Data Protection settings in SAP Enable Now

Data privacy and protection is a significant concern with all methods of content delivery, and the requirements around it are only likely to become more prescriptive. In this article, we look at what SAP Enable Now provides to address data privacy and protection, and how to enable or disable these features. Firstly, do you need to worry about them?

In 2016, the European Union put in place the General Data Protection Regulation (GDPR) which provides guidelines for the collection and processing of personal information from individuals who live in the European Union. In 2020, a similar law – the California Consumer Privacy Act (CCPA) – came into effect in California. These are legal requirements, and there can be stiff penalties for companies that do not abide by them. If you have SAP Enable Now users in any EU country, or California, you need to comply with these regulations. And even if you don’t need to comply with them for legal purposes, you may still want to adhere to them, as a ‘best practice’. You may find your company has similar requirements anyway, so check with your Data Controller or Data Protection Officer (or Legal department if these specific positions do not exist).

In short, the GDPR and CCPA both govern the way in which a user’s personal information is collected, stored, and shared. They are relevant to SAP Enable Now, because SAP Enable Now requires users to have a Userid in the SAP Enable Now system, and then tracks which content objects the user ‘consumes’. Specifically, SAP Enable Now stores the following information, for the purposes indicated below (this is taken from the SAP Enable Now Security Guide 2021-11-01 edition, with some annotations):

  • For identification (to allow login):
    • SAP Enable Now Userid (this may be taken from the IAS)
    • First Name, Middle Name (if provided), Last Name
  • For contacting the user:
    • Email address
    • Phone number (if provided)
  • For user management:
    • Roles assigned to the user
    • Organizational Units to which the user is assigned
  • For interface display:
    • Interface language
    • Dialog display settings (e.g. last used screen layout)
    • Personal preference settings (e.g. always prompt to publish on Finish Editing)
  • For progress reporting (if activated):
    • Content objects accessed
    • Time for which individual objects were accessed
    • Success rate for object access (e.g. Test mode scores, completed indicator for courseware)
  • For content collaboration (authors only)
    • Start/finish editing and save to server dates/times for content objects
    • Comments on content objects
    • Dates and times of changes to object metadata (such as Status, Tags, Workflow, and so on)

This is all ‘personal information’, and therefore covered under GDPR and CCPA. Luckily, SAP Enable Now is equipped to fully comply with both of these requirements.

There are two SAP Enable Now settings applicable to data protection. These can be found under Administration > Server Settings, in Manager.

Data Protection settings in Manager

If the first one of these (Enable Data Protection Feature) is selected, then the following features are available in SAP Enable Now:

  • End users can view the personal data collected for them. They can see this in Manager (only) under menu option Settings > User Info.
  • End users can view changes made to their personal data. They can see this in Manager (only), under menu option Settings > Personal Data. (There is an example of this in the last screenshot in this article.) Users can also download this information.
  • Administrators can purge all personal data for a given individual or for all users (this is “the right to be forgotten”). This is done in Manager, under Administration > Users > {User} > Purge All Personal Data (button). Data can be purged for ‘all time’, or for a specific period (for example, outside of a defined data retention period).

The second of the server settings, Request Consent from Users, is the more interesting one. If this is selected, each user will be required to accept a ‘data protection and privacy statement’ when they first log on to (any components of) SAP Enable Now. This includes Learners who are just consuming content – even if they do not realize that they are ‘logging on’ to SAP Enable Now (for example, where Single Sign On is activated, and Create user on SAML login is selected). A typical example of the consent request is shown below:

Data Protection and Privacy statement at first login

I say this is a ‘typical’ example, as this is how a lot of companies seem to leave it – just showing the placeholder text of “Provide your data policy here.” So before we go any further, let’s look at how to change the Data Protection and Privacy Statement, and provide our own text. Note that this can only be done by an Administrator who has System Workarea access.

Firstly, you need to create a new text file (outside of SAP Enable Now) that contains your Data Protection and Privacy Statement. This must be named xxxx.txt – where xxxx is the Locale ID (a.k.a. the language code) of the language in which you want the statement to be displayed. This is the language in which the user will log on to the SAP Enable Now system. This is typically assigned when their Userid is created (and defaults to English), but each user can change it in the Interface Language field on the Settings > User Info screen. The code for English is 1033, so for the United States, you would name this file 1033.txt.

Although this is a text file, you can provide some formatting (paragraphs, lists) through the use of HTML tags, but you cannot use hyperlinks (as the information on the end of them could change). You should be able to obtain the appropriate text from your Legal department. If you cannot obtain a suitable text, or if Legal asks for details, you might consider using the following example as a potential starting point. This is based largely on SAP’s own Data Protection and Privacy Statement for their SAP Enable Now based Info Center, and so is directly applicable to SAP Enable Now implementations. (But please, have this validated by Legal – I do not claim it to be suitable for any given company or jurisdiction.)

The SAP Enable Now system is a content development and delivery service which needs to store and handle personal data.

We have created this Privacy Statement to demonstrate our firm commitment to the individual’s right to data protection and privacy. This Privacy Statement outlines how we handle information that can be used to directly or indirectly identify an individual (“Personal Data”).
 
Data Controlling
The Data Controller for the SAP Enable Now system is {company}, with its data protection officer {name}.
 
Duration of data storage
SAP Enable Now will store your name, email address and telephone number (your “Personal Data”) only for as long as the processing of your Personal Data is based on your consent (plus, where applicable, statutory data retention periods), either until your participation in processing and / or creation of learning material has ended or until you revoke your consent.
 
Any provision of Personal Data is entirely voluntary for you. However, without this information it will not be possible to make the access to the application landscape and content available to you.
 
Data usage
Your personal data will be used to identify your individual processing of provided learning material and other content as well as to generate summary or individual reports of the content processing and / or learning achievements within content provided from this hosted application.
 
Rights to request and purge Personal Data
You can revoke the given consent and request purging of your personal data at any time in your personal user settings area. You can also request from {Administrator} at any time information about which Personal Data SAP Enable Now processes about you and the correction or deletion of such Personal Data. Please note, however, that {company} can or will delete your Personal Data only if there is no statutory obligation or prevailing right of {company} to retain it. Kindly note further that if you request that {company} deletes your Personal Data, you will not be able to continue to use the SAP Enable Now system.
 
Transmission of data
Your Personal Data will be stored and processed only within this service landscape without any transmission to {company} affiliates or third-party partners.
 
Right to lodge a complaint
If you take the view that SAP Enable Now is not processing your Personal Data in accordance with the requirements set out herein or applicable European Economic Area (EEA) data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country where you live.

Once you have created the text file (in each required language), you can load it into SAP Enable Now, as follows:

  1. Access the System workarea (ID _system) in Producer.
  2. Go to Resources > Adaptable Resources, and locate the consent resource.
  3. Start Editing the consent resource.
  4. Right-click on the consent resource again and select Open Folder from the shortcut menu. This will open Windows Explorer, showing the files within this resource.
  5. Drag your text file(s) into the folder (you will be asked if you want to replace the 1033.txt file).
  6. Close the folder window and return to Producer.
  7. Right-click on the consent resource and select Refresh Object from the shortcut menu. (This is important! If you do not refresh the object, your changes will not be recognized by SAP Enable Now.)
  8. Finish Editing the consent resource. Make sure you select the Publish option (if you do not, your new consent statement(s) will not be displayed).
  9. Exit from Producer.
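
A pre-flight check you could run on the statement files before dragging them into the consent resource folder in step 5; this is an added example, not part of SAP Enable Now or the original article. It checks the points made above (the Locale ID file name, no hyperlinks, no leftover placeholder text, no unfilled {company}-style tokens from the sample statement). The function names, the local staging folder and the UTF-8 read are assumptions, and bare URLs are treated as hyperlinks, which is a stricter reading than the article states.

```python
import re
from pathlib import Path

# Constructed checks based on the article's rules for the consent text files.
PLACEHOLDER = "Provide your data policy here."
LOCALE_FILE = re.compile(r"^\d+\.txt$")              # e.g. 1033.txt (English)
ANCHOR_TAG = re.compile(r"<\s*a\b|href\s*=", re.I)   # hyperlinks are not allowed
BARE_URL = re.compile(r"https?://|www\.", re.I)      # assumption: also treated as links
TEMPLATE_TOKEN = re.compile(r"\{[A-Za-z ]+\}")       # {company}, {name}, {Administrator}


def check_statement(filename, text):
    """Return a list of problems found in one statement file (empty = OK)."""
    problems = []
    if not LOCALE_FILE.match(filename):
        problems.append("file name is not <Locale ID>.txt")
    if not text.strip():
        problems.append("statement is empty")
    if PLACEHOLDER.lower() in text.lower():
        problems.append("default placeholder text still present")
    if ANCHOR_TAG.search(text) or BARE_URL.search(text):
        problems.append("hyperlink found")
    tokens = sorted(set(TEMPLATE_TOKEN.findall(text)))
    if tokens:
        problems.append("unfilled template tokens: " + ", ".join(tokens))
    return problems


def check_folder(folder):
    """Check every file in a local staging folder: {file name: [problems]}."""
    return {
        p.name: check_statement(p.name, p.read_text(encoding="utf-8", errors="replace"))
        for p in sorted(Path(folder).iterdir()) if p.is_file()
    }


# Constructed sample inputs (not real statement files).
SAMPLES = {
    "1033.txt": "<p>The Data Controller is Example Corp.</p><ul><li>Data usage</li></ul>",
    "english.txt": "<p>Statement text.</p>",
    "1031.txt": 'See <a href="https://example.com/privacy">policy</a>',
    "1036.txt": "The Data Controller is {company}, with its data protection officer {name}.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        issues = check_statement(name, body)
        print(name, "OK" if not issues else "; ".join(issues))
```
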

New users (logging on to your SAP Enable Now system for the first time) will now see your new Data Protection and Privacy Statement, and have to accept this. Note that any users who have already accepted any previous version of the Data Protection and Privacy Statement will not be prompted to accept this new version – if you need them to do this (and you probably will), you should revoke their existing consent, as explained below.

Users can always see what they agreed to on the Settings > Personal Data screen, as shown below.

Personal Data screen, showing the accepted Data Protection and Privacy Statement

This will show the Data Protection and Privacy Statement as it appeared when the user consented to it, even if the statement has changed since then. This is a legal requirement. (Tip: If users do not normally access Manager, you can provide them with direct access to this page via a URL in the form (for a cloud implementation): https://client.enable-now.cloud.sap/index.htm#settings/user_data.)

Administrators can revoke consent for all users by going to Administration > Users and clicking on the Invalidate Global Consent button. All users will be required to accept the (new) Data Protection and Privacy Statement the next time they log on (they will not be automatically logged off in the meantime). Typically, you would want to do this if the statement has changed, and you need all users to accept the new statement.

Users can also revoke their individual consent, by clicking on the Withdraw Privacy Statement Consent button on the upper-right of the Settings > Personal Data screen. As soon as a user withdraws their consent, they are logged off, and will not be able to log on again until they accept the privacy statement (again).

In summary, SAP Enable Now provides the ability to comply with current data protection and privacy laws. If your SAP Enable Now system has users in jurisdictions covered by these laws, you must use these features to ensure you are in compliance. And if you don’t need to comply, disable the features in SAP Enable Now – at least the consent request; don’t just leave your users having to accept a statement of “Provide your data policy here.”!