GDPR and the challenge of personal data discovery
For enterprises to comply with GDPR, it's vital that they understand where personal data is located in each of their systems.
Metadata discovery specialist Silwood Technology is releasing research into five of the largest and most widely used application packages to understand the scale of the challenge encountered by their customers when locating personal data.
The research team selected the top five application packages based on customer base and size -- SAP, JD Edwards, Microsoft Dynamics AX 2012, Siebel and Oracle E-Business Suite. It used the terms Date of Birth and Social Security Number for test purposes and conducted searches to see how often they appeared.
"Whilst GDPR needs to be considered for any 'system' that potentially stores information about individuals (including paper-based systems), much of the data in a medium to large sized organization will be found in one or more of the major application packages from SAP, Oracle or Microsoft," says founder and technical director of Silwood Technology, Nick Porter. "With GDPR coming, those application packages that have been modified or customized will be the most difficult in which to locate personal data information. Whilst SAP is the biggest of the ERP vendors (exact figures are hard to come by, but it is generally accepted that there are around 30,000 SAP ERP customers), Oracle and Microsoft also have a significant presence."
Taking the most widely used ERP package, SAP, the research finds in excess of 90,000 tables and over 900,000 fields in a typical system. Social Security Number, or its equivalent, appears in over 900 tables and Date of Birth appears in over 80 tables.
This means that less than one percent of a typical SAP system contains the personal data that could cause GDPR breaches costing an organization up to four percent of its annual turnover.
The other packages tested showed a similar pattern, with personal data spread across multiple tables that companies could find hard to locate manually.
"The GDPR becomes enforceable across the EU in May 2018, and not since Y2K has there been so much confusion and hype around a single business issue," Porter concludes. "Every software company and consulting firm that even remotely plays in the data governance space is jumping onto the GDPR bandwagon. The reality is that there is no one GDPR 'solution' and any company saying they have one is probably overplaying their capabilities -- unless of course throwing bodies at the task is considered to be a solution. The scale of the issue means that businesses that are not well-advanced in data discovery or are undertaking manual discovery processes will struggle to be ready on time for GDPR."