GDPR: Get rid of data ballast


Four years of the General Data Protection Regulation
Michael Kleine-Beckel, lawyer and board member of t.serv, knows the challenges and has recommendations for implementation. Catrin Schreiner, a trade journalist from Cologne, conducted an interview with Mr. Kleine-Beckel for E-3 Magazine.

What is the status quo in companies four years after the introduction of the GDPR?
Michael Kleine-Beckel, t.serv: Many companies have already implemented initial measures and cleaned up data, while others are in the design phase or have not even started yet. "We'd rather wait and see, nothing will happen" is a phrase I continue to hear often from companies. However, this attitude can have devastating consequences. The penalties for violations are severe. I have to admit, though, that companies in the business-to-consumer sector have so far been punished more severely for the incorrect handling of customer data. But it's worth being well positioned in the business-to-business sector as well, because at some point the regulations will become more legally secure and the controls more stringent. I can well imagine that authorities will use automated audit programs in this context in the future, just as they do with digital tax audits. Software providers would then be obliged to integrate these into their solution.
What needs to be considered when designing a GDPR approach?
Kleine-Beckel: On the one hand, there are legal aspects such as retention periods for various data records, for example sick leave and vacation requests, as well as deletion periods, whereby a distinction must be made between table deletions and complete deletions of objects. Each data record must be evaluated individually, and again every year. On the other hand, there are technical aspects. Many companies focus only on employee personnel data and forget to include customer and supplier data - but these also count as personal data!
Why are companies struggling with this issue?
Kleine-Beckel: There are several pitfalls. Many are simply overwhelmed by the large amount of data. The more contacts a company has, the more difficult it is to maintain an overview. In case of doubt, a company may not even notice when a single employee leaves - then the data simply gets lost. In addition, table deletions in particular are very complex and require a great deal of involvement with the system. One mistake made when dealing with personal data in IT systems, such as SAP HCM, is that deletion concepts are often developed in advance of implementation without any knowledge of the system. This leads to parts of the concept being partially unusable during implementation because the system determinants for maintaining data integrity were not taken into account.
What applies specifically to SAP customers?
Kleine-Beckel: HR professionals like to collect data according to the motto: "What I don't have to delete, I keep." The problem is that SAP customers are forced to migrate their HR system to SuccessFactors or the new H4S4 solution by 2027. The latter is based on a Hana database that stores data in memory. The more memory a company needs, the more expensive the database becomes. Therefore, it makes sense to sort out data for cost reasons alone. HR managers should therefore rethink: everything that does not need to be kept or is not needed goes. This includes, for example, information on the curriculum vitae of employees that dates back years. Incidentally, employees are paying more and more attention to what happens to their data, not only in their private lives but also at work. Data protection is not yet as prominent as the issue of sustainability, but it is definitely on the rise.
To what extent can an IT service provider provide support?
Kleine-Beckel: On closer inspection, the deletion of data is also a project like any other. There is a standardized project procedure that unites all topics and participants. Service providers can advise on the content, develop a good and legally compliant solution together with the customer, and carry out the initial data cleansing. They should be technically and professionally trained to do this. It is important to note that service providers are not allowed to provide legal advice. This means that customers themselves are responsible and liable for ongoing operations.
What specific steps do you recommend companies take?
Kleine-Beckel: I recommend appointing an internal data protection officer with legal training to ensure compliance with the regulations. In addition, individual employees should be assigned to central data erasure, not entire departments. Nevertheless, it is important to train all employees in the company - because this is the only way to achieve GDPR security in everyday work. In addition, the decluttered data is the basis for companies to build their analyses on current and meaningful information. This is enormously helpful for new types of analyses and decision-making processes.
E-3: Thank you for the interview.