Can ERP Software Assist with GDPR Compliance?
With the GDPR fast approaching, companies with customers in the EU will soon have to change business practices regarding data. Whether the business uses CRM or ERP software or has a varied assemblage of applications, GDPR compliance will have a strong impact on these systems.
GDPR (General Data Protection Regulation) refers to the new set of rules in the EU aimed at transforming the way companies handle data, giving EU citizens more control than ever before. The law goes into effect on May 25, 2018. The largest changes from the previous 1995 EU directive deal with the scope of the law, as well as the severity of the fines imposed.
In terms of scope, the law applies to companies both inside and outside the EU (i.e., regardless of where they are based) that use or store the data of EU citizens. The regulation will therefore affect companies all across the world.
The penalty meanwhile has been raised significantly. The GDPR website states, “Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)” [emphasis added]. While these are maximum fines, companies can be fined 2% simply for not having records in order.
Legislated rights that the EU citizen is accorded by the GDPR include the right to be notified of a breach of data, the right to know what information a company has on them, the right to request a company delete that data (also known as the “right to be forgotten”), and more. An additional concept included in the legislation is “privacy by design,” which means systems must be designed to fulfill these new obligations.
Because CRM and ERP software contain so much data, the GDPR will undoubtedly impact the way companies use them. For example, if an individual asks for their data to be removed, the company will have to do so on every system where that information is present.
This example brings up an important point: an ERP system can actually be a benefit for GDPR compliance compared to the alternative. If a company uses many separate applications and someone requests removal of their data, the company has to go through each application where the data may be present and delete it there. Employees might also have to search their own computers and remove the information from spreadsheets such as Excel files.
In other words, the more separate applications a company uses, the more burdensome this becomes. ERP software, by contrast, centralizes enterprise data in one location, which makes the job easier.
Another benefit stems from the segmentation of information in ERP systems, where different employees have different access rights based on their roles. This means that, for example, if the system is breached, it is much easier to identify what information was accessed. In addition, if the purpose for which specific data is processed needs to be reported, it is easy to isolate and identify the business departments that have access to it and what they are using it for.
Of course, having an ERP system doesn’t mean a company is automatically GDPR compliant. Businesses will still have to adjust the way they approach data, and this may require drastic changes to the systems and processes they have in place. It won’t be easy, but it will be necessary if businesses are to avoid the stiff penalties mentioned earlier.