The GDPR entered into force on 25 May 2018. And so-far nothing new.

Question: Are we 100% sure that your SAP landscape is already fully in line with the directives of the regulation?

In this article I tackle – hopefully in a smart way – the topic of privacy and security of personal data in non-productive SAP systems.

Yes, it is precisely non-productive systems that generally contain a myriad of personal data that must be protected to the same extent as implemented for production systems.

Indeed, it is estimated that in a standard SAP landscape, data (and therefore also data of natural persons) are replicated from production to the various clone environments up to 7 times!

Assuming to have the classic SAP ERP chain made by Production, Quality and Development, the QAS and DEV environments are exposed to the risk of a potential data breach as much as the production environment is.

If we then add the traditional “satellites” environment of the ERP, such as the various CRMs, SRMs, SCMs, HCMs, etc., this is how the information of natural persons present in the system is easily spread and distributed on average up to 7 times among the various SAP databases.

Exactly. How shall we behave then?

A viable way is to apply the various GDPR-Compliant solutions to all SAP environments, both productive and non-productive.

Wanting to remain in the panorama of the SAP proposals for GDPR, surely GRC Access Control, Process Control, UI masking, UI logging, ETD, ILM, etc. are all very valid solutions for a thorough “defense” of production systems.

A question arises spontaneously.

Is it really necessary to apply the same mechanisms implemented in production systems to all copies of these environments?

Or maybe there is a simple alternative – at the same time – valid for curbing the spread of personal and sensitive data?

Well yes. Exists.

For non-productive SAP environments we have created an intelligent anonymization solution for all personal information of natural persons, whether they are customers, suppliers or employees: Inquaero® A N O N I M O PII-IM:

I’ll explain how it works with a simple example.

It’s a bit like going to the cinema or seeing a TV drama. That’s all.

The characters in the script are often “invented”, i.e. they are not real physical persons. But they look like real and could very well exist, or have existed in the past, carrying a proper name, a surname, an address of residence, and – why not – even a valid tax code.

The Inquaero ANONIMO solution applies the “movie-fiction” logic to all personal data of natural persons stored in the databases of non-productive systems.

And it does – let me say – intelligently!

Using algorithms based on artificial intelligence (AI), the solution performs a Personally IdentifiableI information Intelligent mapping (PII-IM) on the whole SAP database, i.e. a “remapping” of the data that identifies a real physical person with generated and credible new personal data. The new “remapped” data will be very close to the original ones, but at the same time will not allow to trace the original identity of the “remapped” subject.

Another example comes to help us.

Imagine a Telco running SAP, which includes among its clients the well-known Sicilian television presenter Pippo Baudo, born in Militello in Val di Catania, on 7 June 1936, residing in etc. etc.

Naturally in the SAP ERP production system the personal data of the customer “Pippo Baudo” are stored and processed according to the directives of the GDPR, then subjected to the logic of SAP GRC, UI Masking, UI Logging, and so on.

In the various Quality systems – copies of the production system – the Inquaero ANONIMO solution (wisely adopted by this Telco) intercepts the data of the original physical person and transforms them into a new identity reconstructed with appropriate logics.

Hence “Pippo Baudo” is “transformed” perhaps into “Antonio Caruso (GDPR)” born in Acireale (always in the province of Catania), October 17, 1936 (the same year as Pippo), residing in Acireale, street Ludovico Ariosto, 37.

Naturally, Mr. Antonio Caruso from Acireale, born in Acireale on the 17th of October 1936 has never existed.

However, Mr. Caruso has a newly generated tax code (CRSNTN36R17A028F) specifically for billing testing purposes, he resides in the same geographical area of ​​the original identity (Acireale belongs to the same province of Catania) and has the same age (82 years) of Mr. Baudo, just in case you’d need to test a flow with a rate plan linked to age.All this thanks to the intelligent algorithm (AI-based) for the remapping and conversion of personal data at the SAP database level (with the support of SAP SLO technology).

Here below is how the generated Italian tax code (codice fiscale) appears.

And here, how the new place of residence is selected, by random extraction of a city which lays inside the circle the geo-location algorithm has built.

In short, what are the advantages of the Inquaero A N O N I M O solution?

  • P.I.I. Intelligent mapping, with fictitious but likely generation of personal data in non-productive SAP environments

  • High quality in testing data of “invented” non-real individuals (GDPR Compliance)

  • High speed of re-mapping and conversion of personal data, thanks to SAP SLO (direct input) technology

  • Elimination of Data Breach or Data Loss risk in non-productive systems

  • Configurability of the tool and possibility of autonomous use by the client For a more in-depth explanation, do not hesitate to ask for a free demo.