Planning
Planning and coordination are required before implementing GDPR compliance. You should modify your workflow so your procedural tasks reflect how you will use SA GDPR Compliance Administration. Because of the importance of compliance activities affecting data, the more effort you put into planning, the more successful you will be in effectively using this functionality. In addition to having procedures in place to use SA GDPR Compliance Administration, we recommend that your company have an overall General Data Protection Regulation (GDPR) policy in place.
Before defining compliance procedures, we recommend that you first conduct an assessment. For example, consider what type of individuals or entities you have in your system, such as customers, ship tos, operators, buyers, users, and expediters. Determine what personal data for each entity must comply with GDPR. This kind of assessment helps you conduct a more efficient and effective search with appropriate criteria when you receive GDPR requests.
Consider how you will respond to GDPR requests: email, phone, text, mail? Who should receive, analyze, and respond to requests? Will you have a predefined form for a call taker to take notes about the request? Consider how you will process GDPR requests. Is this a request for a portable file of instances of an individual or entity's personal data? Is this a request for you to disable an entity? Is this a request for you to forget an entity? How often will you process requests? As needed, weekly, monthly? Can you negotiate with the entity to determine what data should be forgotten and when?
Under what kinds of scenarios are you most likely to receive GDPR requests? For example, a vendor calls you and requests a report of all instances of their name within the application. Or, a sales representative has violated company rules and has been suspended. Their manager wants to know all instances of that sales representative throughout the application. Or, a customer is in a legal dispute with the distributor and requests that all instances of their name be forgotten within the application.
Consider how you will assess and complete processing on sales or purchase orders associated with an entity. Are there open orders? Outstanding balances? Are there orders that have been invoiced, but not paid? Are there orders that have been shipped, but not invoiced? Are there credit card setup records that are affected? You should complete all stages of an order before you disable or forget an entity.
Are there ancillary procedures that you must establish before re-enabling an entity? The action of "forgetting an entity" redacts the associated data. For example, you have disabled a bank contact in Customer Setup. The customer assures you that they will provide a new contact name. Do you want to complete the forgetting process, or modify the field in edit mode? Another example might be that you are deleting Customer Setup records. When is the most convenient time for that task to be completed?
Are you running more than one environment, such as a test and production environment? Are there special considerations for disabling or forgetting instances of personal data in those environments?
Because of the importance of compliance activities affecting data, we also recommend you designate one, or a limited number of, Data Protection specialists. For example, you may decide to have a Data Protection specialist for each business unit, each company, and each warehouse. You may decide to have a Data Protection specialist for initiating requests, and another for executing the requests. Enable SA GDPR Compliance Administration for Data Protection specialists only.