At the end of last year, we published an article on GDPR and what the impact can be on your business. We also shared the SuccessFactors 2017 Q4 and 2018 Q1 release notes. It was one of our most visited blog articles. Now that our clients are starting to realize its importance and SuccessFactors has adjusted its software to support compliance, we have held many workshops to help our clients adopt best practices and guide them through the steps that need to be taken.
So, what is GDPR again? Companies store a wide range of personal data on people ranging from basic details like name and date of birth to more potentially sensitive information such as religion or medical history.
To be compliant with data privacy laws, companies need to ensure that they process and protect this data correctly. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. You probably have EU citizens as your employees (i.e. green card holders), clients or applicants.
Below is a visual representation of the GDPR regulations:
Now here is the answer from SuccessFactors:
So, which modules are impacted by what?
What is a Change Audit?
Personal data is subject to frequent changes. In the interests of keeping fully accurate records, and complying with data protection and privacy laws, you need to keep track of any changes that are made to an employee’s personal data. For this reason, SAP SuccessFactors provides the Change Audit function, which:
- Enables you to check, for Data Privacy, either:
  - Changes made to a user’s personal data (changes to John’s personal data)
  - Changes made by a user (changes made by John)
- Enables you to check Configuration changes:
  - Role-Based Permission
  - Proxy Assignment Change
  - User Change
- Change Audit Tracking and Shared Users

Within the context of Change Audit, a “change” means inserting, updating, or deleting data.
What is a Read Audit?
Companies store a wide range of personal data on both their employees and external candidates that apply for open positions. This personal data can vary from the very basic (such as name and date of birth) to the potentially sensitive (such as religion or medical history). To be compliant with data protection and privacy laws, it’s important to keep track of who has accessed such sensitive personal data.
For this reason, SAP SuccessFactors provides the Read Audit function, which enables you to check either:
- who has accessed the personal data of employees
- who has accessed the personal data of external candidates
What is Data Subject Info?
Companies store all kinds of personal data on their employees, from basic information like name and address to more potentially sensitive information such as marital status and the results of performance reviews. Employees and former employees have the right to know exactly what personal information has been stored and for what purpose.
For this reason, SAP SuccessFactors provides the Information Report. A single report is generated for integrated SuccessFactors instances, which pulls data from:
- Employee Central
- Recruiting management
What is Data Purge?
Generally speaking, historical data should not be stored any longer than is required. Once the required retention time has passed, data should be purged. A data purge is a means of permanently removing data from storage.
Data retention time management (DRTM) is the recommended data purge solution for data protection and privacy. Use it if any of the following apply:
- A legal requirement to purge all personal data for at least some of your employees in any country
- Different retention times need to be configured for different countries
- Need the ability to put a legal hold on data for specified users so that it is excluded from the purge
- Need to set up Data Retention Management in SuccessFactors for the first time
What is Data Blocking?
As a general principle, historical personal data should not be stored any longer than is absolutely necessary. Once the legally required retention time for personal data has passed, it should be purged.
SAP SuccessFactors provides a data blocking function. This enables you to control exactly how long individual roles will be able to access historical personal data, based on their role-based permissions.
At no point will data be available to anyone who shouldn’t have access to it. Data blocking is only available in Employee Central and Reporting. In other SAP SuccessFactors modules, all personal data is accessible by authorized users until it is purged.
Consent agreements inform users that their data is stored and explain why it must be stored. SAP SuccessFactors can show users a consent agreement.
Consent agreements are used in:
- General: when logging in to SuccessFactors
- Recruitment: Present a candidate with a notification detailing how the customer handles the candidate’s personal data. Candidates must accept this statement before entering their data.
- Learning: only if you have not adopted the platform
- Onboarding: New Hires can be required to acknowledge an internal, external, or login consent statement prior to entering any data in Onboarding.
- Performance Management: The only use case for user consent is when requesting feedback from external users, using Ask for Feedback functionality. If you are concerned about user consent compliance, SAP recommends that you do not include external users in your review process while asking for feedback.