Data Security and Data Privacy
Natuvion Webcast (4) – Data Anonymization
Natuvion GmbH – 09.2017
AGENDA
Natuvion
Webcast Series Data Security and Data Privacy
Data Security and Privacy Policy
Fields of Action: Anonymization
Anonymization Solutions TDA
Contact
Since 2014, Natuvion supports customers with our experience and expertise in digitalization
Natuvion Group
▪ Founded in 2014 as an owner-managed consulting company specializing in utilities, transformation and security
▪ Office locations: Walldorf, Berlin, Munich, Vienna (AT), Philadelphia (US)
▪ Company size: > 55 Employees
▪ Expertise of consultants: > 75 % SAP certified & Ø 12 years Utilities and SAP
▪ SAP Gold Partner
▪ SAP Recognized Expertise in Utilities
▪ SAP Landscape Transformation
▪ Long-term partner of the largest energy suppliers in Germany
Services / Skills
▪ Strategic IT-Management
▪ IT Consulting for Utilities Industry
▪ SAP Transformation & Data Services
▪ SAP Security & Data Privacy / Protection
▪ Business Intelligence / Analytics
Success Factors
▪ In-depth experience in implementation of GDPR requirements
▪ Strategic partnership with SAP Data Protection and Privacy Development Teams – ILM / IRF / Consent
▪ Close & long-term partnership with IT / data protection law experts
▪ Complete understanding of the processes and requirements from a business, IT and data privacy perspective
▪ Own certified solutions specifically for consistent data erasure, information and anonymization
▪ Designated Data Protection and Privacy expertise (solutions)
▪ Designated Transformation expertise
Relevant References
▪ Conception & introduction of anonymization (IS-U / CRM)
▪ Group-wide roll-out of a system anonymization (CRM / IS-U / ERP / HCM)
▪ Selective data deletion (IS-U / CRM / ERP / BW)
▪ Deletion conception based on the GDPR (SAP System landscape)
▪ IT and process concept conformity of affected persons rights according to the GDPR (Information and Transparency)
▪ System and data decommissioning with SAP ILM
▪ Concept and implementation information (SAP IRF)
Natuvion – Your specialist for the implementation and the requirements of the GDPR
Data Security und Data Privacy in SAP - Data Anonymization
Natuvion Webcasts
Overview of the webcast series "Data Privacy and Protection"
The webcast series "Data Privacy and Protection in SAP" offers an outstanding overview of the actions and implementation possibilities in accordance with the EU-GDPR.
1. EU-GDPR Onboarding (1 hr.)
Legal overview and basic structuring of the fields of action (1 hour)
2. Deletion of Existing Historical Data (45 min.)
Consistent deletion of mass data in SAP system landscapes (30 minutes)
3. Simple Blocking and Deletion (45 min.)
Overview and experiences with the introduction of SAP Information Lifecycle Management (30 minutes)
4. Anonymization / Pseudonymization (45 min.)
Background, challenges and implementation of a GDPR compliant anonymization
5. Data Reporting / Transparency (30 min.)
GDPR compliant data transfer from conception to implementation - SAP IRF
6. Consent / Approval (45 min.)
GDPR compliant approval concept and introduction – SAP CONSENT
7. Privacy Impact Assessment (45 min.)
How can PIAs be implemented and continue to exist?
Pressure to create data protection conformity persistently increases in the context of the new Data Protection Act.
§ Data Protection by May 2016 (Summary)
▪ Fines range from EUR 50.000 to 300.000 per violation (violations can be cumulated)
▪ Deletion: Personal data acquired and processed for a particular purpose must be deleted as soon as the knowledge of this data is no longer required for that purpose.
▪ Information: The responsible body must provide the person concerned, on request and free of charge, with information on all stored data with reference to persons, recipients and the purpose of the storage.
§ Data Protection by May 2018 (Summary)
• (changed) Fines range up to the higher of 20 M€ or 4% of total worldwide annual turnover of affected companies.
• (new) Right to data portability (Art. 20 GDPR)
• (new) Privacy by Design and by Default (Art. 25 GDPR)
• (changed) Right to be forgotten (Art. 17 GDPR) far exceeds the current right to deletion.
• (changed) Obligations regarding transparency and disclosure (Art. 12 – 15 GDPR) extend the current right to disclosure (e.g. www.selbstauskunft.net).
• (new) Data Protection Impact Assessment (Privacy Impact Assessments, Art. 35 GDPR)
The use of personal data in energy management systems leads to four concrete fields of action.
Uses of personal data in energy management IT systems and the resulting fields of action:
1 Comprehensive real data in project / test and training systems
SAP test, training and/or project systems are built on a complete copy of the production system. Access to the data is possible at any time, fully or partially depending on the authorization.
▪ Test and project system only with anonymous data
▪ Field of action: Anonymization of training and test systems
2 Historical data in productive systems
After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems.
▪ Personal data after expiration of legitimation to be deleted
▪ Field of action: Deletion of historical data
3 Extensive database of process execution
Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction.
▪ Personal data after expiration of legitimation to be deleted
▪ Field of action: Data blocking and implementation of continuous data management
4 Customer requests to provide information
Requests for information about the affected persons concerning the storage and processing of their personal data. Information is currently available as a manual process and information can only be provided with high effort and usually not in the legally prescribed format.
▪ Structured, IT-supported processing
▪ Field of action: Right to access by the data subject
Example of initial situation
Initial example of actual IT process & system landscape
Historical data in productive systems
After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems.
Extensive database of process execution
Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction.
Customer requests to provide information
Requests for information about the affected persons concerning the storage and processing of their personal data. Information must be provided in a structured, electronic form with the following specifics: the place, the reason and the recipient as well as the duration of the storage / deletion criteria.
Comprehensive real data in project / test and training systems
SAP test, training and/or project systems are built on a complete copy of the production system. Extensive access to data is possible.
[Figure: initial situation per field of action, with status markers "To be implemented". Panels: company codes in system with verified legitimation; data surveys with legitimation to be verified (current year): requests for information (§ 34 BDSG) and supervision (§ 38 BDSG); real data in secondary systems (access extensive / limited / data anonymized) by companies and customers.]
* Number of inquiries across all service providers currently cannot be determined
* Change = Rejected bills of exchange and storage of data
On the way to data privacy compliance?
Anonymization / Pseudonymization
Why does data need to be anonymized / pseudonymized?
(1) Project / Test System
• Project / test systems are built as a copy of the productive system.
• The authorization structure in this system is usually not very strict.
• Both internal and external employees have extensive access to data and processes.
• Technical data access / direct database access is often possible.
(2) Training System
• Training systems are built as a copy of the productive system.
• The authorization structure in this system is usually mediocre, depending on the training.
• Usually only internal employees are trained.
• Technical access to the data is usually not possible.
(3) Quality System
• Quality assurance systems are built as a copy of the productive system.
• The authorization structure in this system is usually very strict.
• Usually, internal employees have access to these systems.
• Technical access to the data is usually not possible.
[Figure: risk chart with the axes Probability and Damage Potential, showing systems 1, 2 and 3.]
Personal data may not be used for a test execution of IT software.
Comprehensive real data in project, test and training systems
"[..] Software and IT procedures are to be checked with systematically developed case constellations (test data, no personal data) according to a test plan, from which the desired result emerges. Mass tests can, if necessary, be carried out with anonymized original data after approval and specifications of the competent authority. The approval of the responsible authority for the anonymization of original data and all test results must be documented in a revision-proof manner."
Source: IT Baseline Protection Catalogs (13. EL, 2013, M 2.509), https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m02/m02509.html
In SAP test or project systems, no personal data may be held.
All test procedures must be carried out with anonymous data.
[Figure: Sample of SAP System Landscape, showing production, development, test, project, training and sandbox systems for SAP CRM and SAP ERP / IS-U.]
Challenges & Solutions
Known challenges in pseudonymization
Common Challenges
▪ Networked Systems: Coherent systems must also have a synchronized database after pseudonymization.
▪ Completeness: The pseudonymization must take all personal data into account (customer developments and add-ons).
▪ Speed: The performance of a system changeover / anonymization is a deciding factor for feasibility. The pseudonymization must have no noticeable influence on the established processes.
▪ Sustainability & Complexity: An SAP system landscape is subject to constant change. Data structures are modified and new data structures are added which may contain data with a person reference.
▪ External Systems / Interfaces: Interfaces to non-SAP systems require increased attention in the context of pseudonymization. At this point, problems can arise in the testability / functionality of the processes.
Solutions
TDMS (SAP SE)
▪ Rule-based data scrambling
▪ Single systems can be pseudonymized or anonymized.
▪ Central control via a control system possible (SOLMAN)
TDA (Natuvion)
▪ Rule-based pseudonymization
▪ System landscapes or individual systems can be selectively or completely pseudonymized.
▪ Templates for ERP / CRM / HCM / IS-U
▪ Central control of any SAP system
EDA (Natuvion)
▪ Rule-based pseudonymization and anonymization
▪ Individual systems can be selectively pseudonymized or anonymized.
▪ Templates for IS-U / CRM
▪ Central control of any SAP system
Scope of Anonymization
Example of anonymization SAP ERP-IS-U / CRM
[Figure: bar chart of relevant fields with personal data in ERP and CRM, split into Standard and Customer.]
Master Data
▪ Names: Replace rule-based, blend, generate, delete
▪ Bank details: Substitute rule-based, generation, mixing of business customers, deletion
▪ Date of Birth: Generate rule-based, setting of ranges, deletion
▪ Addresses: Centralized, overlapping address assignment
▪ Communication Structures: Replace rule-based, blend, generate, delete
▪ Service Provider: Replace rule-based, blend, generate, delete
Transaction Data
▪ SEPA-Mandates: Consistent adaptation to the master data
▪ Returns/Re-payment Request: Consistent adaptation to the master data
▪ Payment Lot: Consistent adaptation to the master data
▪ Payment Program: Consistent adaptation to the master data
▪ CRM-Activities and IS-U Contacts
Customer-specific Developments
▪ Automated content-dependent search of data fields with reference to a person
▪ Integration of these fields into rule-dependent field modification
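The "Networked Systems" and "Completeness" challenges and the field rules listed above, as an added Python sketch (not Natuvion's TDA code and not from the webcast): a keyed, rule-based pseudonymization that gives the same replacement values in ERP, CRM and dependent transaction data, and refuses records with unclassified fields. Field names, value tables, the key handling and the sample records are assumptions constructed for this example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed value tables standing in for the "value tables" the slides mention.
FIRST_NAMES = ["Anna", "Jonas", "Mara", "Felix", "Lea", "Tim", "Nora", "Paul"]
LAST_NAMES = ["Test", "Muster", "Beispiel", "Probe", "Demo", "Sample"]


def prf(key: bytes, domain: str, value: str) -> int:
    """Keyed pseudo-random function: the same key and input give the same
    number on every system, so separately processed systems stay in sync."""
    mac = hmac.new(key, f"{domain}\0{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def _iban_digits(text: str) -> int:
    # ISO 13616: letters become numbers (A=10 ... Z=35) before the mod-97 step.
    return int("".join(str(int(ch, 36)) for ch in text))


def iban_is_valid(iban: str) -> bool:
    return _iban_digits(iban[4:] + iban[:4]) % 97 == 1


def pseudo_iban(key: bytes, original_iban: str) -> str:
    """Replacement German-format IBAN with correct check digits, so payment
    processes in the test system still accept it."""
    normalized = original_iban.replace(" ", "").upper()  # same value, same result
    bban = f"{prf(key, 'iban', normalized) % 10**18:018d}"
    check = 98 - _iban_digits(bban + "DE00") % 97
    return f"DE{check:02d}{bban}"


def pseudo_birth_date(key: bytes, partner: str, original: str) -> str:
    """Range rule: keep the birth year, regenerate the day within that year."""
    year = date.fromisoformat(original).year
    offset = prf(key, "dob", partner) % 365
    return (date(year, 1, 1) + timedelta(days=offset)).isoformat()


# Rule table: field name -> rule(key, record). Names are keyed on the partner
# number shared by ERP and CRM; bank details are keyed on the original value,
# so a SEPA mandate follows its master record automatically.
RULES = {
    "first_name": lambda k, r: FIRST_NAMES[prf(k, "first", r["partner"]) % len(FIRST_NAMES)],
    "last_name": lambda k, r: LAST_NAMES[prf(k, "last", r["partner"]) % len(LAST_NAMES)],
    "birth_date": lambda k, r: pseudo_birth_date(k, r["partner"], r["birth_date"]),
    "iban": lambda k, r: pseudo_iban(k, r["iban"]),
}
# Fields reviewed and classified as safe to copy; keys stay so references hold.
NON_PERSONAL = {"system", "partner", "mandate_id"}


def pseudonymize(record: dict, key: bytes) -> dict:
    unknown = set(record) - set(RULES) - NON_PERSONAL
    if unknown:
        # Completeness: a new add-on field must be classified before it is copied.
        raise ValueError(f"unclassified fields: {sorted(unknown)}")
    return {f: RULES[f](key, record) if f in RULES else v for f, v in record.items()}


# Constructed sample records: one partner as stored in ERP, CRM and a mandate.
ERP_PARTNER = {"system": "ERP", "partner": "0010004711", "first_name": "Erika",
               "last_name": "Mustermann", "birth_date": "1964-08-12",
               "iban": "DE89 3704 0044 0532 0130 00"}
CRM_PARTNER = {"system": "CRM", "partner": "0010004711", "first_name": "Erika",
               "last_name": "Mustermann", "iban": "DE89370400440532013000"}
SEPA_MANDATE = {"system": "ERP", "partner": "0010004711", "mandate_id": "M-000123",
                "iban": "DE89370400440532013000"}

if __name__ == "__main__":
    # Constructed demo key. Whoever holds the key can recompute the mapping for
    # a guessed original, so it must not be stored in the target system.
    run_key = b"constructed-demo-key"
    for rec in (ERP_PARTNER, CRM_PARTNER, SEPA_MANDATE):
        print(pseudonymize(rec, run_key))
```

Because the mapping is reproducible with the key, the result is pseudonymization; discarding the key after the run removes that route back to the original values.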
Test Data Anonymization (TDA)
Natuvion’s Solution: Overview
Key Features of the Solution
▪ Quickly supply test systems with anonymized data
▪ Comprehensive pseudonymization / full anonymization on ABAP-based systems
▪ Anonymization of non-SAP solutions (databases) possible
▪ Use of value tables for using real values
▪ Anonymization of Business Warehouse Data / Systems
▪ Integration / Extension of SAP ILM for SAP BW
▪ Extremely high conversion performance (e.g. 14 mil. Partners within 8 hrs.)
▪ Supply data across system boundaries, to ensure the consistency of the transferred data at all times
▪ Economically & legally certified solution
▪ Compatible with NW 7.0 systems and up
▪ Distinctive data models for ERP / IS-U / FI-CA / CRM / HCM / BW
TDA – Test Data Anonymization
Live Demonstration of a Pseudonymization
Selection
Transformation
Application perspective
Administration perspective
Data before the anonymization
Data after the anonymization
The data anonymization can be performed centrally from one system for all connected systems synchronously, or on each connected system asynchronously.
Customer-Specific Developments
All personal data must be taken into account. This also affects proprietary developments and add-ons.
Sustainability
The permanent changes to the system landscape / data structures must be taken into account in the solution without carrying out continuous development activities. Storage tables can be supplemented easily and flexibly.
Performance
System anonymization within a quality or test system must be achievable in a minimum runtime frame.
[Figure: Connected System, showing linked ERP and CRM objects: premise, contract, activity, partner, partner relationship, business agreement, transaction, transaction item, point of delivery, connection object, IBase.]
Introduction TDA
The implementation of the solution can be carried out in a short and manageable project framework.
Typical Phases of Implementation
Concept | Test Position | Individualization | Golive | Support
Scope | Test Environment | Tailoring your solution | Start of Regular Operation | Support Contract
▪ Introduction Data anonymization in the department and record additional requirements if necessary
▪ Survey of relevant process, authorization or UI adjustments
▪ Delivery of transport orders
▪ Carry out the necessary standard customizing
▪ Create rules and variants
▪ Display of additional functions / selection features
▪ Customizing as a coaching approach
▪ Development of customer-driven developments / tables
▪ Adaptation of variants
▪ Test management
▪ Test execution
▪ Key user training
▪ End user training
▪ Golive
▪ Stabilization
▪ Certification of §9 German Federal Data Protection Act (optional)
▪ Adhoc-Support
▪ Support for additional product extensions
▪ Technical release updates
▪ Updates for new features
2 - 3 PD | 5 PD | 10 – 15 PD | 5 PD | Support Contract
2 - 3 PD | 3 PD | 3 - 2 PD | 3 PD | ----
Project Duration: 6 – 10 Weeks | Support Contract: 12 - 24 Months
Natuvion GmbH
Altrottstraße 31 | 69190 Walldorf
Fon +49 6227 73-1400
Fax +49 6227 73-1410
www.natuvion.com
We look forward to answering your questions and concerns!
Patric Dahse
Managing Director
Phone: +49 151 171 357 02
Mail: patric.dahse@natuvion.com
Visit us on our website!
Data Protection & Privacy
www.professional-system-security.com/
Natuvion
www.natuvion.com/

Data Security & Data Privacy: Data Anonymization

  • 1.
    Data Security andData Privacy Natuvion Webcast (4) – Data Anonymization Natuvion GmbH – 09.2017
  • 2.
    AGENDA Natuvion Webcast Series DataSecurity and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 2
  • 3.
    Since 2014, Natuvionsupports customers with our experience and expertise in digitalization 3 Founded in 2014 as an owner-managed consulting company specializing in utilities, transformation and security Office locations: Walldorf, Berlin, Munich, Vienna(AT), Philadelphia(US) Company size: > 55 Employees Expertise of consultants: > 75 % SAP certified & Ø 12 years Utilities and SAP SAP Gold Partner SAP Recognized Expertise in Utilities SAP Landscape Transformation Long-term partner of the largest energy suppliers in Germany Services / Skills ▪ Strategic IT-Management ▪ IT Consulting for Utilities Industry ▪ SAP Transformation & Data Services ▪ SAP Security & Data Privacy / Protection ▪ Business Intelligence / Analytics Natuvion Group In-depth experience in implementation of GDPR requirements Strategic partnership with SAP Data Protection and Privacy Development Teams – ILM / IRF / Consent Close & long-term partnership with IT / data protection law experts Complete understanding of the processes and requirements from a business, IT and data privacy perspective Own certified solutions specifically for consistent data erasure, information and anonymization Designated Data Protection and Privacy expertise (solutions) Designated Transformation expertise Success Factors Conception & introduction of anonymization (IS-U / CRM) Group-wide roll-out of a system anonymization (CRM / IS-U / ERP / HCM) Selective data deletion (IS-U / CRM / ERP / BW) Deletion conception based on the GDPR (SAP System landscape) IT and process concept conformity of affected persons rights according to the GDPR (Information and Transparency) System and data decommissioning with SAP ILM Concept and implementation information (SAP IRF) Relevant References Natuvion – Your specialist for the implementation and the requirements of the GDPR Data Security und Data Privacy in SAP - Data Anonymization
  • 4.
    AGENDA Natuvion Webcast Series DataPrivacy and Protection Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solution TDA Contact 4
  • 5.
    Natuvion Webcasts Overview ofthe webcast series "Data Privacy and Protection" Data Security und Data Privacy in SAP - Data Anonymization5 1 1 hr. The webcast series "Data Privacy and Protection in SAP" offers an outstanding overview of the actions and implementation possibilities in accordance to the EU-GDPR. EU-GDPR Onboarding Legal overview and basic structuring of the fields of action (1 hour) 2 45 min. Deletion of Existing Historical Data Consistent deletion of mass data in SAP system landscapes (30 minutes) 3 45 min. Simple Blocking and Deletion Overview and experiences with the introduction of SAP Information Lifecycle Management (30 minutes) 4 45 min. Anonymization / Pseudonymization Background, challenges and implementation of a GDPR compliant anonymization 5 30 min. Data Reporting / Transparency GDPR compliant data transfer from conception to implementation - SAP IRF 6 45 min. Consent / Approval GDPR compliant approval concept and introduction – SAP CONSENT 7 45 Min. Privacy Impact Assessment How can PIAs be implemented and continue to exist?
  • 6.
    Natuvion Webcasts Overview ofthe webcast series "Data Privacy and Protection" Data Security und Data Privacy in SAP - Data Anonymization6 1 1 hr. The webcast series "Data Privacy and Protection in SAP" offers an outstanding overview of the actions and implementation possibilities in accordance to the EU-GDPR. EU-GDPR Onboarding Legal overview and basic structuring of the fields of action (1 hour) 2 45 min. Deletion of existing Historical Data Consistent deletion of mass data in SAP system landscapes (30 minutes) 3 45 min. Simple Blocking and Deletion Overview and experiences with the introduction of SAP Information Lifecycle Management (30 minutes) 4 45 min. Anonymization / Pseudonymization Background, challenges and implementation of a GDPR compliant anonymization 5 30 min. Data Reporting / Transparency GDPR compliant data transfer from conception to implementation - SAP IRF 6 45 min. Consent / Approval GDPR compliant approval concept and introduction – SAP CONSENT 7 45 min. Privacy Impact Assessment How can PIAs be implemented and continue to exist?
  • 7.
    AGENDA Natuvion Webcast Series DataPrivacy and Protection Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solution TDA Contact 7
  • 8.
    Pressure to createdata protection conformity persistently increases in the context of the new Data Protection Act. 8 Data Security und Data Privacy in SAP - Data Anonymization ▪ Fines range from EUR 50.000 to 300.000 per violation (violations can be cumulated) ▪ Deletion of personal data acquired and processed for a particular purpose must be deleted as soon as the knowledge of this data is no longer required for that purpose. ▪ Information: The responsible body must provide the person concerned, on request and free of charge, with information on all stored data with reference to persons, recipients and the purpose of the storage. • (changed) Fines range up to the higher of 20 M€ or 4% of total worldwide annual turnover of affected companies. • (new) Right to data portability (Art. 20 GDPR) • (new) Privacy by Design and by Default (Art. 25 GDPR) • (changed) Right to be forgotten (Art. 17 GDPR) far exceeds the current right to deletion. • (changed) Obligations regarding transparency and disclosure (Art. 12 – 15 GDPR) extend the current right to disclosure (e.g. www.selbstauskunft.net ). • (new) Data Protection Impact Assessment (Privacy Impact Assessments, Art. 35 GDPR) § Data Protection by May 2016 (Summary) § Data Protection by May 2018 (Summary)
  • 9.
    AGENDA Natuvion Webcast Series DataPrivacy and Protection Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solution TDA Contact 9
  • 10.
    Data Security undData Privacy in SAP - Data Anonymization10 The use of personal data in energy management systems leads to four concrete fields of action. Uses of personal data in energy management IT systems: Fields of Action Comprehensive real data in project / test and training systems Historical data in productive systems Extensive database of process execution SAP test, training and/or project systems are built on a complete copy of the production system. The access to data is possible at any time fully and partially depending on the authorization. After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems. Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction Test and project system only with anonymous data Personal data after expiration of legitimation to be deleted Anonymization training and test systems Deletion of historical data Data blocking and implementation of continuous data management 1 Customer requests to provide information Requests for information about the affected persons concerning the storage and processing of their personal data. Information is currently available as a manual process and information can only be provided with high effort and usually not in the legally prescribed format. Structured, IT-supported processing 2 3 Right to access by the data subject 4
  • 11.
    Example of initialsituation Initial example of actual IT process & system landscape 11 Historical data in productive systems After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems. Extensive database of process execution Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction Customer requests to provide information Requests for information about the affected persons concerning the storage and processing of their personal data. Information must be provided in a structured, electronic form with the following specifics: the place, the reason and the recipient as well as the duration of the storage / deletion criteria. Comprehensive real data in project / test and training systems SAP test, training and/or project systems are built on a complete copy of the production system. Extensive access to data is possible.  (1) To be implemented  (2) To be implemented  (3) To be implemented 6 4 3 1 Company codes in system with verified legitimation 77.000 4.200.000 ChangeInterested Persons Inactive 1.150.000 400 With supervision Critical Currently aabout. 120 p.a. Access – dark figure Data surveys with legitimation to be verified (Current year) Req. for info. (§ 34 BDSG) Supervision (§ 38 BDSG) * Number of inquiries across all service providers currently can not be determined * Change = Rejected bills of exchange and storage of data  (3) To be implemented 1 2 3 4 Companies Real data in secondary system (Access restricted / restricted access / data anonymized) 16 4 2 475.000 Customers Extensive Limited Anonym. Data Security und Data Privacy in SAP - Data Anonymization
  • 12.
    On the wayto data privacy compliance? Anonymization / Pseudonymization Data Security und Data Privacy in SAP - Data Anonymization12 Why does data need to be anonymized / pseudonymized? Risk ( 1 ) Project- / Test System ( 3 ) Quality System ( 2 ) Training System • Project / test systems are built as a copy of the productive system. • The authorization structure in this system is usually not very strict. • Both internal and external employees have extensive access to data and processes. • Technical data access / direct database access is often possible. • Training systems are built as a copy of the productive system. • The authorization structure in this system is usually mediocre, depending on the training. • Usually only internal employees are trained. • Technical access to the data is usually not possible. • Quality assurance systems are built as a copy of the productive system. • The authorization structure in this system is usually very strict. • Usually, internal employees have access to these systems. • Technical access to the data is usually not possible. Probability DamagePotential 2 3 1
  • 13.
    Personal data maynot be used for a test execution of IT software. Data Security und Data Privacy in SAP - Data Anonymization Comprehensive real data in project, test and training systems "[..] Software and IT procedures are to be checked with systematically developed case constellations (test data, no personal data) according to a test plan, from which the desired result emerges. Mass tests can, if necessary, be carried out with anonymized original data after approval and specifications of the competent authority. The approval of the responsible authority for the anonymization of original data and all test results must be documented in a revision-proof manner. Source: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/ Inhalt/_content/m/m02/m02509.html IT Baseline Protection Catalogs 13. EL on 2013, M 2.509): 13 In SAP test or project systems, no personal data may be held. All test procedures must be carried out with anonymous data. SAP CRM Production CRM SAP ERP / IS Production ERP SAP CRM Devel. CRM SAP ERP / IS Devel. ERP SAP CRM Test CRM SAP ERP / IS Test ERP Project system CRM Training system CRM Project system ERP Training system IS- UER P Sandbox system CRM Sandbox system ERP Sample of SAP System Landscape
  • 14.
    AGENDA Natuvion Webcast Series DataPrivacy and Protection Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solution TDA Contact 14
  • 15.
    Challenges & Solutions Knownchallenges in pseudonymization Data Security und Data Privacy in SAP - Data Anonymization15 Common Challenges Solutions Networked Systems Coherent systems must also have a synchronized database after pseudonymization. Completeness The pseudonymization must take all personal data into account (customer developments and add-ons). Speed The performance of a system changeover / anonymization is based on the deciding factor of feasibility. The pseudonymization must have no noticeable influence on the established processes. Sustainability & Complexity An SAP system landscape is subject to constant change. Data structures are modified and new data structures are added which may contain data with a person reference. External Systems / Interfaces Interfaces to non-SAP systems are subject to increased attention in the context of pseudonymization. At this point, problems can arise in the testability / functionality of the processes. TDMS (SAP SE) TDA (Natuvion) EDA (Natuvion) ▪ Rule-based data scrambling ▪ Single systems can be pseudonymized or anonymized. ▪ Central control via a control system possible (SOLMAN) ▪ Rule-based pseudonymization ▪ System landscapes or individual systems can be selectively or completely pseudonymized. ▪ Templates for ERP / CRM / HCM / IS-U ▪ Central control of any SAP system ▪ Rule-based pseudonymization and anonymization ▪ Individual systems can be selectively pseudonymized or anonymized. ▪ Templates for IS-U / CRM ▪ Central control of any SAP system
  • 16.
    Scope of Anonymization
    Example of anonymization SAP ERP-IS-U / CRM
    [Chart: Relevant fields with personal data, ERP and CRM; series: Standard, Customer]
    Master Data
    ▪ Names: Replace rule-based, blend, generate, delete
    ▪ Bank details: Substitute rule-based, generation, mixing of business customers, deletion
    ▪ Date of Birth: Generate rule-based, setting of ranges, deletion
    ▪ Addresses: Centralized, overlapping address assignment
    ▪ Communication Structures: Replace rule-based, blend, generate, delete
    ▪ Service Provider: Replace rule-based, blend, generate, delete
    Transaction Data
    ▪ SEPA-Mandates: Consistent adaptation to the master data
    ▪ Returns/Re-payment Request: Consistent adaptation to the master data
    ▪ Payment Lot: Consistent adaptation to the master data
    ▪ Payment Program: Consistent adaptation to the master data
    ▪ CRM-Activities and IS-U Contacts
    Customer-specific Developments
    ▪ Automated content-dependent search of data fields with reference to a person
    ▪ Integration of these fields into rule-dependent field modification
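    The "networked systems" challenge and the field rules listed above (names replaced from a value table, date of birth generated within a range, transaction data adapted consistently to the master data) can be sketched as follows. This is an added illustration, not code from the webcast and not Natuvion's TDA implementation; the key, the value table, the field names and the sample rows are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

RUN_KEY = b"constructed-demo-key"  # assumption: per-run secret held outside the test systems
NAME_TABLE = ["Alex Muster", "Kim Beispiel", "Robin Probe", "Sam Vorlage"]  # constructed value table


def _draw(partner_id: str, field: str, modulus: int) -> int:
    """Keyed deterministic draw: the same partner and field give the same value in every system."""
    mac = hmac.new(RUN_KEY, f"{field}|{partner_id}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big") % modulus


def pseudo_name(partner_id: str) -> str:
    return NAME_TABLE[_draw(partner_id, "name", len(NAME_TABLE))]


def pseudo_birthdate(partner_id: str, original: date, window_days: int = 365) -> date:
    """Shift the date inside a +/- window so age-dependent test cases keep working."""
    return original + timedelta(days=_draw(partner_id, "dob", 2 * window_days + 1) - window_days)


def pseudo_iban(partner_id: str) -> str:
    """Generate a DE-format IBAN with correct mod-97 check digits (syntactically valid only)."""
    bban = f"{_draw(partner_id, 'iban', 10**18):018d}"
    check = 98 - int(bban + "131400") % 97  # D=13, E=14, placeholder check digits 00
    return f"DE{check:02d}{bban}"


def iban_checksum_ok(iban: str) -> bool:
    return int(iban[4:] + "1314" + iban[2:4]) % 97 == 1


RULES = {  # field name -> rule(partner_id, old_value)
    "name": lambda pid, old: pseudo_name(pid),
    "birthdate": lambda pid, old: pseudo_birthdate(pid, old),
    "iban": lambda pid, old: pseudo_iban(pid),
}


def pseudonymize(record: dict) -> dict:
    """Apply every matching rule; keys and non-personal fields pass through unchanged."""
    pid = record["partner_id"]
    return {k: RULES[k](pid, v) if k in RULES else v for k, v in record.items()}


# Constructed sample rows: ERP master data, CRM partner, ERP SEPA mandate (transaction data).
ERP_PARTNER = {"partner_id": "0000100001", "name": "Erika Mustermann",
               "birthdate": date(1980, 5, 17), "iban": "DE00000000000000000000"}
CRM_PARTNER = {"partner_id": "0000100001", "name": "Erika Mustermann", "segment": "B2C"}
SEPA_MANDATE = {"mandate_id": "M-0001", "partner_id": "0000100001", "iban": "DE00000000000000000000"}
```

    Because every value is derived from the partner key and a secret, ERP, CRM and the mandate agree without exchanging a mapping table. The result is pseudonymized rather than anonymized for as long as the key exists, since whoever holds it can recompute the mapping for a known partner.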
  • 17.
    Test Data Anonymization (TDA)
    Natuvion's Solution: Overview
    Key Features of the Solution
    ▪ Quickly supply test systems with anonymized data
    ▪ Comprehensive pseudonymization / full anonymization on ABAP-based systems
    ▪ Anonymization of non-SAP solutions (databases) possible
    ▪ Use of value tables for using real values
    ▪ Anonymization of Business Warehouse Data / Systems
    ▪ Integration / Extension of SAP ILM for SAP BW
    ▪ Extremely high conversion performance (e.g. 14 mil. Partners within 8 hrs.)
    ▪ Supply data across system boundaries, to ensure the consistency of the transferred data at all times
    ▪ Economically & legally certified solution
    ▪ Compatible with NW 7.0 systems and up
    ▪ Distinctive data models for ERP / IS-U / FI-CA / CRM / HCM / BW
  • 18.
    TDA – Test Data Anonymization
    Live Demonstration of a Pseudonymization
    [Diagram: Selection and Transformation; Application perspective and Administration perspective; Data before the anonymization and Data after the anonymization]
  • 19.
    The data anonymization can be performed centrally from one system for all connected systems synchronously, or on each connected system asynchronously.
    TDA – Test Data Anonymization
    Live Demonstration of a Pseudonymization
    ▪ Connected System
    ▪ Customer-Specific Developments: All personal data must be taken into account. This also affects proprietary developments and add-ons.
    ▪ Sustainability: The permanent changes to the system landscape / data structures must be taken into account in the solution without carrying out continuous development activities. Storage tables can be supplemented easily and flexibly.
    ▪ Performance: System anonymization within a quality or test system must be achievable in a minimum runtime frame.
    [Diagram: ERP and CRM objects: Premise, Contract, Activity, Partner, Partner relationship, Business agreement, Transaction, Transaction item, Point of delivery, Connection object, IBase]
  • 20.
    Introduction TDA
    The implementation of the solution can be carried out in a short and manageable project framework.
    Typical Phases of Implementation
    Phases: Concept, Test Position, Individualization, Golive, Support
    Phase focus: Scope, Test Environment, Tailoring your solution, Start of Regular Operation, Support Contract
    Activities
    ▪ Introduction Data anonymization in the department and record additional requirements if necessary
    ▪ Survey of relevant process, authorization or UI adjustments
    ▪ Delivery of transport orders
    ▪ Carry out the necessary standard customizing
    ▪ Create rules and variants
    ▪ Display of additional functions / selection features
    ▪ Customizing as a coaching approach
    ▪ Development of customer-driven developments / tables
    ▪ Adaptation of variants
    ▪ Test management
    ▪ Test execution
    ▪ Key user training
    ▪ End user training
    ▪ Golive
    ▪ Stabilization
    ▪ Certification of §9 German Federal Data Protection Act (optional)
    ▪ Adhoc-Support
    ▪ Support for additional product extensions
    ▪ Technical release updates
    ▪ Updates for new features
    Effort per phase: 2 - 3 PD, 5 PD, 10 – 15 PD, 5 PD, Support Contract
    Effort per phase: 2 - 3 PD, 3 PD, 3 - 2 PD, 3 PD, ----
    Project Duration: 6 – 10 Weeks
    Support Contract: 12 - 24 Months
  • 21.
    AGENDA
    ▪ Natuvion
    ▪ Webcast Series Data Privacy and Protection
    ▪ Data Security and Privacy Policy
    ▪ Fields of Action: Anonymization
    ▪ Anonymization Solution TDA
    ▪ Contact
  • 22.
    We look forward to answering your questions and concerns!
    Natuvion GmbH
    Altrottstraße 31 | 69190 Walldorf
    Fon +49 6227 73-1400
    Fax +49 6227 73-1410
    www.natuvion.com
    Patric Dahse, Managing Director
    Phone: +49 151 171 357 02
    Mail: patric.dahse@natuvion.com
    Visit us on our website!
    Data Protection & Privacy: www.professional-system-security.com/
    Natuvion: www.natuvion.com/