Protecting Customer Data

Objective

After completing this lesson, you will be able to use audit reports and data deletion capabilities to ensure customer data is handled appropriately.

Introduction to Data Privacy

In today’s business landscape, adhering to data privacy laws is becoming ever more important, as more governments are releasing legislation to protect their citizens’ right to privacy. The General Data Protection Regulation (GDPR) in the European Union, for example, gives individuals control over and protection of their personal data. Penalties may be up to 4% of annual global revenue or €20 million, whichever is greater.

Who must comply? Organizations that offer goods or services to EU residents, including processing, monitoring, or holding their personal data.

Applies to: The processing of the personal data of individuals, independent of nationality or place of residence in the EU.

Compliance means understanding what personal data is collected, how it's used, and where it's stored, and ensuring individuals have the right to access, correct, erase, and restrict processing of their data.

Note

SAP Commerce Cloud doesn't automatically make companies GDPR compliant. It only provides tools, templates, features/functions, and so on, to help them meet relevant requirements for commerce-specific processes and operations.

GDPR Features Supported in SAP Commerce Cloud

  • Consent Management: Available to both anonymous and registered users.
  • Customer Account Closure: Available to registered users in the storefront’s self-service area or through Customer Support.
  • Personal Data Reporting: Backoffice supports the generation of personal data reports upon customer request.
  • Data Retention/Deletion: Triggers deletion after a predefined retention period.

We'll touch on all these topics, but first, we'll have a look at the consent management available to both anonymous and registered users. When entering the storefront for the first time, any user can initially decide how their data is processed.

Screenshot of the cookie notification and consent request on the storefront.

This setting is valid for an anonymous user during the current session. Any logged in user can manage their initial decision afterward at any time in the My Account area under Consent Management.

Screenshot of the Consent Management section of a customer's account.

Note

These settings are always available for anonymous and registered users in the footer section at the bottom of the storefront.

Screenshot of storefront footer with link to Consent Management available for anonymous users.

Consent Templates

Consent templates define the content shown to users on the Consent Management page in the storefront. A storefront can have multiple consent templates, and one template can be used for multiple storefronts. They can be easily managed in the Backoffice Administration Cockpit by navigating to User, and then Consent Template.

For reusability, usually every service that needs consent has its own template, and the Consent Management Page simply aggregates all templates with the status Exposed.

Each exposed template then shows up on the Consent Management Page with its name and description and can be checked by the user individually or all together.

Let’s have a look at the relationship of the consent templates in Backoffice and their exposure on the Consent Management Page.

Screenshot of Consent Templates in Backoffice and of them represented on the storefront for customer acceptance.

Creating a template is also simple. Just click the create button and follow the few wizard steps. After creation, reopen it and set the Exposed flag to true to make it instantly show up on the Consent Management Page.

Let’s see the creation of a DemoService consent template in the following screenshots.

Screenshot of how to create a Consent Template in Backoffice.

How SAP Commerce Cloud Includes Information in Reports

SAP Commerce Cloud is designed to include relevant customer information in audit reports to facilitate compliance efforts. The information in these reports is based on configurable Generic Audit logs that track all changes to specific items in SAP Commerce Cloud. In this case, the relevant tracked information is:

  • Personal Data: Information such as names, addresses, e-mail addresses, and contact details.
  • Consent Records: Records of when and how customers provided consent for data collection and usage.
  • Order History: Details of past purchases, including products, dates, and amounts.
  • Activity Logs: Records of customer interactions with the storefront, such as logins, page visits, and form submissions.

This data is organized to offer a comprehensive overview of customer interactions and consent history, allowing businesses to demonstrate compliance with GDPR requirements. Support staff, including customer support agents, managers, and administrators, can generate reports using the Customer Support Cockpit. Other applications can easily use the structured data for further processing. With some developer effort, the data can also be presented in various formats for report readers.

Let's look at a short screen recording that demonstrates the entire process a customer support agent follows to generate an audit report requested through a customer ticket. This walk-through will cover everything from logging in to accessing and partially presenting the structured yet raw report data.

Customer Support Agent Working on Customer Data

Customer Support (CS) Agents can access and manage customer data through the Customer Support Cockpit. The Customer tab offers a comprehensive view of the customer's profile, including personal information, order history, consent records, and other relevant details.

From this tab, CS Agents can:

  • View and update customer data: Access and modify customer details as needed, ensuring accuracy and compliance.
  • Process data requests: Handle customer requests related to data access, rectification, or deletion.
  • Generate audit reports: Create audit reports to track data changes and ensure compliance.

There are two types of reports to choose from:

  1. Audit reports provide a full report on all historical data for a customer stored in the database. For example, this includes the old address when a customer changes their address.
  2. Snapshot reports offer a condensed version, only providing the current records stored.

The Customer Support Cockpit offers the tools CS Agents need to manage customer data while effectively complying with data privacy rules.

Data Deletion

SAP Commerce Cloud offers mechanisms to handle customer data deletion requests in compliance with GDPR's "right to be forgotten." When a customer chooses to close their account, their personal data can be deleted through a series of cron jobs.

Screenshot of how to close an account on the storefront.

Some relevant facts:

  • Account deactivation: When a customer closes their account, the deactivationDate is set.
  • Retention period: There's a retention period (two days by default) during which the customer can cancel the deactivation by contacting customer support.
  • Cron jobs: When the retention period expires, cron jobs delete customer-related data, including e-mail addresses, contact information, shipping details, consent settings, and payment details.

A customer’s order history is retained for 10 years (default setting). Immediate deletion is restricted for several reasons, including laws regarding tax traceability and the prevention of money laundering. Customers can contact customer support within the order retention period if they need any information about their order history.

Cleanup cron jobs:

The actual cleanup after the retention time expires is done by cron jobs run by the system.

Cron jobs allow SAP Commerce Cloud to schedule repeated business tasks. Examples might include pushing order status information to customer accounts or deleting customer data when requested.

  • Customer-specific cron jobs: Clean up data for deactivated customers once the account has been closed and the two-day retention time has expired.
  • Order-specific cron jobs: Clean up orders and order-related data for deactivated customers after the order retention period of typically ten years.

These cron jobs can be configured to reference explicit configurations called Retention Rules, allowing for custom logic to be plugged in for specific tasks.
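The retention behavior described above can be checked independently of the cron jobs themselves. The following Python sketch is an added example, not SAP Commerce Cloud code: it audits an exported list of customer records for personal data that outlived the retention period, which would indicate a cleanup job that failed or never ran. Every field name except deactivationDate is hypothetical, the sample records are constructed, ten years is approximated as 3650 days, and measuring order retention from the order date is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

CUSTOMER_RETENTION = timedelta(days=2)     # default stated in the lesson
ORDER_RETENTION = timedelta(days=3650)     # "10 years", approximated

@dataclass
class CustomerRecord:                      # hypothetical export format
    uid: str
    deactivation_date: Optional[datetime]  # mirrors deactivationDate
    has_personal_data: bool                # e-mail, addresses, consents, payment
    order_dates: List[datetime]

def classify(rec: CustomerRecord, now: datetime) -> str:
    """Place a customer in the account-closure lifecycle."""
    if rec.deactivation_date is None:
        return "active"
    if now < rec.deactivation_date + CUSTOMER_RETENTION:
        return "in_retention"              # closure can still be cancelled
    return "overdue" if rec.has_personal_data else "cleaned"

def orders_past_retention(rec: CustomerRecord, now: datetime) -> int:
    """Count orders of a deactivated customer that should already be gone."""
    if rec.deactivation_date is None:
        return 0
    return sum(1 for d in rec.order_dates if now >= d + ORDER_RETENTION)

def audit(records: List[CustomerRecord], now: datetime) -> dict:
    """Return only the records that violate the retention rules."""
    findings = {}
    for rec in records:
        status, stale = classify(rec, now), orders_past_retention(rec, now)
        if status == "overdue" or stale:
            findings[rec.uid] = {"status": status, "orders_past_retention": stale}
    return findings

def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = _d(2025, 1, 10)
SAMPLE = [  # constructed sample data
    CustomerRecord("alice", None, True, [_d(2010, 1, 1)]),
    CustomerRecord("bob", _d(2025, 1, 9), True, [_d(2024, 6, 1)]),
    CustomerRecord("carol", _d(2025, 1, 1), True, [_d(2020, 3, 1)]),
    CustomerRecord("dave", _d(2014, 5, 1), False, [_d(2013, 1, 1), _d(2016, 1, 1)]),
]

if __name__ == "__main__":
    for uid, finding in audit(SAMPLE, NOW).items():
        print(uid, finding)
```

A non-empty result means data is still present after its retention window closed and the corresponding cleanup job should be investigated.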

Summary

  • Compliance with data protection regulations, such as GDPR, is crucial for businesses using SAP Commerce Cloud.
  • Different consent templates define the content displayed to users in the storefront and are aggregated on the Consent Management page.
  • SAP Commerce Cloud includes customer information in audit reports, capturing personal data, consent records, order history, and activity logs.
  • Audit reports can be generated in the Backoffice Customer Support Cockpit to track data changes and ensure compliance.
  • Data deletion mechanisms, including cron jobs, help businesses comply with the "right to be forgotten" under GDPR.