Explaining Customer Data and Privacy Regulations

Objective

After completing this lesson, you will be able to differentiate between the various types of customer data and privacy regulations as they relate to consent in a web application.

Customer Data and Privacy Regulations

Customer Data is any type of personal, demographic, or behavioral data collected by a company or entity.

Customer Privacy protection is the enforcement of rules and regulations designed to protect customer data from being used in an inappropriate/unlawful manner.

Customer Privacy Regulations: The EU's General Data Protection Regulation (GDPR) sets requirements and principles for data management. It regulates how data is stored, canceled, or transferred. It aims to protect the rights of individuals. GDPR sets strict guidelines that companies must adhere to regarding data protection and data privacy.

  • Data protection means keeping data safe from unauthorized access.
  • Data privacy means empowering your users to decide who can process their data and for what purpose.

The law requires a company to make a reasonable effort to provide customers with the means to control how their data is used and who has access to it. Companies are required to openly provide customers with the information (Consent Statements) so that they can understand how their data is collected and used.

SAP monitors and stays compliant with the always-evolving global data protection and privacy requirements applicable to SAP's products and services. The chart below illustrates the common types of data collected and individual customer rights.

Pictogram illustrating the types of data collected and individual rights. Types of data collected are: Profile Data, Social Data, Location, Device Data, Registration Data, Behavioral Data, Likes and Interest, Connections. Types of individual rights are: Erasure, Restrict Processing, Data Portability, Object, Rights, Be Informed, Access Rectification.

There are other global data and privacy regulations, such as the California Privacy Rights (CCPA/CPRA), the Brazil General Data Protection Act (LGPD), and the "Important Data" under China Data Security Law, to name a few.

Consent

Consent is when a customer or consumer agrees to release their personal information to a company or entity for use within a scope and defined purpose. Consent is a key task in SAP Customer Data Cloud. As a Developer, Consultant, or Administrator, you must ensure that the Consent Statements in SAP Customer Data Cloud are correctly maintained and passed downstream to connected systems. This will ensure the customer's rights to privacy and business compliance with local regulations.

Consent: When a customer agrees to the company's use of their data.

  • Must be specific and explicit.
  • Must be given for an exact purpose.
  • Ensures the end users can decide to agree with consent.

For example, when a customer checks the box for agreeing to terms and conditions or signs up for the company's mailing list.

Withdrawal Consent: When a customer requests to remove access to their personal data.

  • Should provide the customer with an easy way to withdraw consent.
  • Should completely stop processing for the purpose noted by the customer.
  • Ensures the end users can decide to revoke consent.

For example, when customers unsubscribe from a company’s e-mail or promos.

Consent Record: It’s the log of the consent statement the customer accepted or withdrew from.

  • Any change in consent communicated by the customer must be carefully audited.
  • Should indicate what purpose, version, and locale of the consent statement has been granted, renewed, or withdrawn by the customer.
  • Should be retained for a reasonable period of time and made available upon DPO request.

For example, a customer may unsubscribe from a company’s e-mail list. That action generates an unmodifiable consent record.

SAP Customer Data Cloud and Consent

SAP Customer Consent is a secure profile, preference, and consent management solution that addresses regional privacy compliance throughout the customer life cycle.

It provides transparency to the customer while helping you (as the company) uphold rigorous standards to support your compliance with international privacy regulations. Customer Consent gives customers control over their data.

Customer Consent Benefits:

  • Supports compliance with data privacy laws.
  • Additional optional consent statements allow flexibility in your relationship with the customer.
  • Communication preferences allow users to subscribe to various communication channels.
  • Provides the option to withdraw consent and manage communication preferences.
  • Consent vault contains the records of the customer's agreement to your site policies, the consent statement version, and other additional information.
  • Synchronize consent-based user data to third-party platforms using IdentitySync or GConnectors.

Note: While SAP Customer Data Cloud offers a full suite of solutions designed to help clients comply with applicable data privacy laws, it is the client's responsibility to comply with its obligations under such data privacy laws. Consult with your legal team regarding such data privacy laws before implementing the SAP Customer Data Cloud suite of solutions.

Consent Management: You can use Consent Management to display the terms and conditions that the customer must consent to in exchange for using your site's services. It also captures the consent version and locale that the customer agreed to. This consent allows you to fine-tune your services to users and to pass consent data downstream to third-party applications using Dataflows (IdentitySync), SAP Customer Data Cloud's ETL platform.

Consent Example: Let’s look at two common types of consent.

Two images side by side labeled Image A and Image B. Image A illustrates a Terms and Conditions screen-set example. Image B illustrates a Privacy screen-set example.

Image A: This customer is signing up for your company's online services. A Terms and Conditions consent statement was added to the Customer Registration screen-set. By checking the Terms and Conditions check-box, the customer consents and agrees to how the company will use their personal information. Using the UI Builder you can also add a link to the consent document that details how the company will use the customer's personal data.

Image B: The Privacy screen-set shows all consent statements the customer previously agreed to. The customer can also update their consent by either agreeing to or withdrawing from optional consents.

Note

For more information regarding Customer Data and Privacy, please visit: Customer Consent

For more information regarding Implementing SAP ECPM, please visit: Implementing SAP ECPM
