The Protection of Personal Information Act (or PoPIA) regulates the management of the information that South African companies hold about individuals, business and other legal entities – in effect protecting the personal data of customers, suppliers and employees and any other party whose data is held.
Many South African companies must also comply with similar regulations, such as the European Union’s Global Data Protection Regulations, that protect personal data in other jurisdictions.
An obvious prerequisite to managing personal information is to identify where it resides across your organisation’s IT systems. For those organisations that have standardised on commercial ERP or CRM packages – such as SAP ECC, SAP S/4HANA, JD Edwards, Salesforce, Microsoft Dynamics 2012, Oracle E-Business Suite and Siebel – this can be like searching for a needle in a haystack.
Challenges to finding personal data in your ERP
- The names of tables and attributes in the databases underlying these platforms are often not meaningful. For example, the SAP tables LFA1 contains 150 or so attributes with names like LIFNR or KUNNR. These names do not help you to find personal data items.
- In addition, the size of the underlying database makes it difficult to navigate. Using SAP as the example, again, a typical SAP or S/4HANA implementation has over 90,000 tables (each with an obscure name) and more than a million opaquely names attributes. This makes it very time consuming to search through this set.
A “brute force” approach – depending on SAP consultants to work through the full attribute set will take years.
Cost not-withstanding,this approach cannot be applied to meet PoPIA deadlines. One also needs the ERP team to focus on maintaining and extending functionality to meet changing business areas, rather than providing metadata
How does Safyr® help?
A typical SAP implementation has nearly 100000 tables, as shown in the below Safyr screenshot.
The sheer volume of tables makes this overwhelming. However, using Safyr we can easily find relevant tables by applying filters. For example, in this case we can look for tables that contain “Date of Birth” attributes
This filter does not require us to understand the underlying SAP data model or naming conventions, and can be performed by any analyst, even one that has no prior knowledge of SAP.
As you can see below, this example returns just 90 tables – a manageable fraction of the nearly 100000 tables that we started with.
This view provides additional metadata that can be used to apply additional filters. For example, by examining the row counts for each of these tables we can identify a number of tables that have no rows. If we filter out tables that hold no data, we are left, in this example, with just 5 tables that hold “Date of Birth” information.
Each SAP system will expose different results, depending on which SAP features and modules have been implemented, and how the system has been customised.
Having found a set of tables that probably contain personal data, this set can be added to what Safyr calls a Subject Area. This is a grouping of related tables that can be shared for further analysis. One can also mark individual attributes within these tables.
This leaves us with a view similar to that below: A group of tables that contain data, and that include one, or more, attributes for “Date of Birth.” The “Marked Fields” column shows how many fields in each table meet the search criteria. For example, table PA0002 illustrated below has 3 such fields
We can easily drill down by clicking on a field, to see the details of the individual fields including the actual, technical field names.
Using Safyr we can easily create subject areas for other personal data fields: such as name, telephone number, credit card number, and so on; and merge these into a consolidated Personal Data list for further analysis.
These consolidated sets can be make visible to a broader audience by importing these into your enterprise data modelling, metadata or data governance tool (such as Collibra, Infogix, Informatica etc)
Or you can simply share via Excel – making this valuable information accessible to your PoPIA team.
Finding personal data is the first step
Identifying where personal data is found is just one of the steps needed in operationalising PoPIA. Safyr helps by providing a business friendly view of your commercial ERP or CRM platform, applying appropriate filters and allowing you to make good decisions.
As with any data project, PoPIA compliance cannot be seen a as a one-time job. Safyr removes your dependence on the ERP development team, and helps you to monitor changes to how you store personal data overtime, as your ERP or CRM is extended to meet evolving requirements.