
Materializing dataprivacy in SAP - How?

The European Parliament approved the General Data Protection Regulation (the "GDPR") on Thursday, 14 April 2016. The GDPR will become effective for all companies processing personal data of EU citizens on May the 28th 2016.
Failure to comply with the GDPR may result in enforcement actions under the GDPR, including possible fines of up to the greater of €20 million or 4% of annual global turnover.

How is this related to SAP data?
Most organizations using SAP store privacy-relevant data in their SAP systems (think of personal data related to customers, vendors, business partners, employees, applicants, patients, etc.).
Many data privacy officers are aware of the new EU GDPR and are looking for instruments and know-how to translate and apply data privacy measures to SAP data.
The attached presentation gives you some basic insight on how to handle personal and sensitive data in SAP systems.

Published in: Data & Analytics

  1. May 10, 2016. Implementing data privacy measures in SAP. Nico J.W. Kuijper, D&IM Services: SAP Archiving, Information Lifecycle Management, ECM & (SAP) Data Privacy Consultant. Email: nico.kuijper@d-im-services.com - Phone: +31(0)20 615 82 89. Member of the International Association of Privacy Professionals.
  2. Subject and scope of this presentation: This presentation is about data privacy in the context of SAP data. A data privacy project covers many different legal, organizational and technical aspects; in this presentation, however, we focus only on (some of the) SAP instruments and practices for enforcing data privacy regulations (like the new EU GDPR) in SAP systems.
  4. Why is this topic relevant for SAP using companies? On Thursday, 14 April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR). The GDPR comes into effect on 25 May 2018 and companies have 24 months to become GDPR compliant. If you use SAP systems, you may want to know what needs to be done to apply the new EU data privacy law to them, in particular how to handle your SAP data according to the new law. Official EU publication of the EU GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52012PC0011
  5. The risks of non-compliance with the EU GDPR: Not complying with the EU GDPR (General Data Protection Regulation) leads to significant fines and compliance risks. The EU created two tiers of maximum fines for companies violating the GDPR. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower threshold fine is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.
  6. What is considered privacy relevant information? There are many elements of personal information. Some examples are name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, IP address (some jurisdictions), business and personal addresses, phone numbers and email addresses, internal identification numbers, credit card and bank account numbers, government-issued identification numbers (social security, driver's license numbers, etc.) and identity verification information. It is important to remember that business data elements can be considered personal information as well. “Personal data” is defined as “any information relating to an identified or identifiable natural person”.
  7. The General Data Protection Regulation in short: The highlights of the EU GDPR are displayed above and require an update of your privacy program. On the next slides we focus on the translation of some of the GDPR articles to the SAP context.
  8. The identification of personal data in SAP: The GDPR requires the designation of a data protection officer and the execution of DPIAs. One of his/her tasks? Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits. DPIAs (Data Privacy Impact Assessments) are used to identify potential privacy issues, evaluate whether the benefits of a project outweigh its risks, implement privacy by design, and conduct internal auditing for compliance with legal, regulatory, industry and organizational standards. Do you know how to identify, monitor and audit the use of personal data in SAP?
  9. Explicit consent for processing personal data in SAP: The GDPR requires explicit consent for the processing of (special categories of) personal data. How do you request or trigger explicit consent for personal data (to be) processed in SAP?
  10. Erasure or blocking of personal data (right to be forgotten): Under GDPR Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful. Do you know how to erase or block personal data in SAP in a consistent way?
  11. The transfer of personal data out of the EU: The GDPR makes clear that it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country. It also imposes hefty monetary fines for transfers in violation of the Regulation. Do you know how to restrict the (unlawful) transfer of personal data stored in SAP systems?
  12. Protect personal data in non-productive systems: The GDPR encourages data pseudonymization, defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”. Data encryption, pseudonymization, anonymization, etc. are means of protecting the rights of individuals while also allowing controllers to benefit from the data’s utility – in the SAP context, e.g. the use of SAP data in test and quality assurance systems. Do you know how to (pseudo)anonymize or encrypt personal data in non-productive SAP systems?
  13. Data breach notifications within 72 hours: Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In the event of a personal data breach, data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” Do you know how to prevent and/or detect a data breach in SAP or control the download of privacy relevant data from SAP systems?
  14. Information security = information privacy? The term information privacy refers to the handling, controlling, sharing and disposal of personal information, while the term information security includes a very wide range of activities, both physical and administrative, that protect not only personal information but any type of information or information asset that supports a business. The difference between information privacy and information security supports the statement, “You can have security without privacy…but you cannot have privacy without security.” For example, a computer with solid access controls may be secure; however, if the access controls were not assigned correctly, privacy may become an issue. In these slides we focus mainly on the protection of privacy relevant SAP information.
  16. Mitigating the violation of data privacy laws in SAP: Organizations handling privacy relevant data in the context of SAP systems might need some practical guidance on how to mitigate the risk of violating data privacy regulations. In this section we show some practical examples of how to mitigate that risk in SAP environments.
  17. Some examples of data privacy measures in SAP:

      | Data privacy topic | Applicable to SAP system, functionality or data | Supporting SAP functionality | Supporting 3rd party functionality |
      |---|---|---|---|
      | Data privacy impact assessment on SAP data | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | AIS (Audit system), special reports, GRC, etc. | |
      | Activate explicit consent for processing of personal data | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | Standard SAP | |
      | Restrict / limit access to privacy relevant data | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | Standard SAP | |
      | Blocking of privacy relevant data (if it can’t be deleted) | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | Standard SAP | |
      | Destruction of privacy relevant SAP data | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | SAP ILM RM (part of standard SAP) | |
      | Data encryption, masking, anonymization, etc. | Privacy relevant data in all non-productive SAP systems | SAP TDMS 4.0 | EPI-USE, Dolphin, etc. |
      | Data protection & prevention of data leakage (outside SAP) | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | SAP Authorizations, AIS (Audit system) | External DLP solution providers like Secude, etc. |
      | Monitor unlawful access to privacy relevant or sensitive data in SAP | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | Read Access Logging (RAL), SAP Enterprise Threat Detection, etc. | Different external solution providers |

      Audit SAP data privacy; Enforce explicit consent; Restrict data access; Blocking of SAP data; Destroy SAP data; Encrypt, Mask, etc.; Prevent SAP data leakage; Monitor unlawful data access
  18. Conducting data privacy impact assessments in SAP: Context: organizations handling privacy relevant (personal) data are obliged to execute DPIAs (Data Privacy Impact Assessments) under the EU GDPR. Organizations need to evaluate the personal data they have, categorizing the data so they are clear where the personal and sensitive data resides and where other, less important data sits in the company. What are some of the instruments that can support you in conducting a DPIA on SAP data?
  19. Some Data Privacy Impact Assessment questions: In a DPIA, different types of questions might be raised, such as:
      • What data is collected, from which source(s), and why?
      • Where and how is the recorded data stored (in SAP)?
      • Who (roles/individuals) has access (consulting, updating, etc.) to the data?
      • What is the data used for, and how does it pass both between systems and to data consumers?
      • How long should data be retained?
      • Who is responsible for the data at both an operational and a strategic level?
      It is not always easy to answer some of these questions when you are using a system with an impressive data model and broad functionality like SAP. Where is privacy relevant data actually stored in SAP?
  20. DPIAs in SAP – Identify privacy relevant data (I): There are reports available in SAP to identify where in the data model of SAP privacy relevant information could be stored (including your custom developments). Categorizing the data so that it becomes clear where the personal and sensitive data resides in SAP is an important step in your Data Privacy Impact Assessment.
  21. DPIAs in SAP – Identify privacy relevant data (II): Another useful step is to identify whether you actually store privacy relevant data in SAP, and this should be assessed at least once a year. Audit Information System reports can support you in this task.
  22. DPIAs in SAP – Identify privacy relevant data (III): Once it is clear where privacy relevant data is stored in SAP, you want to know who has access to it and the type of actions that can be executed by the users/roles (this can be done using e.g. GRC and other tools). It is also relevant to check who can access privacy relevant data directly at database level using a table browser such as SE16, which is often used as a backdoor to access data.
  23. Supporting data privacy assessments in SAP: Once organisations understand just what personal data they have, they should then ensure that regular risk assessments are completed to understand the degree of threat imposed on the company when processing privacy relevant data in SAP. There are many tools and reports available in SAP that can support you in conducting your Data Privacy Impact Assessment in SAP in a structured way; we have only scratched the surface of the possibilities. Knowing (and measuring) your risks is key for a solid data privacy program.
  24. Explicit consent for processing of personal data: Context: the GDPR requires explicit consent for the processing of personal data. There are different options available in SAP to enforce the explicit consent for the processing of privacy relevant data.
  25. Data privacy – requesting explicit consent in SAP: Individuals have rights when it comes to the collection & processing of personal information. Consent and choice are two of those rights. As a result, organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. There are different options in SAP to request explicit consent for the storage and processing of personal data in, for example, HCM (employee data and e-recruiting), ECC, SRM, CRM, IS*, etc. Processing personal data in SAP without explicit consent is unlawful and should be avoided.
  26. Blocking of personal data in SAP: Context: the GDPR gives data subjects the right to have their personal data erased. However, personal data sometimes cannot be erased due to data consistency rules or other (overruling) legislation. In some cases privacy relevant (master) data must be blocked for further access and/or processing in SAP.
  27. Blocking privacy relevant data: SAP delivers business functions for the blocking of personal (business partner) data that can’t be deleted instantly for different reasons (SAP data consistency, or data that must be preserved longer due to overruling legal or fiscal legislation, etc.).
  28. Right to be forgotten and erasure of personal SAP data: Context: the GDPR gives data subjects the right to have their personal data erased, provided that certain conditions are met. SAP offers more than 100 so-called data destruction objects for the rule-based and compliant erasure of privacy relevant SAP data (for e.g. ECC6, CRM, SRM, IS*, etc.). This is delivered by the SAP functionality called SAP ILM (Information Lifecycle Management).
  29. Placing information under corporate control: Definition of a ‘RECORD’ (SOX, GAAP, EU GDPR, BASEL II/III, HIPAA, etc.). Corporate information that is subject to legislation must be managed as a “record” using records management principles in order to manage, preserve and destroy the information according to rules.
  30. Introduction of SAP ILM: The lifecycle of information (put under corporate control) can be managed with SAP Information Lifecycle Management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data and documents in a controlled way using records management & retention policies.
  31. Data destruction objects: For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so-called data destruction objects. In the SAP HCM module alone we find more than 100 data destruction objects, and the SAP HCM data destruction objects can (in most cases) be used without additional SAP license implications.
  32. Retention policy: manage the lifecycle of your data. Privacy relevant data should be managed in alignment with other legislation based on retention rules. Other (overruling) legislation, e.g. tax regulation, might require the preservation of privacy relevant data, blocking e.g. the destruction of financial data containing privacy relevant data. With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.
  33. Data destruction in SAP: Based on the defined retention rules in SAP ILM it is possible to comply with the GDPR rule to destroy privacy relevant SAP data in a controlled way.
  34. Data protection in non-productive SAP systems: Context: the GDPR prohibits unauthorized access to personal data and encourages the (pseudo)anonymization of data when possible. How do you give developers, testers and contract workers access to a non-production system without endangering your data privacy and data security regulations? Encryption or (pseudo)anonymization might be the answer.
  35. Data protection in context and some terminology: Even if great care is taken to set up authorizations, design roles and isolate duties in the production environment, these authorizations do not work in non-production systems. How do you give developers, testers and contract workers access to a non-production system without endangering data privacy and data security? Data encryption or (pseudo)anonymization might be the answer. Terminology explained: We speak of anonymity if the identity of a person is not known or if a person does not wish to make his identity known. Pseudonymization and anonymization are both techniques by means of which the identity of a person can no longer be traced. Pseudonymization is a procedure in which identifying data are replaced, using a particular algorithm, by encrypted data (the pseudonym). The algorithm can always calculate the same pseudonym for a person, by means of which information about the person, also from various sources, can be combined. Pseudonymization distinguishes itself in this way from anonymization, because linking information to a person, from various sources, is not possible with anonymization. (Source: wikipedia.org)
  36. SAP TDMS 4.0: scramble privacy relevant data. With SAP TDMS 4.0, SAP offers the option to scramble privacy relevant data in non-productive SAP systems (see SAP slide of TDMS 4.0 above).
  37. 3rd party solutions for SAP data encryption: Other (SAP certified 3rd party) vendors deliver data encryption and (pseudo)anonymization tools for SAP data as well. Note: under the GDPR, a data breach (especially data theft) of encrypted data still must be reported to the authorities – data security remains of vital importance in all cases.
  38. Data theft & data leakage prevention of SAP data: Context: the GDPR also introduces the need for organizations to prepare a data breach notification plan in the event that something does actually go wrong. However, it is vital to prevent data leakage! How can you actually prevent privacy relevant SAP data from being “leaked” and distributed outside your organization?
  39. Is privacy relevant data leaving your SAP system? Privacy relevant data should only be downloaded from SAP when authorized (ensure an adequately configured authorization concept). Misuse of personal data by the download function and/or the XXL/ALV List Viewer is prohibited under the GDPR (considered a data breach/data leakage). Even with appropriate SAP authorizations it is often difficult to control what happens with the data outside the controlled SAP environment; however, there are tools to overcome that hurdle.
  40. Data leakage prevention in SAP: Not many companies are aware of what sensitive/privacy relevant data is leaving their systems. Often, that sensitive information is sent to insecure locations such as unprotected mobile devices and public cloud environments. There are 3rd party tools that can block the download of sensitive data from SAP – not only useful for compliance with regulations, but also to protect your IP, etc.
  41. Controlled access to downloaded SAP data (1): With 3rd party software you can combine SAP authorizations (controlling access to privacy relevant data in SAP) with MS Digital Rights Management (controlling access to privacy relevant data outside the SAP environment). With this concept you can protect SAP data even when it is leaving SAP.
  42. Controlled access to downloaded SAP data (2): Using this kind of SAP certified 3rd party tool, you can get a grip on the sensitive / privacy relevant data that is leaving your SAP systems in a controlled and auditable way.
  43. Monitor the access to privacy relevant SAP data: Context: under the GDPR, a data breach covers different unauthorized activities. Unauthorized access to & processing of privacy relevant data (not only by hackers but also by the employees of the organization) is considered a data breach that must be reported within 72 hours. How can you actually detect that privacy relevant SAP data has been accessed without authorization? SAP delivers different instruments to monitor the unlawful access of privacy relevant SAP data.
  44. Monitoring data breaches in SAP: If data is leaked, companies must inform the Data Protection Authority (DPO) within two working days of becoming aware of the breach. All data breaches must be sufficiently documented, so organizations must indicate exactly where in the systems breaches have taken place and what consequences they have. They must also inform the owners of the leaked data. SAP offers a standard tool (as part of NetWeaver) to monitor the unauthorized access to (privacy relevant) data – even if this is “just looking” at privacy relevant data. The name of the tool is RAL (Read Access Logging) and it can monitor the access to data from many different channels.
  45. RAL (Read Access Logging) - 1: With RAL you can define and categorize the logging purpose, domains and objects yourself.
  46. RAL (Read Access Logging) - 2: Access to privacy relevant SAP data via different channels (GUI, internet, RFC) can be logged in a flexible way so that you can determine what needs to be logged in detail. RAL can help you significantly in detecting and logging data breaches in SAP.
  47. Closure: In this presentation we presented some of the available options in SAP to mitigate data privacy risks. Looking for expertise to enforce data privacy in your SAP systems? Don’t hesitate to consult us!
  48. Nico J. W. Kuijper, D&IM Services: SAP Archiving, Information Lifecycle Management, ECM & (SAP) Data Privacy Consultancy. Email: nico.kuijper@d-im-services.com - Phone: 0031(0)20 615 82 89. DISCLAIMER: This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. D&IM Services assumes no responsibility for errors or omissions in this document, except if such damages were caused intentionally or through gross negligence.
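
The slide "Data protection in context and some terminology" says a pseudonymization algorithm always calculates the same pseudonym for a person, so data from various sources can still be combined, while anonymization makes that linking impossible. The following added example (not part of the original deck and not how SAP TDMS or any vendor tool works) shows that difference on constructed HR and payroll rows; the use of HMAC-SHA256 as the algorithm, the field names and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows standing in for two sources copied to a test system.
HR_ROWS = [
    {"employee_id": "00001234", "name": "Anna Jansen", "cost_center": "CC100"},
    {"employee_id": "00005678", "name": "Piet de Vries", "cost_center": "CC200"},
]
PAYROLL_ROWS = [
    {"employee_id": "00001234", "period": "2016-04", "gross": 4200},
    {"employee_id": "00005678", "period": "2016-04", "gross": 3900},
    {"employee_id": "00001234", "period": "2016-05", "gross": 4200},
]

LINK_FIELDS = {"employee_id"}  # identifiers that other sources join on
DROP_FIELDS = {"name"}         # direct identifiers with no value for testing


def pseudonym(value, key):
    """Keyed, deterministic pseudonym: same key and value give the same result.

    HMAC-SHA256 is an assumption of this example. A plain unkeyed hash would
    not do: anyone who can guess an employee number could recompute it.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def transform(rows, replace_id):
    """Copy rows, replacing link fields via replace_id and blanking direct identifiers."""
    return [
        {
            field: replace_id(value) if field in LINK_FIELDS
            else "REDACTED" if field in DROP_FIELDS
            else value
            for field, value in row.items()
        }
        for row in rows
    ]


def pseudonymize(rows, key):
    """Pseudonymization: records of one person stay linkable across sources."""
    return transform(rows, lambda value: pseudonym(value, key))


def anonymize(rows):
    """Anonymization: every occurrence gets a fresh random token, so nothing links."""
    return transform(rows, lambda value: secrets.token_hex(8))


def linked_rows(left, right, field="employee_id"):
    """Count rows in `right` whose identifier also occurs in `left`."""
    ids = {row[field] for row in left}
    return sum(1 for row in right if row[field] in ids)


if __name__ == "__main__":
    # The key is the "additional information" of the GDPR definition:
    # generate it in production and never copy it to the test system.
    key = secrets.token_bytes(32)
    print("pseudonymized, linkable payroll rows:",
          linked_rows(pseudonymize(HR_ROWS, key), pseudonymize(PAYROLL_ROWS, key)))
    print("anonymized, linkable payroll rows:",
          linked_rows(anonymize(HR_ROWS), anonymize(PAYROLL_ROWS)))
```

Whoever holds the key can recompute a pseudonym from a known employee number, which is why pseudonymized data remains personal data and the key needs the same protection as the production system.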
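
The slides on identifying privacy relevant data (III) and on Read Access Logging describe checking who reads privacy relevant data, through which channel (GUI, internet, RFC), and whether a table browser such as SE16 is used to get at it. The following added example (not part of the original deck) evaluates read-access records against those three questions; the semicolon-separated log layout, the user names, the Z* entry points, the authorization map and the bulk threshold are constructed assumptions and not RAL's own format or configuration.

```python
import csv
import io

# Constructed sample log: timestamp;user;channel;entry_point;table;records_read
SAMPLE_LOG = """\
2016-05-10T09:01:12;HR_CLERK1;GUI;PA20;PA0002;1
2016-05-10T09:03:40;HR_CLERK1;GUI;PA20;PA0002;1
2016-05-10T10:15:02;DEV_JDOE;GUI;SE16;PA0002;500
2016-05-10T11:30:55;RFC_BATCH;RFC;Z_HR_EXPORT;PA0008;12000
2016-05-10T11:45:10;SALES_07;GUI;VA03;VBAK;3
2016-05-10T12:02:31;SALES_07;INTERNET;ZHR_PORTAL;PA0002;1
"""

# Outcome of the DPIA step "where is privacy relevant data stored" (assumed here).
PRIVACY_TABLES = {"PA0002", "PA0008"}
# Who may read which privacy relevant table (assumed authorization concept).
AUTHORIZED = {
    "HR_CLERK1": {"PA0002", "PA0008"},
    "RFC_BATCH": {"PA0008"},
}
GENERIC_BROWSERS = {"SE16"}  # table browser named on the slide
BULK_THRESHOLD = 1000        # assumed limit for a single read


def evaluate(log_text):
    """Return (line_no, user, channel, reasons) for every suspicious read."""
    findings = []
    reader = csv.reader(io.StringIO(log_text), delimiter=";")
    for line_no, row in enumerate(reader, start=1):
        if not row:
            continue  # blank line
        try:
            _ts, user, channel, entry_point, table, records = row
            records = int(records)
        except ValueError:
            # Never drop an unreadable audit record silently.
            findings.append((line_no, None, None, ["malformed"]))
            continue
        if table not in PRIVACY_TABLES:
            continue
        reasons = []
        if table not in AUTHORIZED.get(user, set()):
            reasons.append("not-authorized")
        if entry_point in GENERIC_BROWSERS:
            reasons.append("table-browser")
        if records >= BULK_THRESHOLD:
            reasons.append("bulk-read")
        if reasons:
            findings.append((line_no, user, channel, reasons))
    return findings


def by_channel(findings):
    """Count findings per access channel, for the breach documentation."""
    counts = {}
    for _line, _user, channel, _reasons in findings:
        counts[channel] = counts.get(channel, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG):
        print(finding)
    print(by_channel(evaluate(SAMPLE_LOG)))
```

An authorized user can still appear in the findings, as the bulk read over RFC does here: holding the authorization does not make every use of it lawful.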