Lately, I have received a flood of calls regarding GDPR asking why we have not published anything on the subject yet. The latest call was from a senior consultant in one of the Big-4 firms asking what Xpandion’s stance is on the GDPR regulations. So here it is! YES, Xpandion is in the GDPR space, but from a professional point of view and not from a consulting point of view. What does this mean? Continue reading.
After so many articles explaining what GDPR is, I will not repeat the same details, but I will say that it is definitely a game-changer for certain organizations. While most of them are mainly interested in locating and protecting visitors' data, some organizations understand that the new regulations will also affect the data held in their ERP, CRM and HRMS systems. A few points are still ambiguous, such as:
- what data is relevant
- where that data is located in the system
- how to protect that data
- how to enforce the "right to be forgotten", and so on
This is where Xpandion can help.
Simply put: Xpandion can easily locate the relevant data in your SAP systems, map it, put access policies in place, monitor to whom it was exposed and even manage the workflow for notifying authorities about potential breaches. Now, this requires that the organizations know what they need, and this is the real challenge. As soon as the “need” has been defined, the technology can come into play to solve it. This is the reason that we refer customers with GDPR questions to our partners and do not advise them until their actual needs are defined.
Taking the GRC implementation of a couple of years ago as an example, we anticipate that there will be a couple of "waves" in the GDPR implementation. The first wave is right now (May/June 2018). This is when organizations are "digesting" the new regulations and preparing to implement "something" that will keep them compliant. They are spending huge amounts of money just to prove that they did their best to act in accordance with the new regulations. They still expect certain situations to occur, such as a person who wants their information purged or a person who wants access to ALL their information, but they cannot anticipate ALL the possible requests. So organizations will do their best and, even more importantly, they will document their efforts so that nobody can blame them for not doing enough. This wave ends when most organizations feel that they have done enough to prepare for D-Day, 25 May 2018.
This leads us into the second wave. This is when organizations begin to understand that most of their sensitive data is actually located in their business applications: ERP systems, CRM systems, HR systems and home-grown applications. Data such as employees' personal information, personal details of all external contacts, contact details of customers and even details about people's children are all sitting in these systems, waiting to be exposed by an employee who was accidentally granted access to them.
If this does happen, Xpandion will be there.
As with GRC, in the near future GDPR will become a standard part of authorization management. Although organizations are not quite there yet, Xpandion's products are ready for it NOW. In ANY access request workflow that Xpandion implements today there is a GDPR-ready step that checks whether sensitive data is involved in the requested access. If the conditions in this step are met, the workflow is redirected to the responsible compliance officer. Furthermore, for all sensitive data there should be well-documented controls and processes in place, and Xpandion can help you monitor those as well.
To conclude: Xpandion is your trusted solution for GDPR, but first and foremost you need to define your needs together with your advisors.