Exercising “Right to Erasure” on Oracle Cloud
In the world, that is Digitally Connected and Data-Driven, it is significant to have access to the data that complies with all regulatory requirements. It becomes important for any organization to hold a sustainable and comprehensive approach towards handling the “Right to be Forgotten”. With Enterprise Applications in place, considerable data accumulates over a period of time against any person during his / her Employment.
What is GDPR’s Right to Erasure?
The General Data Protection Regulation (GDPR) (Ref: https://gdpr.eu/ )is a regulation in EU law on data protection and privacy. At its core, GDPR is a set of rules designed to give citizens more control over their personal data.
The regulation contains provisions and requirements related to the processing of personal data of individuals and applies to any enterprise — regardless of its location and the individual’s citizenship or residence — that is processing the personal information of these individuals.
While the GDPR is an EU law, it applies to companies outside the EU because it is extra-territorial in scope. It applies to any company that makes its website or services available to EU citizens, including US companies. It imposes obligations onto organizations anywhere, as long as they do target or collect data related to people in the EU.
GDPR’s Article 17 (Right to erasure) states that, (Ref: https://gdpr-info.eu/art-17-gdpr/ )
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay on the grounds that the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
Organizations are required to keep an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request.
The list should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you’re doing to protect the data (e.g. encryption), and when you plan to erase it.
While GDPR’s Right to Erasure empowers every individual separated from the Organization to request for it, every Organization falling under this regulation ends up floundering with following questions:
Are we “Good” to Erase?
Let us start with a good news. For Oracle SAAS Customers on the Cloud, there is a standard way to achieve this. In Release 19D, Oracle delivered standard process to Erase identified data. While the solution has a few limitations, it is reassuring that Oracle is enhancing the process to handle more objects / scenarios in every release.
While it’s a good option to ask for Erasure, there may be many dependencies that an Organization is required to validate before proceeding to perform the Erasure. In a typical scenario of Multi-Pillar Implementation on the Oracle Cloud, it is imperative that there is a quicker way to verify the dependencies for decision-making. Dependencies may include activities beyond HCM like Pending Requisitions, Approvals and, if an Employee in Question was a Line Manager and, many more.
What to Erase?
Once it is ensured that there are no dependencies across the application, an organization can make a choice to Erase, Not Erase, Partially Erase based on the ask. What becomes key here is to understand that there is no step back once the data is gone. A thorough check is always recommended.
How do we Erase?
Oracle introduced the “Data Disposal” functionality in Release 19D and they have been upgrading it with new features every quarter. A few of the key features include:
- Easy to Configure and Run
- Ability to select the objects that can be Erased for a Person in question
- Wherever the data cannot be Erased, it will be Replaced by a Static Text
- Detailed log that holds information on the records could not be Erased
However, it is not complete and suffers from a lack of a few desired features. Listed below are some of them.
- Criteria Definition to identify the Workers to be Erased
- Benefits, Payroll, Absences and OTL data cannot be Erased
- User module remains AS-IS – neither the User is De-activated, nor the information on the user record is erased (like User Name, Last Name, Email Address etc.,)
- Any respective dependencies across the Cloud Application (ERP / SCM etc.,)
Cooked, needs Support to Serve
The standard offering is functional only if the dependencies (Payroll, Benefits, Absences) are eliminated. Neither the approach is easy to handle manually, nor can one wait until the future releases for having the dependencies addressed. Answering this concern, Apps Associates has come up with a Custom Tool that can:
- run independently and perform the Data Erasure
- work with the standard Oracle’s offering in a hand-shake mode to mark the Data Erasure complete
Here is a quick compare of how this approach fares with the out-of-the-box solution.
- Coming soon are Talent Management, Recruiting and Learning
- While frequency is subject to Organization’s decision, a best practice is to schedule this run at least once every month. Given that the process is resource intensive, it is advisable to run the process over non-business days.
Apps Associates understands that the needs and adoption options may vary. Hence, the solution comes in 4 different versions – that includes the versions that can be deployed directly on the customer site too.
The choice is yours!
A collaborative effort does wonders – always! Here is a testimony for the same. Thanks to the combined effort of Integrations and HCM Teams of GDC who worked together in making this happen. At last, a Happy Customer is a Happy Customer – and here we are chasing every extra mile.
Vijay Pedamallu is associated as a Senior Delivery Manager for HCM Projects at Apps Associates. Carrying an overall industry experience of 18+ Years he loves following the evolution and adoption of digital trends for a better work-life.