What is DPP and GDPR policy
Data protection policy (DPP) and General Data Protection Regulation (GDPR) requirements call for “Erasure of PII data when the reason for capturing and processing has expired. This data, having a clearly defined purpose, and appropriate retention period, shall be irrecoverably erased once the retention period has expired”.
SAP Litmos has introduced data security opt-in controls to allow organizations to 'Enable' and define the data protection policy specific to their organization.
How does Data Security work
By default, Data Security is disabled for all accounts, and only the Account owner has the ability to enable the functionality. Once it is enabled and a retention period is defined, the system will track and select all qualifying users. The personal information (PII data) of qualified users will then be purged on the 1st and the 15th (scheduled purge runs).
Where to enable data security settings for DPP and GDPR
Opt-in controls to enable data retention policies will be available to every account. These settings can be enabled by the Account owners from Account > Data security settings. Note: The minimum retention period is set at 6 months. The retention period can be set in months or years.
Who will be affected by enabling Data Retention policy
Active users: Active users will not be affected by the data retention policy.
Deactivated users: Deactivated users will be affected by the data retention policy.
- Only personally identifiable data (PII data) of deactivated users who fall outside the org-defined data retention window will be purged.
- If an admin updates a user's profile or updates their achievement, that user will fall back on purge eligibility.
- Personally identifiable data (PII data) includes all the user profile fields, including default fields, Legacy custom fields and Advanced custom fields.
- The PII data purge job runs on the 1st and 15th of every month. Account Owners can set purge email reminders to be made aware of an upcoming purge.
Blocked users (NEW): Data retention policy does not affect blocked users.
- A deactivated user can be blocked from data purge by the Account owner, for example in case of a legal conflict.
- Blocked users cannot be un-blocked under any circumstance (due to security reasons).
Who are blocked users
A deactivated user can be blocked to protect them from the system purge, for example in case of a legal conflict. Only an Account owner is able to block a user from system purge and general view. A blocked user cannot be un-blocked (due to security reasons) and can only be deleted when the purpose of the block is fulfilled.
How can an Account Owner block a deactivated user
When the Data retention policy is enabled, there will be a sub-tab at Account > Data security > Deactivated users. This tab will list all deactivated users, the days until they will be purged, their Access level and the Action (block and delete). Here the Account owners can choose to block a user by clicking on ‘Block’.
Is there a separate log of the GDPR policy setting updates
There will be a new History log that will capture field-level changes to the retention policy settings and data purge details. This log is only available to Account owners under Account > Data security > History Logs. Account owners can also download all the data as a CSV.
User status: action and access permissions
|Roles||Block user||Access Blocked user||
(with the DPP setting)
|Access Purged user||Deactivate user||Access deactivated user||Activate user||Access Active user|