SAP WhitePaper
GDPR
The Basics of GDPR
How the right HCM solutions can support your
compliance journey
© 2017 SAP SE or an SAP affiliate company. All rights reserved.
Table of Contents
Introduction and Objectives
Scope
Impact
Features of SAP SuccessFactors Solutions
In May 2016, the European Union (EU)
adopted a newly harmonized data
protection law called the General Data
Protection Regulation (GDPR). As of May
25, 2018, the GDPR will be in force
throughout all EU member states and in
the European Economic Area. Any
organization that collects or processes
personal data of an individual within the
Union is subject to this regulation,
regardless of the organization’s location.
While the GDPR does not introduce many
substantially new concepts, it
substantially increases the compliance
requirements of data controllers and
processors regarding their handling of
personal data.
Introduction and Objectives
As a company, SAP is committed to ensuring compliance with the GDPR by May 25, 2018. We have been consistent in our approach to data protection as part of our general product standards, and we are now extending this approach to reflect new requirements of the GDPR.
As you, our customers, prepare for compliance, we have summarized the changes introduced by the GDPR, the implications of these changes, and how SAP® product features can help you implement GDPR requirements.
The information contained in this document is for general guidance only and is provided on the understanding that SAP is not herein engaged in rendering legal advice. The responsibility to adopt appropriate measures to achieve GDPR compliance rests with your organization as controllers in terms of the GDPR, and SAP accepts no liability for any actions taken in response to this document. As such, it should not be used as a substitute for legal or professional consultation.
OBJECTIVES
The GDPR aims to harmonize data protection requirements across Europe into one single EU data protection regulation. It addresses corporate bodies governed by public and private law in their capacity of either controller or processor. The new law aims to protect the rights and freedoms of natural persons, to enhance data subjects’ confidence in organizations that hold or process their personal data, and to strengthen the EU’s internal market. To this end, the GDPR provides a uniform set of rules to govern the processing of personal data across the EU. The degree of EU-wide harmonization achievable by the GDPR is, however, restricted to the extent that the regulation contains opening clauses that allow EU member states to set out country-specific laws and requirements for specific data processing activities. These opening clauses, therefore, may result in applying additional rules and obligations for data controllers and processors.
Scope
MATERIAL SCOPE
The GDPR has a broad material scope covering the processing of personal data by automated means or in other structured form, including those intended for part of a filing system. The GDPR states that the regulation does not apply where natural persons process personal data exclusively during a purely personal, private, or household activity.
TERRITORIAL SCOPE
Likewise, the GDPR has a broad territorial scope and applies to any activities of a data controller or processor in the EU that comprise the processing of an individual’s personal data. Central to this is whether the controller or processor is located in the EU. The GDPR also applies to controllers or processors located outside the EU where the processing serves to offer goods or services to data subjects in the EU or to monitor the behavior of data subjects in the EU.
Impact
The GDPR introduces several new legal requirements that may substantially affect a controller’s or processor’s business. Therefore, each controller or processor must verify which GDPR obligation applies to them and must also ascertain how to implement the requirements accordingly.
GENERAL PRINCIPLES
In accordance with its general processing principles, the GDPR requires the processing of personal data to be lawful, proportionate, transparent, adequate, accurate, secure, confidential, limited in time and to designated purposes, and conducted in a responsible and accountable manner. This last point means applying appropriate security—including technical and organizational measures—to ensure integrity and confidentiality.
PERSONAL DATA
The GDPR explicitly defines what it means by the term personal data: any data that identifies or can be used to identify an individual. The term clearly includes metadata or other associated data such as IP addresses, cookies, or other identifiers that may trace back to an individual. The GDPR has broadened the known catalog of special categories of personal data to include genetic data, biometric data if used to uniquely identify a natural person, and data related to criminal convictions and offenses.
LAWFUL GROUNDS FOR PROCESSING
Processing personal data will be lawful only if one of the criteria for permission, as set forth in the GDPR, is met. In the absence of direct legal allowance, organizations need consent from individuals whose data is to be processed. This consent must cover all purposes for which the organizations (intending to process the data) collect and process the data and must allow for the individual’s right to withdraw consent at any time. This means that blanket consent or global consent is not valid for the processing of personal data.
The GDPR specifies what are considered lawful grounds for the processing of personal data. These are shown in Figure 1 and described below. These are good practices to follow regardless of whether an organization is subject to the GDPR. Regulations concerning data privacy and protection are ever evolving, and it is in your organization’s best interest to establish and maintain strict data privacy and protection policies. In the end, each organization must make its own interpretation of what it considers legal grounds for processing personal data. Chapter 2, Article 6, of the GDPR describes the lawfulness of processing as follows:
Processing shall be lawful only if and to the extent that at least one of the following applies:
• The data subject has given consent to the processing of his or her personal data for one or more specific purposes
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• Processing is necessary for compliance with a legal obligation to which the controller is subject
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Figure 1: Lawful grounds for processing personal data (consent, public interest, contract, protection of vital interests, legal obligation, legitimate interest)
ACCOUNTABILITY
The GDPR aims to improve accountability of those processing personal data and increase transparency of the data being processed. Despite its similarity in substance and structure to the current data protection legislation, the GDPR will take a much tougher line in helping enforcement. Penalties for noncompliance are remarkably high, including administrative fines of up to €20 million or 4% of an enterprise’s global annual revenue, with potential damage claims and other legal liability risks designed to incentivize companies to enhance internal structures and processes to comply with the regulation.
DATA PROTECTION BY DESIGN AND BY DEFAULT
Under the terms of the GDPR, organizations must deliberately build in privacy, and both systems and processes have to adopt privacy by default. Organizations are obligated to ensure that the processing of personal data is for a specific purpose, and the organizations must demonstrate that data protection is at the heart of their IT framework and solution design.
TECHNICAL AND ORGANIZATIONAL SECURITY
Organizations are also obligated to implement all necessary technical and organizational measures to ensure a level of security appropriate to the risk of the processing for the data subjects. It is therefore necessary that the organization analyzes its internal IT asset landscape to identify and map data flows. This will help to ascertain the appropriateness of the security framework.
DATA SUBJECT RIGHTS
Organizations should be guided by the concept that the individual should know and always be able to identify what personal data is processed, by whom, for what purposes, and over what period of time. Thus, data controllers will need to actively provide certain general and specific information; this is in accordance with the GDPR’s revised concepts of data portability and the individual’s rights to access, refuse or object, or be forgotten. Organizations involved in processing personal data will therefore require robust internal processes with designated roles.
DATA GOVERNANCE
With an onus to clearly show customers, data subjects, and regulators that they are GDPR compliant, organizations must implement a host of systemic measures to reduce the risk of violation. Complexity grows when organizations need to keep track of every purpose for which personal data is being processed and when they need to ensure that all individuals have given their consent for each data processing use case. These measures must be built into existing IT infrastructures. Depending on the outcome of a data protection risk assessment, organizations should take measures to help maintain compliance. Such measures include the appointment of a dedicated data protection officer (DPO), the execution of privacy impact assessments (PIAs), and the adoption of regular audit procedures.
DATA RETENTION VERSUS DATA DELETION
Business systems, such as human capital management (HCM) systems, contain combinations of a multitude of records on both employees and other individuals, such as job applicants and contractors. A company’s HCM system may, for example, store data related to job applications, payroll records, training history, compensation history, retirement plans, health information, and so on. Over time, a company’s HCM system will accumulate a considerable number of records, many of which contain personal information related to individuals.
The GDPR requires organizations to remove any personal data from their systems once this data is no longer needed for the course of business. You must do this, for example, when an employee leaves the company (including any transfer of employment to an affiliated company). In other cases, an employee may simply revoke their consent to a special data processing activity. At the same time, personal data obtained may still be lawfully processed on other legal grounds or be an integral part of records that are subject to retention times of 5, 10, or even 30 years. In such cases, the company needs to determine how to best store that data so it is not unnecessarily accessed but can still be retrieved by authorized parties.
DATA PROTECTION AS A PART OF LEGAL COMPLIANCE
Data protection requirements are only one subset of compliance requirements faced by a company. Data protection requirements need to be aligned with other applicable requirements, including tax legislation or industry-specific laws. Retention requirements are the best example. If more specific legislation defines that certain records, including personal information, need to be kept for 30 years, deletion of this data is not allowed. Organizations need to analyze their business processes with regard to all applicable legislation, and establish the appropriate technical and organizational measures to achieve and maintain compliance.
ROLE OF SAP PRODUCTS
As mentioned previously, SAP has been consistent in our approach to data protection as part of our general product standards. We are extending this approach as related to the new requirements of the GDPR as well as improving existing standards.
Therefore, our company is committed to achieving GDPR compliance by May 25, 2018. In tandem, we are committed to developing and further improving our products to help you, our customers, meet GDPR requirements to the best of your ability. Development measures include the ongoing enhancement of already existing product features as well as the implementation of new requirements.
If configured properly, SAP software products can help your controllers comply with certain GDPR obligations. This is because SAP products (as a digital platform and from a solutions perspective) are designed to help ensure the consistency and accuracy of data across systems. SAP solutions provide layers of assurance, appropriate technical and organizational measures – such as pseudonymization and encryption – and a management system of standards and best practices. All these strategies help protect fundamental rights and freedoms of natural persons as stated under the GDPR.
Features of SAP® SuccessFactors® Solutions
We will now look more specifically at how features of SAP SuccessFactors solutions can support your organization’s journey toward GDPR compliance. We will examine this functionality by looking at the lifecycle of personal data.
We can view the lifecycle of data—including personal data—as comprising three phases: the “active” phase, during which the data is processed for its intended purpose; the “retention” or “blocked” phase, during which the data should not be actively processed but can be displayed for specific reasons; and the “end-of-use” phase at the end of the data’s applicable retention period. (See Figure 2.) SAP SuccessFactors solutions provide robust data protection features for all three phases.
Each organization needs to define for itself what
it classifies as personal or “sensitive” data (such
as special categories of personal data).
Therefore, we plan to offer configuration options for SAP SuccessFactors solutions to mark data elements as personal or sensitive. Classifying data elements as personal or sensitive will facilitate blocking, deleting, and reporting on personal or sensitive data.
ACTIVE DATA PHASE
During the phase when you actively need personal data in an HCM system, your company typically uses it for processes such as time tracking, payroll, and performance management.
Figure 2: Personal data lifecycle. Active: data processed for its intended purpose. Retention: data displayed or processed for specific purposes only. End of use: data purged.
READ LOGGING AND REPORTING
SAP SuccessFactors solutions log every read access to sensitive data, regardless of the channel used to read the data (for example, user interface, API, exports, or reporting). SAP plans to create a report for this information. The goal is to allow authorized users to run a report that shows the personal data that was read for a specific data subject or personal data that was read by a specific user.
CHANGE LOGGING AND REPORTING
Any changes made to personal data (including corrections) are automatically tracked in SAP SuccessFactors solutions. The SAP SuccessFactors Employee Central solution, for example, captures all changes made to personal data by default. You can define for yourself whether or not to track changes to metadata framework (MDF)-based objects. The software tracks all changes regardless of the channel used to make the change (user interface, API, or imports).
SAP plans to create a “change log report” that will display all changes made to personal data in the format “before value” and “after value.” We plan for the software to provide additional information depending on the functional subarea to explain the context of a change. The goal is to allow authorized users to run a report that shows changes to sensitive data for a specific data subject or changes to sensitive data by a specific user.
PERMISSIONS
SAP SuccessFactors solutions offer a comprehensive permission control, called role-based permissions (RBPs), to help keep personal data secure. With RBPs, you can set up a very fine-grained authorization concept following the “need to know” principle, including the ability to define separate permissions for displaying, changing, and deleting data. You should regularly confirm that the rationale to grant permissions still applies.
The main elements of RBPs are permission roles and permission groups.
• Permission role controls the access rights that an employee or group of employees has to the application or employee data. RBPs allow you to grant a role to a specific employee, a manager, a group, or all employees in the company.
• Permission group is used to define groups of employees who share specific attributes. You can use various attributes to select the group members – for example, a user’s department, country, or job code. Groups can be static or dynamic.
• How are roles and groups related? While roles define what is allowed, the groups define who is allowed to do it (granted users) and for whom (target users).
PERSONAL DATA REPORTING
There may be cases in which you need to report on personal data stored within the SAP SuccessFactors solution for a specific data subject. For example, an (ex-)employee might request a copy of all their personal data stored in the HR system, for what purpose the data is being used, and how long it will be retained. SAP plans to develop an “information report” to display this information. The report is designed to be associated with specific permissions to help ensure only authorized persons can run the report. The goal is for the system to also track when the report was run, by whom, and whether it was downloaded.
RETENTION DATA PHASE
Once there is no longer a business need to process personal data, it is advisable to delete – or at least restrict – access to it to minimize risk of data loss or breach. There may be cases where you no longer need to actively process the personal data but need to retain it for compliance reasons. Retention periods include legal, regulatory, contractual, or statutory retention requirements. The blocking and deletion of personal data in business software tends to be complex. This is largely due to the number of retention regulations that need to be taken into account, but also because the same data is used for different processes by different users. When restricting the use of personal data, you may need to consider not just the kind of data, but the “age” of the data. For example, performance feedback is not effective-dated, but it does have a validity for a specific year (that is, performance is evaluated for a calendar year).
BLOCKING
You can use blocking to restrict access to historical personal data within a retention period that is still in the system. In some cases, one role may need to still have access to the data, while you may block access for another role.
RBPs in SAP SuccessFactors solutions already have the option to restrict the permissions for a role to the current data only (that is, no historical records). Planned enhancements for RBPs include the ability to define a time period for which the history should be visible, including the ability to define different intervals of time restrictions based on country as well as employee status (active/inactive). This is needed because different countries may have different rules about how long certain data can be accessed.
MASKING
You can use masking to hide (or mask) field contents on the user interface. If data is masked, it will be displayed as asterisks (********* [Click to View]) to the user. The content is displayed only when the user explicitly clicks on the masked field. You can switch on masking per field, which helps you not expose personal or even sensitive data by default.
Note: You can use field-level permissions to restrict the access to specific fields as well.
END-OF-USE PHASE
The cost of data storage continues to decline. This tends to discourage organizations from investing in effort to remove data that is no longer needed. Nevertheless, organizations are legally obliged to delete personal data at the end of the applicable retention period.
DATA PURGING
Purging personal or sensitive data when it is no longer needed for business purposes is a good risk management strategy – and one of the requirements of the GDPR.
SAP SuccessFactors solutions offer a “data retention management” tool that enables you to purge obsolete data and inactive users from SAP SuccessFactors solutions. You can create business rules to specify exceptions or dependencies, as well as an approval workflow for oversight of data purge requests. SAP plans to enhance the existing data retention management tool so that you can flexibly define retention configuration by time period and country for each data retention object at a minimum. Each product within the SAP SuccessFactors solutions may offer additional criteria to define purge rules, such as division, department, location, and so on.
When executing a data purge request, the software will check for dependencies in all components and purge the data accordingly. The purge configurations are provided at the functional object level, and you can group multiple purge objects into a data retention group. You can configure retention times at data retention group level based on different parameters – such as country level and employee data type (active/inactive).
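The three lifecycle phases, role-dependent blocking, and country-specific purge rules described above can be modelled in a few functions. This is an added Python illustration, not SAP SuccessFactors code or its API; every name, role, and retention period in it is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Phase(Enum):
    ACTIVE = "active"          # processed for its intended purpose
    RETENTION = "retention"    # blocked: readable for specific purposes only
    END_OF_USE = "end_of_use"  # retention period over: eligible for purge


@dataclass(frozen=True)
class Record:
    record_id: str
    group: str                    # hypothetical data retention group
    country: str
    business_end: Optional[date]  # None while the business need continues
    exception: bool = False       # business-rule exception that defers purging


# Constructed retention periods in years per (group, country); "*" = any country.
RETENTION_YEARS = {("payroll", "DE"): 10, ("performance", "*"): 2}

# Constructed role sets: which roles may read a group's data in each phase.
ACTIVE_READERS = {"payroll": {"hr_admin"}, "performance": {"hr_admin", "manager"}}
BLOCKED_READERS = {"payroll": {"auditor"}, "performance": set()}


def add_years(d, years):
    """Add whole years; 29 February maps to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_years(rec):
    """Country-specific rule first, then the group's wildcard rule, else None."""
    return RETENTION_YEARS.get((rec.group, rec.country),
                               RETENTION_YEARS.get((rec.group, "*")))


def phase(rec, today):
    if rec.business_end is None or today <= rec.business_end:
        return Phase.ACTIVE
    years = retention_years(rec)
    # Fail closed: with no configured rule, or with an exception flag set,
    # the record stays blocked and is never purged automatically.
    if years is None or rec.exception:
        return Phase.RETENTION
    if today <= add_years(rec.business_end, years):
        return Phase.RETENTION
    return Phase.END_OF_USE


def can_read(role, rec, today):
    """One role may keep access in the blocked phase while another loses it."""
    current = phase(rec, today)
    if current is Phase.ACTIVE:
        return role in ACTIVE_READERS.get(rec.group, set())
    if current is Phase.RETENTION:
        return role in BLOCKED_READERS.get(rec.group, set())
    return False


def purge_candidates(records, today):
    return sorted(r.record_id for r in records
                  if phase(r, today) is Phase.END_OF_USE)


# Constructed sample data.
TODAY = date(2024, 6, 1)
RECORDS = {
    "r1": Record("r1", "payroll", "DE", date(2010, 3, 31)),
    "r2": Record("r2", "payroll", "DE", date(2020, 2, 29)),
    "r3": Record("r3", "performance", "US", date(2021, 12, 31), exception=True),
    "r4": Record("r4", "payroll", "DE", None),
    "r5": Record("r5", "training", "BR", date(2015, 1, 1)),  # no rule configured
    "r6": Record("r6", "performance", "US", date(2021, 12, 31)),
}

if __name__ == "__main__":
    for rec in RECORDS.values():
        print(rec.record_id, phase(rec, TODAY).value)
    print("purge:", purge_candidates(RECORDS.values(), TODAY))
```

Records without a configured rule stay in the blocked phase rather than being purged, so a missing configuration surfaces as a review item instead of as data loss.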
DATA PORTABILITY AND EXPORT
Under GDPR, data controllers across all industry sectors will be required to provide personal data to individuals—or even directly to competitors—in a structured, machine-readable format. For more information on this requirement, see also the Guidelines to the Article 29 Data Protection Working Party document on the right to data portability.
SAP SuccessFactors solutions already make all personal data for a data subject available for reporting.
You can download and export reporting data, for example, in .CSV and .XLS format.
MORE INFORMATION
SAP plans to provide updates to support GDPR compliance in the normal quarterly release cycles and provide corresponding documentation with those releases.
For information on GDPR and SAP, go to www.sap.com/gdpr.
For further information on data privacy and protection at SAP, view www.sap.com/security.
You can reference the full text of the General Data
Protection Regulation (Regulation (EU) 2016/679)
© 2017 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE or
an SAP affiliate company.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to
pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein.
This document, or any related presentation, and SAP SE’s or its affiliated
companies’ strategy and possible future developments, products, and/or
platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment,
promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and
uncertainties that could cause actual results to differ materially from
expectations. Readers are cautioned not to place undue reliance on these
forward-looking statements, and they should not be relied upon in making
purchasing decisions.
SAP and other SAP products and services mentioned herein as
well as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other countries.
All other product and service names mentioned are the trademarks of
their respective companies.
See http://www.sap.com/corporate-en/legal/copyright/index.epx for
additional trademark information and notices.
www.sap.com/contactsap

 
The International Comparative Legal Guide to: Data Protection 2016
The International Comparative Legal Guide to: Data Protection 2016The International Comparative Legal Guide to: Data Protection 2016
The International Comparative Legal Guide to: Data Protection 2016
 
Data Protection Audit Checklist
Data Protection Audit ChecklistData Protection Audit Checklist
Data Protection Audit Checklist
 
GDPR - Are you ready?
GDPR - Are you ready?GDPR - Are you ready?
GDPR - Are you ready?
 
GDPR
GDPRGDPR
GDPR
 

Similar to The Basics of GDPR

The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaperJim Wilson
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection RegulationPete S
 
General Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian FirmsGeneral Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian Firmsaccenture
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanEquiGov Institute
 
GDPR Explained - A Quick Guide for US Businesses
GDPR Explained - A Quick Guide for US BusinessesGDPR Explained - A Quick Guide for US Businesses
GDPR Explained - A Quick Guide for US BusinessesJessica Clark
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRJenny Ferguson
 
GDPR Changing Mindset
GDPR Changing MindsetGDPR Changing Mindset
GDPR Changing MindsetNetworkIQ
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
 
Key Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationKey Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationOlivier Vandeputte
 
Why is gdpr essential for small businesses with links
Why is gdpr essential for small businesses with linksWhy is gdpr essential for small businesses with links
Why is gdpr essential for small businesses with linksVISTA InfoSec
 
The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")Parsons Behle & Latimer
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisAngad Dayal
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. dan hyde
 
The Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsThe Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsHubilo
 
All you need to know about GDPR
All you need to know about GDPRAll you need to know about GDPR
All you need to know about GDPRHubilo
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paperGraeme Cross
 

Similar to The Basics of GDPR (20)

The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
General Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian FirmsGeneral Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian Firms
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbean
 
GDPR Explained - A Quick Guide for US Businesses
GDPR Explained - A Quick Guide for US BusinessesGDPR Explained - A Quick Guide for US Businesses
GDPR Explained - A Quick Guide for US Businesses
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPR
 
GDPR Changing Mindset
GDPR Changing MindsetGDPR Changing Mindset
GDPR Changing Mindset
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
Key Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationKey Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection Regulation
 
Why is gdpr essential for small businesses with links
Why is gdpr essential for small businesses with linksWhy is gdpr essential for small businesses with links
Why is gdpr essential for small businesses with links
 
The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with Varonis
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
GDPR: Time to Act
GDPR: Time to ActGDPR: Time to Act
GDPR: Time to Act
 
The Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsThe Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event Professionals
 
All you need to know about GDPR
All you need to know about GDPRAll you need to know about GDPR
All you need to know about GDPR
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paper
 

More from Bhupesh Chaurasia

How Can Better Collaboration Between HR and Finance Help High -Bandwidth Opt...
How Can Better Collaboration Between HR and Finance  Help High -Bandwidth Opt...How Can Better Collaboration Between HR and Finance  Help High -Bandwidth Opt...
How Can Better Collaboration Between HR and Finance Help High -Bandwidth Opt...Bhupesh Chaurasia
 
Making compensation pay: Increasing the ROI from monetary investments spent o...
Making compensation pay: Increasing the ROI from monetary investments spent o...Making compensation pay: Increasing the ROI from monetary investments spent o...
Making compensation pay: Increasing the ROI from monetary investments spent o...Bhupesh Chaurasia
 
The Peloton Model of Social Performance Management
The Peloton Model of Social Performance ManagementThe Peloton Model of Social Performance Management
The Peloton Model of Social Performance ManagementBhupesh Chaurasia
 
Talking About Compensation: Easier Said Than Done
Talking About Compensation: Easier Said Than Done Talking About Compensation: Easier Said Than Done
Talking About Compensation: Easier Said Than Done Bhupesh Chaurasia
 
Can You Pay People Without Rating Them?
Can You Pay People Without Rating Them? Can You Pay People Without Rating Them?
Can You Pay People Without Rating Them? Bhupesh Chaurasia
 
The value of human capital management technology
The value of human capital management technologyThe value of human capital management technology
The value of human capital management technologyBhupesh Chaurasia
 
Managing the Next Generation of Compensation Strategies
Managing the Next Generation of Compensation StrategiesManaging the Next Generation of Compensation Strategies
Managing the Next Generation of Compensation StrategiesBhupesh Chaurasia
 
SAP White Paper - Future of Work & Organizations
SAP White Paper - Future of Work & OrganizationsSAP White Paper - Future of Work & Organizations
SAP White Paper - Future of Work & OrganizationsBhupesh Chaurasia
 
Secure HR Platform for Utilities
Secure HR Platform for Utilities Secure HR Platform for Utilities
Secure HR Platform for Utilities Bhupesh Chaurasia
 
Learning in the Cloud for Regulated Industries
Learning in the Cloud for Regulated IndustriesLearning in the Cloud for Regulated Industries
Learning in the Cloud for Regulated IndustriesBhupesh Chaurasia
 
Develop a More Diverse and Inclusive Workforce
Develop a More Diverse and Inclusive WorkforceDevelop a More Diverse and Inclusive Workforce
Develop a More Diverse and Inclusive WorkforceBhupesh Chaurasia
 
Continuous Performance Management
Continuous Performance ManagementContinuous Performance Management
Continuous Performance ManagementBhupesh Chaurasia
 
HR TRANSFORMATION: Delivery Roadmaps
HR TRANSFORMATION: Delivery Roadmaps HR TRANSFORMATION: Delivery Roadmaps
HR TRANSFORMATION: Delivery Roadmaps Bhupesh Chaurasia
 
Welthungerhilfe: How Do You Bring Together the Right People to Help End Hunger?
Welthungerhilfe: How Do You Bring Together the Right People to Help End Hunger? Welthungerhilfe: How Do You Bring Together the Right People to Help End Hunger?
Welthungerhilfe: How Do You Bring Together the Right People to Help End Hunger? Bhupesh Chaurasia
 
STRATEGIC COMPENSATI ON: A CRITICAL SOLUTION
STRATEGIC COMPENSATI ON: A CRITICAL  SOLUTION  STRATEGIC COMPENSATI ON: A CRITICAL  SOLUTION
STRATEGIC COMPENSATI ON: A CRITICAL SOLUTION Bhupesh Chaurasia
 
Building the-learning-business-case
Building the-learning-business-caseBuilding the-learning-business-case
Building the-learning-business-caseBhupesh Chaurasia
 
Learning Partnerships in Organizations
Learning Partnerships in OrganizationsLearning Partnerships in Organizations
Learning Partnerships in OrganizationsBhupesh Chaurasia
 
Getting People to Talk : Creating a Culture of Continuous Performance Manage...
Getting People to Talk : Creating a Culture of  Continuous Performance Manage...Getting People to Talk : Creating a Culture of  Continuous Performance Manage...
Getting People to Talk : Creating a Culture of Continuous Performance Manage...Bhupesh Chaurasia
 
Using Calibration Effectively - Total Workforce Performance Management
Using Calibration Effectively  - Total Workforce  Performance ManagementUsing Calibration Effectively  - Total Workforce  Performance Management
Using Calibration Effectively - Total Workforce Performance ManagementBhupesh Chaurasia
 
Mitigate cybersecurity risk with FedRAMP-certified HR solutions
Mitigate cybersecurity risk with FedRAMP-certified HR solutions Mitigate cybersecurity risk with FedRAMP-certified HR solutions
Mitigate cybersecurity risk with FedRAMP-certified HR solutions Bhupesh Chaurasia
 

More from Bhupesh Chaurasia (20)

How Can Better Collaboration Between HR and Finance Help High -Bandwidth Opt...
How Can Better Collaboration Between HR and Finance  Help High -Bandwidth Opt...How Can Better Collaboration Between HR and Finance  Help High -Bandwidth Opt...
How Can Better Collaboration Between HR and Finance Help High -Bandwidth Opt...
 
Making compensation pay: Increasing the ROI from monetary investments spent o...
Making compensation pay: Increasing the ROI from monetary investments spent o...Making compensation pay: Increasing the ROI from monetary investments spent o...
Making compensation pay: Increasing the ROI from monetary investments spent o...
 
The Peloton Model of Social Performance Management
The Peloton Model of Social Performance ManagementThe Peloton Model of Social Performance Management
The Peloton Model of Social Performance Management
 
Talking About Compensation: Easier Said Than Done
Talking About Compensation: Easier Said Than Done Talking About Compensation: Easier Said Than Done
Talking About Compensation: Easier Said Than Done
 
Can You Pay People Without Rating Them?
Can You Pay People Without Rating Them? Can You Pay People Without Rating Them?
Can You Pay People Without Rating Them?
 
The value of human capital management technology
The value of human capital management technologyThe value of human capital management technology
The value of human capital management technology
 
Managing the Next Generation of Compensation Strategies
Managing the Next Generation of Compensation StrategiesManaging the Next Generation of Compensation Strategies
Managing the Next Generation of Compensation Strategies
 
SAP White Paper - Future of Work & Organizations
SAP White Paper - Future of Work & OrganizationsSAP White Paper - Future of Work & Organizations
SAP White Paper - Future of Work & Organizations
 
Secure HR Platform for Utilities
Secure HR Platform for Utilities Secure HR Platform for Utilities
Secure HR Platform for Utilities
 
Learning in the Cloud for Regulated Industries
Learning in the Cloud for Regulated IndustriesLearning in the Cloud for Regulated Industries
Learning in the Cloud for Regulated Industries
 
Develop a More Diverse and Inclusive Workforce
Develop a More Diverse and Inclusive WorkforceDevelop a More Diverse and Inclusive Workforce
Develop a More Diverse and Inclusive Workforce
 
Continuous Performance Management
Continuous Performance ManagementContinuous Performance Management
Continuous Performance Management
 
HR TRANSFORMATION: Delivery Roadmaps
HR TRANSFORMATION: Delivery Roadmaps HR TRANSFORMATION: Delivery Roadmaps
HR TRANSFORMATION: Delivery Roadmaps
 
Welthungerhilfe: How Do You Bring Together the Right People to Help End Hunger?
Welthungerhilfe: How Do You Bring Together the Right People to Help End Hunger? Welthungerhilfe: How Do You Bring Together the Right People to Help End Hunger?
Welthungerhilfe: How Do You Bring Together the Right People to Help End Hunger?
 
STRATEGIC COMPENSATI ON: A CRITICAL SOLUTION
STRATEGIC COMPENSATI ON: A CRITICAL  SOLUTION  STRATEGIC COMPENSATI ON: A CRITICAL  SOLUTION
STRATEGIC COMPENSATI ON: A CRITICAL SOLUTION
 
Building the-learning-business-case
Building the-learning-business-caseBuilding the-learning-business-case
Building the-learning-business-case
 
Learning Partnerships in Organizations
Learning Partnerships in OrganizationsLearning Partnerships in Organizations
Learning Partnerships in Organizations
 
Getting People to Talk : Creating a Culture of Continuous Performance Manage...
Getting People to Talk : Creating a Culture of  Continuous Performance Manage...Getting People to Talk : Creating a Culture of  Continuous Performance Manage...
Getting People to Talk : Creating a Culture of Continuous Performance Manage...
 
Using Calibration Effectively - Total Workforce Performance Management
Using Calibration Effectively  - Total Workforce  Performance ManagementUsing Calibration Effectively  - Total Workforce  Performance Management
Using Calibration Effectively - Total Workforce Performance Management
 
Mitigate cybersecurity risk with FedRAMP-certified HR solutions
Mitigate cybersecurity risk with FedRAMP-certified HR solutions Mitigate cybersecurity risk with FedRAMP-certified HR solutions
Mitigate cybersecurity risk with FedRAMP-certified HR solutions
 

Recently uploaded

Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfmaor17
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jNeo4j
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsJean Silva
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 

Recently uploaded (20)

Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdf
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero results
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 

The Basics of GDPR

  • 1. SAP WhitePaper: GDPR. The Basics of GDPR: How the right HCM solutions can support your compliance journey. © 2017 SAP SE or an SAP affiliate company. All rights reserved.
  • 2. Table of Contents
      4   Introduction and Objectives
      5   Scope
      6   Impact
      10  Features of SAP SuccessFactors Solutions
  • 3. In May 2016, the European Union (EU) adopted a newly harmonized data protection law called the General Data Protection Regulation (GDPR). As of May 25, 2018, the GDPR will be in force throughout all EU member states and in the European Economic Area. Any organization that collects or processes personal data of an individual within the Union is subject to this regulation, regardless of the organization’s location. While the GDPR does not introduce many substantially new concepts, it substantially increases the compliance requirements of data controllers and processors regarding their handling of personal data.
  • 4. Introduction and Objectives

    As a company, SAP is committed to ensuring compliance with the GDPR by May 25, 2018. We have been consistent in our approach to data protection as part of our general product standards, and we are now extending this approach to reflect new requirements of the GDPR.

    As you, our customers, prepare for compliance, we have summarized the changes introduced by the GDPR, the implications of these changes, and how SAP® product features can help you implement GDPR requirements.

    The information contained in this document is for general guidance only and is provided on the understanding that SAP is not herein engaged in rendering legal advice. The responsibility to adopt appropriate measures to achieve GDPR compliance rests with your organization as controllers in terms of the GDPR, and SAP accepts no liability for any actions taken as response to this document. As such, it should not be used as a substitute for legal or professional consultation.

    OBJECTIVES
    The GDPR aims to harmonize data protection requirements across Europe into one single EU data protection regulation. It addresses corporate bodies governed by public and private law in their capacity of either controller or processor. The new law aims to protect the rights and freedoms of natural persons, to enhance data subjects’ confidence in organizations that hold or process their personal data, and to strengthen the EU’s internal market.

    To this end, the GDPR provides a uniform set of rules to govern the processing of personal data across the EU. The degree of EU-wide harmonization achievable by the GDPR is, however, restricted to the extent that the regulation contains opening clauses that allow EU member states to set out country-specific laws and requirements for specific data processing activities. These opening clauses, therefore, may result in applying additional rules and obligations for data controllers and processors.
  • 5. Scope

    MATERIAL SCOPE
    The GDPR has a broad material scope covering the processing of personal data by automated means or in other structured form, including those intended for part of a filing system. The GDPR states that the regulation does not apply where natural persons process personal data exclusively during a purely personal, private, or household activity.

    TERRITORIAL SCOPE
    Likewise, the GDPR has a broad territorial scope and applies to any activities of a data controller or processor in the EU that comprise the processing of an individual’s personal data. Central to this is whether the controller or processor is located in the EU. The GDPR also applies to controllers or processors located outside the EU where the processing serves to offer goods or services to data subjects in the EU or to monitor the behavior of data subjects in the EU.
  • 6. Impact

The GDPR introduces several new legal requirements that may substantially affect a controller’s or processor’s business. Therefore, each controller or processor must verify which GDPR obligation applies to them and must also ascertain how to implement the requirements accordingly.

GENERAL PRINCIPLES

In accordance with its general processing principles, the GDPR requires the processing of personal data to be lawful, proportionate, transparent, adequate, accurate, secure, confidential, limited in time and to designated purposes, and conducted in a responsible and accountable manner. This last point means applying appropriate security—including technical and organizational measures—to ensure integrity and confidentiality.

PERSONAL DATA

The GDPR explicitly defines what it means by the term personal data: any data that identifies or can be used to identify an individual. The term clearly includes metadata or other associated data such as IP addresses, cookies, or other identifiers that may trace back to an individual. The GDPR has broadened the known catalog of special categories of personal data to include genetic data, biometric data if used to uniquely identify a natural person, and data related to criminal convictions and offenses.

LAWFUL GROUNDS FOR PROCESSING

Processing personal data will be lawful only if one of the criteria for permission, as set forth in the GDPR, is met. In the absence of direct legal allowance, organizations need consent from individuals whose data is to be processed. This consent must cover all purposes for which the organizations (intending to process the data) collect and process the data and must allow for the individual’s right to withdraw consent at any time. This means that blanket consent or global consent is not valid for the processing of personal data.

The GDPR specifies what are considered lawful grounds for the processing of personal data. These are shown in Figure 1 and described below. These are good practices to follow regardless of whether an organization is subject to the GDPR. Regulations concerning data privacy and protection are ever evolving, and it is in your organization’s best interest to establish and maintain strict data privacy and protection policies. In the end, each organization must make its own interpretation of what it considers legal grounds for processing personal data.

Chapter 2, Article 6, of the GDPR describes the lawfulness of processing as follows: Processing shall be lawful only if and to the extent that at least one of the following applies:
  • 7.
    • The data subject has given consent to the processing of his or her personal data for one or more specific purposes
    • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
    • Processing is necessary for compliance with a legal obligation to which the controller is subject
    • Processing is necessary in order to protect the vital interests of the data subject or of another natural person
    • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
    • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Figure 1: Lawful grounds for processing personal data (consent, public interest, contract, protection of vital interests, legal obligation, legitimate interest)

ACCOUNTABILITY

The GDPR aims to improve accountability of those processing personal data and increase transparency of the data being processed. Despite its similarity in substance and structure to the current data protection legislation, the GDPR will take a much tougher line in helping enforcement. Penalties for noncompliance are
  • 8. remarkably high, including administrative fines of up to €20 million or 4% of an enterprise’s global annual revenue, with potential damage claims and other legal liability risks designed to incentivize companies to enhance internal structures and processes to comply with the regulation.

DATA PROTECTION BY DESIGN AND BY DEFAULT

Under the terms of the GDPR, organizations must deliberately build in privacy, and both systems and processes have to adopt privacy by default. Organizations are obligated to ensure that the processing of personal data is for a specific purpose, and the organizations must demonstrate that data protection is at the heart of their IT framework and solution design.

TECHNICAL AND ORGANIZATIONAL SECURITY

Organizations are also obligated to implement all necessary technical and organizational measures to ensure a level of security appropriate to the risk of the processing for the data subjects. It is therefore necessary that the organization analyzes its internal IT asset landscape to identify and map data flows. This will help to ascertain the appropriateness of the security framework.

DATA SUBJECT RIGHTS

Organizations should be guided by the concept that the individual should know and always be able to identify what personal data is processed, by whom, for what purposes, and over what period of time. Thus, data controllers will need to actively provide certain general and specific information; this is in accordance with the GDPR’s revised concepts of data portability and the individual’s rights to access, refuse or object, or be forgotten. Organizations involved in processing personal data will therefore require robust internal processes with designated roles.

DATA GOVERNANCE

With an onus to clearly show customers, data subjects, and regulators that they are GDPR compliant, organizations must implement a host of systemic measures to reduce the risk of violation. Complexity grows when organizations need to keep track of every purpose for which personal data is being processed and when they need to ensure that all individuals have given their consent for each data processing use case. These measures must be built into existing IT infrastructures. Depending on the outcome of a data protection risk assessment, organizations should take measures to help maintain compliance. Such measures include the appointment of a dedicated data protection officer (DPO), the execution of privacy impact assessments (PIAs), and the adoption of regular audit procedures.

DATA RETENTION VERSUS DATA DELETION

Business systems, such as human capital management (HCM) systems, contain combinations of a multitude of records on both employees and other individuals, such as job applicants and contractors. A company’s HCM system may, for example, store data related to job applications, payroll records, training history, compensation history, retirement plans, health information, and so on. Over time, a company’s HCM system will accumulate a considerable number of records, many of which contain personal information related to individuals.

The GDPR requires organizations to remove any personal data from their systems once this data is no longer needed for the course of business. You must do this, for example, when an employee leaves the company (including any transfer of employment to an affiliated company). In other
  • 9. cases, an employee may simply revoke their consent to a special data processing activity. At the same time, personal data obtained may still be lawfully processed on other legal grounds or be an integral part of records that are subject to retention times of 5, 10, or even 30 years. In such cases, the company needs to determine how to best store that data so it is not unnecessarily accessed but can still be retrieved by authorized parties.

DATA PROTECTION AS A PART OF LEGAL COMPLIANCE

Data protection requirements are only one subset of compliance requirements faced by a company. Data protection requirements need to be aligned with other applicable requirements, including tax legislation or industry-specific laws. Retention requirements are the best example. If more specific legislation defines that certain records, including personal information, need to be kept for 30 years, deletion of this data is not allowed. Organizations need to analyze their business processes with regard to all applicable legislation, and establish the appropriate technical and organizational measures to achieve and maintain compliance.

ROLE OF SAP PRODUCTS

As mentioned previously, SAP has been consistent in our approach to data protection as part of our general product standards. We are extending this approach as related to the new requirements of the GDPR as well as improving existing standards. Therefore, our company is committed to achieving GDPR compliance by May 25, 2018.

In tandem, we are committed to developing and further improving our products to help you, our customers, meet GDPR requirements to the best of your ability. Development measures include the ongoing enhancement of already existing product features as well as the implementation of new requirements.

If configured properly, SAP software products can help your controllers comply with certain GDPR obligations. This is because SAP products (as a digital platform and from a solutions perspective) are designed to help ensure the consistency and accuracy of data across systems. SAP solutions provide layers of assurance, appropriate technical and organizational measures – such as pseudonymization and encryption – and a management system of standards and best practices. All these strategies help protect fundamental rights and freedoms of natural persons as stated under the GDPR.
  • 10. Features of SAP® SuccessFactors® Solutions

We will now look more specifically at how features of SAP SuccessFactors solutions can support your organization’s journey toward GDPR compliance. We will examine this functionality by looking at the lifecycle of personal data.

We can view the lifecycle of data—including personal data—as comprising three phases: the “active” phase, during which the data is processed for its intended purpose; the “retention” or “blocked” phase, during which the data should not be actively processed but can be displayed for specific reasons; and the “end-of-use” phase at the end of the data’s applicable retention period. (See Figure 2.) SAP SuccessFactors solutions provide robust data protection features for all three phases.

Figure 2: Personal data lifecycle. Active: data processed for its intended purpose. Retention: data displayed or processed for specific purposes only. End of use: data purged.

Each organization needs to define for itself what it classifies as personal or “sensitive” data (such as special categories of personal data). Therefore, we plan to offer configuration options for SAP SuccessFactors solutions to mark data elements as personal or sensitive. Classifying data elements as personal or sensitive will facilitate blocking, deleting, and reporting on personal or sensitive data.

ACTIVE DATA PHASE

During the phase when you actively need personal data in an HCM system, your company typically uses it for processes such as time tracking, payroll, and performance management.
  • 11. READ LOGGING AND REPORTING

SAP SuccessFactors solutions log every read access to sensitive data, regardless of the channel used to read the data (for example, user interface, API, exports, or reporting). SAP plans to create a report for this information. The goal is to allow authorized users to run a report that shows the personal data that was read for a specific data subject or personal data that was read by a specific user.

CHANGE LOGGING AND REPORTING

Any changes made to personal data (including corrections) are automatically tracked in SAP SuccessFactors solutions. The SAP SuccessFactors Employee Central solution, for example, captures all changes made to personal data by default. You can define for yourself whether or not to track changes to metadata framework (MDF)-based objects. The software tracks all changes regardless of the channel used to make the change (user interface, API, or imports).

SAP plans to create a “change log report” that will display all changes made to personal data in the format “before value” and “after value.” We plan for the software to provide additional information depending on the functional subarea to explain the context of a change. The goal is to allow authorized users to run a report that shows changes to sensitive data for a specific data subject or changes to sensitive data by a specific user.

PERMISSIONS

SAP SuccessFactors solutions offer a comprehensive permission control, called role-based permissions (RBPs), to help keep personal data secure. With RBPs, you can set up a very fine-grained authorization concept following the “need to know” principle, including the ability to define separate permissions for displaying, changing, and deleting data. You should regularly confirm that the rationale to grant permissions still applies.

The main elements of RBPs are permission roles and permission groups.
    • Permission role controls the access rights that an employee or group of employees has to the application or employee data. RBPs allow you to grant a role to a specific employee, a manager, a group, or all employees in the company.
    • Permission group is used to define groups of employees who share specific attributes. You can use various attributes to select the group members – for example, a user’s department, country, or job code. Groups can be static or dynamic.
    • How are roles and groups related? While roles define what is allowed, the groups define who is allowed to do it (granted users) and for whom (target users).
  • 12. PERSONAL DATA REPORTING

There may be cases in which you need to report on personal data stored within the SAP SuccessFactors solution for a specific data subject. For example, an (ex-)employee might request a copy of all their personal data stored in the HR system, for what purpose the data is being used, and how long it will be retained. SAP plans to develop an “information report” to display this information. The report is designed to be associated with specific permissions to help ensure only authorized persons can run the report. The goal is for the system to also track when the report was run, by whom, and whether it was downloaded.

RETENTION DATA PHASE

Once there is no longer a business need to process personal data, it is advisable to delete – or at least restrict – access to it to minimize risk of data loss or breach. There may be cases where you no longer need to actively process the personal data but need to retain it for compliance reasons. Retention periods include legal, regulatory, contractual, or statutory retention requirements.

The blocking and deletion of personal data in business software tends to be complex. This is largely due to the number of retention regulations that need to be taken into account, but also because the same data is used for different processes by different users. When restricting the use of personal data, you may need to consider not just the kind of data, but the “age” of the data. For example, performance feedback is not effective-dated, but it does have a validity for a specific year (that is, performance is evaluated for a calendar year).
  • 13. BLOCKING

You can use blocking to restrict access to historical personal data within a retention period that is still in the system. In some cases, one role may need to still have access to the data, while you may block access for another role.

RBPs in SAP SuccessFactors solutions already have the option to restrict the permissions for a role to the current data only (that is, no historical records). Planned enhancements for RBPs include the ability to define a time period for which the history should be visible, including the ability to define different intervals of time restrictions based on country as well as employee status (active/inactive). This is needed because different countries may have different rules about how long certain data can be accessed.

MASKING

You can use masking to hide (or mask) field contents on the user interface. If data is masked, it will be displayed as asterisks (********* [Click to View]) to the user. Only in the case when the user explicitly clicks on the masked field will it be displayed. You can switch on masking per field, which helps you not expose personal or even sensitive data by default.

Note: You can use field-level permissions to restrict the access to specific fields as well.

END-OF-USE PHASE

The cost of data storage continues to decline. This tends to discourage organizations from investing in effort to remove data that is no longer needed. Nevertheless, organizations are legally obliged to delete personal data at the end of the applicable retention period.
  • 14. DATA PURGING

Purging personal or sensitive data when it is no longer needed for business purposes is a good risk management strategy – and one of the requirements of the GDPR.

SAP SuccessFactors solutions offer a “data retention management” tool that enables you to purge obsolete data and inactive users from SAP SuccessFactors solutions. You can create business rules to specify exceptions or dependencies, as well as an approval workflow for oversight of data purge requests.

SAP plans to enhance the existing data retention management tool so that you can flexibly define retention configuration by time period and country for each data retention object at a minimum. Each product within the SAP SuccessFactors solutions may offer additional criteria to define purge rules, such as division, department, location, and so on.

When executing a data purge request, the software will check for dependencies in all components and purge the data accordingly. The purge configurations are provided at the functional object level, and you can group multiple purge objects into a data retention group. You can configure retention times at data retention group level based on different parameters – such as country level and employee data type (active/inactive).

DATA PORTABILITY AND EXPORT

Under GDPR, data controllers across all industry sectors will be required to provide personal data to individuals—or even directly to competitors—in a structured, machine-readable format. For more information on this requirement, see also the Guidelines to the Article 29 Data Protection Working Party document on the right to data portability. SAP SuccessFactors solutions already make all personal data for a data subject available for reporting. You can download and export reporting data, for example, in .CSV and .XLS format.

MORE INFORMATION

SAP plans to provide updates to support GDPR compliance in the normal quarterly release cycles and provide corresponding documentation with those releases.

For information on GDPR and SAP, go to www.sap.com/gdpr.

For further information on data privacy and protection at SAP, view www.sap.com/security.

You can reference the full text of the General Data Protection Regulation (Regulation (EU) 2016/679).

vQ417
  • 15. © 2017 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. 
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. www.sap.com/contactsap
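The three-phase personal data lifecycle, the per-country retention periods and the role-dependent blocking described in slides 9 to 14 can be sketched as follows. This is an added Python example, not SAP SuccessFactors code or configuration; the rule table, role names, data type labels and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

class Phase(Enum):
    ACTIVE = "active"          # processed for its intended purpose
    RETENTION = "retention"    # blocked: shown for specific purposes only
    END_OF_USE = "end_of_use"  # retention period over: due for purge

@dataclass(frozen=True)
class Record:
    subject_id: str
    country: str
    data_type: str              # hypothetical category label
    need_ended: Optional[date]  # None while the business need continues

# Constructed sample configuration: (country, data_type) -> retention in years.
# "*" is the default for countries without their own rule. Illustrative only.
RETENTION_YEARS = {
    ("DE", "payroll"): 10,
    ("*", "payroll"): 5,
    ("*", "performance"): 5,
}

# Constructed roles: the lifecycle phases each role may still read.
ROLE_PHASES = {
    "manager": {Phase.ACTIVE},
    "auditor": {Phase.ACTIVE, Phase.RETENTION},
}

def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_years(rec: Record) -> int:
    """Country-specific rule first, then the '*' default; no rule is an error."""
    for key in ((rec.country, rec.data_type), ("*", rec.data_type)):
        if key in RETENTION_YEARS:
            return RETENTION_YEARS[key]
    raise LookupError(f"no retention rule for {rec.country}/{rec.data_type}")

def phase_of(rec: Record, today: date) -> Phase:
    """Classify a record into one of the three lifecycle phases."""
    if rec.need_ended is None or today < rec.need_ended:
        return Phase.ACTIVE
    if today < add_years(rec.need_ended, retention_years(rec)):
        return Phase.RETENTION
    return Phase.END_OF_USE

def can_read(role: str, rec: Record, today: date) -> bool:
    """Deny by default: unknown roles, unconfigured and end-of-use data."""
    try:
        return phase_of(rec, today) in ROLE_PHASES.get(role, set())
    except LookupError:
        return False

def plan_purge(records, today: date):
    """Return (ids due for purge, ids without a rule that need manual review)."""
    purge, review = [], []
    for rec in records:
        try:
            if phase_of(rec, today) is Phase.END_OF_USE:
                purge.append(rec.subject_id)
        except LookupError:
            review.append(rec.subject_id)
    return purge, review

# Constructed sample records.
SAMPLE = [
    Record("e1", "DE", "payroll", date(2012, 2, 29)),
    Record("e2", "FR", "payroll", date(2012, 2, 29)),
    Record("e3", "FR", "payroll", None),
    Record("e4", "FR", "health", date(2010, 1, 1)),
]
```

A record with no matching rule is neither purged nor readable; it is routed to review, so a configuration gap cannot silently delete data that another law requires to be kept.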