SNP Group, a software company based in Germany, is square in the crosshairs of Europe’s General Data Protection Regulation, which went into effect in 2018.
The company’s cloud-based product, SNP CrystalBridge, helps companies manage their enterprise resource planning systems. As a result, SNP had access to its employees’ private data as well as the private data of end users. It also potentially had access to the private information in its customers’ ERP systems. However, under the General Data Protection Regulation (GDPR), companies must have permission before they can collect private data, they need to protect that data, and they must be able to delete it upon request.
The first step for SNP Group was to thoroughly inventory the private data it was collecting, said Steele Arbeeny, the company’s CTO. “What do we have? Where is it? What could be construed as protected information?”
This information includes anything that could be used to identify a person, such as name, phone number, address and even whether that person prefers to use 12-hour or 24-hour time format.
“Legal doesn’t want to deal with any of these problems cropping up,” Arbeeny said. “They tend to err on the side of being overly cautious.” But it wasn’t an easy job. Personal data doesn’t just show up in well-defined database fields, he added.