Sage X3 (Enterprise Management) Supporting Compliance with GDPR


GDPR stands for General Data Protection Regulation and is a European regulation passed on May 25, 2018 that describes the rules that companies must comply with to protect personal data. Non-compliance could cost companies dearly. Sage (X3) Enterprise Management provides tools to help with compliance. In this post, we’ll go over the tools that support compliance with GDPR in Sage X3 (Sage Enterprise Management) and review other important information you need to know as it relates to GDPR and your Sage application.

Supporting Compliance with GDPR

GDPR compliance cannot be obtained through the Sage X3 software alone. It requires internal administrative work that includes being able to identify and document internally where personal data is managed, why the data is stored, how it is used, the list of companies it is shared with and the countries where this data is stored. If the data is stored outside Europe, you might have contracts in place to secure the data protection.

Additionally, a person must be assigned as a “Data Protection Officer” to manage compliance, protect the data, warn others if a data breach has been detected, delete or make the personal data anonymous upon request of an individual, provide a copy of the personal data in a digital usable format upon request of an individual, and update the personal data if errors exist (rectification rights).

Other Important Information about GDPR in Sage X3 (Sage Enterprise Management)

There are exceptions in the Sage X3 ERP fields – this is because legal compliance can force you to keep the data. The standard features of Sage X3 provide you with tools to help comply with GDPR. In other words, Sage X3 is GDPR ready.

Although the software has been maintaining compliance with GDPR, there are new features in this release. A new GDPR visual process has been added to the Data administrator home page that provides access to the various functions available in the software that support GDPR compliance. With these new tools, you can:

  • Identify a Data Protection Officer.
  • Generate a log listing the companies inside and outside of Europe with the associated Data Protection Officer.
  • List the data types related to personal information.
  • Export all the fields associated with individuals.
  • Use a search tool to find personal data.
  • Access personal data records (Users, BPs, etc.).
  • Export templates and export of personal data records.
  • Extract all phone numbers and emails in order to ease a data breach communication process.

In the Companies definition, the Contacts tab now includes a Data Protection Officer check box to identify the DPO within a company. A function extracts the list of Data Protection Officers per company in 2 groups (Out of Europe, and In Europe). This also allows you to identify whether legal agreements are necessary if some facilities are located outside the European area.

An additional dictionary table (GDPR data type setup) has been added to help you document the fields in the database that are references to main records identifying individuals, email addresses and/or phone number fields in the database. This dictionary can be completed to take into account specific / vertical additional data.

Extracting

A function uses the previous setup to extract, in CSV format, the list of all the tables and fields holding personal data. Identifying where a main record is referenced and for which date can help with managing the compliance. The first step is to use the search engine to identify the master record key. From the key record, you can then search for all the related data on documents as well as the first/last date for these movements.

Extracting all the phone numbers or email addresses related to individuals can be critical to prepare a communication plan in case of a data breach. Two dedicated exports are provided to help you extract this data in CSV format. These can be exported to an Excel spreadsheet. The extraction function is based on the data type description given in the GDPR data type dictionary.

Let us know if you have questions relating to Sage X3 and GDPR compliance.