SAP Business One & GDPR Compliance
Wednesday, 21 Nov, 2018

One of the most talked-about regulations in recent times is the General Data Protection Regulation, or GDPR, which came into force on the 25th May this year. As one of the world’s leading business software companies, SAP can assure customers using SAP Business One that version 9.3 PL04 is compliant with GDPR. Various new features have been added to this version to provide extra security in how companies deal with personal data.

Data Protection Tools are now accessible under the Administration/Utilities tab, which provides a centralised location for managing personal data protection. The General Authorisations form has been extended to support authorisations for the new Data Protection Tools, making it possible to restrict access to sensitive data and set authorisations for it, as well as to restrict access to the various functions under Data Protection Tools.

A particularly important new feature is that new GDPR objects are now supported in the Change Log – this covers Activities, Checks for Payments and Service Contracts. Logging changes (date, time, owner) to personal data is a critical requirement under GDPR and the Change Log needs to be available everywhere personal data is stored and maintained.

One requirement under GDPR is the right of any person to contact an organisation and request a report about the personal data that the organisation stores and processes about them. SAP Business One v.9.3 PL04 provides the option to generate Personal Data Reports, which are gathered from master data and transactions, facilitating any requests to retrieve personal data which is held by the company, as well as verifying personal data correctness following feedback on personal data reports.

Another important requirement is the ability to permanently erase all personal data held on a person, either upon their request or after all legal periods to legitimately hold on to the data have expired and there is no reason to block the data. This action is irreversible, so it must be taken only after proper consideration and after checking that all data retention periods are over and there is no legal obligation to continue to hold on to that personal data.

SAP Business One 9.3 PL05 also offers the ability to block personal data, which differs from erasing data in that the action is reversible. Blocked personal data cannot be accessed unless it is unblocked, and the records cannot be used for future marketing purposes, but blocking allows personal data to be retained for specific purposes and processes, for example, extensions to the time allowed to retain such data or overruling mandated by law. Personal data can also be unblocked, after which it is visible to users authorised for the forms where the data is stored, but it cannot be used in future transactions. Unblocking personal data might be required if the organisation has to fulfil a legal request to an external authority.

From version 9.3 PL06, SAP Business One provides the ability to encrypt all bank account data, affecting the fields Business Partner Bank Account No., Business Partner IBAN No. and Employee Bank Account. Bank account values in master data and transactions (payments, check register, bill of exchange, OPEX table, deposits, etc.) are encrypted in the database, and only selected authorised users are able to view the hidden sensitive personal data values.

For more information about upgrading to the latest version of SAP Business One to ensure compliance with GDPR, and other forthcoming legislative changes, such as the new Making Tax Digital regulation coming next year, please contact the Ascarii team now on +44 (0)1789 777466 or email 
