The General Data Protection Regulation (GDPR) is impacting businesses whether or not they have a presence in the European Union (EU). It gives citizens in the EU more control over how their data is collected, stored, and disposed of. In the second quarterly product release of 2018, Sage Intacct launched the “Personal Data Management Service” for GDPR compliance. We spoke to our friends at Sage Intacct to get the highlights of how they help organizations have the right tools for GDPR.
Who is it geared for?
(1) EU-based companies or multinational corporations that do business in the EU, as well as (2) companies based in the United States who market their products or services over the Web in the EU.
What does it do?
The service helps you manage retention periods of personal data that are stored in your Sage Intacct instance. Upon request and subject to your payment of the associated professional service fees, Sage Intacct can obfuscate personal data that was entered into your company before a specified date,
What personal data does it impact?
- Start dates, end dates, dates of birth
- Phone or fax numbers
- Social security numbers
- Bank account numbers
What happens to that data?
For all personal data, the service considers only the header level when deciding which records to obfuscate. This means that the service does not consider whether the record is used in a line item in a transaction created after the obfuscation date.
What are the ripple effects of obfuscating data?
In addition, when you use the obfuscation service, the following items are deleted in Sage Intacct because they might contain or store personal information related to records that are obfuscated:
- All audit trail entries for affected records
- Offline and stored reports
- Previously generated PDFs
- Attachments attached to transactions that were completed prior to the obfuscation date
What is the cost?
The cost is based on the number of hours spent by the Sage Intacct professional services team. Hours will vary based on the amount of data requested to be obfuscated.
What are the things I should be considering when deciding whether to adopt this service?
Other legal obligations: If you have other legal obligations or regulations you need to abide by, such as HIPAA compliance for healthcare organizations, you should carefully consider the interplay between the obfuscation service and your other requirements.
Advanced Audit Trail tracking: The Advanced Audit Trail furthers your HIPAA compliance by tracking access to personal data in your Sage Intacct instance. Since this obfuscation service deletes all Advanced Audit Trail entries and obfuscates the personal data held in the contact, customer, and vendor objects, it may be problematic to use this service if you need to be HIPAA-compliant.
Integrations reliant upon any obfuscated records: If an obfuscated record is also part of an integration, using this service may break your integration. Most notably, you should check any ACH, credit card, and bank account information that may be used in an integration. Integrations that may be affected include Payment Services, Vendor Payment Services, or the Salesforce sync.
Once the obfuscation service is performed, it cannot be reversed, and there will not be any way to retrieve the obfuscated and deleted information.
If you’re interested in learning more about GDPR and Sage Intacct, please contact me for more information. I would be happy to assist you. Email me at firstname.lastname@example.org