GDPR
Solution Pack for the new data protection regulations
As part of a new solution pack, ERP specialist Asseco Solutions is providing its customers with an effective tool to meet the strict requirements of the GDPR within their ERP system.
The Solution Pack extends APplus with key new functionalities for implementing EU regulations, including a GDPR-compliant anonymization function, the introduction of purposes of use as a new type of master data, and protection against unauthorized processing for the highest possible level of data protection.
As the industry association Bitkom reported at the end of last year, only around one in eight companies believe they will be equipped to comply with the new European General Data Protection Regulation (GDPR) by the deadline in May. In many cases, the reason for this is unlikely to be a lack of awareness of the sometimes draconian penalties for violations. Rather, compliance with the GDPR seems to be such a challenge that quite a few companies are all but giving up in the face of the abundance of regulations and the different approaches to implementing them.
If you want to meet the requirements of the European General Data Protection Regulation on time, you need to ensure a complete overview of all personal data collected and consistent documentation of all processing procedures as quickly as possible. This is because the requirements from Europe are strict: according to the GDPR, for example, every person in the EU will in future be entitled to request a complete overview of all personal data stored about them by a company - including the purposes for which it is used. As part of the "right to be forgotten", a "data subject" can also request its deletion or irreversible anonymization. In general, data may only be stored in a form that enables the identification of individuals for as long as is necessary for the purposes for which it is processed, or if the respective data subject has given their consent. Accordingly, the purposes for which the data is used must be fully recorded and documented along with the data. This strict data protection also applies within the company: companies are obliged to take technical measures to protect personal data from unlawful access and processing.
In combination with the new Solution Pack, APplus offers companies a range of native and dedicated GDPR functions that support them in implementing these strict requirements. These include, among others:
- Anonymization function
The new GDPR Solution Pack provides users with an anonymization function that enables the implementation of the "right to be forgotten" in APplus. This enables companies to irreversibly anonymize master and transaction data in the ERP system at the customer's request or automatically according to defined rules. The solution also observes previously defined retention periods for APplus objects, such as invoices and other central contract data that must be retained for certain periods of time in order to safeguard legal claims. Before anonymization, APplus checks the existence of corresponding restrictions and ensures that the data record is only anonymized when the last deadline expires.
- Implementation of processing purposes
As part of the new Solution Pack, APplus introduces the "processing purpose" as a new type of master data. This enables the system to define and manage corresponding purposes for personal data, which can be automatically assigned to the respective data records in APplus according to freely definable rules. In this way, the additional manual effort involved in creating a data record is kept to a minimum, while at the same time ensuring that all relevant purposes are reliably taken into account. Reports on data usage can also be created on this basis in order to comply with the right to information in the event of inquiries and the obligation to provide information when creating new data records. These can be sent manually or automatically to the person concerned.
- Protection against unauthorized processing
According to the GDPR, personal data must be protected against unauthorized access at all times. This regulation can be implemented with the help of APplus access rights. Depending on the user role - and depending on the respective job profile - companies can define what the user's access rights look like in detail. In addition, database filters can be used to individually set which data records the respective user has access to. In this way, companies also meet their documentation obligations: The authorization concept implemented in APplus can be used to prove to a supervisory authority how personal data in APplus is protected against unauthorized access within the company.
A solid data protection concept
"No matter how mature a GDPR-compliant IT solution may be, the first and most important step towards compliance with the General Data Protection Regulation is and remains going to a lawyer," emphasizes Holger Nawratil, CEO of Asseco Solutions. "We can only recommend all companies that are still undecided about implementing the requirements: Talk to a lawyer who specializes in data protection law and work with them to create your individual data protection concept! This forms the essential basis for implementing the required functions at a technical level in compliance with the regulations with the help of our GDPR Solution Pack. The GDPR functionalities in the ERP system can only be correctly parameterized if there is clarity about what data is collected, for what purposes, where exactly it is stored and how, why and by whom it is processed. A careful inventory of all data and processes and an audit by a legal expert are therefore the be-all and end-all for GDPR compliance."
The release of the APplus Solution Pack for GDPR is scheduled for today, March 22, 2018. The current APplus version 6.3 will be supported initially, with a further solution pack for version 5.2 to follow. Further information on implementing the GDPR with APplus can be found here. In addition, Asseco Solutions offers a comprehensive training program for implementing the requirements resulting from the GDPR in APplus.









