GDPR. Sage X3 People

Size: px

Start display at page:

Download "GDPR. Sage X3 People"

Dulcie Hart
5 years ago
Views:

1 GDPR Sage X3 People

2 This how to guide presents tools available in Sage X3 People for version 9 helping companies to fulfil some of their obligations regarding the European General Data Protection Regulation (GDPR). Please read the Sage Legal Disclaimer set out at the end of this guide. Audience This document is aimed at highlighting some Sage X3 People features that can be used when adhering to certain GDPR duties. This document is not intended to cover all the GDPR requirements. For this, please refer to some useful links in the Find out More section below. GDPR is a European law and it applies to all companies that operate in the EU and companies outside the EU who process the personal data of individuals in the EU. What s new The version 9 for Sage X3 People is GDPR ready. The tools delivered are especially for GDPR, to further assist customers. Find out More You can find appropriate supplementary documentation. Know Your GDPR Functional documentation for Enterprise Management - Online Help Centre (Access from the Enterprise Management pages) GDPR * Page 2 of 20

3 Contents Audience 2 What s new 2 Find out More 2 OVERVIEW 4 Features 4 Documentation 6 FEATURES THAT HELP YOU WITH GDPR 7 Ease of access to the right information and process 7 Data Protection Officer (DPO) management 7 Attachments 8 Auditing tools 9 Requester 9 Purge process 10 Search engine 12 Import/export data 13 Access security and data filtering 13 DOCUMENTATION 16 Personal data List, content and location 16 Specifically, for the HR and payroll modules, the standard data types associated to personal data main records are the following: 16 Security principles 17 SAGE LEGAL DISCLAIMER 19 GDPR * Page 3 of 20

4 Overview How Sage X3 People helps customers Definitions GDPR General Data Protection Regulation DATA PROTECTION OFFICER Under the GDPR companies and any third-parties that process personal data on their behalf will need to appoint a Data Protection Officer ( DPO ) if: (i) they are a public body; (ii) if the core activities of the business or third-parties involve monitoring of individuals on a large scale; or if the core activities consist of processing on a large scale of special categories of personal data, including data relating to criminal convictions and offences. The DPO needs to have expert knowledge of data protection law, although doesn t necessarily need to be an employee and could instead be employed on a service contact to fulfil the role. Details of the DPO will need to be communicated to the supervisory authority, such as the ICO in the UK. Features Feature How this feature can help you Comments Visual process dedicated to GDPR Data Protection Officer (DPO) management Attachment of documents, forms Auditing tool Requester You can design a dedicated home page for GDPR with all links and direct accesses to the functions you need You can create and allocate roles to users. You can attach to a master record any type of document needed for the GDPR, for example forms expressing the consent of people. You can track all activities, including connection, execution of a function, update/creation/deletion of records You can create your own extraction and reporting tools related to GDPR, for example, search/list/extract records linked to an individual For version 9 of X3 People a ready-to-use home page is designed and provided by Sage. You can personalise it. For version 9, the users can associate to a company, and to a role code defined as DPO. GDPR * Page 4 of 20

5 Feature How this feature can help you Comments Purging rules You can set-up rules to purge data that is no longer required, Note that this should be both from a business and a legal perspective (You must ensure that you adhere to all local data retention regulations). Personal data analysis Search engine Reference to a master record Import / Export templates Before v7.1, you can leverage the capabilities of the requester or extractions using import/export templates to identify records related to an individual, on demand. All business intelligence tools (Sage Enterprise Intelligence, BusinessObjects, Sage Data Management & Analytics ), if you installed one, can help you in this task. Sage X3 People is meta-data driven. The data is associated to a data type. See in the documentation section the list of data types that can rely to personal data. All data may be extracted or integrated using the import/export templates. Note that in the case of an import, the consistency of the data must be ensured. Please look at the list of the templates available in the solution, either standard or specific (You have set up or personalized). From v7.1, a full text search engine is delivered into the solution that can help you find the right information, as soon as the data is indexed. For more information, see in the section Search engine. To version 9* of X3 People the platform delivers a dedicated reporting tool enabling users to find the transactions linked to an individual, with the date of the first and last use. This provides you a powerful tool helping you to analyse the personal data, the content and the location, and decide whether this data may be obfuscated or purged (depending on the legal retention rules). *For Version 9, this tool will be delivered in Patch 10. GDPR * Page 5 of 20

6 Feature How this feature can help you Comments Data breach warning To limit the risk of a data breach and related penalties, you must make sure to implement best practices in terms of security and access right management, including your network, database and application. In case of breach, you can extract personal data stored into the database to contact relevant people impacted by the breach *For Version 9, this tool will be delivered in Patch 10. Documentation Topic Content Comments Data types This documentation lists the data types considered as personal data and detailing the content and location of this data. Local data retention rules Some examples of retention rules that apply for countries. Sage doesn t warrant the validity or the relevance of these rules, that are provided just as example. GDPR * Page 6 of 20

Features that help you with GDPR Ease of access to the right information and process If you have a person responsible for GDPR in your business, they are most probably not experts in the use of Sage

7 Features that help you with GDPR Ease of access to the right information and process If you have a person responsible for GDPR in your business, they are most probably not experts in the use of Sage X3 People, or its numerous tools for manipulating and storing personal data. As such, Sage X3 People provides you with the ability to design and allocate dedicated home pages for such people. Allowing you to group the information they might need on a dashboard and designing visual processes for them to easily access the relevant functions. For version 9, a new standard visual process dedicated to GDPR is delivered, with all relevant links to the Sage X3 People features. Intended to provide a base from which you can easily adapt to your own processes and organization as required. The following screenshot shows you the process delivered for X3 People: Data Protection Officer (DPO) management If you need to identify a DPO or want to record the individual(s) with responsibility for data protection you can do this within Sage X3 People by following these steps. You can use the following features: GDPR * Page 7 of 20

8 For version 9, you can use the responsibility code that can be freely defined to identify the DPO. To access this field: Setup -> Organizational structure -> Companies: A patch is delivered with the miscellaneous table 906 containing this new code for DPO purposes. However, it is possible to create the record in this table manually. Attachments If you would like to keep track of administrative events linked to data protection such as consents, data access rights and alteration. You can use Sage X3 People which provides you with the ability to attach documents to any record. From the master record, an attachment link gives access to a page where you can create links associated to keywords that can be freely defined; for example, consents linked to employees. Commenté [GC1]: Is it true in V9? Commenté [MJ2R1]: Yes, this is the example in V9. GDPR * Page 8 of 20

Auditing tools To manage the security linked to personal data it is advisable to put in place security and audit parameters regardless of the Sage X3 People technology used.

9 Auditing tools To manage the security linked to personal data it is advisable to put in place security and audit parameters regardless of the Sage X3 People technology used. One of the tools provided by X3 People makes available, is a set-up of an audit that can be triggered on access to any functions and any modification done. This can be done on creation, updates, deletion, and stores in the audit trail fields the values (before and after modification). The audit can also be focused and conditioned. For example, below the creation, modification and deletion of customers are tracked as soon as the first contact date is greater than a given date: This feature automatically creates database triggers that ensure the traceability of modifications, regardless of the way the updates were performed. With X3 People one can set an audit of any record, to track all changes, or only a deletion or only a value change. This parameter can be set-up at the user level and is managed by an Enterprise Management supervisor function. Requester If you would like to extract data for search and auditing purposes X3 People integrates various reporting tools including an ad-hoc requester. GDPR * Page 9 of 20

10 The result of such a request can generate PDF files, Excel spreadsheets, csv files, and many other formats. At execution, the requester performs a strict filtering on data based on the rights given to the user. The recommendation is to use requests that are not shared if they are authorised to several users, except if all these users have the same rights. Purge process Purging rules are described in a meta data dictionary. Every set of data (representing a document such as a payslip) are described by a rule that includes the conditions that must be fulfilled to allow the purging of such data. These descriptions are supplied as standard but can be personalized to take into account additional rules. For example, you could define that a dedicated status prevents you to purge automatically some data. Commenté [GC3]: We can here add the menu entry, at least the name of the function. GESAHI? Commenté [MJ4R3]: The link to the function is already present in the process. An example of purging rule is given below: GDPR * Page 10 of 20

The purge parameters define the minimum duration for storing these documents: The purge process can be launched per company or globally, in interactive or in batch mode.

An alternative of purging master records is to obfuscate or blank personal data as soon as there is no legal or business / contractual reason to keep it.

11 The purge parameters define the minimum duration for storing these documents: The purge process can be launched per company or globally, in interactive or in batch mode. No automatic purging process exists for main records such as employees or contacts. The purging of these records may be processed manually. An alternative of purging master records is to obfuscate or blank personal data as soon as there is no legal or business / contractual reason to keep it. Basic actions like removing s, phone numbers, bank Ids or names is a simple and effective method that may also be considered. A manual suppression is also possible as long as no document references the master record. An additional feature described in the next paragraph gives you information about the document dates associated to a master record, so you can identify if, you can delete the master record after purging such documents. GDPR * Page 11 of 20

Search engine You may receive a request from an individual without limited detail, which might make it difficult to identify this individual in your database.

For version 9, X3 People includes a search engine, and all personal data could be defined as searchable to allow you to quickly find the right record to answer the request.

12 Search engine You may receive a request from an individual without limited detail, which might make it difficult to identify this individual in your database. For this, you can leverage all capabilities of Sage X3 People regarding data extraction, inquiries, requester, including additional business intelligence tools connected to Enterprise Management. For version 9, X3 People includes a search engine, and all personal data could be defined as searchable to allow you to quickly find the right record to answer the request. Starting from a name, you will immediately find the associated records. For example, if you search for Martin, you might find a lot of results that you can filter depending on what you are searching, an employee, a user or any other master record. Commenté [GC5]: When I search POUSSE in SEED Folder, the result displays data in common function. It seems to not display information in other function like in GESEML. Perhaps I am wrong! Commenté [MJ6R5]: The tables and records must be flagged with searchable in order to work. You have to define the data as searchable to have results. A search on an address would probably have given only one result: Once the master record is found, you can use all the other tools to process the action needed. Note: You have to make sure the classes, representations and fields are flagged as searchable within the system. Commenté [GC7]: So I understand better why my search is not concluding. In V9 we have very few syracused function. So probably it is not applicable for X3P V9 Commenté [MJ8R7]: No, I did this in V9 and it works. GDPR * Page 12 of 20

13 Import/export data Sage X3 People provides you with standard import/export templates associated to the different master records and documents. This allows you to extract data to answer any data access request you have received. The set-up can be changed to allow additional fields. The set-up is shown below. Note that the output format can be ascii with various separators (covering csv), but also XML and other various formats. Most of the templates but not all of them can be used not only for export, but also for import. Note that consistency constraints of X3 People version 9 will need to be fulfilled. This in part allows you to integrate data supplied by an individual (data portability). Access security and data filtering You may want to manage user access to personal and sensitive personal data in Sage X3 People. It is advisable to set-up the security of your system according to best practices to limit the risk of data breaches and related penalties, but also to set-up the security filters on data so that every user of the system has only the required access needed for performing their tasks. Sage X3 People allows you to restrict each user s access by function and also to assign filtering rules to the corresponding data per company, site, access codes or row level permissions. Note that an access code is a code that can be assigned to an individual record and globally restricts either the ability to read, to create, and to trigger complex operations on the record. The access security is closely related to the audit features, and allows you to manage access to sensitive or personal data. Some examples of the corresponding pages are given below: Access filtering per site and companies for a given profile and function GDPR * Page 13 of 20

14 GDPR * Page 14 of 20

15 Access code set-up for a given profile code Filtering rules per main record data function for given fields GDPR * Page 15 of 20

16 Documentation Personal data List, content and location Specifically, for the HR and payroll modules, the standard data types associated to personal data main records are the following: Data type EML Description Employee Id Commenté [GC9]: As I have understood the objective was to provide the list of data types, which allow to identify a person. I am not sure to understand how to use this list of fields. And fields, contents and location: Table Description Field Description Data Type REFNUM Employee ID EML SRN First name A NAM Name A CIV Title C PSD Known as NAM DATBRN Date of birth D EMPPIC Photo ABB Image file SEX Gender M NTT Nationality Code CRY CRYNAM Country name NCY CTYBRN Municipality A EMPLOID Civil status ADD1/ADD2/ADD3 Address ADL CTY City CTY CODPOS Postal Code POS TEL Telephone TEL MOB Mobile phone TEL FAX Fax TEL EML A NAMCNT Person of contact: Name NAM SRNCNT Person of contact: First name NAM TELCNT Person of contact: Telephone TEL MOBCNT Person of contact: Mobile phone TEL EMLCNT Person of contact: A CHDNAM Name A EMPLOCHD Children CHDSRN First Name A CHDSEX Gender M DATCHDBRN Date of Birth D SSITFAM Marital Status C SJNTREFNUM Spouse's registration number MAT EMPLOJNT Spouses (>1) SJNTNAM Spouse's name A SJNTSRN First name A SJNTDATBRN Date of birth D SJNTTEL Telephone TEL EMPLOAD Administrative information FLGHDC Disabled worker M HDC Handicap rate DCB EMPLORIB Bank ID statement BIDNUM Bank ID number BID EMPLOMED Medical examinations MEDDCT Doctor A Commenté [MJ10R9]: This is only used for the data search function that is not available yet, however I don t think it should be removed from the document. GDPR * Page 16 of 20

17 Fields for France legislation only: Table Description Field Description CTYBRNSEE Federal ID code DEPBRN Department EMPLOID Civil status NUMSSC Social Security no. CODUE EU coding CODSEE Federal ID code EMPLOCHD Children NUMSSEBNF1 NIR Fields for Portuguese legislation only: Table Description Field Description EMPLOID Civil status NUMSSC Social Security no. EMPTAXNBR Tax identification FORTAXNBR Foreign tax ID EMPLOIDPOR Civil status IDNBR Identification no. PLCRGT Registration EXPDAT Expiration date Security principles To minimise the risk of data breaches and related penalties some elementary security principles are advisable. For version 9 please refer to the documentation available for more details: o o Technology and Architecture Overview document for this version; The Online help for more details for Security, Security Best Practices and Data Security on the platform module. Main principles Security was a strong focus in the design and development of Sage X3. The solution was audited and certified by a third-party for safe operation in the Cloud. Sage X3 supports external identity providers like LDAP, Oauth2 (Google and Microsoft Live accounts) and Sage ID. This improves security by offloading the management of user credentials, and also improves the user experience by providing a Single Sign-On (SSO) experience. User credentials do not transit through the ERP when integrated with Oauth2 identity providers or with Sage ID. In addition, communications with the various client components can be GDPR * Page 17 of 20

18 secured with HTTPS, and communications between server-side components are authenticated with certificates. GDPR * Page 18 of 20

19 Information on every page load. As the URL can contain data (customer ID, order number for example), sanitization rules based on regular expressions are defined in the configuration file. This ensures that no personal data is sent to pendo even if activated. By default, the rules used perform the following sanitization: Sage Legal Disclaimer o Host and port are removed from URL The information contained in this guide is for general guidance purposes only. It should not o Function, classes and representations segments are sent to identify the use case be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute o for Report customers codes, making statistical their codes, own detailed landing investigations page names or are seeking not sent their but own replaced legal by advice if they STAT, are unsure QUERY, about home. the implications of the GDPR on their businesses. While we have made o every No data effort segment to ensure is sent that the information provided in this guide is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an as is basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information. GDPR * Page 19 of 20

www.sage.com www.sage.com/gdpr 2018 The Sage Group plc or its licensors. All rights reserved.

20 The Sage Group plc or its licensors. All rights reserved. Sage, Sage logos, and Sage product and service names mentioned herein are the trademarks of The Sage Group plc or its licensors. All other trademarks are the property of their respective owners.

SCHOOL SUPPLIERS. What schools should be asking!

SCHOOL SUPPLIERS. What schools should be asking! SCHOOL SUPPLIERS What schools should be asking! Page:1 School supplier compliance The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will be applied into UK law via the updated