Patric Dahse, profile picture
Uploaded byPatric Dahse
PPTX, PDF1,507 views

GDPR compliant data anonymization / pseudonymization

The document discusses challenges and solutions for anonymizing personal data in SAP systems to comply with the GDPR. It describes fields of action for anonymizing data in test, training, and production systems. The document also provides an overview of Natuvion's Test Data Anonymization solution for pseudonymizing data across connected SAP systems in a centralized and rule-based manner.

Embed presentation

Downloaded 57 times
Data Security and Data Privacy Natuvion Webcast (4) – Data Anonymization Natuvion GmbH – 08.2017
AGENDA Natuvion Webcast Series Data Security and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 2
AGENDA Natuvion Webcast Series Data Security and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 3
Since 2014, NATUVION supports customers with our experience and expertise in digitalization 4 Founded in 2014 as an owner-managed consulting company specializing in utilities, transformation and security Office locations: Walldorf, Berlin, München, Vienna(AT), Philadelphia(US) Company size: > 55 Employees Expertise of consultants: > 75 % SAP certified & Ø 12 years Utilities and SAP SAP Gold Partner SAP Recognized Expertise in Utilities SAP Landscape Transformation Long-term partner of the largest energy suppliers in Germany Services / Skills  Strategic IT-Management  IT Consulting for Utilities Industry  SAP Transformation & Data Services  SAP Security & Data Privacy / Protection  Business Intelligence / Analytics Natuvion Gruppe In-depth experience in implementation of DS-GVO / GDPR requirements Strategic partnership with SAP Data Protection and Privacy Development Teams – ILM / IRF / Consent Close & long-term partnership with IT / data protection law experts Complete understanding of the processes and requirements from a business, IT and data privacy perspective Own certified solutions specifically for consistent data erasure, information and anonymization Designated data protection and privacy expertise (solutions) Designated Transformation expertise Success Factors Conception & introduction of anonymization (IS-U / CRM) Group-wide roll-out of a system anonymization (CRM / IS-U / ERP / HCM) Selective data deletion (IS-U / CRM / ERP / BW) Deletion concept of DS-GVO / GDPR (SAP System landscape) IT and process concept conformity of affected persons rights according to DS-GVO / GDPR (Information and Transparency) System and data decommissioning with SAP ILM Concept and implementation information (SAP IRF) Relevant References Natuvion – Your specialist for the implementation and requirements of the GDPR / DS-GVO Data Security und Data Privacy in SAP - Data Anonymization
Natuvion Webcasts Overview of the webcast series „Data Security and Data Privacy" Data Security und Data Privacy in SAP - Data Anonymization5 1 1 hr. The webcast series „Data Security and Data Privacy in SAP“ offers an outstanding overview of the actions and implementation possibilities in accordance to the EU-GDPR / EU-DSGVO. EU-DSGVO/ GDPR Onboarding Legal overview and basic structuring of the fields of action (1 hour) 2 45 min. Deletion of Existing Historical Data Consistent deletion of mass data in SAP system landscapes (30 minutes) 3 45 min. Simple Locking and Deletion Overview and experiences with the introduction of SAP Information Lifecycle Management (30 minutes) 4 45 min. Anonymization / Pseudonymization Background, challenges and implementation of a DSGVO / GDPR compliant anonymization 5 30 min. Data Reporting / Transparency DSGVO / GDPR compliant data transfer from conception to implementation - SAP IRF 6 45 min. Consent / Approval DSGVO / GDPR complient approval concept and introduction – SAP CONSENT 7 45 Min. Privacy Impact Assessment How can PIAs be implemented and continue to exist?
Natuvion Webcasts Overview of the webcast series „Data Security and Data Privacy" Data Security und Data Privacy in SAP - Data Anonymization6 1 1 hr. The webcast series „Data Security and Data Privacy in SAP“ offers an outstanding overview of the actions and implementation possibilities in accordance to the EU-GDPR / EU-DSGVO. EU-DSGVO/ GDPR Onboarding Legal overview and basic structuring of the fields of action (1 hour) 2 45 min. Deletion of Existing Historical Data Consistent deletion of mass data in SAP system landscapes (30 minutes) 3 45 min. Simple Locking and Deletion Overview and experiences with the introduction of SAP Information Lifecycle Management (30 minutes) 4 45 min. Anonymization / Pseudonymization Background, challenges and implementation of a DSGVO / GDPR compliant anonymization 5 30 min. Data Reporting / Transparency DSGVO / GDPR compliant data transfer from conception to implementation - SAP IRF 6 45 min. Consent / Approval DSGVO / GDPR complient approval concept and introduction – SAP CONSENT 7 45 min. Privacy Impact Assessment How can PIAs be implemented and continue to exist?
AGENDA Natuvion Webcast Series Data Security and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 7
Pressure to create data protection conformity persistently increases in the context of the new Data Protection Act. 8 Data Security und Data Privacy in SAP - Data Anonymization  Fines range from EUR 50.000 to 300.000 per violation (violations can be cumulated)  Deletion of personal data acquired and processed for a particular purpose must be deleted as soon as the knowledge of this data is no longer required for that purpose.  Information: The responsible body must provide the person concerned, on request and free of charge, with information on all stored data with reference to persons, recipients and the purpose of the storage. • (changed) Fines range up to the higher of 20 M€ or 4% of total worldwide annual turnover of affected companies. • (new) Right to data portability (Art. 20 GDPR) • (new) Privacy by Design and by Default (Art. 25 DS-GVO) • (changed) ‘Right to be forgotten’ (Art. 17 GDPR) far exceeds the current right to deletion. • (changed) Obligations regarding transparency and disclosure (Art. 12 – 15 GDPR) extend the current right to disclosure (e.g. www.selbstauskunft.net ). • (new) Data Protection Impact Assessment (Privacy Impact Assessments, Art. 35 DS-GVO) § Data Protection by May 2016 (Summary) § Data Protection by May 2018 (Summary)
AGENDA Natuvion Webcast Series Data Security and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 9
Data Security und Data Privacy in SAP - Data Anonymization10 The use of personal data in energy management systems leads to four concrete fields of action. Uses of personal data in energy management IT systems: Fields of Action Comprehensive real data in project / test and training systems Historical data in productive systems Extensive database of process execution SAP Test, Training and/or project systems are built on a complete copy of the production system. The access to data is possible at any time fully and partially depending on the authorization. After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems. Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction Test and project system only with anonymous data Personal data after expiration of legitimation to be deleted Anonymization training and testing system Delete historical data Lock and implement continuous data managment 1 Customer requests to provide information Requests for information about the affected persons concerning the storage and processing of their personal data. Information is currently available as a manual process and information can only be provided with high effort and usually not in the legally prescribed format. Structured, IT-supported processing 2 3 Request for information about personal data 4
Example of Initial Situation Initial example of actual IT process & system landscape 11 Historical data in productive systems After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems. Extensive database of process execution Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction Customer requests to provide information Requests for information about the affected persons concerning the storage and processing of their personal data. Information must be provided in a structured, electronic form with the following specifics; the place, the reason and the recipient as well as the duration of the storage / deletion criteria. Comprehensive real data in project / test and training systems SAP Test, Training and/or project systems are built on-a complete copy of the production system. Extensive access to data is possible.  (1) To be implemented  (2) To be implemented  (3) To be implemented 6 4 3 1 Company codes in system with verified legitimation 77.000 4.200.000 ChangeInterested Persons Inactive 1.150.000 400 With supervision Critical Currently aabout. 120 p.a. Access – dark figure Data surveys with legitimation to be verified (Current year) Req. for info. (§ 34 BDSG) Supervision (§ 38 BDSG) * Number of inquiries across all service providers currently can not be determined * Change = Rejected bills of exchange and storage of data  (3) To be implemented 1 2 3 4 Companies Real data in secondary system (Access restricted / restricted access / data anonymized) 16 4 2 475.000 Customers Extensive Limited Anonym. Data Security und Data Privacy in SAP - Data Anonymization
On the way to data privacy compliance? Anonymization / pseudonymization Data Security und Data Privacy in SAP - Data Anonymization12 Why does data need to be anonymized / pseudonymized? Risk ( 1 ) Project- / Test System ( 3 ) Quality System ( 2 ) Training System • Project / test systems are built as a copy of the productive system. • The authorization structure in this system is usually not very strict. • Both internal and external employees have extensive access to data and processes. • Technical data access / direct database access is often possible. • Training systems are built as a copy of the productive system. • The authorization structure in this system is usually mediocre, depending on the training. • Usually only internal employees are trained. • Technical access to the data is usually not possible. • Quality assurance systems are built as a copy of the productive system. • The authorization structure in this system is usually very strict. • Usually, internal employees have access to these systems. • Technical access to the data is usually not possible. Probability DamagePotential 2 3 1
Personal data may not be used for a test execution of IT software. Data Security und Data Privacy in SAP - Data Anonymization Comprehensive real data in project, test and training systems "[..] Software and IT procedures are to be checked with systematically developed case constellations (test data, no personal data) according to a test plan, from which the desired result emerges. Mass tests can, if necessary, be carried out with anonymized original data after approval and specifications of the competent authority. The approval of the responsible authority for the anonymization of original data and all test results must be documented in a revision-proof manner. Source: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/ Inhalt/_content/m/m02/m02509.html IT Baseline Protection Catalogs 13. EL on 2013, M 2.509): 13 In SAP test- or project systems, no personal data may be held. All test procedures must be carried out with anonymous data. SAP CRM Production CRM SAP ERP / IS Production ERP SAP CRM Devel. CRM SAP ERP / IS Devel. ERP SAP CRM Test CRM SAP ERP / IS Test ERP Project- system CRM Training- system CRM Project- system ERP Training- system IS- UER P Sandbox- system CRM Sandbox- system ERP Sample of SAP System Landscape
AGENDA Natuvion Webcast Series Data Security and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 14
Challenges & Solutions Known challenges in pseudonymization Data Security und Data Privacy in SAP - Data Anonymization15 Common Challenges Solutions Networked Systems Coherent systems must also have a synchronized database after pseudonymization. Completeness The pseudonymization must take all personal data into account (customer developments and add-ons). Speed The performance of a system changeover / anonymization is based on the deciding factor of feasibility. The pseudonymization must have no noticeable influence on the established processes. Sustainability & Complexity An SAP system landscape is subject to constant change. Data structures are modified and new data structures are added which may contain data with a person reference. External Systems / Interfaces Interfaces to non-SAP systems are subject to increased attention in the context of pseudonymization. At this point, problems can arise in the testability / functionality of the processes. TDMS (SAP SE) TDA (Natuvion) EDA (Natuvion)  Rule-based data scrambling  Single systems can be pseudonymized or anonymized.  Central control via a control system possible (SOLMAN)  Rule-based pseudonymization  System landscapes or individual systems can be selectively or completely pseudonymized.  Templates for ERP / CRM / HCM / IS-U  Central control of any SAP system  Rule-based pseudonymization and anonymization  Individual systems can be selectively pseudonymized or anonymized.  Templates for IS-U / CRM  Central control of any SAP system
Scope of Anonymization Example of anonymization SAP ERP-IS-U / CRM Data Security und Data Privacy in SAP - Data Anonymization16 0 20 40 60 80 100 120 140 160 180 200 ERP CRM Relevant fields with personal data Standard Customer Stammdaten Transaction Data Customer-specific Developments  Names Replace Rule-based, Blend, Generate, Delete  Bank details Substitute Rule-based, generation, mixing of business customers, deletion  Date of Birth Generate Rule-based, setting of ranges, deletion  Addresses Centralized, overlapping address assignment  Communication Structures Replace Rule-based, Blend, Generate, Delete  Service Provider Replace Rule-based, Blend, Generate, Delete  SEPA-Mandates Consistent adaptation to the master data  Returns/Repayment Request Consistent adaptation to the master data  Payment Lot Consistent adaptation to the master data  Payment Program Consistent adaptation to the master data  CRM-Activities and IS-U Contacts  Automated content-dependent search of data fields with reference to a person  Integration of these fields into rule- dependent field modification
Test Data Anonymization (TDA) Natuvion’s Solution: Overview Key Features of the Solution Quickly supply test systems with anonymized data Comprehensive pseudo/full anonymization on ABAP-based systems Anonymization of non SAP solutions (databanks) possible Use of value tables for using real values Extremely high conversion performance (e.g. 14 Mil. Partners within 8 Hrs.) Supply data across system boundaries, to ensure the consistency of the transferred data at all times Economically & legally certified solution Compatable with NW 7.0 systems and up Distinctive data models for ERP / IS-U / FI-CA / CRM / HCM / BW 17 Data Security und Data Privacy in SAP - Data Anonymization
TDA – Test Data Anonymization Practical Demonstration of a Pseudonymization Data Security und Data Privacy in SAP - Data Anonymization18 Selection Transformation Application perspective Administration perspective Data before the anonymization Data after the anonymization ?
The data anonymization can be performed centrally from one system for all connected synchronously or on each system asynchronously. TDA – Test Data Anonymization Practical Demonstration of a Pseudonymization Data Security und Data Privacy in SAP - Data Anonymization19 Connected System Customer-Specific Developments All Personal data must be taken into account. This also affects proprietary developments and add-ons. Sustainability The permanent changes to the system landscape / data structures must be taken into account in the solution without carrying out continuous development activities. Storage tables can be supplemented easily and flexibly. Performance System anonymization within a quality or test system must be achievable in a minimum runtime frame. … Vertrag Aktivität PartnerReleati. Connec. Act. … … … … ERP CRM
Introduction TDA The implementation of the solution can be carried out in a short and manageable project framework. Data Security und Data Privacy in SAP - Data Anonymization20 Concept Test Position Individualization GoLive Support  Introduction Data anonymization in the FB and record additional requirements if necessary  Survey of relevant process, authorization or UI adjustments  Delivery of transport orders  Carry out the necessary standard customizing  Create rules and variants  Display of additional functions / selection features  Customizing as a coaching approach  Development of customer- driven developments / tables  Adaptation of variants  Test management  Test execution  Key user training  End user training  Going live  Stabilization  Certification of §9 BDSG (optional)  Adhoc-Support  Support for additional product extensions  Technical release updates  Updates for new features 2 - 3 PT 5 PT 10 – 15 PT 5 PT Support Contract Project Duration: 6 – 10 Weeks 12 - 24 Months 2 - 3 PT 3 PT 3 - 2 PT 3 PT ---- Scope Test Environment Tailoring your solution Start of Regular Operation Support Contract Typical Phases of Implementation
AGENDA Natuvion Webcast Series Data Security and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 21
Natuvion GmbH Altrottstraße 31 | 69190 Walldorf Fon +49 6227 73-1400 Fax +49 6227 73-1410 www.natuvion.com We look forward to answering your questions and concerns! Patric Dahse Managing Director Phone: +49 151 171 357 02 Mail: patric.dahse@natuvion.com 18 Data Security und Data Privacy in SAP - Data Anonymization Visit us on our website! Data Protection & Privacy www.professional-system-security.com/ Natuvion www.natuvion.com/

More Related Content

PPTX
SAP GRC AC 10.1 - ARM Workflows
byRohan Andrews
 
PDF
Data Security & Data Privacy: Data Anonymization
byPatric Dahse
 
PPTX
Big Data Readiness Assessment
byChristopher Bradley
 
PPTX
Microsoft Azure Information Protection
bySyed Sabhi Haider
 
PPTX
SAP Security & GRC Framework
byHarish Sharma
 
PPTX
Data Observability.pptx
bySonaSamad1
 
PDF
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
byAlan McSweeney
 
PPT
Introduction on sap security
byyektek
 
SAP GRC AC 10.1 - ARM Workflows
byRohan Andrews
 
Data Security & Data Privacy: Data Anonymization
byPatric Dahse
 
Big Data Readiness Assessment
byChristopher Bradley
 
Microsoft Azure Information Protection
bySyed Sabhi Haider
 
SAP Security & GRC Framework
byHarish Sharma
 
Data Observability.pptx
bySonaSamad1
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
byAlan McSweeney
 
Introduction on sap security
byyektek
 

What's hot

PDF
Activate Data Governance Using the Data Catalog
byDATAVERSITY
 
PDF
Building Data Quality pipelines with Apache Spark and Delta Lake
byDatabricks
 
PDF
Working with MS Endpoint Manager
byGeorge Grammatikos
 
PPT
DB security
byERSHUBHAM TIWARI
 
PDF
Implementing SAP security in 5 steps
byERPScan
 
PPTX
DIY-CyberArk-Blueprint-Roadmap-Template.pptx
byBirLama2
 
PDF
Data Privacy: Anonymization & Re-Identification
byMike Nowakowski
 
PPT
Sap Security Workshop
bylarrymcc
 
PPTX
ITIL - iTop combodo tool
byAmit Lanjewar
 
PDF
Empower Your Security Practitioners with Elastic SIEM
byElasticsearch
 
PPT
Shariyaz abdeen data leakage prevention presentation
byShariyaz Abdeen
 
PPTX
Azure Sentinel.pptx
byMohit Chhabra
 
PPTX
Encrypting and Protecting Your Data in Neo4j(Jeff_Tallman).pptx
byNeo4j
 
PPTX
Splunk Overview
bySplunk
 
PPT
It Policies
byJames Sutter
 
PDF
SAP HANA "THE WHY"- Value Proposition - Run Simple
bySandeep Mahindra
 
PDF
Data Loss Prevention: Challenges, Impacts & Effective Strategies
bySeccuris Inc.
 
PDF
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
byAlan McSweeney
 
PPTX
Demystifying Data Warehouse as a Service
bySnowflake Computing
 
PDF
Azure Databricks – Customer Experiences and Lessons Denzil Ribeiro Madhu Ganta
byDatabricks
 
Activate Data Governance Using the Data Catalog
byDATAVERSITY
 
Building Data Quality pipelines with Apache Spark and Delta Lake
byDatabricks
 
Working with MS Endpoint Manager
byGeorge Grammatikos
 
DB security
byERSHUBHAM TIWARI
 
Implementing SAP security in 5 steps
byERPScan
 
DIY-CyberArk-Blueprint-Roadmap-Template.pptx
byBirLama2
 
Data Privacy: Anonymization & Re-Identification
byMike Nowakowski
 
Sap Security Workshop
bylarrymcc
 
ITIL - iTop combodo tool
byAmit Lanjewar
 
Empower Your Security Practitioners with Elastic SIEM
byElasticsearch
 
Shariyaz abdeen data leakage prevention presentation
byShariyaz Abdeen
 
Azure Sentinel.pptx
byMohit Chhabra
 
Encrypting and Protecting Your Data in Neo4j(Jeff_Tallman).pptx
byNeo4j
 
Splunk Overview
bySplunk
 
It Policies
byJames Sutter
 
SAP HANA "THE WHY"- Value Proposition - Run Simple
bySandeep Mahindra
 
Data Loss Prevention: Challenges, Impacts & Effective Strategies
bySeccuris Inc.
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
byAlan McSweeney
 
Demystifying Data Warehouse as a Service
bySnowflake Computing
 
Azure Databricks – Customer Experiences and Lessons Denzil Ribeiro Madhu Ganta
byDatabricks
 

Similar to GDPR compliant data anonymization / pseudonymization

PDF
Materializing dataprivacy in sap .. how?
byNico J.W. Kuijper ECMm BPMs ERMp
 
PDF
Materializing dataprivacy in SAP - How?
byNico J.W. Kuijper ECMm BPMs ERMp
 
PDF
Data Security and Data Privacy – EU-GDPR Fields of Action
byPatric Dahse
 
PDF
Webcast Security No. 8 - Read Access Logging (RAL)
byPatric Dahse
 
PDF
GDPR & SAP: practical data governance & management activities
byNico J.W. Kuijper ECMm BPMs ERMp
 
PPTX
GDPR Data Lifecycle
byJatin Kochhar
 
PPTX
GDPR Data Life Cycle
byJatin Kochhar
 
PDF
GDPR - Sink or Swim
byGuy Griffiths
 
PDF
GDPR Art. 25 - Privacy by design and default
byMichelangelo van Dam
 
PPT
Legal And Regulatory Dp Challenges For The Financial Services Sector
byMSpadea
 
PDF
General Data Protection Regulation, a developer's story
byMichelangelo van Dam
 
PDF
SAP insider GDPR compendium Hernan Huwyler
byHernan Huwyler, MBA CPA
 
PPTX
Data protection
byRaviPrashant5
 
PPTX
3A – DATA PROTECTION: ADVICE
byCFG
 
PPTX
Real world data engineering practices for GDPR
byChing-Yu Wu
 
PPTX
A Framework of Purpose and Consent for Data Security and Consumer Privacy
byAurélie Pols
 
PPTX
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
byCodemotion
 
PDF
Accelerating the Path to GDPR Compliance
byHernan Huwyler, MBA CPA
 
PPTX
Privacy (1).pptx
byEng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
PDF
GDPR and Security.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Materializing dataprivacy in sap .. how?
byNico J.W. Kuijper ECMm BPMs ERMp
 
Materializing dataprivacy in SAP - How?
byNico J.W. Kuijper ECMm BPMs ERMp
 
Data Security and Data Privacy – EU-GDPR Fields of Action
byPatric Dahse
 
Webcast Security No. 8 - Read Access Logging (RAL)
byPatric Dahse
 
GDPR & SAP: practical data governance & management activities
byNico J.W. Kuijper ECMm BPMs ERMp
 
GDPR Data Lifecycle
byJatin Kochhar
 
GDPR Data Life Cycle
byJatin Kochhar
 
GDPR - Sink or Swim
byGuy Griffiths
 
GDPR Art. 25 - Privacy by design and default
byMichelangelo van Dam
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
byMSpadea
 
General Data Protection Regulation, a developer's story
byMichelangelo van Dam
 
SAP insider GDPR compendium Hernan Huwyler
byHernan Huwyler, MBA CPA
 
Data protection
byRaviPrashant5
 
3A – DATA PROTECTION: ADVICE
byCFG
 
Real world data engineering practices for GDPR
byChing-Yu Wu
 
A Framework of Purpose and Consent for Data Security and Consumer Privacy
byAurélie Pols
 
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
byCodemotion
 
Accelerating the Path to GDPR Compliance
byHernan Huwyler, MBA CPA
 
Privacy (1).pptx
byEng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
GDPR and Security.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 

More from Patric Dahse

PDF
SAP Cloud for Energy Webinar Series Part 1
byPatric Dahse
 
PDF
Webcast DSGVO im bw
byPatric Dahse
 
PDF
Webinar mit TakeASP: Ent-personalisierung
byPatric Dahse
 
PDF
Ent-Personalisierung von IT Systemen (Anonymisierung & Pseudonymisierung)
byPatric Dahse
 
PDF
Wie laufen Prozesse im Unternehmen wirklich ab? Wie wird der Einkauf gelebt?
byPatric Dahse
 
PDF
Steigern Sie Ihre Prozessexzellenz mit Celonis Process Mining
byPatric Dahse
 
PDF
Improve Data Protection and Compliance with UI-Level Logging and Masking
byPatric Dahse
 
PDF
UI-basierte Datenschutz | SAP UI Logging & Masking (Deutsch)
byPatric Dahse
 
PDF
Data Security und Data Privacy: Read Access Logging
byPatric Dahse
 
PDF
Russian: Webcast Security Anonymization (TDA)
byPatric Dahse
 
PDF
Webcast Security & Data Privacy: Anonymization
byPatric Dahse
 
PDF
Doing Business in Europe? GDPR: What you need to know and do
byPatric Dahse
 
PDF
How is GDPR relevant for US companies
byPatric Dahse
 
PDF
Webcast Nr. 3 - Java Entwicklung mit der SAP Cloud Platform
byPatric Dahse
 
PDF
Webcast SAP Cloud Platform 2 - Developing Tools
byPatric Dahse
 
PDF
Webcast SAP Cloud Platform No. 1: On-Boarding
byPatric Dahse
 
PDF
Einfaches Sperren und Löschen / SAP Information LifeCycle Management
byPatric Dahse
 
PDF
Neue umsatzsteuerliche Berechnungsgrundlage des Gemeinderabatts
byPatric Dahse
 
PDF
Abrechnungsprozesse im wettbewerblichen Meßstellenbetrieb
byPatric Dahse
 
PDF
Abrechnung von nonCommodity-Produkten
byPatric Dahse
 
SAP Cloud for Energy Webinar Series Part 1
byPatric Dahse
 
Webcast DSGVO im bw
byPatric Dahse
 
Webinar mit TakeASP: Ent-personalisierung
byPatric Dahse
 
Ent-Personalisierung von IT Systemen (Anonymisierung & Pseudonymisierung)
byPatric Dahse
 
Wie laufen Prozesse im Unternehmen wirklich ab? Wie wird der Einkauf gelebt?
byPatric Dahse
 
Steigern Sie Ihre Prozessexzellenz mit Celonis Process Mining
byPatric Dahse
 
Improve Data Protection and Compliance with UI-Level Logging and Masking
byPatric Dahse
 
UI-basierte Datenschutz | SAP UI Logging & Masking (Deutsch)
byPatric Dahse
 
Data Security und Data Privacy: Read Access Logging
byPatric Dahse
 
Russian: Webcast Security Anonymization (TDA)
byPatric Dahse
 
Webcast Security & Data Privacy: Anonymization
byPatric Dahse
 
Doing Business in Europe? GDPR: What you need to know and do
byPatric Dahse
 
How is GDPR relevant for US companies
byPatric Dahse
 
Webcast Nr. 3 - Java Entwicklung mit der SAP Cloud Platform
byPatric Dahse
 
Webcast SAP Cloud Platform 2 - Developing Tools
byPatric Dahse
 
Webcast SAP Cloud Platform No. 1: On-Boarding
byPatric Dahse
 
Einfaches Sperren und Löschen / SAP Information LifeCycle Management
byPatric Dahse
 
Neue umsatzsteuerliche Berechnungsgrundlage des Gemeinderabatts
byPatric Dahse
 
Abrechnungsprozesse im wettbewerblichen Meßstellenbetrieb
byPatric Dahse
 
Abrechnung von nonCommodity-Produkten
byPatric Dahse
 

Recently uploaded

PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PPTX
Exploring-AI-Basics in Artificial Intelligence
bysharmilas219546
 
PDF
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
Real-Time KPI Dashboard Playbook: What to Track Live and What Not To
byvictorworkvebo
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
AI in the Real World: From University to Industry
byDarvan Shvan
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Exploring-AI-Basics in Artificial Intelligence
bysharmilas219546
 
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Real-Time KPI Dashboard Playbook: What to Track Live and What Not To
byvictorworkvebo
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
final.pdf
byomarbishtawi04
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 

GDPR compliant data anonymization / pseudonymization

  • 1.
    Data Security andData Privacy Natuvion Webcast (4) – Data Anonymization Natuvion GmbH – 08.2017
  • 2.
    AGENDA Natuvion Webcast Series DataSecurity and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 2
  • 3.
    AGENDA Natuvion Webcast Series DataSecurity and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 3
  • 4.
    Since 2014, NATUVIONsupports customers with our experience and expertise in digitalization 4 Founded in 2014 as an owner-managed consulting company specializing in utilities, transformation and security Office locations: Walldorf, Berlin, München, Vienna(AT), Philadelphia(US) Company size: > 55 Employees Expertise of consultants: > 75 % SAP certified & Ø 12 years Utilities and SAP SAP Gold Partner SAP Recognized Expertise in Utilities SAP Landscape Transformation Long-term partner of the largest energy suppliers in Germany Services / Skills  Strategic IT-Management  IT Consulting for Utilities Industry  SAP Transformation & Data Services  SAP Security & Data Privacy / Protection  Business Intelligence / Analytics Natuvion Gruppe In-depth experience in implementation of DS-GVO / GDPR requirements Strategic partnership with SAP Data Protection and Privacy Development Teams – ILM / IRF / Consent Close & long-term partnership with IT / data protection law experts Complete understanding of the processes and requirements from a business, IT and data privacy perspective Own certified solutions specifically for consistent data erasure, information and anonymization Designated data protection and privacy expertise (solutions) Designated Transformation expertise Success Factors Conception & introduction of anonymization (IS-U / CRM) Group-wide roll-out of a system anonymization (CRM / IS-U / ERP / HCM) Selective data deletion (IS-U / CRM / ERP / BW) Deletion concept of DS-GVO / GDPR (SAP System landscape) IT and process concept conformity of affected persons rights according to DS-GVO / GDPR (Information and Transparency) System and data decommissioning with SAP ILM Concept and implementation information (SAP IRF) Relevant References Natuvion – Your specialist for the implementation and requirements of the GDPR / DS-GVO Data Security und Data Privacy in SAP - Data Anonymization
  • 5.
    Natuvion Webcasts Overview ofthe webcast series „Data Security and Data Privacy" Data Security und Data Privacy in SAP - Data Anonymization5 1 1 hr. The webcast series „Data Security and Data Privacy in SAP“ offers an outstanding overview of the actions and implementation possibilities in accordance to the EU-GDPR / EU-DSGVO. EU-DSGVO/ GDPR Onboarding Legal overview and basic structuring of the fields of action (1 hour) 2 45 min. Deletion of Existing Historical Data Consistent deletion of mass data in SAP system landscapes (30 minutes) 3 45 min. Simple Locking and Deletion Overview and experiences with the introduction of SAP Information Lifecycle Management (30 minutes) 4 45 min. Anonymization / Pseudonymization Background, challenges and implementation of a DSGVO / GDPR compliant anonymization 5 30 min. Data Reporting / Transparency DSGVO / GDPR compliant data transfer from conception to implementation - SAP IRF 6 45 min. Consent / Approval DSGVO / GDPR complient approval concept and introduction – SAP CONSENT 7 45 Min. Privacy Impact Assessment How can PIAs be implemented and continue to exist?
  • 6.
    Natuvion Webcasts Overview ofthe webcast series „Data Security and Data Privacy" Data Security und Data Privacy in SAP - Data Anonymization6 1 1 hr. The webcast series „Data Security and Data Privacy in SAP“ offers an outstanding overview of the actions and implementation possibilities in accordance to the EU-GDPR / EU-DSGVO. EU-DSGVO/ GDPR Onboarding Legal overview and basic structuring of the fields of action (1 hour) 2 45 min. Deletion of Existing Historical Data Consistent deletion of mass data in SAP system landscapes (30 minutes) 3 45 min. Simple Locking and Deletion Overview and experiences with the introduction of SAP Information Lifecycle Management (30 minutes) 4 45 min. Anonymization / Pseudonymization Background, challenges and implementation of a DSGVO / GDPR compliant anonymization 5 30 min. Data Reporting / Transparency DSGVO / GDPR compliant data transfer from conception to implementation - SAP IRF 6 45 min. Consent / Approval DSGVO / GDPR complient approval concept and introduction – SAP CONSENT 7 45 min. Privacy Impact Assessment How can PIAs be implemented and continue to exist?
  • 7.
    AGENDA Natuvion Webcast Series DataSecurity and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 7
  • 8.
    Pressure to createdata protection conformity persistently increases in the context of the new Data Protection Act. 8 Data Security und Data Privacy in SAP - Data Anonymization  Fines range from EUR 50.000 to 300.000 per violation (violations can be cumulated)  Deletion of personal data acquired and processed for a particular purpose must be deleted as soon as the knowledge of this data is no longer required for that purpose.  Information: The responsible body must provide the person concerned, on request and free of charge, with information on all stored data with reference to persons, recipients and the purpose of the storage. • (changed) Fines range up to the higher of 20 M€ or 4% of total worldwide annual turnover of affected companies. • (new) Right to data portability (Art. 20 GDPR) • (new) Privacy by Design and by Default (Art. 25 DS-GVO) • (changed) ‘Right to be forgotten’ (Art. 17 GDPR) far exceeds the current right to deletion. • (changed) Obligations regarding transparency and disclosure (Art. 12 – 15 GDPR) extend the current right to disclosure (e.g. www.selbstauskunft.net ). • (new) Data Protection Impact Assessment (Privacy Impact Assessments, Art. 35 DS-GVO) § Data Protection by May 2016 (Summary) § Data Protection by May 2018 (Summary)
  • 9.
    AGENDA Natuvion Webcast Series DataSecurity and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 9
  • 10.
    Data Security undData Privacy in SAP - Data Anonymization10 The use of personal data in energy management systems leads to four concrete fields of action. Uses of personal data in energy management IT systems: Fields of Action Comprehensive real data in project / test and training systems Historical data in productive systems Extensive database of process execution SAP Test, Training and/or project systems are built on a complete copy of the production system. The access to data is possible at any time fully and partially depending on the authorization. After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems. Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction Test and project system only with anonymous data Personal data after expiration of legitimation to be deleted Anonymization training and testing system Delete historical data Lock and implement continuous data managment 1 Customer requests to provide information Requests for information about the affected persons concerning the storage and processing of their personal data. Information is currently available as a manual process and information can only be provided with high effort and usually not in the legally prescribed format. Structured, IT-supported processing 2 3 Request for information about personal data 4
  • 11.
    Example of InitialSituation Initial example of actual IT process & system landscape 11 Historical data in productive systems After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems. Extensive database of process execution Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction Customer requests to provide information Requests for information about the affected persons concerning the storage and processing of their personal data. Information must be provided in a structured, electronic form with the following specifics; the place, the reason and the recipient as well as the duration of the storage / deletion criteria. Comprehensive real data in project / test and training systems SAP Test, Training and/or project systems are built on-a complete copy of the production system. Extensive access to data is possible.  (1) To be implemented  (2) To be implemented  (3) To be implemented 6 4 3 1 Company codes in system with verified legitimation 77.000 4.200.000 ChangeInterested Persons Inactive 1.150.000 400 With supervision Critical Currently aabout. 120 p.a. Access – dark figure Data surveys with legitimation to be verified (Current year) Req. for info. (§ 34 BDSG) Supervision (§ 38 BDSG) * Number of inquiries across all service providers currently can not be determined * Change = Rejected bills of exchange and storage of data  (3) To be implemented 1 2 3 4 Companies Real data in secondary system (Access restricted / restricted access / data anonymized) 16 4 2 475.000 Customers Extensive Limited Anonym. Data Security und Data Privacy in SAP - Data Anonymization
  • 12.
    On the wayto data privacy compliance? Anonymization / pseudonymization Data Security und Data Privacy in SAP - Data Anonymization12 Why does data need to be anonymized / pseudonymized? Risk ( 1 ) Project- / Test System ( 3 ) Quality System ( 2 ) Training System • Project / test systems are built as a copy of the productive system. • The authorization structure in this system is usually not very strict. • Both internal and external employees have extensive access to data and processes. • Technical data access / direct database access is often possible. • Training systems are built as a copy of the productive system. • The authorization structure in this system is usually mediocre, depending on the training. • Usually only internal employees are trained. • Technical access to the data is usually not possible. • Quality assurance systems are built as a copy of the productive system. • The authorization structure in this system is usually very strict. • Usually, internal employees have access to these systems. • Technical access to the data is usually not possible. Probability DamagePotential 2 3 1
  • 13.
    Personal data maynot be used for a test execution of IT software. Data Security und Data Privacy in SAP - Data Anonymization Comprehensive real data in project, test and training systems "[..] Software and IT procedures are to be checked with systematically developed case constellations (test data, no personal data) according to a test plan, from which the desired result emerges. Mass tests can, if necessary, be carried out with anonymized original data after approval and specifications of the competent authority. The approval of the responsible authority for the anonymization of original data and all test results must be documented in a revision-proof manner. Source: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/ Inhalt/_content/m/m02/m02509.html IT Baseline Protection Catalogs 13. EL on 2013, M 2.509): 13 In SAP test- or project systems, no personal data may be held. All test procedures must be carried out with anonymous data. SAP CRM Production CRM SAP ERP / IS Production ERP SAP CRM Devel. CRM SAP ERP / IS Devel. ERP SAP CRM Test CRM SAP ERP / IS Test ERP Project- system CRM Training- system CRM Project- system ERP Training- system IS- UER P Sandbox- system CRM Sandbox- system ERP Sample of SAP System Landscape
  • 14.
    AGENDA Natuvion Webcast Series DataSecurity and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 14
  • 15.
    Challenges & Solutions Knownchallenges in pseudonymization Data Security und Data Privacy in SAP - Data Anonymization15 Common Challenges Solutions Networked Systems Coherent systems must also have a synchronized database after pseudonymization. Completeness The pseudonymization must take all personal data into account (customer developments and add-ons). Speed The performance of a system changeover / anonymization is based on the deciding factor of feasibility. The pseudonymization must have no noticeable influence on the established processes. Sustainability & Complexity An SAP system landscape is subject to constant change. Data structures are modified and new data structures are added which may contain data with a person reference. External Systems / Interfaces Interfaces to non-SAP systems are subject to increased attention in the context of pseudonymization. At this point, problems can arise in the testability / functionality of the processes. TDMS (SAP SE) TDA (Natuvion) EDA (Natuvion)  Rule-based data scrambling  Single systems can be pseudonymized or anonymized.  Central control via a control system possible (SOLMAN)  Rule-based pseudonymization  System landscapes or individual systems can be selectively or completely pseudonymized.  Templates for ERP / CRM / HCM / IS-U  Central control of any SAP system  Rule-based pseudonymization and anonymization  Individual systems can be selectively pseudonymized or anonymized.  Templates for IS-U / CRM  Central control of any SAP system
  • 16.
    Scope of Anonymization Exampleof anonymization SAP ERP-IS-U / CRM Data Security und Data Privacy in SAP - Data Anonymization16 0 20 40 60 80 100 120 140 160 180 200 ERP CRM Relevant fields with personal data Standard Customer Stammdaten Transaction Data Customer-specific Developments  Names Replace Rule-based, Blend, Generate, Delete  Bank details Substitute Rule-based, generation, mixing of business customers, deletion  Date of Birth Generate Rule-based, setting of ranges, deletion  Addresses Centralized, overlapping address assignment  Communication Structures Replace Rule-based, Blend, Generate, Delete  Service Provider Replace Rule-based, Blend, Generate, Delete  SEPA-Mandates Consistent adaptation to the master data  Returns/Repayment Request Consistent adaptation to the master data  Payment Lot Consistent adaptation to the master data  Payment Program Consistent adaptation to the master data  CRM-Activities and IS-U Contacts  Automated content-dependent search of data fields with reference to a person  Integration of these fields into rule- dependent field modification
  • 17.
    Test Data Anonymization(TDA) Natuvion’s Solution: Overview Key Features of the Solution Quickly supply test systems with anonymized data Comprehensive pseudo/full anonymization on ABAP-based systems Anonymization of non SAP solutions (databanks) possible Use of value tables for using real values Extremely high conversion performance (e.g. 14 Mil. Partners within 8 Hrs.) Supply data across system boundaries, to ensure the consistency of the transferred data at all times Economically & legally certified solution Compatable with NW 7.0 systems and up Distinctive data models for ERP / IS-U / FI-CA / CRM / HCM / BW 17 Data Security und Data Privacy in SAP - Data Anonymization
  • 18.
    TDA – TestData Anonymization Practical Demonstration of a Pseudonymization Data Security und Data Privacy in SAP - Data Anonymization18 Selection Transformation Application perspective Administration perspective Data before the anonymization Data after the anonymization ?
  • 19.
    The data anonymizationcan be performed centrally from one system for all connected synchronously or on each system asynchronously. TDA – Test Data Anonymization Practical Demonstration of a Pseudonymization Data Security und Data Privacy in SAP - Data Anonymization19 Connected System Customer-Specific Developments All Personal data must be taken into account. This also affects proprietary developments and add-ons. Sustainability The permanent changes to the system landscape / data structures must be taken into account in the solution without carrying out continuous development activities. Storage tables can be supplemented easily and flexibly. Performance System anonymization within a quality or test system must be achievable in a minimum runtime frame. … Vertrag Aktivität PartnerReleati. Connec. Act. … … … … ERP CRM
  • 20.
    Introduction TDA The implementationof the solution can be carried out in a short and manageable project framework. Data Security und Data Privacy in SAP - Data Anonymization20 Concept Test Position Individualization GoLive Support  Introduction Data anonymization in the FB and record additional requirements if necessary  Survey of relevant process, authorization or UI adjustments  Delivery of transport orders  Carry out the necessary standard customizing  Create rules and variants  Display of additional functions / selection features  Customizing as a coaching approach  Development of customer- driven developments / tables  Adaptation of variants  Test management  Test execution  Key user training  End user training  Going live  Stabilization  Certification of §9 BDSG (optional)  Adhoc-Support  Support for additional product extensions  Technical release updates  Updates for new features 2 - 3 PT 5 PT 10 – 15 PT 5 PT Support Contract Project Duration: 6 – 10 Weeks 12 - 24 Months 2 - 3 PT 3 PT 3 - 2 PT 3 PT ---- Scope Test Environment Tailoring your solution Start of Regular Operation Support Contract Typical Phases of Implementation
  • 21.
    AGENDA Natuvion Webcast Series DataSecurity and Data Privacy Data Security and Privacy Policy Fields of Action: Anonymization Anonymization Solutions TDA Contact 21
  • 22.
    Natuvion GmbH Altrottstraße 31| 69190 Walldorf Fon +49 6227 73-1400 Fax +49 6227 73-1410 www.natuvion.com We look forward to answering your questions and concerns! Patric Dahse Managing Director Phone: +49 151 171 357 02 Mail: patric.dahse@natuvion.com 18 Data Security und Data Privacy in SAP - Data Anonymization Visit us on our website! Data Protection & Privacy www.professional-system-security.com/ Natuvion www.natuvion.com/

Editor's Notes

  • #12 Warum diese Kooperation