection and Privacy, found that most companies had been too optimistic about their GDPR readiness before the regulation came into force. Only 28% of organizations had achieved compliance a year after the GDPR came into effect, while 30% claimed they were close to completing the setup of their compliance processes. The rest not only failed to prepare for the GDPR but also struggled to get ready for more recent data privacy laws, such as the CCPA.

Average GDPR compliance status by country

When it comes to finances, those organizations that do their best to comply with the existing regulations invest mostly in technology upgrades:

Expenditures made on various cost heads for data privacy compliance

It comes as no surprise—technology enablement is indeed the major stumbling block on the way to compliance. Most businesses still find it exceptionally troublesome to align their legacy systems with both enforced and upcoming data privacy regulations when developing their cloud migration strategies.

Luckily, there are platforms such as SAP Customer Experience (CX) that have GDPR compliance already baked in. In this article, our team of SAP Customer Experience consultants will run through the main GDPR requirements and the way SAP solutions address them to understand how to leverage the platform to assure your company’s GDPR compliance and gain a competitive advantage.

GDPR-compliant SAP CX products

In 2017, SAP acquired the identity management platform Gigya and turned it into SAP Customer Data Cloud (CDC), a part of the SAP CX ecosystem. SAP CDC includes Customer Identity and Access Management (CIAM) solutions both for B2B and B2C businesses, assisting with GDPR compliance by covering different use cases.

SAP Customer Identity

A CIAM solution that collects permission-based data across multiple touchpoints for building profiles, providing personalization, and streamlining user onboarding.

SAP Customer Consent

A CDC solution that collects consent in a way that is transparent to users. It also gives users the opportunity to view and manage their personal data.

SAP Customer Profile

A CDC solution that stores the data collected via Customer Identity and Customer Consent along with the corresponding consent records and creates customer profiles that can be integrated with other solutions.

Just for the record, the global monthly average of new consents and preferences captured by SAP Customer Data Cloud amounts to 324 million.

Additionally, there are pre-built integrations for SAP Commerce Cloud and SAP Marketing Cloud (integrations for SAP Sales Cloud and SAP Service Cloud are coming). If a website uses both Commerce and Marketing Clouds, the data can be channeled between them via Customer Data Cloud, thus laying the foundation for big data ecommerce solutions.

Use in Combination with SAP Commerce Cloud

These solutions and integrations help create personalized experiences throughout users’ journeys based on:

  • Unified customer database
  • Progressive profiling
  • Automated capturing of consent and preferences
  • Self-service preference management
  • Orchestration of data and associated consents per profile

What’s more, SAP CX provides role-based access to personal data. It means that only authorized employees can view and update users’ personal data, with all their activities captured and recorded in change logs.

Let’s take a closer look at those SAP data privacy solutions that help you check all the GDPR boxes by default.

Clear and transparent disclosure

GDPR requirement: Transparent information, communication and modalities for the exercise of the rights of the data subject.

What it means: Information relating to personal confidential data (PCD) processing should be concise, transparent, intelligible, and easy to access. The disclosure language must be clear and simple, especially for information addressed to a child.

SAP solution: SAP Customer Consent

SAP Customer Consent captures and processes personal data of anonymous and registered users and gives them transparency in managing their personal data, preferences, and consent. The solution has a built-in check that ensures users logging in to the website have provided their consent. If they haven’t, users can’t complete their login and get access to the website’s services.

SAP Customer Consent data model for consent management

Consent Management

Anonymous users can grant access to data that will be later associated with their PCD. They can also manage consent via browser cookies. If they decide to register during the next session, they can allow their consent settings to be transferred to the registered customer state.

Registered customers can update their preferences via the Consent Management page. They can also view, update and withdraw all their consent states in the My Account/Consent Management pages. An SAP CX admin can view the list of consent templates that are available for a given entry point (for example, a sign-in page or account registration after order placement) and different consents given by specific users.

An admin can automate consent renewal triggered by changes to privacy policies. These renewal actions will be synchronized across all integrated data sources to keep a consent policy consistent across different channels and regions.

It’s possible to create three types of consent statements within Consent Management:

  • Terms of service (mandatory for users to agree to)
  • Privacy policy (mandatory for users to agree to)
  • Other consent statements (optional for users to agree to)

The Consent Management page

Consent Vault

The Consent Vault is a secure and audit-ready storage of logs of time-stamped interactions between the website’s entry points and users in terms of their consent activities.

In the Consent Vault, it’s possible to:

  • View and search the history of all consent activities over a specific period
  • Filter by specific actions (e.g., consent granted, updated, withdrawn)
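As an added illustration (hypothetical Python written for this article, not SAP Customer Consent’s own code or API), the following models the consent flow described above: the three statement types, the login gate on mandatory consents, renewal after a policy version change, and an append-only, time-stamped vault that can be searched by user and filtered by action.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timezone

MANDATORY = {"terms_of_service", "privacy_policy"}  # users must agree; "other" is optional

@dataclass(frozen=True)
class Statement:
    id: str
    kind: str       # "terms_of_service", "privacy_policy" or "other"
    version: int    # bumped whenever the policy text changes

# One audit-ready, time-stamped consent event; action is "granted", "updated" or "withdrawn"
VaultEntry = namedtuple("VaultEntry", "when user statement action version")

class ConsentStore:
    def __init__(self, statements):
        self.statements = {s.id: s for s in statements}
        self.state = {}   # (user, statement id) -> version consented to, or None
        self.vault = []   # append-only history, never edited in place

    def _record(self, user, sid, action, version):
        self.vault.append(VaultEntry(datetime.now(timezone.utc), user, sid, action, version))

    def grant(self, user, sid):
        st = self.statements[sid]
        action = "granted" if self.state.get((user, sid)) is None else "updated"
        self.state[(user, sid)] = st.version
        self._record(user, sid, action, st.version)

    def withdraw(self, user, sid):
        self.state[(user, sid)] = None
        self._record(user, sid, "withdrawn", self.statements[sid].version)

    def can_login(self, user):
        # Login gate: every mandatory statement must be agreed to at its current version
        return all(self.state.get((user, s.id)) == s.version
                   for s in self.statements.values() if s.kind in MANDATORY)

    def renew(self, sid, new_version):
        # Privacy policy changed: existing consents go stale until users re-consent
        s = self.statements[sid]
        self.statements[sid] = Statement(s.id, s.kind, new_version)

    def history(self, user=None, action=None):
        # Consent Vault search: filter the time-stamped log by user and/or action
        return [e for e in self.vault
                if (user is None or e.user == user) and (action is None or e.action == action)]
```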

Communication Preferences

This Customer Consent function enables users to manage their communication preferences through an intuitive self-service portal. They can give their consent to different communication channels, see their subscription status, edit communication frequency, and unsubscribe in one click.

Using Communication Preferences, you can track communication consents, create subscription data points, retrieve users who opted in for specific communication channels, and delete users’ data once they opted out.

Data access

GDPR requirement: Right of access by the data subject.

What it means: The data subject has the right to confirm whether his or her PCD is being processed, and to have access to that data as well as the following information:

  • The purpose of the processing
  • Categories of PCD processed
  • Data retention periods
  • Existence of automated decision-making, such as data profiling

SAP solution: Personal Data Reports; Generic Audit.

Personal Data Reports

The data reporting feature in SAP CX allows customers to request reports on their personal data and related transactions via any customer support channel. A service agent generates a PCD report and shares it with users via the channel most convenient to them (as a download link, as a support ticket attachment, in an email, etc.). Personal Data Reports can be of two types:

  1. A snapshot of the currently held PCD
  2. An audit with a complete history of records and their edits

Personal data report in SAP CX

Generic Audit

The Generic Audit feature, available in Commerce Cloud, tracks all persistence actions such as creating, modifying and deleting data, organized by data types. Audits are stored in the form of change logs displaying how an item evolved throughout the customer journey, including its creation, modification, deletion, and editing specifics, such as time of edits and editors’ signatures. Admins can audit data items at the level of properties, with type-level granularity.

The right to be forgotten

GDPR requirement: Right to erasure or right to be forgotten.

What it means: The data subject has the right to the erasure of personal data concerning him or her without undue delay, and the controller is obliged to erase such personal data without undue delay.

SAP solution: Customer Account Closure; Data Retention Framework.

Customer Account Closure

Using self-service, customers can close their accounts and have their personal data deleted at any time. When users claim their right to be forgotten, they have three options:

  1. To delete their personal data (address, payment information, order and cart data, etc.)
  2. To retain their personal data, entrusting the company to keep it for a legally defined data retention period
  3. To delete personal data audit logs (once their PCD has been fully deleted)

Data Retention Framework

Within this framework, SAP CX solution owners can keep or erase PCD based on configurable, legally defined retention periods applicable to their jurisdictions.

Data Retention Framework admins can retain instances of specified types before performing a cleanup. Cleanups are based on configurable rules that specify three aspects: instances admins are interested in, cleanup logic to use, and execution time.

Admins can configure rules of retaining PCD objects with the help of:

  • CronJob, a feature for executing rules in the background on a manual schedule or through automated actions.
  • FlexibleSearch, a feature for selecting which data items to keep.
  • Custom cleanup logic, for dealing with each data item.

Data retention framework
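As an added illustration (hypothetical Python written for this article, not SAP’s Data Retention Framework or its API), the following models the rule structure described above: a FlexibleSearch-like selector for the instances of interest, a per-jurisdiction retention period, custom cleanup logic run on a CronJob-like schedule, the two account-closure choices (erase now or retain for the legal period), and the constraint that audit logs are erased only after the owner’s PCD is fully gone. Record types, jurisdictions and periods are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Record:
    id: str
    type: str            # e.g. "Address", "Order", "AuditLog"
    owner: str           # customer the record belongs to
    jurisdiction: str    # decides which retention period applies
    last_used: datetime
    deleted: bool = False

@dataclass(frozen=True)
class RetentionRule:
    type: str
    days: dict                      # jurisdiction -> retention days; "default" must exist
    after_pcd_erased: bool = False  # audit logs: only once the owner's PCD is fully gone

def select(records, rule):
    # Stand-in for the FlexibleSearch query: live instances of the rule's type
    return [r for r in records if r.type == rule.type and not r.deleted]

def expired(r, rule, now):
    days = rule.days.get(r.jurisdiction, rule.days["default"])
    return now - r.last_used >= timedelta(days=days)

def pcd_erased(owner, records):
    # True when nothing but audit logs remains for this customer
    return all(r.deleted for r in records if r.owner == owner and r.type != "AuditLog")

def close_account(records, owner, now, delete_now):
    # Account closure: erase PCD immediately, or keep it for the legal retention period
    for r in records:
        if r.owner == owner and r.type != "AuditLog" and not r.deleted:
            r.deleted = delete_now
            r.last_used = now   # if kept, the retention clock starts at closure

def run_cleanup(records, rules, now):
    # Stand-in for the scheduled CronJob: apply every rule, return ids erased in this run
    erased = []
    for rule in rules:
        for r in select(records, rule):
            if not expired(r, rule, now):
                continue
            if rule.after_pcd_erased and not pcd_erased(r.owner, records):
                continue
            r.deleted = True    # custom cleanup logic; here plain erasure
            erased.append(r.id)
    return erased
```

Rule order matters: the audit-log rule is listed last so that the PCD erased earlier in the same run is already marked deleted when its precondition is checked.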

The GDPR readiness checklist

Though SAP GDPR solutions make companies’ lives much easier, they are unfortunately not a silver bullet for ensuring data privacy and protection, or enterprise cybersecurity in general. First, businesses need to instill the importance of data privacy and security in their organization by educating employees, developing documented privacy policies, and creating corresponding workflows.

We have compiled a short checklist that should help you assess your readiness to comply with the GDPR and avoid software development risks. Make sure you tick off each statement.

  • You have legal grounds for collecting and processing PCD.
  • You have a formal policy and methodology for personal data collection, storage and usage within your organization.
  • You ask users who intend to use your website for explicit consent to collect their data.
  • You have a data privacy notice accessible to your users.
  • You have a data retention policy and a well-defined process for deleting and archiving personal data.
  • You encrypt your users’ personal data.
  • You have a procedure for managing data breaches.
  • You have tools to deal with data access and erasure requests from users.
  • You provide guidance for your users when they need to edit their preferences.
  • You have mapped all the PCD sources and sync all the PCD changes across those sources.
  • When you partner with third parties that will have access to customer data, you make sure they are GDPR-compliant.
  • You record histories of PCD edits and collect consent and preferences in a central repository ready for regulatory audits.

Data privacy becomes an imperative

It’s clear by now that transparency and protection of personal data are not fads limited to certain geographical regions. It’s already a global movement. The GDPR has awakened users’ awareness of the value of their private data and of the ways it’s collected and used by companies.

Currently, it’s more of a transition period when organizations are ‘learning’ to respect and protect user data. However, those companies that successfully managed to comply with the regulations and promote the privacy-centric mindset among their staff have already gained a competitive advantage. They are winning users’ trust by delivering engaging experiences on users’ own terms.

As illustrated by SAP Customer Experience and its GDPR-ready solutions, compliance gets easier with the right technology in place. Once it’s set up in line with the legal requirements, it will give you peace of mind by carrying out compliance-critical processes in the background.