GDPR impact on every (ERP, Business intelligence and MS EXCEL) information systems! Are your Business GDPR ready? 2.5/5 (2)

Call Mondy Holten today for “GDPR Impact Scan” on SAP ERP, Business Intelligence systems, sap gdpr, sap gdpr implementation, gdpr Business Intelligence implementation. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years – we’re here to make sure you’re prepared .


What is GDPR?

In short, GDPR gives the following rights to individuals over their personal data:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erase
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

[Information available from Information Commissioners Office (ICO)]

Gdpr impact on erp & BI systems Storage Limitations (Data Retention)

The predecessor to the GDPR (EU Data Protection Directive 95/EC/46) required businesses to minimize the retention of personal data such that it was not retained for longer than needed for the purposes for which it was collected. The GDPR, which replaced this directive on May 25, goes further: to comply with the principles of storage limitation and data minimization, the business’s data controllers must ensure that personal data is only stored for a limited time period.

For BI systems, this means that any personal data stored must have a clearly defined retention period beyond which it should be deleted; PII data items should be anonymized.

GDPR impact on every (BI) system . Is Big Data still new Cold?

embed picture:

Today, many BI systems do not have a deletion process because “Data The New Gold! Data has a shorter history than gold, but it will have a greater impact on global businesses of all sizes in the future” — accumulating data over time enhances such BI processes as data mining and predictive analytics. We have also been encouraged to grab as much data as possible “just in case.” Under the GDPR, “just in case” is not a sufficient justification; you must have a clear use case for storing and processing individuals’ personal data.

Many of these new restrictions can be implemented with the use of views that limit access to personal data items to only those roles that have a legitimate business use. Going forward, more robust methods will have to be implemented to automatically manage the storage and retention of personal data. This could mark the beginning of a new era for BI systems.

Are you GDPR ready?

GDPR impact on every (ERP, BI and MS EXCEL) information systems Are your Business GDPR ready?

The GDPR law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

  • Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques

Gdpr impact on erp Examples of personal data

  • a name and surname;
  • a home address;
  • an email address such as;
  • an identification card number;
  • location data (for example the location data function on a mobile phone)*;
  • an Internet Protocol (IP) address;
  • a cookie ID*;
  • the advertising identifier of your phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely
  • identifies a person.

*Note that in some cases, there is a specific sectoral legislation regulating for instance the use of location data or the use of cookies – the ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (OJ L 201, 31.7.2002, p. 37) and Regulation (EC) No 2006/2004) of the European Parliament and of the Council of 27 October 2004 (OJ L 364, 9.12.2004, p. 1).

Gdpr impact on erp WP 01245/07/EN, WP 136 Opinion 4/2007 on the concept of personal data

1# The Working Party is aware of the need to conduct a deep analysis of the concept of personal data. Information about current practice in EU Member States suggests that there is some uncertainty and some diversity in practice among Member States as to important aspects of this concept which may affect the proper functioning of the existing data protection framework in different contexts. The outcome of this analysis of a central element for the application and interpretation of data protection rules is bound to have a profound impact on a number of important issues, and will be particularly relevant for topics such as Identity Management in the context of e-Government and e-Health, as well as in the RFID context. The objective of the present opinion of the Working Party is to come to a common understanding of the concept of personal data, the situations in which national data protection legislation should be applied, and the way it should be applied. Working on a common definition of the notion of personal data is tantamount to defining what falls inside or outside the scope of data protection rules. A corollary of this work is to provide guidance on the way national data protection rules should be applied to certain categories of situations occurring Europe-wide, thus contributing to the uniform application of such norms, which is a core function of the Article 29 Working Party. This document makes use of examples drawn from the national practice of European DPAs to support and illustrate the analysis. Most examples have only been edited for proper use in this context.


Gdpr impact on erp WP 01245/07/EN, WP 136 Opinion 4/2007 on the concept of personal data

2# GENERAL CONSIDERATIONS AND POLICY ISSUES The Directive contains a broad notion of personal data The definition of personal data contained in Directive 95/46/EC (henceforth “the data protection Directive” or “the Directive”) reads as follows: “Personal data shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. It needs to be noted that this definition reflects the intention of the European lawmaker for a wide notion of “personal data”, maintained throughout the legislative process. The Commission’s original proposal explained that “as in Convention 108, a broad definition is adopted in order to cover all information which may be linked to an individual” 2 . The Commission’s modified proposal noted that “the amended proposal meets Parliament’s wish that the definition of “personal data” should be as general as possible, so as to include all information concerning an identifiable individual” 3 , a wish that also the Council took into account in the common position4 .

Gdpr impact on erp WP 01245/07/EN, WP 136 Opinion 4/2007 on the concept of personal data

3# ANALYSIS OF THE DEFINITION OF “PERSONAL DATA” ACCORDING TO THE DATA PROTECTION DIRECTIVE The definition in the Directive contains four main building blocks, which will be analyzed separately for the purposes of this document. They are the following ones: – “any information” – “relating to” – “an identified or indentifiable” – “natural person” Those four building blocks are closely intertwined and feed on each other. However, for the sake of the methodology to be followed in this document, each of these items will be dealt with separately.

Gdpr impact on erp: Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques

In this Opinion, the WP analyses the effectiveness and limits of existing anonymisation techniques against the EU legal background of data protection and provides recommendations to handle these techniques by taking account of the residual risk of identification inherent in each of them. The WP acknowledges the potential value of anonymisation in particular as a strategy to reap the benefits of ‘open data’ for individuals and society at large whilst mitigating the risks for the individuals concerned. However, case studies and research publications have shown how difficult it is to create a truly anonymous dataset whilst retaining as much of the underlying information as required for the task. In the light of Directive 95/46/EC and other relevant EU legal instruments, anonymisation results from processing personal data in order to irreversibly prevent identification. In doing so, several elements should be taken into account by data controllers, having regard to all the means “likely reasonably” to be used for identification (either by the controller or by any third party). Anonymisation constitutes a further processing of personal data; as such, it must satisfy the requirement of compatibility by having regard to the legal grounds and circumstances of the further processing. Additionally, anonymized data do fall out of the scope of data protection legislation, but data subjects may still be entitled to protection under other provisions (such as those protecting confidentiality of communications). The main anonymisation techniques, namely randomization and generalization, are described in this opinion. In particular, the opinion discusses noise addition, permutation, differential privacy, aggregation, k-anonymity, l-diversity and t-closeness. It explains their principles, their strengths and weaknesses, as well as the common mistakes and failures related to the use of each technique.

Gdpr impact on erp 2

The opinion elaborates on the robustness of each technique based on three criteria: (i) is it still possible to single out an individual, (ii) is it still possible to link records relating to an individual, and (iii) can information be inferred concerning an individual? Knowing the main strengths and weaknesses of each technique helps to choose how to design an adequate anonymisation process in a given context. Pseudonymisation is also addressed to clarify some pitfalls and misconceptions: pseudonymisation is not a method of anonymisation. It merely reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful security measure. The Opinion concludes that anonymisation techniques can provide privacy guarantees and may be used to generate efficient anonymisation processes, but only if their application is engineered appropriately – which means that the prerequisites (context) and the objective(s) of the anonymisation process must be clearly set out in order to achieve the targeted anonymisation while producing some useful data.

Gdpr impact on erp 3:

The optimal solution should be decided on a case-by-case basis, possibly by using a combination of different techniques, while taking into account the practical recommendations developed in this Opinion. Finally, data controllers should consider that an anonymised dataset can still present residual risks to data subjects. Indeed, on the one hand, anonymisation and re-identification are active fields of research and new discoveries are regularly published, and on the other hand even anonymised data, like statistics, may be used to enrich existing profiles of individuals, thus creating new data protection issues. Thus, anonymisation should not be regarded as a one-off exercise and the attending risks should be reassessed regularly by data controllers.

More free information?

Please leave a comment below. Sharing is Caring


GDPR Impact Scan?

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years – we’re here to make sure you’re prepared .


Business Intelligence GDPR Analyst

WhatsApp only: +31629446309

Connection by linkedin:


Please rate this