Face severe penalties, if one does not delete data in time.
Since 25 May 2018, the new General Data Protection Regulation (GDPR) has been adopted in Europe. By changing the laws, all EU citizens will acquire a fundamental right have their data deleted.
According to §83 / subsection. 5 GDPR, serious violations may result in fines of up to 4% of company turnover or up to 20 million euros.
Data protection breaches can get expensive
It is not only the logistics processes that are subject to the laws of the Data Protection Regulation – they apply across all industries.
A German company belonging to a housing association felt the effects of this in November last year and was sued for a record fine of 14.5 million euros.
The cause for this case was an insufficient deletion and archiving system for personal data. The company filed an objection. The proceedings have not yet been concluded.
Recognise and delete personal data
In almost all of our projects, sensitive data is stored that has a personal reference. Almost all areas of leogistics are therefore affected by the basic data protection regulation. The challenge is to find all such data in your system and treat it in accordance with data protection regulations.
How you can protect your company from penalties
Therefore, many customers have been unsure whether their implemented solutions meet these requirements. They are rightly asking themselves whether and how they can continue to store driver or employee data, to name a few examples. The personal data is versatile: from names, addresses and telephone numbers to user time stamps.
Measures for the safe use of the leogistics d.s.c.
Particularly in the area of yard and slot management, driver information must be stored, for legal purposes. In case of evacuation measures, the owners of a factory site are obliged to know who is on their private premises. In addition, transparency about who is on the yard when, where and for how long is important to almost all yard operators for various safety reasons.
It sounds contradictory that on the one hand data is stored and on the other hand it must be deleted again in a timely manner. It is not! What is important is the correct handling of the collected, sensitive data.
In order to manage sensitive data in accordance with the law, it must be made anonymous.
We offer the possibility of anonymization in the current version of leogistics d.s.c., where data can be anonymized, deleted or overwritten through batch job.
Even if customers use and store document data in different ways (resources, document lines, business partners, etc.), any request to delete the data can be realized.
By dealing with this sensitive topic at an early stage, the report takes a very generic approach right from the start. The variable development allows you to set different deletion times for different data.
| Data type | Data | Retention period |
|---|---|---|
| Communication data | Phone number and email address | 1 Day |
| Names | Driver’s First and last name | 3650 Days |
| Personal data | Address, qualifications etc. | 730 Days |
Application examplel by leogistics d.s.c.
Cllose customer relations for current market requirements
After the first customers had used the GDPR application, further individual requests were expressed. Depending on customer requirements, individual adaptations to the data management can be realized:
- One wish was, for example, the possibility of distinguishing data for deletion by investigation. This meant that information from shipments that were relevant for dangerous goods was to be kept longer than information from shipments without dangerous goods. With the help of the Business Rule Framework Plus (BRF+), such criteria can now be defined for specific customers.
- Another customer wanted the possibility of manually deleting individual data records. This was solved with a Personal Object Worklist (POWL). The POWL allows the simple search for individual data records and of course the direct anonymization according to the GDPR.
Data protection during terminal integration
The guidelines of the basic data protection regulation are also considered when using check-in and check-out terminals. The driver is informed directly at check-in that his data will first be collected and stored.
The driver is also informed that the data will be deleted in due time. He is also requested at the terminal to tick the box under the GDPR agreement, by which he agrees to the management of his data. The driver may only drive into the yard once he has given his consent.
GDPR in standard sap modules
Personal data is stored in almost all SAP applications. At first glance, this may sound harmless: Even loading date data in SAP EWM or time and attendance data can be personal and must be deleted based on defined retention periods.
Accordingly, it is important that you deal with the topic of data protection so that you do not risk warnings or even expensive fines.
As a solution, SAP offers Information Lifecycle Management (ILM). ILM provides rules, processes, procedures, and tools for entering, storing, and deleting information.
Cloud Services
Cloud applications are probably the most up-to-date topic in the field of digitalization. We too are already represented in the data cloud with some applications.
Especially in the cloud environment there are many questions regarding data security and a lot of need for clarification. Our experienced team of developers and consultants have an eye on the solution-relevant topics of the GDPR for you and will be happy to advise you on the storage of (personal) data in the cloud.
For example, the hosting service provider AWS (Amazon Web Services) already offers over 500 functions and services to ensure the security of your data.
Data storage in germany
GDPR §§44 et sequentes GDPR restrict the transfer of data to a third country.
Therefore, all myleo / dsc data is hosted in Germany and is therefore subject to strict German and European legislation.
Our data center has the following certifications, among others:
- ISO 9001 Requirements for the certification of quality management systems in German and English
- ISO 27001
IT security procedures – Information security management systems – Requirements
- ISO 27017
- ISO 27018
Encyption according to the latest security standards
By default, the data in the data cloud is encrypted using HTTPS and TLS, so that only the sender and receiver can read the data.
Have you thought of everything?
- Is the authorization for data access limited?
- Has it been checked whether the data users have signed the GDPR guidelines?
- Is data collection reduced to a minimum?
- Are deletion times defined?
- Are data protection offices in the company involved?
- Attention for data that is particularly worthy of protection. Is there an audit office?
- Are admissibility requirements considered in the transfer of personal data?
What is your case of application?
If you are unsure which measures you need to take to comply with all the guidelines of the GDPR, please do not hesitate to contact us.
If you have any questions about this or other topics in the blog, please contact blog@leogistics.com.
Jens Arndt
Consultant SAP Logistics
