GDPR Digest
8 resources to help you plan and optimize
your GDPR compliance initiatives
Sponsored by
April 9-10 • Copenhagen
April 24-25 • Chicago
INTRODUCTION
The EU’s impending General Data Protection Regulation (GDPR) is a game changer for any
organization that does business in Europe, and becoming compliant is no small feat.
To help, SAPinsider has assembled eight popular pieces for SAP professionals. They provide
both strategic and tactical insights into how you can better plan and drive your GDPR compliance
initiatives. Sponsored by GDPR Bootcamp for SAP Customers, an event running April 9-10 in
Copenhagen and April 24-25 in Chicago, this asset is the perfect complement to the event, which
offers two days of in-depth sessions and endless opportunities to build your professional network,
ensuring that you make better business decisions, and get access to the top technologists working
with SAP solutions.
This compendium is merely the tip of the iceberg and barely scratches the surface of what you can
tap into at GDPR Bootcamp for SAP Customers. Step one is to absorb the content in this collection
and then step two is for you (and your team) to join SAPinsider at this important event. Between
this collection and the educational and networking experience at the event, you will be positioned
to successfully complete your next project and advance your career.
I truly hope that this content benefits you and I hope that you will take the next step and join me in
April.
Kind regards,
Kendall Hatch
Conference Producer
P.S. Early registration rates are in effect, so sign up soon to lock in the lowest price!
GDPR DIGEST
CONTENTS

4    How to Prepare Your SAP System for the New European Union General Data Protection Regulation
     by Hernan Huwyler, Risk and Compliance Expert | September 21, 2016
10   Be Compliant, Stay Compliant: How Policies, Procedures, Protocol, and People Help You Tackle GDPR
     by James Baird | SAPinsider, Volume 18, Issue 4 | November 7, 2017
13   Learn How to Prepare Your User Access Review to Comply with the General Data Protection Regulation (GDPR)
     by Hernan Huwyler, Risk and Compliance Expert | July 24, 2017
17   Meeting Modern Data Protection Requirements: How SAP Business Suite Helps You Comply with the Latest Data Protection Regulations
     by Volker Lehnert | SAPinsider, Volume 18, Issue 3 | August 24, 2017
26   Case Study: How SAP implemented the General Data Protection Regulation with SAP GRC Solutions
     by Mary-Luise Wagener, SAP SE
53   Are You Ready for the General Data Protection Regulation (GDPR)? How to Build a Data Retention Plan and Use Encryption and Other Toolsets to Support GDPR
     by James Baird, Sr., Dolphin
72   GDPR: What You Need from SAP to Help Demonstrate Company-Wide Compliance
     by Stephanie Gruber, SAP America
94   GDPR, SAP Solutions for GRC and Security, and You
     by Marie-Luise Wagener, SAP SE; Chris Radkowski, SAP; and Rashi Mittal, SAP
4 This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider
How to Prepare Your SAP System for the
New European Union General Data Protection
Regulation
by Hernan Huwyler, Risk and Compliance Expert
September 21, 2016
Learn how to change your practices within your SAP environment so that they comply with the new
General Data Protection Regulation (GDPR).
Key Concept
The new European Union General Data Protection Regulation (GDPR) will become effective on May
25, 2018. Companies using European personal data, both inside and outside of Europe, are adjusting
practices, privacy controls, and parameters in SAP environments to comply with this regulation. New
policies are being implemented to protect sensitive personal information that is kept in the customer,
client, employee, and candidate master, and that is sometimes transferred to or from service providers.
Preparation to comply with the new European General Data Protection Regulation (GDPR) needs
to start now. Consequences of mishandling personal data will significantly increase, since non-
complying organizations face fines of up to 4 percent of the global annual turnover or €20 million,
whichever is higher. Even though this regulation only becomes enforceable in May 2018, the requirements
and practices to protect sensitive data are already defined, and they bring major challenges. Furthermore,
it also applies to organizations based outside the European Union if they process personal data of
individuals in the EU.
Note
Global annual turnover is the revenue of a company or the amount of money a company generates
around the world. It establishes the calculation bases for a fine related to a data protection regulation
breach. Turnover is determined following the accounting principles for net sales: as in the basis of
calculation used by similar regulations, revenue from ordinary activities is taken after turnover taxes
and discounts.
This requirement creates many career opportunities for SAP experts and consultants. Being the first
to communicate and to address these compliance risks is a critical factor.
A comprehensive risk analysis about current data collection, transfer, use, and disposal against the
new GDPR requirements needs to be performed to prioritize the preparation plans. This article serves
as a roadmap to prepare your SAP system to comply with the GDPR.
1. Define In-Scope SAP Data
Personal information is any data relating to an identified or identifiable natural person, including
names, email addresses, identification numbers, bank details, medical information, and even a photo or
an IP address. The GDPR explicitly names biometric and genetic data as special categories of personal data.
A preparation plan starts by identifying all the SAP environments, clients, master data tables, and
fields containing personal information of European residents, even customized z-tables and z-fields.
All SAP systems such as SAP ERP Central Component (ECC), Business Intelligence (BI), Customer
Relationship Management (CRM), and other solutions should be included in the preparation project.
Backups, legacy systems, and archives of SAP databases should also be included in the planning.
Digitized documents integrated into SAP containing private information should also be covered.
The quantity and quality of sensitive personal data to protect largely differs between industries and
legal areas. Certain sectors, such as healthcare, insurance, banking, recruitment, and marketing, deal
with a high volume and wide variety of personal information. These sectors need to comply with
stricter industry rules and regulations. As a general reference, personal information is stored in global
master tables for customers (KNA1, KNBK, KNVK), vendors (LFA1, LFBK), addresses (ADRC, ADR2,
ADR3, ADR6), business partners (BP000, BP030), users (USR03), and credit cards (VCNUM). Other
master data tables containing employment, date of birth, citizenship, identification number, tax, and
credit data should be scoped. Also, some solutions, such as SAP Patient Relationship Management, keep
very sensitive information. The ABAP Dictionary information system helps to find further fields: report
RSCRDOMA (Where-Used List for Domain in Tables) lists every table that contains a field based on a given
domain, for instance a domain used for bank account numbers or tax identification numbers.
Personal information on employees is stored in SAP HCM infotypes. It typically includes personal
data for ethnic origin, military status, and disability (infotypes 0002 and 0077), severely challenged
persons (infotype 0004), addresses (infotype 0006), bank details (infotype 0009), related person
(infotype 0021), internal medical services (infotype 0028 with all the subtypes), and residence status
(infotype 0094). Personal information from applicants is usually included in the employee base. The
SAP country-specific features may widen the scope of personal information.
During the scope planning, it is important to validate with the business owners why the personal
information is collected for the impact assessment. Confirming the specific and legitimate needs
of keeping personal information with business experts is highly advisable. Also, understanding the
business need for each type of information helps to define responsible contact and data retention
requirements and to show how data is transferred and interfaced between the SAP system and
other systems and organizations. Reducing the amount of personal information will facilitate the
preparation by mitigating risk in the SAP system.
2. Audit the Access Rights to Transactions and Authorization
Objects
Once it is understood where personal information is stored, it can be protected accordingly. Since the
GDPR widens the scope of protected data, including data held by non-European organizations, the review
of access rights needs to be updated, improved, and well documented. User roles and access permissions
should be reduced to the least privilege each job requires.
The access rights audit consists of the review of transaction codes and the authorization objects
with their field values. The transaction codes to access the data in scope and its reports for roles
and users should be validated with business process owners. All unnecessary and unused roles and
transactions should be revoked.
As a general reference, the main transaction codes to access master data tables include:
•	 Create, change and display customers, prospects, and contact persons (XD0*, VD0*, VAP*) and
reporting-related lists (S_ALR_87012179, S_ALR_87012180)
•	 Create, change, and display vendors (XK0*, MK0*) and reporting-related lists (S_ALR_87012086)
•	 Create, change, and display employee (PA10, PA20, PA30) and applicant (PB10, PB20, PB30) files
•	 Create and maintain bank master data (FI01, FI02, FI06) and business partners (BP, BUP1)
•	 Maintain general tables (SE11, SM30, SM31)
•	 Browse data (SE16) and display a table (SE16N)
After the transactions granted to users and roles are adjusted, the review moves to the authorization
objects and field values behind them (table authorizations, HR infotype authorizations, and similar),
because display access to a table or infotype is usually reachable through several transactions. SAP GRC
solutions and other tools can support this step. Reviewing object-level access by role and by user is
the most effective approach for this work.
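To make the object-level review concrete, here is an added example that is not part of the original article and not an SAP tool. It runs the check over a constructed role export modelled on the structure of AGR_TCODES and AGR_1251: for each role it lists the in-scope transaction codes granted through S_TCODE and the in-scope tables that S_TABU_NAM (by table name) or S_TABU_DIS (by authorization group) make displayable or changeable. The table-to-authorization-group mapping is a constructed stand-in for the system's TDDAT entries, and the role names and values are invented; a real review would feed in the exports of the system under scope.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Concrete transaction codes named in the article as access paths to personal master data.
IN_SCOPE_TCODES = [
    "XD01", "XD02", "XD03", "VD01", "VD02", "VD03", "VAP1", "VAP2", "VAP3",
    "S_ALR_87012179", "S_ALR_87012180",
    "XK01", "XK02", "XK03", "MK01", "MK02", "MK03", "S_ALR_87012086",
    "PA10", "PA20", "PA30", "PB10", "PB20", "PB30",
    "FI01", "FI02", "FI06", "BP", "BUP1",
    "SE11", "SM30", "SM31", "SE16", "SE16N",
]
# Master data tables named in the article as holding personal information.
IN_SCOPE_TABLES = {"KNA1", "KNBK", "KNVK", "LFA1", "LFBK", "ADRC", "ADR2", "ADR3",
                   "ADR6", "BP000", "BP030", "USR03", "VCNUM"}
# Constructed table -> authorization group mapping standing in for a TDDAT export.
# The real group assignments must be read from the system under review.
TABLE_AUTH_GROUP = {"KNA1": "FA", "KNBK": "FA", "KNVK": "FA", "LFA1": "FA", "LFBK": "FA",
                    "ADRC": "SA", "ADR2": "SA", "ADR3": "SA", "ADR6": "SA",
                    "BP000": "FA", "BP030": "FA", "USR03": "SC", "VCNUM": "FA"}
ACTVT_DISPLAY, ACTVT_CHANGE = "03", "02"


@dataclass(frozen=True)
class AuthRow:
    """One field value of one authorization in a role, modelled on an AGR_1251 export row."""
    role: str
    obj: str    # authorization object, e.g. S_TCODE
    auth: str   # authorization instance; fields of one instance are evaluated together
    field: str  # e.g. TCD, TABLE, DICBERCLS, ACTVT
    low: str
    high: str = ""


def sap_match(pattern: str, value: str) -> bool:
    """Match an authorization value: '*' masks any run of characters, '+' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "+" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def row_grants(row: AuthRow, value: str) -> bool:
    """A LOW/HIGH pair is an inclusive range; a lone LOW is a pattern."""
    if row.high:
        return row.low <= value <= row.high
    return sap_match(row.low, value)


def review_role(role: str, rows: list[AuthRow]) -> dict:
    mine = [r for r in rows if r.role == role]
    tcodes = sorted(t for t in IN_SCOPE_TCODES
                    if any(r.obj == "S_TCODE" and r.field == "TCD" and row_grants(r, t) for r in mine))
    display, change = set(), set()
    # Group field values per authorization instance so TABLE/DICBERCLS and ACTVT are read together.
    by_auth = defaultdict(lambda: defaultdict(list))
    for r in mine:
        if r.obj in ("S_TABU_NAM", "S_TABU_DIS"):
            by_auth[(r.obj, r.auth)][r.field].append(r)
    for (obj, _), fields in by_auth.items():
        if obj == "S_TABU_NAM":
            tables = {t for t in IN_SCOPE_TABLES if any(row_grants(r, t) for r in fields["TABLE"])}
        else:
            tables = {t for t in IN_SCOPE_TABLES
                      if any(row_grants(r, TABLE_AUTH_GROUP[t]) for r in fields["DICBERCLS"])}
        if any(row_grants(r, ACTVT_DISPLAY) for r in fields["ACTVT"]):
            display |= tables
        if any(row_grants(r, ACTVT_CHANGE) for r in fields["ACTVT"]):
            change |= tables
    return {"tcodes": tcodes, "display_tables": display, "change_tables": change}


def run_review(rows: list[AuthRow]) -> dict[str, dict]:
    """Return only the roles that touch in-scope data; these need data-owner sign-off."""
    findings = {}
    for role in sorted({r.role for r in rows}):
        result = review_role(role, rows)
        if result["tcodes"] or result["display_tables"] or result["change_tables"]:
            findings[role] = result
    return findings


SAMPLE_ROWS = [  # constructed role export, not from a real system
    AuthRow("Z_SD_CUSTOMER_DISPLAY", "S_TCODE", "T-001", "TCD", "XD03"),
    AuthRow("Z_SD_CUSTOMER_DISPLAY", "S_TCODE", "T-001", "TCD", "VD03"),
    AuthRow("Z_SD_CUSTOMER_DISPLAY", "S_TABU_NAM", "T-002", "TABLE", "KNA1"),
    AuthRow("Z_SD_CUSTOMER_DISPLAY", "S_TABU_NAM", "T-002", "ACTVT", "03"),
    AuthRow("Z_BASIS_TABLE_BROWSER", "S_TCODE", "T-003", "TCD", "SE16*"),
    AuthRow("Z_BASIS_TABLE_BROWSER", "S_TCODE", "T-003", "TCD", "SM30"),
    AuthRow("Z_BASIS_TABLE_BROWSER", "S_TABU_DIS", "T-004", "DICBERCLS", "*"),
    AuthRow("Z_BASIS_TABLE_BROWSER", "S_TABU_DIS", "T-004", "ACTVT", "02", "03"),
    AuthRow("Z_FI_REPORTING", "S_TCODE", "T-005", "TCD", "S_ALR_87012179", "S_ALR_87012180"),
    AuthRow("Z_SD_ORDER_ENTRY", "S_TCODE", "T-006", "TCD", "VA01"),
    AuthRow("Z_SD_ORDER_ENTRY", "S_TCODE", "T-006", "TCD", "VA03"),
]

if __name__ == "__main__":
    for role, result in run_review(SAMPLE_ROWS).items():
        print(role, result)
```

A role that holds a generic S_TABU_DIS authorization together with a table browser such as SE16 reaches every in-scope table, which is exactly the kind of finding the data owner has to justify or revoke; the order-entry role with only VA01 and VA03 produces no finding and needs no sign-off for this review.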
3. Obtain or Update Consent from SAP Users
All SAP users in the European Union should receive an explicit notice about the personal data that is
collected about them and how it is used. One way to implement this is a data privacy pop-up at the SAP
log-on screen that carries a specific consent message with opt-in and withdrawal choices. The message
should be specific to this requirement, clearly written in the local language to explain the use of
personal information, and should require an action from the user. It should state which types of
personal data are collected, processed, disclosed, and transferred, and how user activity is logged.
Users should also be informed about their rights, for instance to access and correct their own personal
information. Transaction SUIM or report RSUSR002 can be used to filter which users should be asked for
consent, for instance, users located in the European Union.
When personal data is transferred from an SAP system to third parties, such as insurance and
medical companies, the consent should cover these cases.
4. Monitor How an SAP System Exports and Transfers
Personal Data
Compliance with the GDPR requires auditing SAP logs to detect risky user behavior. Every download of
personal information should be justified by a business need, protected, erased when it is no longer
needed, and authorized by the compliance function. For instance, an export of a report from the SAP
List Viewer (ALV) without business justification may have to be treated as a personal data breach and
reported as such.
The preparation project should plan how, by whom, and how often the SAP security logs will be
reviewed for downloaded data with private information. The protection of downloaded sensitive
information outside the SAP system is a related issue to address in a readiness plan.
The GDPR recognizes data transfer mechanisms to recipients outside the European Union, such
as the adherence to an approved Code of Conduct. SAP services, including cloud storage, remote
access, and global employee databases, need to implement a lawful data transfer mechanism. SAP
experts should review the business operations to identify circumstances in which private information
is transferred to recipients located outside Europe.
5. Define Action Plans to Anonymize Personal Data
The GDPR names pseudonymization as a safeguard that reduces the risk to individuals if personal data is
accessed without authorization. Pseudonymization replaces the identifying values in a record with codes
so that the record can no longer be attributed to a specific person without additional information,
which is kept separately and under access control. Unlike anonymization it is reversible: a few
authorized users can still display the original master data. Pseudonymization is commonly used by SAP
Healthcare solutions to protect the identity of patients.
It is particularly relevant for non-productive environments when granting access to developers,
testers, functional analysts, and contract workers. Encryption and data scrambling are also valid
action plans. SAP delivers solutions for protecting data in development and testing environments
(e.g., SAP TDMS HCM 4.0). Data scrambling is a technique used to scramble critical data sets, so the
original personal data is no longer visible to the users of the non-productive systems copied from
production.
The preparation project should consider how to assure that personal data does not leave the
productive environment.
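As an added illustration, not code from the article or from SAP, the following Python shows the distinction this section draws between pseudonymization and scrambling on a constructed extract of customer rows shaped like KNA1, KNBK, and ADR6. Personal fields are replaced with keyed, deterministic pseudonyms so that joins on KUNNR and equalities between fields (the account holder name in KNBK matching the customer name in KNA1) still hold in the test client, while the key and the re-identification table stay in production; the scrambling variant is irreversible. It also shows why the pseudonym must be keyed: an unkeyed hash of a name in the same format falls to a simple dictionary attack. The field lists, sample values, and key are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from copy import deepcopy

# Constructed field map: columns that carry personal data and must be replaced before a
# production extract is copied to a test or development client. Key fields such as KUNNR
# and ADDRNUMBER are left untouched so joins between tables keep working.
PERSONAL_FIELDS = {
    "KNA1": ("NAME1", "STRAS", "TELF1"),
    "KNBK": ("BANKN", "KOINH"),
    "ADR6": ("SMTP_ADDR",),
}

SAMPLE_EXTRACT = {  # constructed rows, not real customer data
    "KNA1": [
        {"KUNNR": "0000100001", "NAME1": "Anna Example", "STRAS": "Musterstr. 1", "TELF1": "+49 30 1234567"},
        {"KUNNR": "0000100002", "NAME1": "Bo Sample", "STRAS": "Sample Road 2", "TELF1": "+45 11 223344"},
    ],
    "KNBK": [
        {"KUNNR": "0000100001", "BANKN": "DE00123456780000001234", "KOINH": "Anna Example"},
    ],
    "ADR6": [
        {"ADDRNUMBER": "0000012345", "SMTP_ADDR": "anna@example.com"},
    ],
}


class Pseudonymizer:
    """Keyed, deterministic replacement; the key and the lookup table never leave production."""

    def __init__(self, key: bytes):
        self._key = key
        self.lookup: dict[str, str] = {}  # pseudonym -> original value, for authorized users only

    def pseudonym(self, field: str, value: str) -> str:
        tag = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:12].upper()
        # E-mail keeps a valid address shape so address validation in test cases still passes.
        out = f"p{tag.lower()}@example.invalid" if field == "SMTP_ADDR" else f"P-{tag}"
        self.lookup[out] = value
        return out

    def reidentify(self, pseudonym: str) -> str:
        """Reverse a pseudonym; raises KeyError for anything this instance did not issue."""
        return self.lookup[pseudonym]


def pseudonymize_extract(extract: dict, p: Pseudonymizer) -> dict:
    """Return a copy with personal fields replaced; the production extract is left intact."""
    out = deepcopy(extract)
    for table, rows in out.items():
        for row in rows:
            for field in PERSONAL_FIELDS.get(table, ()):
                if field in row:
                    row[field] = p.pseudonym(field, row[field])
    return out


def scramble_extract(extract: dict) -> dict:
    """Irreversible variant for copies that will never need re-identification (no lookup kept)."""
    out = deepcopy(extract)
    for table, rows in out.items():
        for row in rows:
            for field in PERSONAL_FIELDS.get(table, ()):
                if field in row:
                    token = secrets.token_hex(6).upper()
                    row[field] = f"x{token.lower()}@example.invalid" if field == "SMTP_ADDR" else f"X-{token}"
    return out


def naive_pseudonym(value: str) -> str:
    """Unkeyed hash in the same format: deterministic, but reproducible by anyone."""
    return "P-" + hashlib.sha256(value.encode()).hexdigest()[:12].upper()


def dictionary_attack(target: str, candidates: list[str]) -> str | None:
    """Recover a name from an unkeyed pseudonym by hashing a list of likely names."""
    return next((c for c in candidates if naive_pseudonym(c) == target), None)


if __name__ == "__main__":
    p = Pseudonymizer(secrets.token_bytes(32))
    test_client = pseudonymize_extract(SAMPLE_EXTRACT, p)
    for table, rows in test_client.items():
        for row in rows:
            print(table, row)
    print("re-identified:", p.reidentify(test_client["KNA1"][0]["NAME1"]))
```

The keyed variant is what the section calls pseudonymization: the test client holds no key and no lookup table, so its users cannot recover identities, yet the compliance function in production can. If the lookup table and key are destroyed, the same copy becomes effectively anonymous, which is the state the scrambling variant produces directly.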
The GDPR introduces data protection by design and by default (often called privacy by design and privacy
by default), making privacy a cornerstone of software and service development. Contracts with SAP
developers should require that the appropriate security strategy is set at the conceptual design stage,
and tenders for new developments should consider the impact of these requirements.
6. Define Action Plans to Block and Erase Personal Data
The GDPR requires organizations to erase personal data without undue delay when it is no longer needed
for its purpose, or when an employee, client, or other third party objects to the processing and
exercises the right to erasure (the right to be forgotten). In an SAP system, personal data whose
business purpose has ended is usually not deleted immediately but blocked, because document retention
rules (for example in tax and commercial law) may still require it to be kept and because referential
integrity between tables must be maintained. Blocking prevents further retrieval or processing by
ordinary users; the data is destroyed once the retention period has expired.
SAP delivers enhancement packages to block master data until the end of its retention period (e.g., the
business function ERP_CVP_ILM_1). Access to blocked data can be restricted to a few authorized users, for
instance for reversals. SAP Information Lifecycle Management (SAP ILM) covers the process of destroying
information once the retention rules are met. SAP experts should plan how to address the blocking and
deletion requirements to license the proper business solution and to adjust the data management policy.
7. Ask for Advice and Support
Many organizations are required to appoint a lead for data protection and security. This data
protection officer role is expected to set the rules for data privacy and to provide evidence of controls.
SAP experts could benefit from this new position to get advice and training about processing data
and conducting internal reviews and data privacy risk assessments.
Legal advisors specializing in data privacy can help an organization validate the preparation plan,
in particular setting the scope, data retention requirements, and cross-border data transfers. SAP
experts need legal advice to support data protection by setting security features and blocking or
deleting of personal data. Liaising with functional analysts is also advisable to identify realistic action
plans since they understand the user needs and behaviors.
There are many additional stakeholders to properly prepare for the GDPR since it places many
responsibilities at the senior executive level. The regulation creates and increases compliance
obligations on controllers to document processing activities and to implement policies. Departments
responsible for risk management, audit, and compliance will be interested in supporting a preparation
project.
The financial and human budget for preparation will vary significantly depending on the seriousness
and complexity of the privacy risks. Getting the support from upper management is critical for the
success of the preparation efforts.
Experts in SAP systems should lead organizations to prepare changes in policies, people, and control
practices to adopt the data protection principles mandated by the GDPR. It affects anyone based in the
European Union or handling personal data of European Union residents. Identifying available options in
the SAP system to mitigate the related compliance risks should start now. The scale of sanctions and
legal requirements means that actual compliance is a must.
For more general information about the preparedness for the GDPR, go to: https://www.linkedin.com/pulse/ready-new-eu-general-data-protection-regulation-6-huwyler-mba-cpa?trk=prof-post.
Hernan Huwyler is a CPA and MBA who specializes in risk management,
compliance, and internal controls for multinational companies. He works in
developing IT and SAP controls to address regulatory and legal requirements in
European and American companies. He served as Risk Management and Internal
Control Director for Veolia, leading governance practices in Iberia and Latin
America. He previously worked for Deloitte, ExxonMobil, Baker Hughes, and Tenaris.
Be Compliant, Stay Compliant
How Policies, Procedures, Protocol, and People Help You Tackle GDPR
by James Baird | SAPinsider, Volume 18, Issue 4
November 7, 2017
The General Data Protection Regulation (GDPR) — a new data privacy regulation in Europe — will
affect any organization that handles the personal data of EU residents, regardless of whether
it is located in the EU. With the regulation going into effect in May 2018, and stiff fines for non-
compliance, now is the time to establish a process for adherence. Learn how SAP customers can
ensure compliance with the GDPR by focusing on four critical areas: policies, procedures, protocol,
and people.
The General Data Protection Regulation (GDPR) is a new privacy regulation in Europe that protects the
personal data for any individual based in the European Union (EU), regardless of citizenship or where
the data is held. It applies to any organizations located inside or outside the EU if they offer goods
or services to — or monitor the behavior of — EU data subjects. The GDPR will be enforced in May
2018 and outlines strict fines for companies found to be out of compliance. Now is the time for SAP
customers to establish a process for adhering to the necessary requirements.
To be compliant — and stay compliant — with the GDPR, companies need to be mindful of four critical
areas: policies, procedures, protocol, and people (see Figure 1).
1. Policies
Identify a risk team to conduct a risk assessment. Evaluate and determine which data falls under the
GDPR, where that data resides, and how it moves through the system. Once the inventory of personal
data is complete, establish a policy for handling that data in compliance with the regulation. There
should also be a policy around proper security controls to prevent external or internal exposure of
personal data. All potential risks should be categorized and relayed to data stewards or owners before
a specific policy is put in place.
2. Procedures
Existing procedures for collecting and storing data must be adapted to be fully GDPR compliant. In
some cases, this may require an overhaul of existing procedures. In others, retained information may
no longer be required, thus eliminating some procedures altogether. Examples of well-established
procedures that will need to be reexamined include informing individuals when and why personal data
is collected and requesting that individuals give explicit consent to retain personal information.
3. Protocol
Develop a protocol for how you will handle situations in which individuals want to invoke the GDPR.
You need to consider areas such as: Who will be responsible for handling inbound requests? What is
the procedure for addressing said request? What are the cases where information needs to be kept
for legal, business, or other reasons? Each area should be thoroughly considered with the protocol
clearly communicated to all key stakeholders.
4. People
Educate your customers, vendors, and employees about the GDPR and relay the steps you are taking
to safeguard their personal information. Let them know how much you value their privacy and your
role as the custodian of their personal data. Be sure to give them peace of mind that you are taking
the regulation seriously and approaching it carefully and swiftly. In the end, they will thank you — and
your organization can rest assured that you are in full compliance.
Figure 1: Policies, procedures, protocol, and people are critical to GDPR compliance
Be Compliant, Stay Compliant
The GDPR will affect SAP customers worldwide, regardless of whether they are located in the EU.
With strict fines and regulations, non-compliance could be costly for the unprepared company.
By building your approach to the GDPR around these four critical areas, you can ensure that your
company is compliant and stays compliant in the future. To learn more, visit www.dolphin-corp.com/compliance.
James Baird
Senior Data Consultant
Dolphin Enterprise Solutions Corporation
Learn How to Prepare Your User Access Review
to Comply with the General Data Protection
Regulation (GDPR)
by Hernan Huwyler, Risk and Compliance Expert
July 24, 2017
Reviewing the user and database access in your SAP system to prepare for the new General Data
Protection Regulation (GDPR) in the European Union has some particular requirements. Controls
should be reinforced on user and database rights to access tables with personal information.
Documentation, validation, and coordination should also be more comprehensive.
Key Concept
Organizations holding or processing personal data of European Union residents should align their
SAP system access review with the General Data Protection Regulation (GDPR) readiness project to
focus on rights to display, list, and download tables with personal information. SAP system managers
should perform the access controls in collaboration with the compliance and the operations
departments.
Compliance with the General Data Protection Regulation (GDPR) requires improving SAP data
governance in companies collecting, using, and transferring personal data of European Union (EU)
residents. These new privacy rules become effective on May 25, 2018, and also apply to companies
based outside the EU if they offer products or services in the EU single market.
The review of who has access to what (also called access certification) to comply with this regulation
needs to be performed by a control methodology that differs from the one normally used. The
access review for GDPR compliance should cover master data of employees, candidates, vendors,
contractors, clients, suppliers, and business partners, as well as any other standard or custom table
or table field containing personal information (see my previous SAP Experts article, “How to Prepare
Your SAP System for the New European Union General Data Protection Regulation”). This article
contains tips to adjust and improve the user access review to comply with the GDPR.
Note
For more information about GDPR, attend SAPinsider’s GDPR Bootcamp for SAP Customers in
Copenhagen and Chicago. For more information about this bootcamp, click here.
Performing the SAP user access review for GDPR compliance has some particular features. While access
to create, change, and delete transactions, critical object authorizations, and segregation of duties
is reviewed by frequent, well-defined controls, listing and display access to personal information is
generally not covered in depth. Over time, SAP system managers have developed strong access controls
over displaying sensitive financial information in budgets and business planning; access to personal
information, however, has received much less attention. The user and database access review should now
align its controls with the GDPR project and produce the documentation needed for compliance.
It is important that SAP system managers interview the GDPR sponsors in organizations, such as
the compliance officer and the legal department, to clarify their expectations and requirements.
Some organizations focused on monitoring personal information or processing sensitive data on
a large scale should appoint a data protection officer as the leading privacy sponsor. SAP system
managers involved in access security should closely communicate with these GDPR sponsors. This
communication with the GDPR sponsors ultimately allows SAP system managers to engage the
business line in supporting changes.
During the early stages of a GDPR compliance project, personal information is mapped for SAP-
system and non-SAP-system data. This task allows the identification and classification of all personal
information processed by an organization to populate an inventory. Also, where data privacy breach
risks are high, a privacy impact assessment is done to allow identification of risks and prioritization of
control actions.
The privacy impact assessment covers risks of users exporting or downloading tables or reports
containing personal information. The assessment covers the unauthorized access to critical tables
and the transmission of databases with personal information inside and outside the organization. It
also covers current and recommended control practices for key risks.
The resulting inventory of personal data processed in the SAP environments is the starting point for
a proper access review for the GDPR. Be sure to ask for the personal information inventory and the
impact assessment when performing the SAP access review. SAP system managers should also ask
to receive any update or change on these documents.
The inventory of personal data should assign a responsible senior process manager as the data
owner. This data owner is accountable for performing and documenting the access review for each
respective SAP module. The data owners are not usually part of the SAP or the IT departments,
but rather, they are part of the department relevant for each SAP module (for instance, a CFO or an
accounting process manager for SAP Financial Accounting [FI] and Controlling [CO]). Be sure to get
a final validation of the user review for the data owners of all SAP modules under the scope of the
GDPR.
Access of employees should be controlled against the acknowledgment of the data privacy policy
and the consents. Policies and consents are being updated to include the new data privacy principles
set by the GDPR. The consents describe the purpose and how the personal data is used. Contacting
the legal and compliance departments can be helpful in coordinating the access review under
solid control practices. Following standard controls to ensure compliance with the GDPR and other
requirements, such as Sarbanes-Oxley, other privacy laws, and internal policies, avoids duplicating
tasks.
SAP roles should be updated to limit access to reports and transactions displaying personal
information to those with a legitimate purpose (the principle of least privilege or need to know). User
and database roles granting access to view sensitive personal data, such as the employees’ medical
history and trade union association, should be limited to only a few intended users and compared
against the explicit consents given by such employees. Any right allowing listing and exporting of a
large amount of personal information should be properly justified by the data owner who knows about
its business requirements. The data owner who is assigned in the personal data inventory should also
act as a role custodian for each SAP module as a best practice.
Some categories of users create high privacy risks. The data owners should properly analyze and
validate these groups of users. In general, users related to these business functions are exposed to
high risks:
•	 Human resources, including recruiting
•	 Marketing, billing, and customer management
•	 Accounts receivable and payable, and treasury
•	 SAP system administration and development
•	 Auditing and controlling
•	 Outsourced functions to external consultants and other vendors
In practice, SAP system managers may identify many needs to revoke viewing accesses for roles
and users. If the importance of the GDPR project is not well communicated across an organization,
operational areas may start to resist the project. In this case, SAP system managers should ask for
support of the GDPR sponsors to communicate both the risks of data misuse and the compliance
requirements. It is important to document how the accesses are revoked during the review by
creating user access forms.
Access of third-party vendors such as contractors, consultants, and other non-employees should
be matched against the existence of confidentiality and privacy clauses in their contracts. Also, the
roles assigned to them should be minimal to perform their contractual obligations if they need to
display or manage personal information in the SAP systems. This review should cover the testing and
productive environments as well as any access to backups of SAP data. Privileges granted to developers,
including object permissions, should also be closely reviewed when their access to the SAP system
involves personal information of employees, clients, suppliers, and other third parties.
The access review for displaying, listing, and extracting personal information in SAP systems is a
critical control to comply with the GDPR. It requires changing how the user review is performed for all
SAP systems. A breach of data privacy is and will remain at the top of business risks that SAP system
managers need to prevent. SAP system managers have a relevant role to protect not only personal data
but also the reputation of their organizations.
Hernan Huwyler is a CPA and MBA who specializes in risk management,
compliance, and internal controls for multinational companies. He works in
developing IT and SAP controls to address regulatory and legal requirements in
European and American companies. He served as Risk Management and Internal
Control Director for Veolia, leading governance practices in Iberia and Latin
America. He previously worked for Deloitte, ExxonMobil, Baker Hughes, and Tenaris.
Meeting Modern Data Protection Requirements
How SAP Business Suite Helps You Comply with the Latest Data Protection
Regulations
by Volker Lehnert | SAPinsider, Volume 18, Issue 3
August 24, 2017
As the volume of data collected by organizations continues to increase, so too do regulations
designed to protect data from misuse, particularly when it comes to personal data. One of these is
the European General Data Protection Regulation (GDPR), which goes into full effect on May 25th,
2018, and has global implications — it applies to any company that processes the personal data of
people in the EU, whether or not that company is physically located within the EU. Learn how basic
technical features and security safeguards included with SAP Business Suite applications help you
comply with key areas of the GDPR data protection legislation and avoid the risk of steep fines due to
violations.
Modern business systems are a treasure trove of highly sensitive information, such as the names,
contact information, and various financial and health details for an organization’s current and
former employees and family members, as well as valuable information about business partners,
shareholders, and customers. As the volume and types of data collected continue to increase through
smart devices, social media, and other technologies, so too have laws and regulations designed to
protect this data from misuse.
One of these regulations is the European General Data Protection Regulation (GDPR) — a regulation
intended to strengthen the protection of personal data for individuals within the European Union (EU).
The GDPR goes into full effect on May 25th, 2018, replacing the existing data protection directive
95/46/EC with a wider scope and increased penalties for non-compliance. In particular, the GDPR
significantly broadens the definition of personal data and it applies to any company — whether that
company is physically located within or outside of the EU — that processes data, offers services or
goods, or monitors the behavior of people in the EU.
The GDPR will have global implications, changing IT landscapes worldwide. So, what does this mean
for those processing data with SAP Business Suite applications? This article shows you how basic
technical features and security safeguards included with SAP Business Suite applications help you
comply with key areas of the GDPR data protection legislation. In particular, we will look at how
SAP Business Suite helps you cover legal grounds for processing personal data, ensure the rights
of data subjects (those whose personal data is being processed), and establish key technical and
organizational measures (see the sidebar for a note about terminology in this article).
It is important to understand the distinction between the various types of measures discussed in this
article:
•	 An organizational measure is an action or a sequence of actions that controls the behavior of
people, such as management advice, procedure guidelines, and training.
•	 A technical measure is a configuration, feature, or software that controls something technical,
such as authentication or encryption.
•	 Combined technical and organizational measures (TOMs) describe a holistic set of appropriate
data protection safeguards. For example, a sophisticated authentication mechanism is
worthless when passwords are shared, so an additional organizational measure is required with
procedural guidelines that prohibit people from sharing passwords.
Before diving into the details of the legal grounds specified by the GDPR, however, it is critical to first
understand the GDPR’s definition of personal data.
The GDPR Definition of Personal Data — And Why It Matters
With the GDPR, all companies within its defined material and territorial scope that deal with the
personal data of individuals in the EU must comply with its requirements.
The GDPR’s definition of personal data is quite broad: “any information relating to an identified
or identifiable natural person” is included within its scope.[1] Simply put, an “identifiable person” is
one who can be identified, directly or indirectly, by attributes such as last name, first name, telephone
number, address, age, gender, and profession.
With this definition, a significant amount of data can be considered personal data. While neither the
broad definition of personal data nor its scope are in themselves business critical, violations are
subject to administrative fines of up to 4% of the fined company’s total worldwide annual turnover of the
preceding financial year, or €20 million, whichever is higher.
Now that the scope — and implications — of what constitutes personal data in the context of the
GDPR is clear, let’s examine the legal grounds defined in the GDPR for processing personal data, and
the role SAP features and functionality can play in covering them.
Covering Legal Grounds for Processing Personal Data
According to the GDPR, the processing of personal data is lawful if at least one of the following
grounds applies (see Figure 1):
•	 The data subject has given consent
•	 The processing is necessary to perform a contract with the data subject
•	 The controller (in most cases, the legal entity responsible) is subject to a legal obligation to process the data
•	 The processing is necessary to protect the vital interests of a person, or to perform a task in the public interest
•	 The controller (or a third party) has a legitimate interest that is not overridden by the data subject’s interests and rights
Figure 1: According to the European General Data Protection Regulation (GDPR), processing
personal data is lawful if at least one of these specified conditions is met (diagram of the six legal
grounds for processing personal data: consent, contract, legal obligation, protection of vital interests,
public interest, and legitimate interest)
Here, we take a closer look at each of these conditions, and the ways in which SAP Business Suite
applications can help you meet them.
Consent
Consent is an agreement between a data subject and a controller, in which the data subject formally
agrees to the processing of personal data — via a signature or by actively clicking on a checkbox,
for example. SAP Business Suite supports the documentation of consent with two features:
the Marketing Permissions feature in the SAP Customer Relationship Management (SAP CRM)
application and the Marketing Permissions feature for customer master data available with SAP
NetWeaver 7.40.
Contract
A contract between the data subject and the controller defines the purpose of the processing of
personal data — for example, a contract between an advertiser and a media company would require
personal data to settle the contract and payment, and the processing would then be limited to that
purpose. If the controller wants to process additional personal data or use it for purposes other than
the one specified in the contract — for example, if the media company wants to sell that data to other
companies — additional, specific consent from the data subject is required.
Most business activities performed using SAP Business Suite applications are based on contracts.
SAP Business Suite applications enable you to prove the existence of a contract using transactional
or master data — for example, you can view existing sales contracts or payment transactions.
Legal Obligation
The processing of data due to legal obligation — for example, the reporting of salary figures to
tax authorities — must be proven by organizational measures, meaning any documentation that
describes processes, guidelines, or directives that control people’s behavior. For example, you could
document processing activities using SAP governance, risk, and compliance (GRC) solutions and then
link to that information from SAP Business Suite.
Vital and Public Interest
The processing of data due to vital interest is not a typical scenario for SAP Business Suite
customers. This condition might apply if data processing is required to provide medical care for
an unconscious person, for instance, and the GDPR also mentions “epidemics,” “humanitarian
emergencies,” and “natural and man-made disasters” as valid grounds.[2] While the SAP for Healthcare
industry solutions and the Industrial Hygiene and Safety component of SAP Environment, Health, and
Safety Management partially process data based on these grounds, the existence of these grounds
must be proven by organizational measures, such as documentation stored in SAP GRC solutions.
The processing of personal data based on public interest applies in cases of relevant national or EU
law, such as police checking personal data during an inquiry. Similar to vital interest, public interest is
a legal ground that must be documented organizationally.
Legitimate Interest
The processing of personal data based on legitimate interest requires balancing legally protected
interests to determine whether the interests of processing the data are more important than the data
protection rights of the data subject. By nature, this is something that cannot be solved by automated
means and must be covered by organizational measures. Solid reasoning and documentation are
particularly important in this case, since the merits of “legitimate interest” can often be challenged.
Ensuring the Rights of Data Subjects
The GDPR defines numerous rights for data subjects that organizations must ensure. While some of
these rights can only be ensured by organizational measures, here we’ll highlight some that require
a technical measure — a configuration, feature, or solution that controls something technical — or at
least technical support, and look at how SAP Business Suite applications can help.[3]
Blocking and Deletion of Personal Data
Based on our experience at SAP, one of the most impactful rights defined by the GDPR is the blocking
and deletion of personal data that is no longer required within the purpose defined for the processing.
According to the GDPR, personal data must be deleted after the primary purpose of the processing
has ended. If the data must be retained to comply with retention periods required by other legislation
— such as tax legislation — access to it must be blocked or restricted, and it must be kept only for the
duration of the longest legal retention period, after which it must be deleted.
To help with this task, as of SAP NetWeaver 7.40, SAP Business Suite applications provide simplified
blocking and deletion functionality that is based on SAP Information Lifecycle Management (SAP
ILM). All SAP Business Suite applications include required SAP ILM objects that enable the transfer
of data to an archive, which fulfills the blocking requirement. In addition, all SAP Business Suite
applications support the “end of purpose” check, also based on SAP ILM, that is triggered from central
personal master data sets, such as central business partner, customer, and vendor master data. With
this check enabled, all applications registered with a central personal master data set are triggered
to check whether they still need that data — if no longer needed, the data is marked as blocked and
access is restricted.
Restricting the Processing of Personal Data
Another requirement specified by the GDPR is the ability to restrict the processing of personal data
based on a data subject’s request while keeping the data available for the establishment, exercise, or
defense of legal claims — for instance, if you want a legal clarification due to incorrect data that led to
a wrong business decision.
The blocking and deletion functionality included with SAP Business Suite applications can be
configured to address this requirement by leaving only data in the system that is relevant to the
defined processing purpose and must be processed. SAP ILM also provides a legal hold functionality
that can be used to retain relevant data as needed.
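The blocking, retention, legal hold and deletion logic described in the two sections above, as an added example (not SAP ILM code, and not from the article): a simplified model in which each application registered to a central business partner reports its end-of-purpose date and its legal retention period, the longest retention period decides when the blocked data may go, and a legal hold keeps it beyond that point. Partner IDs, dates and the "legal_claim" and "audit" access reasons are constructed for the example.

```python
"""Blocking, retention and deletion states for a central business partner."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class Status(Enum):
    ACTIVE = "active"          # at least one application still needs the data
    BLOCKED = "blocked"        # purpose ended; kept for legal retention, access restricted
    LEGAL_HOLD = "legal_hold"  # retention elapsed, but retained for a legal claim
    DELETABLE = "deletable"    # nothing requires the data any more


@dataclass
class ApplicationRecord:
    """What one registered application reports for the partner."""
    application: str
    end_of_purpose: Optional[date]   # None = still open (e.g. an unpaid invoice)
    retention_years: int             # legal retention period after end of purpose


@dataclass
class BusinessPartner:
    bp_id: str
    records: List[ApplicationRecord]
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:               # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def end_of_purpose(bp: BusinessPartner, today: date) -> Optional[date]:
    """Ask every registered application; the partner is done only when all are."""
    if any(r.end_of_purpose is None or r.end_of_purpose > today for r in bp.records):
        return None
    return max(r.end_of_purpose for r in bp.records)


def retention_end(bp: BusinessPartner) -> date:
    """The longest legal retention period wins."""
    return max(add_years(r.end_of_purpose, r.retention_years) for r in bp.records)


def lifecycle_status(bp: BusinessPartner, today: date) -> Tuple[Status, Optional[date]]:
    if end_of_purpose(bp, today) is None:
        return Status.ACTIVE, None
    until = retention_end(bp)
    if today < until:
        return Status.BLOCKED, until
    if bp.legal_hold:
        return Status.LEGAL_HOLD, until
    return Status.DELETABLE, until


def may_display(status: Status, access_reason: str) -> bool:
    """Blocked or held data stays readable only for legal or audit purposes."""
    if status is Status.ACTIVE:
        return True
    if status is Status.DELETABLE:
        return False                  # should already have been deleted
    return access_reason in {"legal_claim", "audit"}


# Constructed partners and reference date.
TODAY = date(2024, 6, 1)
BP_OPEN = BusinessPartner("BP1", [ApplicationRecord("SD", date(2020, 1, 15), 10),
                                  ApplicationRecord("FI", None, 10)])
BP_RETAINED = BusinessPartner("BP2", [ApplicationRecord("SD", date(2019, 6, 30), 6),
                                      ApplicationRecord("FI", date(2020, 3, 31), 10)])
BP_HELD = BusinessPartner("BP3", [ApplicationRecord("SD", date(2012, 5, 1), 6)], legal_hold=True)
BP_DONE = BusinessPartner("BP4", [ApplicationRecord("SD", date(2012, 5, 1), 6),
                                  ApplicationRecord("FI", date(2013, 1, 1), 10)])

if __name__ == "__main__":
    for bp in (BP_OPEN, BP_RETAINED, BP_HELD, BP_DONE):
        print(bp.bp_id, *lifecycle_status(bp, TODAY))
```

BP2 shows the point of the "longest retention period" rule: its sales data could go in 2025, but the financial retention period runs to 2030, so the whole partner stays blocked until then. BP3 shows that a legal hold overrides an elapsed retention period without re-opening general access.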
Providing Access to Personal Data in a Readable Format
The GDPR also specifies the right of data subjects to have access to any of their personal data that is
undergoing processing. SAP Business Suite enables organizations to provide data subjects with this
information through its reporting tools. Currently, SAP is changing from application-specific reporting
to a centralized approach, which will allow for centralized reporting on data that is undergoing
processing. Regardless of the reporting approach, the decision about which data to report remains
with the company using the SAP software, so a detailed, customized, and specific configuration will
be required.
In addition, data subjects have the right to receive the personal data they provided in a structured, commonly
used, machine-readable format (data portability), which the download functionality of the SAP Business
Suite reporting tools can provide.
Establishing Technical and Organizational Measures
In addition to meeting legal requirements for processing personal data and ensuring the specified
rights of data subjects, the GDPR requires businesses to establish technical and organizational
measures (TOMs) to ensure the protection of personal data. While the GDPR does not list specific
required TOMs — it gives only example definitions — it clearly requires that appropriate TOMs be
implemented and reviewed on a regular basis (for more on related documentation and controlling
requirements, see the sidebar “Documentation and Controlling Become Key”).
Documentation and Controlling Become Key
With the European General Data Protection Regulation (GDPR), organizations are required to not
only implement technical and organizational measures to safeguard the personal data they are
processing, but also document in a record of processing activities how they have done it and why
they chose certain measures.* They must also document the controls that are in place to regularly
verify that the safeguards are appropriate, and for any new processing of personal data, they need to
conduct impact assessments to evaluate how that processing will affect the protection of personal
data.** Software such as SAP governance, risk, and compliance (GRC) solutions, which bundles the
requirements of regulations such as Sarbanes-Oxley, US Food and Drug Administration (FDA) regulations, and
the GDPR, can help you significantly simplify and manage these tasks.
* See Article 30 in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
** See Article 35 in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
So how do you know which TOMs to implement to ensure GDPR compliance? Fortunately, there
is existing legislation that can provide guidance. For example, the TOMs specified by Germany’s
Federal Data Protection Act (BDSG), in the version in force when this article was written,[4]
can serve as a useful guideline for establishing basic safeguards for processing personal data (see Figure 2).
Figure 2: The measures required by Germany’s Federal Data Protection Act (BDSG) are a useful
guideline for meeting European General Data Protection Regulation (GDPR) requirements
Physical Access Control: Prevent unauthorized persons from gaining access to data processing systems with which personal data is processed or used.
Authentication: Secure procedures to enable system access based on personal authentication.
Authorization: Procedures allowing differentiation in which data can be accessed and in which mode.
Disclosure Control: Ability to document all access to personal data.
Change Control: Ability to document all changes to personal data.
Transmission Control: Procedures and safeguards for the transmission of personal data, such as encryption during transmission.
Job Control: The data controller must ensure that the data processor follows its instructions and guidelines. This organizational task has some technical aspects, such as system auditing.
Availability Control: Procedures such as backup, disaster recovery, and business continuity.
Data Separation: Personal data collected for a specified purpose must be separated from personal data collected for other purposes.
SAP Business Suite applications provide built-in features and functionality that support most of the
TOMs listed in Figure 2 (the only area that is not supported is the physical access control, which
relates to preventing unauthorized physical access to buildings or rooms where personal data is
processed). To give you an idea of how SAP Business Suite provides this support, we’ll take a closer
look at three key TOMs that, based on our experience, are required by the GDPR.
Data Separation
Based on our experience at SAP, the purpose limitation requirement set by the GDPR is a precondition
for several technical measures. It requires the ability to separate data by attributes so that data
collected for one purpose remains separate from data collected for another purpose — a separation
also required to support the data subject’s right of access, blocking and deletion requirements,
and system access for transmission of data. It also establishes the assumption that all access —
including access by persons, machines, software logic, and any kind of transmission — must be
controlled by authorizations defined by purpose.
For this reason, the personal data to be processed needs attributes that reflect the purpose of the
processing, which can be reflected by the line organizational attributes used to define organizational
structures in SAP Business Suite (see Figure 3). Line organizational attributes can be used to separate
the data controller, which is usually a single legal entity — a company code, for example. In a group
of companies, it is critical to organize the data in a way that separates a single legal entity from any
other data.
Figure 3: Some of the line organizational attributes used by SAP Business Suite to define
organizational structures can be used to reflect processing purpose (diagram of attributes: Company
Code, Plant, Sales, Purchasing, Bank Area, Business Area, Valuation Area, Division, Distribution Channel,
Distribution, Maintenance, Shipping Point, Cost Center, Organizational Position, Transportation)
To define compliant authorizations, to organize system interfaces, to block and delete personal data,
and to fulfill transparency requirements, a properly maintained line organizational software setup is
required that reflects the legal entity or controller that processes that data. Our experience indicates
that organizations must often adapt or even rethink their master data structures to meet this
requirement.
Authorization
Remember the challenges involved in avoiding or mitigating authorization and segregation-of-duties
(SoD) conflicts in the early days of the Sarbanes-Oxley Act? Authorizations that comply with data
protection regulations such as GDPR are even harder to achieve.
To comply with the GDPR, any access to personal data needs to follow a strict basic authorization
concept.[5] Essentially, access to personal data should be granted only if the user has a reason to
handle that data according to the predefined purpose of the data processing. In addition, any access
should be at least separated by the legal entity or controller that processes that data, and also by
process organizational attributes such as order type. SAP Business Suite includes a traditional
technical authorization concept that allows separation by these types of attributes.
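The separation of access by legal entity and by process attribute, as an added example (not from the article and not SAP's own implementation): a simplified model of SAP-style authorization checks, in which an access passes only if one authorization instance covers every requested field value. The authorization objects F_BKPF_BUK (company code BUKRS and activity ACTVT) and V_VBAK_AAT (sales order type AUART) are standard SAP objects; the users, the granted values and the cross_entity_grants helper are inventions of this example.

```python
"""A purpose-bound authorization check in the style of SAP authorization objects."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Value:
    """One permitted value of an authorization field, with SAP-style semantics:
    an exact value, '*' for everything, a trailing '*' as a prefix pattern, or a
    range from low to high when high is set."""
    low: str
    high: str = ""

    def matches(self, v: str) -> bool:
        if self.high:
            return self.low <= v <= self.high
        if self.low == "*":
            return True
        if self.low.endswith("*"):
            return v.startswith(self.low[:-1])
        return v == self.low


Authorization = Dict[str, List[Value]]        # field -> permitted values
UserAuths = Dict[str, List[Authorization]]    # authorization object -> instances


def authority_check(auths: UserAuths, obj: str, **wanted: str) -> bool:
    """Pass only if ONE authorization for obj covers ALL requested field values."""
    return any(
        all(any(val.matches(v) for val in auth.get(field, [])) for field, v in wanted.items())
        for auth in auths.get(obj, [])
    )


def cross_entity_grants(auths: UserAuths, entity_field: str = "BUKRS") -> List[str]:
    """Objects where the legal-entity field is granted with '*', i.e. the user can
    reach the personal data of every controller (company code) in the system."""
    return sorted(
        obj for obj, instances in auths.items()
        if any(val.low == "*" for auth in instances for val in auth.get(entity_field, []))
    )


# Constructed users. ACTVT 01 = create, 02 = change, 03 = display.
AP_CLERK_DE: UserAuths = {       # accounts payable for the German legal entity only
    "F_BKPF_BUK": [{"BUKRS": [Value("1000")], "ACTVT": [Value("01"), Value("02"), Value("03")]}],
}
GROUP_AUDITOR: UserAuths = {     # read-only across the company codes of one group
    "F_BKPF_BUK": [{"BUKRS": [Value("1000", "1999")], "ACTVT": [Value("03")]}],
}
TWO_ENTITIES: UserAuths = {      # full access in 1000, display only in 2000
    "F_BKPF_BUK": [
        {"BUKRS": [Value("1000")], "ACTVT": [Value("*")]},
        {"BUKRS": [Value("2000")], "ACTVT": [Value("03")]},
    ],
}
ORDER_DESK: UserAuths = {        # separated by process attribute: standard orders only
    "V_VBAK_AAT": [{"AUART": [Value("OR")], "ACTVT": [Value("03")]}],
}
OVERBROAD: UserAuths = {         # what a purpose-bound concept must not contain
    "F_BKPF_BUK": [{"BUKRS": [Value("*")], "ACTVT": [Value("*")]}],
}

if __name__ == "__main__":
    print(authority_check(AP_CLERK_DE, "F_BKPF_BUK", BUKRS="2000", ACTVT="03"))   # False
    print(cross_entity_grants(OVERBROAD))                                          # ['F_BKPF_BUK']
```

TWO_ENTITIES illustrates why the instances are checked separately: the user may change documents in company code 1000 and display them in 2000, but a request to change a document in 2000 fails even though "2000" and "02" each appear somewhere in the user's authorizations.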
Transmission Control
To safeguard the security of personal data, proper encryption during transmission is required, but it is
even more important to avoid illegal transmissions. This means that you need to identify any interface
in a system dealing with personal data, document the interface, and provide authorizations ensuring
that only designated personal data is accessed according to the purpose of the processing — this
includes any data access that takes place over remote function call (RFC) connections.
To help make RFC communications more secure, SAP introduced the Unified Connectivity (UCON)
concept, a basic functionality included with SAP NetWeaver and, in turn, SAP Business Suite.[6]
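The interface inventory step above (identify every RFC interface, document it, then allow only what is documented), as an added example that is neither from the article nor UCON's own code: constructed call records in the shape that a UCON logging phase would collect (this shape is an assumption of the example) are compared against an assumed interface register. The function module names are standard SAP ones (BAPI_CUSTOMER_GETDETAIL2, BAPI_EMPLOYEE_GETDATA, RFC_READ_TABLE); the calling systems, RFC users and the register are invented.

```python
"""Reconcile logged RFC calls with the documented interface register."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed call records: (calling system, RFC user, called function module).
RFC_CALLS = [
    ("SYS_CRM", "CRM_RFCUSER", "BAPI_CUSTOMER_GETDETAIL2"),
    ("SYS_HR",  "HR_RFCUSER",  "BAPI_EMPLOYEE_GETDATA"),
    ("SYS_BI",  "BI_EXTRACT",  "RFC_READ_TABLE"),
    ("SYS_CRM", "CRM_RFCUSER", "RFC_READ_TABLE"),
    ("SYS_CRM", "CRM_RFCUSER", "BAPI_CUSTOMER_GETDETAIL2"),
]

# Assumed interface register: (caller, function module) -> documented purpose.
INTERFACE_REGISTER: Dict[Tuple[str, str], str] = {
    ("SYS_CRM", "BAPI_CUSTOMER_GETDETAIL2"): "customer master replication to CRM",
    ("SYS_HR",  "BAPI_EMPLOYEE_GETDATA"):    "payroll interface",
}

# Generic readers return whatever table the caller names, so allowing or
# blocking the function module alone cannot bind them to one purpose.
GENERIC_READERS = {"RFC_READ_TABLE"}


def undocumented_calls(calls=RFC_CALLS, register=INTERFACE_REGISTER) -> List[Tuple[str, str, int]]:
    """Caller/function pairs seen in the log but missing from the register, with call counts."""
    seen = Counter((caller, fm) for caller, _, fm in calls)
    return sorted((caller, fm, n) for (caller, fm), n in seen.items() if (caller, fm) not in register)


def generic_reader_use(calls=RFC_CALLS) -> List[Tuple[str, str]]:
    """Callers that use a generic table reader and therefore need a table-level review."""
    return sorted({(caller, fm) for caller, _, fm in calls if fm in GENERIC_READERS})


def allowlist(register=INTERFACE_REGISTER) -> Set[str]:
    """Function modules that may stay externally callable once the review is done."""
    return {fm for _, fm in register}


if __name__ == "__main__":
    print(undocumented_calls())
    print(sorted(allowlist()))
```

Two undocumented pairs come out, both using RFC_READ_TABLE. For such a generic reader the calling user's table authorizations decide what it can actually read, so the finding is a review of that RFC user's authorizations and of whether the extraction has a documented purpose, not merely of the function module.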
Conclusion
So what will happen after May 25th, 2018? Some discussions between lawyers and regulatory
authorities have focused on how the GDPR will be enforced outside the European Economic Area,
while others are centered on whether supervisory authorities will, in fact, impose fines up to 4% of
the annual turnover if a company is in violation of the GDPR. Regardless of the answers to these
questions, the well-known quote from US Deputy Attorney General Paul McNulty holds true: “If you
think compliance is expensive, try non-compliance.”
Learn more about the GDPR at www.eugdpr.org and http://data.europa.eu/eli/reg/2016/679/oj.
[1] See Article 4(1) of the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
[2] See Recital 46 of the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
[3] For a complete list of rights, see Chapter III (Articles 12 to 23) of the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
[4] View the full text of Germany’s Federal Data Protection Act (BDSG), which was enacted to implement the
European data protection directive 95/46/EC, at www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html.
[5] For a detailed discussion of basic authorization concepts, see Authorizations in SAP Software: Design and
Configuration by Volker Lehnert and Katharina Stelzner (SAP PRESS, 2011).
[6] For more on the Unified Connectivity (UCON) concept for RFC communication, see the article “Secure
Your System Communications with Unified Connectivity” in the January-March 2014 issue of SAPinsider
(SAPinsiderOnline.com).
Volker Lehnert (volker.lehnert@sap.com) is Product Owner of Data Protection
and Privacy for SAP Business Suite and SAP S/4HANA. Please note that he is
not a lawyer, and he does not provide legal advice. In this article, he shares his
personal opinion on data protection requirements and features based on his 11
years of experience in customer projects and his 5 years of experience in the
development of data protection features.
Marie-Luise Wagener, SAP SE
Case Study: How SAP implemented the General
Data Protection Regulation with SAP GRC
Solutions
1Public© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ
Public
Agenda
▪ What are the legal requirements and potential consequences in case of violations?
▪ What do I need to know and understand?
▪ Who needs to be involved?
▪ Is this a project or an implementation?
▪ How can SAP GRC help?
▪ What are key success factors?
▪ Wrap-up
This is what is out there …
(Slide shows screenshots of search results, source: www.google.de; the second screenshot is captioned “3 days later”.)
About us …
▪ 87,800 SAP employees worldwide
▪ 180 countries
▪ 25 industries
▪ 37 languages
▪ 130 country offices
▪ 15,000+ partner companies worldwide
What are the legal requirements?
What are the legal requirements?
Overview
Source: http://www.eugdpr.org/
The EU General Data Protection Regulation (GDPR)
replaces the Data Protection Directive
95/46/EC (1995)
Purpose:
▪ Harmonize data privacy laws across Europe
▪ Protect and empower all EU citizens’ data privacy
▪ Reshape the way organizations across the region
approach data privacy
What are the legal requirements?
In a nutshell
▪ Approved 14th of April 2016
▪ Altogether 88 pages
▪ 99 Articles
▪ Legislative Act
▪ In force 20 days after its publication in the
EU Official Journal
▪ Enforcement date: 25 May 2018
What are the legal requirements?
Territorial Scope ▪ Increased Territorial Scope
(extra-territorial applicability)
• Extended jurisdiction of GDPR:
Applies to all companies processing the
personal data of data subjects residing in the
Union, regardless of the company’s location
• Applies to the processing of personal data
of data subjects in the EU by a controller or
processor not established in the EU, where the
activities relate to: offering goods or services to
data subjects in the EU (irrespective of whether
payment is required) or monitoring their behavior
as far as it takes place within the EU (Art.3-2)
• Non-EU controllers and processors within this scope
must also designate a representative in the EU
(Art.27, subject to that article’s exceptions)
What are the legal requirements?
Key Definitions
▪ Personal Data (Art.4-1):
any information relating to an identified or identifiable natural
person (“data subject”)
an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier
or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural
person
▪ Data Controller (Art.4-7):
Entity (natural or legal person, public authority, agency or other body)
that determines the purposes, conditions and means of the
processing of personal data
▪ Data Processor (Art.4-8):
Entity (natural or legal person, public authority, agency or other body)
that processes data on behalf of the Data Controller
What are the legal requirements?
Penalties
▪ Penalties (Art.83)
• Organizations in breach of GDPR can be fined up to 4%
of annual global turnover (of preceding financial year)
or €20 Million (whichever is higher)
• For each individual case
• There is a tiered approach to fines e.g., a company can be
fined 2% of annual global turnover (of preceding financial
year) or €10 Million (whichever is higher) for not
sufficiently fulfilling obligations
• These rules apply to both controllers and processors
What do I need to know and understand?
What do I need to know and understand?
Consent
▪ Consent (Art.7)
• Conditions for consent: strengthened
• The request for consent shall be presented in a
manner which is clearly distinguishable from the
other matters, in an intelligible and easily
accessible form, using clear and plain language
• The data subject shall have the right to withdraw
his or her consent at any time
• It shall be as easy to withdraw as to give consent
What do I need to know and understand?
Breach
▪ Breach Notification (Art.33)
• In the case of a personal data breach, the controller
shall without undue delay and, where feasible, not
later than 72 hours after having become aware of it,
notify the personal data breach to the supervisory
authority …
• … unless the personal data breach is unlikely to result
in a risk to the rights and freedoms of natural persons
• Where the notification to the supervisory authority is not
made within 72 hours, it shall be accompanied by
reasons for the delay
• The processor shall notify the controller without
undue delay after becoming aware of a personal data
breach
What do I need to know and understand?
Rights
▪ Right of Access (Art.15)
• The data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning him or
her are being processed, and, where that is the case, access to
the personal data …
• Purpose
• Category
• Anticipated period for which the personal data will be stored
• Where data is processed and by whom
• Request rectification or erasure of personal data or restriction
of processing
• The controller has to provide a copy of the personal data, free
of charge, in an electronic format
What do I need to know and understand?
Rights (cont.)
▪ Right to be Forgotten (Art.17)
• The data subject shall have the right to obtain from the controller
the erasure of personal data concerning him or her without undue
delay and the controller shall have the obligation to erase personal
data without undue delay …
• Personal data are no longer necessary in relation to the
purposes for which they were collected or otherwise processed
• Data subject withdraws consent on which the processing is
based … and where there is no legal ground for processing
• Data subject objects to the processing … and where there is no
legal ground for processing
• Personal data have been unlawfully processed
• Personal data have to be erased for compliance with a legal
obligation …
What do I need to know and understand?
Rights (cont.)
▪ Right to Data Portability (Art.20)
• The data subject shall have the right to receive the personal data
concerning him or her, which he or she has provided to a
controller, in a structured, commonly used and machine-readable
format and have the right to transmit those data to another
controller without hindrance from the controller to which the
personal data have been provided …
What do I need to know and understand?
Rights (cont.)
▪ Data Protection by Design and by Default (Art.25)
• … time of the determination of the means for processing and at
the time of the processing itself, implement appropriate technical
and organizational measures, such as pseudonymization,
which are designed to implement data-protection principles, such
as data minimization, in an effective manner and to integrate the
necessary safeguards into the processing …
What do I need to know and understand?
Rights (cont.)
▪ Designation of Data Protection Officer (Art.37)
…The controller and the processor shall designate a data
protection officer in any case where:
• The processing is carried out by a public authority or
body, except for courts acting in their judicial capacity;
• The core activities of the controller or the processor
consist of processing operations …
DPO must have expert knowledge of data protection law
and practices … be … staff member or on basis of service
contract …
The controller or the processor shall publish the contact
details of the data protection officer and communicate them
to the supervisory authority
Who needs to be involved?
Who needs to be involved?
People
Pretty much everyone …
incl. every employee dealing with data …
Who needs to be involved?
Data
Where is the data and what kind of data do we control
or process?
▪ Data Localization
- System Landscape
- Data recording
- Data distribution
▪ Data Classification, e.g.:
- First name
- Last name
- Date of birth
- Place of birth
- Gender
- Email address (private/business)
- Log-in name
- Images w. identifiable persons
- SAP user ID
- SAP personal ID
- Social security number
- Driver's license details
- Position
- Mobile Device ID
- Telephone number
- IP address/browser
- Credit Card numbers
Is this a project or implementation?
Is this a project or implementation?
It's actually a bit of both …
You need to understand the data requirements you are dealing with
- and -
You have to make sure that the technical requirements are in place and
ready to use
Is this a project or implementation?
Preparation
1. Data Mining
Check the data you are processing with regards to personal data
of data subjects
2. Data Retention Analysis
Check data on legal retention requirements
3. Consent Management
Check on consent requirements
(In case of a company’s legitimate interest in control and risk
management activities, there is no additional consent required)
4. Technical preparation
Check the system capabilities with regards to data blocking/
archiving, deletion and information retrieval, etc.
Is this a project or implementation?
Realization
Realization Example:
… get your GRC system ready
▪ For GRC 10.1, SP 15 is required
▪ Please refer to SAP Note
2382181 – Data Protection in Access Control, Process Control and
Risk Management
Is this a project or implementation?
Switch
▪ Activate ILM in the Switch Framework via SFW5
▪ Set up roles and authorizations
▪ You need to activate the following services in SICF:
ILM_AUDIT_AREA
IRM_POLICIES
Is this a project or implementation?
ILM Enablement
▪ Global ILM enablement in IMG via SPRO for the respective components
To activate blocking or deletion of personal data on RM or PC, the
shared component GRC needs to be activated
Is this a project or implementation?
ILM Objects
▪ Determine settings for individual ILM associated entity entries
An ILM object contains the settings for ILM rules.
Block – means to hide from everyone except designated admins
Destroy – means to destroy information completely after a certain period of time
Select either legal entity (maintenance view GRFNLEGALENT, from the general tab of the org unit) or country (also on the organizational unit of RM and PC). But do not select both.
Is this a project or implementation?
ILMARA
▪ Transaction ILMARA
Definition of ILM Residence Rules and/or Retention Rules
Is this a project or implementation?
IRMPOL
▪ Transaction IRMPOL
Definition of ILM Residence Rules and/or Retention Rules
To set up the respective policies for every individual object, you will have
to utilize your results from the Data Retention Analysis.
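As an added illustration (not SAP's ILM code), the following Python model shows how residence and retention rules of the kind maintained in ILMARA/IRMPOL resolve to the Block and Destroy actions described on the ILM Objects slide, and enforces the "legal entity or country, never both" constraint. The rule precedence (legal entity before country), the legal-hold exclusion, and all object names, rules, dates and records are assumptions constructed for the example.

```python
"""Hypothetical model (added here, not SAP's ILM implementation) of how ILM
residence and retention rules resolve to actions: after the residence period a
record is BLOCKED (hidden from everyone except designated admins), after the
retention period it is DESTROYED. A rule is keyed on legal entity OR country."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IlmRule:
    ilm_object: str               # constructed object name, e.g. "GRC_RM_RISK"
    legal_entity: Optional[str]   # legal entity of the org unit (GRFNLEGALENT on the slide)
    country: Optional[str]        # or the country of the org unit
    residence_years: int          # residence period: block after this
    retention_years: int          # retention period: destroy after this

    def __post_init__(self) -> None:
        # ILM Objects slide: select either legal entity or country, not both.
        if (self.legal_entity is None) == (self.country is None):
            raise ValueError("select either legal entity or country, but not both")
        if self.retention_years < self.residence_years:
            raise ValueError("retention period must not end before residence period")


@dataclass(frozen=True)
class DataRecord:
    record_id: str
    ilm_object: str
    legal_entity: str
    country: str
    end_of_purpose: date          # date the business purpose for the data ended
    legal_hold: bool = False      # legal holds exclude data from blocking and purge


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def find_rule(rules: List[IlmRule], rec: DataRecord) -> Optional[IlmRule]:
    """Assumed precedence: a legal-entity rule is more specific than a country rule."""
    same_object = [r for r in rules if r.ilm_object == rec.ilm_object]
    for r in same_object:
        if r.legal_entity is not None and r.legal_entity == rec.legal_entity:
            return r
    for r in same_object:
        if r.country is not None and r.country == rec.country:
            return r
    return None


def decide(rule: Optional[IlmRule], rec: DataRecord, today: date) -> str:
    """Return ACTIVE, BLOCK, DESTROY, RETAIN (legal hold) or NO_RULE."""
    if rule is None:
        return "NO_RULE"          # gap in the data retention analysis: flag it, do not guess
    if rec.legal_hold:
        return "RETAIN"           # never block or destroy data under a legal hold
    if today >= add_years(rec.end_of_purpose, rule.retention_years):
        return "DESTROY"
    if today >= add_years(rec.end_of_purpose, rule.residence_years):
        return "BLOCK"
    return "ACTIVE"


def plan_actions(rules: List[IlmRule], records: List[DataRecord], today: date) -> Dict[str, str]:
    return {rec.record_id: decide(find_rule(rules, rec), rec, today) for rec in records}


# Constructed sample data: two rules for one ILM object and five records.
SAMPLE_RULES = [
    IlmRule("GRC_RM_RISK", legal_entity="LE01", country=None, residence_years=2, retention_years=10),
    IlmRule("GRC_RM_RISK", legal_entity=None, country="DE", residence_years=1, retention_years=5),
]
SAMPLE_RECORDS = [
    DataRecord("R1", "GRC_RM_RISK", "LE01", "DE", date(2015, 6, 1)),
    DataRecord("R2", "GRC_RM_RISK", "LE02", "DE", date(2012, 1, 1)),
    DataRecord("R3", "GRC_RM_RISK", "LE02", "DE", date(2012, 1, 1), legal_hold=True),
    DataRecord("R4", "GRC_RM_RISK", "LE02", "FR", date(2012, 1, 1)),
    DataRecord("R5", "GRC_RM_RISK", "LE02", "DE", date(2018, 1, 1)),
]
GDPR_DAY = date(2018, 5, 25)

if __name__ == "__main__":
    for rid, action in plan_actions(SAMPLE_RULES, SAMPLE_RECORDS, GDPR_DAY).items():
        print(rid, action)
```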
Is this a project or implementation?
Additional Topics
Additional topics we already tackle at SAP Global GRC:
▪ Segregation of duties/Authorizations – Security Concept
▪ Regular entitlement reviews
▪ Frontend integration in data breach and security incident
management solutions
▪ User trainings
▪ Controls on
- System parameter and respective changes
- RFC destinations
- Custom-table logging
- Etc.
Is this a project or implementation?
Entitlement Review
Based upon:
▪ Organizational Structure
▪ Table HRP1852
▪ Macro
Is this a project or implementation?
Custom Tables
Control: Check on logging of custom tables as per DD02L
Is this a project or implementation?
rec/client
Control: Check setting of rec/client via table TPFET
Is this a project or implementation?
RECCLIENT
Control: Check setting of RECCLIENT via table TMSPCONF
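The three controls on the preceding slides (logging of custom tables, rec/client, RECCLIENT) evaluated offline over exported table rows, as an added example that is not SAP code. Assumptions: the custom-table list comes from DD02L and the "Log data changes" flag from the technical settings (DD09L, field PROTOKOLL); TPFET and TMSPCONF rows are reduced to name/value pairs; all rows are constructed.

```python
"""Offline evaluation (added illustration, not SAP code) of the three logging
controls from the slides: custom-table change logging, the rec/client profile
parameter and the TMS RECCLIENT parameter. The input rows are constructed
dictionaries that mimic the relevant columns of the SAP tables."""
from typing import Dict, Iterable, List, Set, Tuple

CUSTOMER_PREFIXES = ("Z", "Y")   # customer namespace; partner namespaces (/ABC/) omitted here


def unlogged_custom_tables(dd02l: Iterable[Dict[str, str]],
                           dd09l: Iterable[Dict[str, str]]) -> List[str]:
    """Custom transparent tables whose technical settings do not switch on
    'Log data changes' (assumed: DD09L.PROTOKOLL == 'X'). A table without any
    DD09L row is reported as unlogged as well."""
    logged = {row["TABNAME"] for row in dd09l if row.get("PROTOKOLL") == "X"}
    return sorted(
        row["TABNAME"] for row in dd02l
        if row["TABNAME"].startswith(CUSTOMER_PREFIXES)
        and row.get("TABCLASS") == "TRANSP"
        and row["TABNAME"] not in logged
    )


def parse_client_setting(value: str) -> Tuple[str, Set[str]]:
    """rec/client and RECCLIENT accept OFF, ALL or a comma-separated client list."""
    v = value.strip().upper()
    if v in ("OFF", ""):
        return "OFF", set()
    if v == "ALL":
        return "ALL", set()
    return "LIST", {c.strip().zfill(3) for c in v.split(",") if c.strip()}


def covers_client(value: str, client: str) -> bool:
    mode, clients = parse_client_setting(value)
    return mode == "ALL" or (mode == "LIST" and client.zfill(3) in clients)


def lookup(rows: Iterable[Dict[str, str]], name: str) -> str:
    for row in rows:
        if row["NAME"] == name:
            return row["VALUE"]
    return ""   # parameter not maintained: treated like OFF


def logging_findings(tpfet: List[Dict[str, str]], tmspconf: List[Dict[str, str]],
                     productive_clients: List[str]) -> List[str]:
    """Human-readable findings; an empty list means both parameter controls pass."""
    findings = []
    rec_client = lookup(tpfet, "rec/client")
    recclient = lookup(tmspconf, "RECCLIENT")
    for client in productive_clients:
        if not covers_client(rec_client, client):
            findings.append(f"rec/client={rec_client or 'unset'} does not log client {client}")
        if not covers_client(recclient, client):
            findings.append(f"RECCLIENT={recclient or 'unset'} does not log transports into client {client}")
    return findings


# Constructed sample extracts (not from a real system).
SAMPLE_DD02L = [
    {"TABNAME": "ZGDPR_CONSENT", "TABCLASS": "TRANSP"},
    {"TABNAME": "ZGDPR_LOG", "TABCLASS": "TRANSP"},
    {"TABNAME": "ZV_CONSENT", "TABCLASS": "VIEW"},   # a view, not a transparent table
    {"TABNAME": "T000", "TABCLASS": "TRANSP"},       # SAP standard table, out of scope here
    {"TABNAME": "YHR_SSN", "TABCLASS": "TRANSP"},
]
SAMPLE_DD09L = [
    {"TABNAME": "ZGDPR_LOG", "PROTOKOLL": "X"},
    {"TABNAME": "ZGDPR_CONSENT", "PROTOKOLL": ""},
]
SAMPLE_TPFET = [{"NAME": "rec/client", "VALUE": "100,200"}]
SAMPLE_TMSPCONF = [{"NAME": "RECCLIENT", "VALUE": "OFF"}]
PRODUCTIVE_CLIENTS = ["100", "300"]

if __name__ == "__main__":
    print("unlogged custom tables:", unlogged_custom_tables(SAMPLE_DD02L, SAMPLE_DD09L))
    for finding in logging_findings(SAMPLE_TPFET, SAMPLE_TMSPCONF, PRODUCTIVE_CLIENTS):
        print("finding:", finding)
```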
Is this a project or implementation?
Plan
One thing is for sure …
You need a plan!
How can SAP GRC help?
How can SAP GRC help?
Bad news first …
there is no “THE GDPR” solution …
there is no single solution that addresses all the complex GDPR aspects …
But …
there are definitely GRC and other SAP solutions to support you!
How can SAP GRC help?
Solution Overview
How can SAP GRC help?
SAP GRC Access Control
▪ Provision of analysis for users and roles with critical and sensitive
access
▪ Definition and categorization of security design and roles for personal
data
▪ Incorporation of policies in provisioning processes for training and
assignments
▪ Periodic reviews of roles and users with access to GDPR data
▪ Transparency and insights on user activity for applications and roles
with access to GDPR data
▪ Options for properly monitored privileged users for GDPR-relevant
transactions
How can SAP GRC help?
SAP GRC Process Control
▪ Management of GDPR-related policies including approval,
distribution, acceptance, and reporting
▪ Management of data privacy impact assessments (creation,
distribution, reporting), raising issues if needed
▪ Association of GDPR requirements with internal controls over data
privacy in a central repository
▪ Scheduling of recurring performance of controls (manual or
automated) and evaluation of control effectiveness
▪ Provisioning of ongoing/real-time reporting in the context of GDPR
compliance to DPO and other relevant stakeholders
How can SAP GRC help?
SAP GRC Risk Management
▪ Management of GDPR-related risks, assessments, mitigations, and
reporting
▪ Association of GDPR risks with internal controls as mitigations in
a central repository to gain transparency and to monitor risk-control
coverage
▪ Scheduling of recurring risk assessments and validations
▪ Provisioning of ongoing/real-time reporting in the context of GDPR
compliance to DPO and other stakeholders
How can SAP GRC help?
Data Privacy Impact Survey
Workflow-based reusable
automated assessments
What are key success factors?
What are key success factors?
Do you remember when SOX (Sarbanes-Oxley Act) section 404 became effective ...
back in 2006 …
…?
What are key success factors?
(cont.)
This is similar.
What are key success factors?
Compliance
“If you think Compliance is expensive, try Non-Compliance.”
by Paul McNulty, U.S. Deputy Attorney General
What are key success factors?
Challenges
Be aware of the challenges …
▪ The overall implementation effort is significant, complex, and broad
▪ Do not underestimate the initial effort to assess your current status
versus regulatory requirements and the resulting gaps
▪ Data management is usually complex in times of Big Data and comes
with a lot of aspects to consider, e.g., internal and external data,
privacy by design, consent, storage, access, usage, retention, deletion,
etc.
▪ Do not neglect the change management aspects (organizational,
policies, procedures, training, and communication, etc.)
▪ This is not a one time effort – consider sustainability and also ongoing
costs of this program
What are key success factors?
Recommendations
A journey towards GDPR compliance
▪ Hoping you have already started …
▪ Slice and dice – multiple workstream strategy with respective work
packages
▪ Start with high-risk areas based upon a Data Privacy Impact
Assessment for example
▪ Consider retention/residence periods while prioritizing
▪ Make sure to have a dedicated program office with experts from
Data Protection and Privacy as well as IT
▪ Consider your ROI by centralizing and automating compliance
processes
Wrap-up
Where to Find More Information
SAP GRC External – www.SAP.com/grc
SAP Risk Management Help – https://help.sap.com/viewer/p/SAP_RISK_MANAGEMENT
SAP Process Control Help – https://help.sap.com/viewer/p/SAP_PROCESS_CONTROL
SAP Software Developer Network (SDN) – http://sdn.sap.com
SAP Service Marketplace* – http://service.sap.com
SAP Product Availability Matrix (PAM)* – http://support.sap.com/pam
SAP Partner Edge Portal – https://partneredge.sap.com/en/welcome.html
* Requires login credentials to the SAP Service Marketplace
Key points to take home
Have a dedicated program office with DPO and IT
Your solution approach has to be sustainable
Start with high-risk areas
Slice and dice – Consider multiple and parallel workstreams
Perform a detailed data retention analysis
Data Mining: Know where your data resides
Gap Analysis: Check legal requirements with regards to your current
state
Questions?
© 2018 SAP SE or an SAP affiliate company. All rights reserved.
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2018 Wellesley Information Services. All rights reserved.
Are You Ready for the General Data Protection
Regulation (GDPR)? How to Build a Data Retention
Plan and Use Encryption and Other Toolsets to
Support GDPR
James Baird, Sr.
Dolphin
In This Session
• Walk through the ramifications of the regulatory changes and learn what aspects your data retention plan needs to cover
• Hear how to make legal, risk, IT, and business departments work together to understand the policies and how to apply them to online information in SAP systems
• Learn to identify changes to the business or to the SAP environment that can impact retention and trigger the need to review retention rules
• Learn to leverage retention as part of a larger data management strategy that lowers the total cost of ownership of SAP systems, increases productivity, and reduces risk
• Learn how encryption can be leveraged to support GDPR for good data stewardship
Dolphin does not provide audit advice or counsel pertaining to this subject or any related legislation or compliance issue. We always recommend that you consult your qualified audit professional.
What We’ll Cover
• General Data Protection Regulation Overview
• Retention Policy Challenges
• Applying Privacy Policies in SAP Systems
• Case Study
• Wrap-up
General Data Protection Regulation Overview
EU General Data Protection Regulation
• The General Data Protection Regulation (GDPR) (www.eugdpr.org/) is a new privacy regulation in Europe that protects the personal data of any individual who is a citizen of or based in the EU, regardless of citizenship or where the data is being held.
• This regulation will be enforced from May 25, 2018
• GDPR carries more regulatory weight than the previous directive 95/46/EC on data privacy, which it replaces. There are strict fines for companies found to be out of compliance.
Global Compliance and GDPR
• GDPR applies to any organization inside or outside the EU if it offers goods or services to, or monitors the behavior of, EU data subjects
• Organizations must:
- Protect that information while it is under their stewardship
- Purge data when it is no longer needed or when the individual requests its destruction
• The same obligations and penalties apply to Data Controllers and Data Processors, such as shared services providers or websites that track an individual’s digital activities
• Penalties for non-compliance are up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher)
When Can Personal Data Be Kept?
Lawful reasons shown on the slide:
• Data owner consents to the retention of data
• To process a contract
• To meet legal requirements
• To protect vital or public interest
• To meet legitimate business needs
Examples shown on the slide: buying a product, approved process (maybe), website cookies, criminal records, legal case/holds, employee benefit records
What Are the Rights of the Data Subject?
✓ Breach Notification
✓ Right to Access
✓ Right to be Forgotten
✓ Data Portability
✓ Privacy by Design
New Role: Data Protection Officer (DPO)
• Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
• May be a staff member or an external service provider
• Contact details must be provided to the relevant DPA
• Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
• Must report directly to the highest level of management
• Must not carry out any other tasks that could result in a conflict of interest
Assessing Risk
• Have your risk team evaluate how the regulation (GDPR) will apply to the business and act quickly to take appropriate action
• This assessment will require collaboration between diverse lines of business:
- Line of Business data owners (Finance, HR, Sales, Marketing, etc.)
- Legal
- IT
- Audit
- External experts can also be engaged to help assess risk and develop a plan
(Diagram: Business, IT, Legal, Audit)
Sample: Privacy Impact Assessment
• Determine what is personal and sensitive data (IAPP, International Association of Privacy Professionals)
- Customer, consumer, vendor, employee … data – in SAP and outside SAP
• Determine where personal and sensitive data can be:
- In database or archived data (SAP)
- In emails
- On backups
- On computers
Sample: Privacy Impact Assessment (cont.)
• Evaluate the situation, processes, and procedures for handling sensitive data and make updates:
- How data is transferred to the company
- How data is put into the system (processes such as PTS…)
- How data is accessed and by whom
- How it is stored
- *** When it is destroyed and why ***
• Update processes and procedures (this can include training)
• Review training and communication methods, both internally and externally – see where updates need to be made
• Take action to secure data
• Repeat
GDPR Overview
Personal information should only be kept as long as there is a legitimate business interest that ties to why the data was gathered
(Diagram: Fundamental Rights, Individual Expectations, Business Interests)
Retention Policy Challenges
What Is a Retention Policy?
• A retention policy is a protocol within an organization for retaining information for operational use while ensuring adherence to the laws and regulations concerning it
• It is the first step in protecting an organization’s data against financial, civil, and criminal penalties
Retention Challenges
• Complex Retention Requirements
• Protect Privacy
• Lengthy Retention Periods
Global Regulations
• The majority of data is retained for financial audits (i.e., SOX), but other regulations can impact retention periods:
- GDPR: General Data Protection Regulation (EU)
- HIPAA: Health Insurance Portability and Accountability Act (USA)
- PII: Personally Identifiable Information
- PIPEDA: Personal Information Protection & Electronic Documents Act
- PHIA: Personal Health Information Act
- PCI DSS: Payment Card Industry Data Security Standard
Retention for Various Periods
• Retention is increasingly important as audits become more complex
• Organizations must retain data for variable periods of time
• Multi-national companies need to balance different retention requirements for different jurisdictions
• Retention policies can be tracked in the SAP GRC environment, once they are aligned with SAP data
Retention periods shown on the slide:
Health: 30 years+
Financial: 7 years
Academic: 10 years
Legal: ? years
Legal Holds
• In the event of legal action a small subset of data must be retained indefinitely
• Data archive and purge activities must exclude data that is subject to legal holds
• The complexity of legal holds keeps many companies from purging data at all
Review Retention Policies for Electronic Data
• Retention policies should be reviewed when:
- New systems are added to the IT landscape (such as cloud)
- The business goes through a transformation:
  - A merger or acquisition that adds new data responsibilities
  - A divestiture, which can have legal rules governing how data is handled
- New laws and regulations are put in place (SOX, SAF-T, GDPR …)
- Increased threats from hackers going after personal and business data
- New or updated functionality – such as updates in SAP GRC
- Other reasons
A Retention Action Plan!
1. Work with Legal to understand recent changes to data retention policies and regulations
2. Work with IT and business groups to understand the impact of policies (such as on electronic data sources and records)
3. Automate the retention process to ensure continual data management
4. Tie in SAP GRC for tracking and monitoring retention policies
5. Ensure you have the ability to access retained data (including documents/attachments) easily to support the Right to Information
6. Ensure there is an approved process for purging data – use workflows to ensure appropriate approvals are collected
7. Implement a regular review process (annually at least) to ensure retention policies are kept up to date
Applying Privacy Policies in SAP Systems
A 5-Step Approach to GDPR Compliance
(Diagram; the elements shown are listed here.)
Phases: Legal Assessment; Privacy Impact Analysis/Statement; System Readiness Assessment; Implementation; Application
Elements: Case Management; Disposition; Audits; Blocking; Encryption; Data/Document Purge; Data Inventory & Privacy Footprint; Retention Compliance; Access Protection; Reporting Analysis
Focus: Retention and Access
Ongoing Enablement
Applying Privacy Policies to SAP Data and Documents
• Focus areas:
- Retention
- Access Control
• Other aspects of GDPR (e.g., notice of breach, etc.) need to be considered separately
Decision flow (diagram):
Personal Data? – no → No Action; yes → next question
Intended Purpose? – yes → No Action; no → next question
Retention Periods? – yes → Block; no → Delete
Applying Privacy Policies to SAP Data and Documents
• Erasure or Purge: Irreversible and adequate deletion of personal data
after the retention period (the period of time during which personal information
must be retained as required by law) has expired
• Blocking/Encryption/Masking: Method of preventing access to personal
data that is no longer necessary for the primary purposes for which it
was collected
Applying Privacy Policies to SAP Data and Documents
Methods by which to restrict the processing
of personal data in such a manner that the
personal data is unavailable to users and
cannot be subject to further processing
operations or changes
GDPR sec. 67
What Else Do You Need for GDPR?
• Access Restrictions
• Ongoing Management
• Automated eDiscovery
eDiscovery Tools – SAP Environment
• Both online and archived transactional data
• Related unstructured documents must also be located
- Documents contain another level of privacy data
• Responsibility extends to both types of information, and the discovery solution must support both together to produce a usable report
Case Study
Manage Complex Retention Rules
Customer: the largest diversified provider of post-acute care services in the United States
• Business needs to meet privacy requirements such as:
- Delete HR information data and attachments according to complex retention rules
- Extract HR information to support litigation
• Benefits
- Ensured privacy requirements are met
- Lowered cost of storage of long-term data
- Increased speed in response to litigation
Wrap-Up
Benefits of Retention Management Solutions for GDPR
• Lower Costs: Reduce the cost of storing data and documents for long periods
• Increase Productivity: Simplify the process of retaining data and documents according to legal requirements
• Reduce Risk: Secure data and documents and flexibly comply with legal retention requirements
Where to Find More Information
• Official Journal of the European Union – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
- http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• The European Union General Data Protection Regulation homepage
- www.eugdpr.org/
• James Baird, “Be Compliant, Stay Compliant: How Policies, Procedures, Protocol, and People Help You Tackle the GDPR,” (SAPinsider, November 2017).
- http://sapinsider.wispubs.com/Assets/Articles/2017/November/SPI-Be-Compliant-Stay-Compliant
Key Points to Take Home
• Retention policies must be applied to online information (data and documents) in SAP systems and related systems, just as they are to paper-based documents
• Different data requires different retention periods and is subject to different regulations and audits
• Legal, Risk, IT, and Business must work together to understand the policies and how to apply them to online information in SAP systems
• Retention policies must be reviewed regularly to ensure compliance with regulations
• Changes to the business or to the SAP environment can impact retention and therefore retention rules should be reviewed whenever there is a major change
Key Points to Take Home (cont.)
• Using third-party tools can improve compliance by automating the archiving and purging of information according to retention rules
• Retention should be part of a larger data management strategy that lowers the total cost of ownership of SAP systems, increases productivity, and reduces risk
Your Turn!
Please remember to complete your session evaluation
Thank You
Any Questions?
James Baird, Senior Information Consultant
james.baird@dolphin-corp.com
Disclaimer
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2018 Wellesley Information Services. All rights reserved.
Stephanie Gruber, SAP America
GDPR: What You Need from SAP to Help Demonstrate Company-Wide
Compliance
1CUSTOMER© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ
Customer
Legal Disclaimer
NOTE: The information contained in this presentation is for general guidance only and provided on the understanding that
SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation.
SAP SE accepts no liability for any actions taken as response hereto.
It is the customer’s responsibility to adopt measures that the customer deems appropriate to achieve GDPR compliance.
GDPR DIGEST
73 This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider
2 | Customer | © 2017 SAP SE or an SAP affiliate company. All rights reserved.
Agenda
General Data Protection Regulation Requirements and Impact
Managing GDPR Compliance with SAP Solutions
Data Privacy and Protection at SAP
SAP Solutions for GDPR Wrap-up
Appendix
Top of Mind Challenges
Cybersecurity vs. Data Privacy
Cybersecurity is different than Data Privacy.

Cybersecurity
Protection of information against unauthorized access through computing environments
Risk: Loss, deletion, abuse
Responsible: Information Security Officer

Data Privacy
Protection of individuals with regard to the processing of personal data
Risk: Infringement of personal rights
Responsible: Data Privacy Officer

Technical and Organizational Measures (TOMs)

General Data Protection Regulation Requirements and Impact
SAP insider GDPR compendium Hernan Huwyler

Market Sizes Sample Report - 2024 Edition
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Time
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
 

SAP insider GDPR compendium Hernan Huwyler

GDPR DIGEST CONTENTS

p. 4   How to Prepare Your SAP System for the New European Union General Data Protection Regulation
       by Hernan Huwyler, Risk and Compliance Expert | September 21, 2016
p. 10  Be Compliant, Stay Compliant: How Policies, Procedures, Protocol, and People Help You Tackle GDPR
       by James Baird | SAPinsider, Volume 18, Issue 4 | November 7, 2017
p. 13  Learn How to Prepare Your User Access Review to Comply with the General Data Protection Regulation (GDPR)
       by Hernan Huwyler, Risk and Compliance Expert | July 24, 2017
p. 17  Meeting Modern Data Protection Requirements: How SAP Business Suite Helps You Comply with the Latest Data Protection Regulations
       by Volker Lehnert | SAPinsider, Volume 18, Issue 3 | August 24, 2017
p. 26  Case Study: How SAP implemented the General Data Protection Regulation with SAP GRC Solutions
       by Mary-Luise Wagener, SAP SE
p. 53  Are You Ready for the General Data Protection Regulation (GDPR)? How to Build a Data Retention Plan and Use Encryption and Other Toolsets to Support GDPR
       by James Baird, Sr., Dolphin
p. 72  GDPR: What You Need from SAP to Help Demonstrate Company-Wide Compliance
       by Stephanie Gruber, SAP America
p. 94  GDPR, SAP Solutions for GRC and Security, and You
       by Marie-Luise Wagener, SAP SE; Chris Radkowski, SAP; and Rashi Mittal, SAP
GDPR DIGEST 4
This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider

How to Prepare Your SAP System for the New European Union General Data Protection Regulation
by Hernan Huwyler, Risk and Compliance Expert
September 21, 2016

Learn how to change your practices within your SAP environment so that they comply with the new General Data Protection Regulation (GDPR).

Key Concept
The new European Union General Data Protection Regulation (GDPR) will become effective on May 25, 2018. Companies using European personal data, both inside and outside of Europe, are adjusting practices, privacy controls, and parameters in SAP environments to comply with this regulation. New policies are being implemented to protect sensitive personal information that is kept in the customer, client, employee, and candidate master, and that is sometimes transferred to or from service providers.

Preparation to comply with the new European General Data Protection Regulation (GDPR) needs to start now. Consequences of mishandling personal data will significantly increase, since non-complying organizations face fines of up to 4 percent of global annual turnover or €20 million, whichever is higher. Even though this regulation becomes effective in May 2018, the requirements and practices to protect sensitive data are already defined, and they bring major challenges. Furthermore, the regulation also applies to organizations based outside the European Union if they process personal data of European residents.

Note
Global annual turnover is the revenue of a company, or the amount of money a company generates around the world. It establishes the calculation basis for a fine related to a data protection regulation breach. Fines are calculated following the accounting principles for gross and net sales (net of discounts and taxes). Using the basis of calculation in similar regulations, the revenue is taken from ordinary activities and after turnover taxes and discounts.

This requirement creates many career opportunities for SAP experts and consultants. Being the first to communicate and to address these compliance risks is a critical factor.
A comprehensive risk analysis of current data collection, transfer, use, and disposal against the new GDPR requirements needs to be performed to prioritize the preparation plans. This article serves as a roadmap to prepare your SAP system to comply with the GDPR.

1. Define In-Scope SAP Data

Personal information is any data relating to an individual, including names, email addresses, identification numbers, bank details, medical information, and even a photo or an IP address. The GDPR also broadens personal information to biometric and genetic data.

A preparation plan starts by identifying all the SAP environments, clients, master data tables, and fields containing personal information of European residents, even customized Z tables and Z fields. All SAP systems, such as SAP ERP Central Component (ECC), Business Intelligence (BI), Customer Relationship Management (CRM), and other solutions, should be included in the preparation project. Backups, legacy systems, and archives of SAP databases should also be included in the planning. Digitized documents integrated into SAP that contain private information should also be covered.

The quantity and quality of sensitive personal data to protect differ widely between industries and legal areas. Certain sectors, such as healthcare, insurance, banking, recruitment, and marketing, deal with a high volume and wide variety of personal information. These sectors need to comply with stricter industry rules and regulations.

As a general reference, personal information is stored in global master tables for customers (KNA1, KNBK, KNVK), vendors (LFA1, LFBK), addresses (ADRC, ADR2, ADR3, ADR6), business partners (BP000, BP030), users (USR03), and credit cards (VCNUM). Other master data tables containing employment, date of birth, citizenship, identification number, tax, and credit data should be scoped. Also, some solutions, such as SAP Patient Relationship Management, keep very sensitive information. The information system repository in SAP ABAP can be used to list all the tables containing fields with personal information, using the program Where-Used List for Domain in Tables (RSCRDOMA).

Personal information on employees is stored in SAP HCM infotypes. It typically includes personal data on ethnic origin, military status, and disability (infotypes 0002 and 0077), severely challenged persons (infotype 0004), addresses (infotype 0006), bank details (infotype 0009), related persons (infotype 0021), internal medical services (infotype 0028 with all its subtypes), and residence status (infotype 0094). Personal information from applicants is usually included in the employee base. The SAP country-specific features may widen the scope of personal information.

During the scope planning, it is important to validate with the business owners why the personal information is collected, as input for the impact assessment. Confirming the specific and legitimate needs for keeping personal information with business experts is highly advisable. Also, understanding the business need for each type of information helps to define the responsible contact and the data retention requirements, and to show how data is transferred and interfaced between the SAP system and other systems and organizations. Reducing the amount of personal information will facilitate the preparation by mitigating risk in the SAP system.

2. Audit the Access Rights to Transactions and Authorization Objects

Once it is understood where personal information is stored, it can be protected accordingly. Since the new GDPR applies to more data from non-European organizations, the review of access rights needs to be updated, improved, and well documented. User roles and access permissions should be adjusted to least privilege.

The access rights audit consists of the review of transaction codes and the authorization objects with their field values. The transaction codes that access the in-scope data and its reports, for both roles and users, should be validated with business process owners. All unnecessary and unused roles and transactions should be revoked. As a general reference, the main transaction codes to access master data tables include:

• Create, change, and display customers, prospects, and contact persons (XD0*, VD0*, VAP*) and reporting-related lists (S_ALR_87012179, S_ALR_87012180)
• Create, change, and display vendors (XK0*, MK0*) and reporting-related lists (S_ALR_87012086)
• Create, change, and display employee (PA10, PA20, PA30) and applicant (PB10, PB20, PB30) files
• Create and maintain bank master data (FI01, FI02, FI06) and business partners (BP, BUP1)
• Maintain general tables (SE11, SM30, SM31)
• Browse data (SE16) and display a table (SE16N)

After the transactions granted to users and roles are adjusted, the review focuses on access to objects. It can be done by using SAP GRC solutions and other tools. Reviewing the access to objects by roles and users is the most effective approach for this work.
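As an added example (not code from the article or from SAP), the following script turns the transaction-code list of section 2 into a first-pass review: it reads a constructed role-to-transaction export, classifies each code by the personal data it reaches, rates generic table tools highest, and lists every grant the data owner has not justified as a revocation candidate. The export format, users, roles and justifications are assumptions made for the example.

```python
"""Audit role-to-transaction assignments for access to personal data.

Added example; not code from the SAPinsider article or from SAP. The
transaction-code patterns come from section 2 of the article. The
semicolon-separated export format, the users, roles and justifications
are constructed for this example.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Transaction codes the article lists for reaching master data with
# personal information, grouped by what they reach. "*" is the SAP
# wildcard (XD0* covers XD01, XD02, XD03, ...).
PERSONAL_DATA_TCODES = {
    "customer_master": ["XD0*", "VD0*", "VAP*", "S_ALR_87012179", "S_ALR_87012180"],
    "vendor_master": ["XK0*", "MK0*", "S_ALR_87012086"],
    "employee_applicant": ["PA10", "PA20", "PA30", "PB10", "PB20", "PB30"],
    "bank_business_partner": ["FI01", "FI02", "FI06", "BP", "BUP1"],
    "table_maintenance": ["SE11", "SM30", "SM31"],
    "table_browsing": ["SE16", "SE16N"],
}

# Generic table tools bypass the application screens and reach every
# in-scope table (KNA1, LFA1, ADRC, ...), so they are rated highest.
BROAD_ACCESS = {"table_maintenance", "table_browsing"}
SEVERITY_RANK = {"high": 0, "medium": 1}


def classify_tcode(tcode):
    """Return the personal-data category of a transaction code, or None."""
    tcode = tcode.upper()
    for category, patterns in PERSONAL_DATA_TCODES.items():
        if any(fnmatchcase(tcode, pattern) for pattern in patterns):
            return category
    return None


def parse_assignments(lines):
    """Parse 'USER;ROLE;TCODE' lines into (user, role, tcode) tuples."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, role, tcode = (field.strip().upper() for field in line.split(";"))
        rows.append((user, role, tcode))
    return rows


def audit(rows, justified):
    """Rank each user's unjustified reach into personal data for the review.

    `justified` maps (user, category) to the business justification the
    process owner recorded; grants without one are revocation candidates.
    """
    reach = defaultdict(lambda: defaultdict(set))
    for user, role, tcode in rows:
        category = classify_tcode(tcode)
        if category is not None:
            reach[user][category].add((role, tcode))

    findings = []
    for user, categories in reach.items():
        for category, grants in categories.items():
            if (user, category) in justified:
                continue  # validated by the data owner, keep
            findings.append({
                "user": user,
                "category": category,
                "grants": sorted(grants),
                "severity": "high" if category in BROAD_ACCESS else "medium",
            })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["user"], f["category"]))
    return findings


# Constructed sample export; not taken from any real system.
SAMPLE_EXPORT = """
# user;role;tcode
JDOE;Z_SD_SALES_DISPLAY;VD03
JDOE;Z_SD_SALES_DISPLAY;VA03
JDOE;Z_BASIS_SUPPORT;SE16N
ASMITH;Z_HR_ADMIN;PA30
ASMITH;Z_HR_ADMIN;PB30
CONTRACTOR1;Z_DEV_ALL;SE16
CONTRACTOR1;Z_DEV_ALL;SE11
MLEE;Z_FI_AP;MK03
MLEE;Z_FI_AP;FB60
"""

# Justifications the data owners signed off (constructed).
JUSTIFIED = {
    ("ASMITH", "employee_applicant"): "HR administrator; validated by HR data owner",
}


if __name__ == "__main__":
    for finding in audit(parse_assignments(SAMPLE_EXPORT.splitlines()), JUSTIFIED):
        print(f"{finding['severity']:6} {finding['user']:12} {finding['category']:22}",
              ", ".join(f"{role}/{tcode}" for role, tcode in finding["grants"]))
```

The second pass the article describes, reviewing authorization objects and field values, is not covered here; this script only narrows the list of users and roles the data owners need to look at.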
3. Obtain or Update Consent from SAP Users

An explicit notification of the personal data collected and used should be given to all European SAP users. This requirement may be implemented by setting a data privacy pop-up message at the SAP log-on screen with a specific consent message offering opt-in and withdrawal choices. The pop-up message should be specific enough to address this requirement, should be clearly written in the local language to explain the use of personal information, and should ask for an action from the user. The consent message displayed to users should inform them about the type of personal data that is collected, processed, disclosed, and transferred, and how their activity is logged. Users should also be informed about their rights, for instance, to access and to correct their own personal information. Transaction SUIM or report RSUSR002 can be used to filter which users should provide consent, for instance, users located in the European Union. When personal data is transferred from an SAP system to third parties, such as insurance and medical companies, the consent should cover these cases.

4. Monitor How an SAP System Exports and Transfers Personal Data

Compliance with the new GDPR requires auditing of SAP logs to detect risky behaviors by users. All downloads of private information should be strictly justified by a business need, protected, erased when no longer needed, and authorized by the compliance function. For instance, exporting reports with the SAP List Viewer (ALV) without business justification is considered a data breach to report. The preparation project should plan how, by whom, and how often the SAP security logs will be reviewed for downloaded data containing private information. The protection of downloaded sensitive information outside the SAP system is a related issue to address in a readiness plan.

The GDPR recognizes data transfer mechanisms to recipients outside the European Union, such as adherence to an approved Code of Conduct. SAP services, including cloud storage, remote access, and global employee databases, need to implement a lawful data transfer mechanism. SAP experts should review the business operations to identify circumstances in which private information is transferred to recipients located outside Europe.

5. Define Action Plans to Anonymize Personal Data

The GDPR recommends the use of data pseudonymization to prevent unauthorized access to personal data. Pseudonymization is a technique whereby the personal data records are replaced by dummy codes to make it impossible to identify the people in question. Pseudonymization still allows some authorized users to display the original master data. Pseudonymization is generally used by SAP Healthcare solutions to protect the identity of patients. It is particularly relevant for non-productive environments when granting access to developers, testers, functional analysts, and contract workers.

Encryption and data scrambling are also valid action plans. SAP delivers solutions for protecting data in development and testing environments (e.g., SAP TDMS HCM 4.0). Data scrambling is a technique used to scramble critical data sets so that the original personal data is no longer visible to the users of the non-productive systems copied from production. The preparation project should consider how to assure that personal data does not leave the productive environment.
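The two techniques section 5 distinguishes, shown side by side as an added example (not code from the article, from SAP TDMS or from any SAP tool): pseudonymization replaces direct identifiers with dummy codes and keeps the mapping in a separately held vault that only authorized roles may query, while scrambling for a non-productive copy keeps the field formats but retains no mapping at all. In both modes the customer number KUNNR is left intact so joins to other tables still resolve; the KNA1-style field names are real SAP column names, and the record, key and roles are constructed.

```python
"""Pseudonymize and scramble SAP-style customer master records.

Added example; not code from the SAPinsider article, SAP TDMS or any
SAP tool. The KNA1-like field names are real SAP column names; the
record, the key and the roles are constructed for this example.
"""
import hashlib
import hmac

# Fields that identify a person directly. KUNNR is left untouched in both
# modes so that joins to KNVK, KNBK, ADRC still resolve (data integrity).
DIRECT_IDENTIFIERS = ("NAME1", "STRAS", "TELF1", "SMTP_ADDR")

# Constructed secret; in a real setup it lives in a key store and never
# in the non-productive system that receives the output.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(value, context, length):
    """Keyed, deterministic tag: equal inputs give equal outputs, so one
    customer appearing in several tables is replaced consistently."""
    msg = f"{context}|{value}".encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:length]


class PseudonymVault:
    """Holds the code -> original mapping, separately from the data set."""

    def __init__(self):
        self._map = {}

    def pseudonymize(self, record):
        """Replace direct identifiers with dummy codes; keep the other fields."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                code = "P" + _tag(out[field], field, 10).upper()
                self._map[code] = out[field]
                out[field] = code
        return out

    def resolve(self, code, role):
        """Only authorized roles may display the original master data."""
        if role not in {"data_owner", "privacy_officer"}:
            raise PermissionError(f"role {role!r} may not re-identify {code}")
        return self._map[code]


def scramble(record):
    """Irreversible replacement for non-productive copies: field formats
    are kept (digits for the phone, address shape for the e-mail) but no
    mapping back to the productive value exists anywhere."""
    out = dict(record)
    if "NAME1" in out:
        out["NAME1"] = "Test Customer " + _tag(out["NAME1"], "scr", 6)
    if "STRAS" in out:
        out["STRAS"] = f"Teststrasse {int(_tag(out['STRAS'], 'scr', 3), 16) % 999 + 1}"
    if "TELF1" in out:
        digits = str(int(_tag(out["TELF1"], "scr", 16), 16))
        width = len(out["TELF1"])
        out["TELF1"] = digits[:width].ljust(width, "0")
    if "SMTP_ADDR" in out:
        out["SMTP_ADDR"] = "user" + _tag(out["SMTP_ADDR"], "scr", 8) + "@example.invalid"
    return out


def leaked_identifiers(original, copy):
    """Control check before a copy leaves production: a direct identifier
    that still equals the productive value is a finding."""
    return [f for f in DIRECT_IDENTIFIERS
            if f in original and original[f] == copy.get(f)]


# Constructed record (not real customer data).
CUSTOMER = {
    "KUNNR": "0000100042", "NAME1": "Erika Mustermann", "STRAS": "Musterweg 7",
    "ORT01": "Berlin", "LAND1": "DE", "TELF1": "+49301234567",
    "SMTP_ADDR": "erika@example.org",
}

if __name__ == "__main__":
    vault = PseudonymVault()
    print("pseudonymized:", vault.pseudonymize(CUSTOMER))
    print("scrambled:    ", scramble(CUSTOMER))
    print("leaks:        ", leaked_identifiers(CUSTOMER, scramble(CUSTOMER)))
```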
The GDPR brings in privacy-by-default and privacy-by-design approaches to encourage privacy to be a cornerstone of software and services development. Contracting with SAP developers will be required to assure that the appropriate security strategy is set at the conceptual design stage. Tendering of new developments should consider the impact of these requirements.

6. Define Action Plans to Block and Erase Personal Data

The GDPR requires organizations to erase personal data without undue delay when it is no longer needed or when an employee, client, or other third party objects to the inclusion of the data and exercises the right to be forgotten. Personal information is not erased in an SAP system, but is blocked to comply with document retention rules and to maintain the data integrity between tables. Once it is recorded in an SAP system, data cannot be properly erased in a legal sense. Blocking information prevents further retrieval or processing. SAP delivers enhancement packages to block master data until an expiration date (e.g., ERP_CVP_ILM_1). Access to blocked data can be granted to admin users for reversals. SAP Information Lifecycle Management (SAP ILM) addresses the process to delete information after business rules are met. SAP experts should plan how to address the blocking and deletion requirements in order to license the proper business solution and to adjust the data management policy.

7. Ask for Advice and Support

Many organizations are required to appoint a lead for data protection and security. This data protection officer role is expected to set the rules for data privacy and to provide evidence of controls. SAP experts could benefit from this new position to get advice and training about processing data and conducting internal reviews and data privacy risk assessments.
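The block-then-delete lifecycle of section 6, modelled as an added example (not code from the article, from SAP ILM or from the ERP_CVP_ILM_1 business function): blocking starts the retention clock instead of erasing, blocked data is hidden from ordinary users but an admin can reverse the block, and a destruction run removes the personal content only once retention has ended, leaving the key as a tombstone so other tables keep their references. The retention periods, roles, dates and records are assumptions made for the example.

```python
"""Block-then-delete lifecycle for personal master data.

Added example; not code from the SAPinsider article, from SAP ILM or from
the ERP_CVP_ILM_1 business function. Retention periods, roles, dates and
records are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention rules per data category (an ILM policy would hold
# the real, legally derived values).
RETENTION = {
    "customer_master": timedelta(days=365 * 10),
    "applicant": timedelta(days=180),
}
ADMIN_ROLES = {"admin"}


@dataclass
class Record:
    key: str
    category: str
    data: dict
    blocked_on: Optional[date] = None
    block_reason: str = ""
    deleted: bool = False

    @property
    def retention_end(self) -> Optional[date]:
        """Retention runs from the block date; unblocked data has no end date."""
        if self.blocked_on is None:
            return None
        return self.blocked_on + RETENTION[self.category]


class MasterDataStore:
    def __init__(self):
        self._records = {}
        self.audit_log = []  # (date, action, key, detail): evidence of controls

    def add(self, record: Record):
        self._records[record.key] = record

    def block(self, key: str, reason: str, today: date) -> date:
        """End of purpose or objection by the data subject: block, do not erase."""
        rec = self._records[key]
        if rec.deleted:
            raise KeyError(f"{key} already deleted")
        if rec.blocked_on is None:
            rec.blocked_on, rec.block_reason = today, reason
            self.audit_log.append((today, "BLOCK", key, reason))
        return rec.retention_end

    def unblock(self, key: str, role: str, today: date):
        """Reversal of a block is an admin-only action and is logged."""
        if role not in ADMIN_ROLES:
            raise PermissionError(f"role {role!r} may not unblock {key}")
        rec = self._records[key]
        if rec.deleted:
            raise KeyError(f"{key} already deleted, block cannot be reversed")
        rec.blocked_on, rec.block_reason = None, ""
        self.audit_log.append((today, "UNBLOCK", key, role))

    def display(self, key: str, role: str) -> dict:
        """Blocked data is not retrievable or processable by ordinary users."""
        rec = self._records[key]
        if rec.deleted:
            raise KeyError(f"{key} has been deleted")
        if rec.blocked_on is not None and role not in ADMIN_ROLES:
            raise PermissionError(f"{key} is blocked ({rec.block_reason})")
        return dict(rec.data)

    def run_deletion(self, today: date) -> list:
        """Destruction run: delete only records whose retention has ended.

        The key stays as a tombstone so that references from other tables
        still resolve; only the personal content is removed."""
        destroyed = []
        for rec in self._records.values():
            end = rec.retention_end
            if not rec.deleted and end is not None and end <= today:
                rec.data, rec.deleted = {}, True
                destroyed.append(rec.key)
                self.audit_log.append((today, "DELETE", rec.key, "retention ended"))
        return sorted(destroyed)

    def is_deleted(self, key: str) -> bool:
        return self._records[key].deleted


if __name__ == "__main__":
    store = MasterDataStore()
    store.add(Record("APP-7", "applicant", {"NAME1": "Max Mustermann"}))
    start = date(2018, 5, 25)
    print("retention ends", store.block("APP-7", "applicant rejected", start))
    print("deleted on day 180:", store.run_deletion(start + timedelta(days=180)))
    print(store.audit_log)
```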
Legal advisors specializing in data privacy can help an organization validate the preparation plan, in particular for setting the scope, data retention requirements, and cross-border data transfers. SAP experts need legal advice to support data protection by setting security features and blocking or deleting personal data. Liaising with functional analysts is also advisable to identify realistic action plans, since they understand the user needs and behaviors.

There are many additional stakeholders in properly preparing for the GDPR, since it places many responsibilities at the senior executive level. The regulation creates and increases compliance obligations on controllers to document processing activities and to implement policies. Departments responsible for risk management, audit, and compliance will be interested in supporting a preparation project. The financial and human budget for preparation will vary significantly depending on the seriousness and complexity of the privacy risks. Getting support from upper management is critical for the success of the preparation efforts.

Experts in SAP systems should lead organizations to prepare changes in policies, people, and control practices to adopt the data protection principles mandated by the GDPR. It affects anyone based in the European Union or handling personal data of European Union residents. Identifying available options in the SAP system to mitigate the related compliance risks should start now. The scale of sanctions and legal requirements means that actual compliance is a must. For more general information about preparedness for the GDPR, go to: https://www.linkedin.com/pulse/ready-new-eu-general-data-protection-regulation-6-huwyler-mba-cpa?trk=prof-post.

Hernan Huwyler is a CPA and MBA who specializes in risk management, compliance, and internal controls for multinational companies. He works in developing IT and SAP controls to address regulatory and legal requirements in European and American companies. He served as Risk Management and Internal Control Director for Veolia, leading governance practices in Iberia and Latin America. He previously worked for Deloitte, ExxonMobil, Baker Hughes, and Tenaris.
Be Compliant, Stay Compliant
How Policies, Procedures, Protocol, and People Help You Tackle GDPR
by James Baird | SAPinsider, Volume 18, Issue 4
November 7, 2017

The General Data Protection Regulation (GDPR) — a new data privacy regulation in Europe — will affect any organization that handles the personal data of EU residents, regardless of whether it is located in the EU. With the regulation going into effect in May 2018, and stiff fines for non-compliance, now is the time to establish a process for adherence. Learn how SAP customers can ensure compliance with the GDPR by focusing on four critical areas: policies, procedures, protocol, and people.

The General Data Protection Regulation (GDPR) is a new privacy regulation in Europe that protects the personal data of any individual based in the European Union (EU), regardless of citizenship or where the data is held. It applies to any organization located inside or outside the EU if it offers goods or services to — or monitors the behavior of — EU data subjects. The GDPR will be enforced in May 2018 and outlines strict fines for companies found to be out of compliance. Now is the time for SAP customers to establish a process for adhering to the necessary requirements. To be compliant — and stay compliant — with the GDPR, companies need to be mindful of four critical areas: policies, procedures, protocol, and people (see Figure 1).

1. Policies
Identify a risk team to conduct a risk assessment. Evaluate and determine which data falls under the GDPR, where that data resides, and how it moves through the system. Once the inventory of personal data is complete, establish a policy for handling that data in compliance with the regulation. There should also be a policy around proper security controls to prevent external or internal exposure of personal data. All potential risks should be categorized and relayed to data stewards or owners before a specific policy is put in place.

2. Procedures
Existing procedures for collecting and storing data must be adapted to be fully GDPR compliant. In some cases, this may require an overhaul of existing procedures. In others, retained information may no longer be required, thus eliminating some procedures altogether. Examples of well-established procedures that will need to be reexamined include informing individuals when and why personal data is collected and requesting that individuals give explicit consent to retain personal information.

3. Protocol
Develop a protocol for how you will handle situations in which individuals want to invoke the GDPR. You need to consider areas such as: Who will be responsible for handling inbound requests? What is the procedure for addressing such a request? What are the cases where information needs to be kept for legal, business, or other reasons? Each area should be thoroughly considered, with the protocol clearly communicated to all key stakeholders.

4. People
Educate your customers, vendors, and employees about the GDPR and relay the steps you are taking to safeguard their personal information. Let them know how much you value their privacy and your role as the custodian of their personal data. Be sure to give them peace of mind that you are taking the regulation seriously and approaching it carefully and swiftly. In the end, they will thank you — and your organization can rest assured that you are in full compliance.

Figure 1: Policies, procedures, protocol, and people are critical to GDPR compliance

The GDPR will affect SAP customers worldwide, regardless of whether they are located in the EU. With strict fines and regulations, non-compliance could be costly for the unprepared company. By building your approach to the GDPR around these four critical areas, you can ensure that your company is compliant and stays compliant in the future. To learn more, visit www.dolphin-corp.com/compliance.

James Baird
Senior Data Consultant
Dolphin Enterprise Solutions Corporation
Learn How to Prepare Your User Access Review to Comply with the General Data Protection Regulation (GDPR)
by Hernan Huwyler, Risk and Compliance Expert
July 24, 2017

Reviewing the user and database access in your SAP system to prepare for the new General Data Protection Regulation (GDPR) in the European Union has some particular requirements. Controls should be reinforced on user and database rights to access tables with personal information. Documentation, validation, and coordination should also be more comprehensive.

Key Concept
Organizations holding or processing personal data of European Union residents should align their SAP system access review with the General Data Protection Regulation (GDPR) readiness project to focus on rights to display, list, and download tables with personal information. SAP system managers should perform the access controls in collaboration with the compliance and operations departments.

Compliance with the General Data Protection Regulation (GDPR) requires improving SAP data governance in companies collecting, using, and transferring personal data of European Union (EU) residents. These new privacy rules become effective on May 25, 2018, and also apply to companies based outside the EU if they offer products or services in the EU single market. The review of who has access to what (also called access certification) to comply with this regulation needs to be performed with a control methodology that differs from the one normally used. The access review for GDPR compliance should cover master data of employees, candidates, vendors, contractors, clients, suppliers, and business partners, as well as any other standard or custom table or table field containing personal information (see my previous SAP Experts article, “How to Prepare Your SAP System for the New European Union General Data Protection Regulation”). This article contains tips to adjust and improve the user access review to comply with the GDPR.

Note
For more information about GDPR, attend SAPinsider’s GDPR Bootcamp for SAP Customers in Copenhagen and Chicago.
Performing the SAP user access review for GDPR compliance has its particularities. While the review of access to create, change, and delete transactions, critical object authorizations, and segregation of duties is performed by frequent, well-defined controls, the review of listing and display access for personal information is generally not covered in depth. SAP system managers have developed strong access controls over displaying sensitive financial information in budgets and business planning over time. However, access to personal information has gotten much less attention. The user and database access review should now consider the need to align controls to the GDPR project and the documentation for compliance.

It is important that SAP system managers interview the GDPR sponsors in the organization, such as the compliance officer and the legal department, to clarify their expectations and requirements. Some organizations focused on monitoring personal information or processing sensitive data on a large scale should appoint a data protection officer as the leading privacy sponsor. SAP system managers involved in access security should communicate closely with these GDPR sponsors. This communication with the GDPR sponsors ultimately allows SAP system managers to engage the business line in supporting changes.

During the early stages of a GDPR compliance project, personal information is mapped for SAP-system and non-SAP-system data. This task allows the identification and classification of all personal information processed by an organization to populate an inventory. Also, where data privacy breach risks are high, a privacy impact assessment is done to allow identification of risks and prioritization of control actions. The privacy impact assessment covers the risks of users exporting or downloading tables or reports containing personal information. The assessment covers unauthorized access to critical tables and the transmission of databases with personal information inside and outside the organization. It also covers current and recommended control practices for key risks.

The resulting inventory of personal data processed in the SAP environments is the starting point for a proper access review for the GDPR. Be sure to ask for the personal information inventory and the impact assessment when performing the SAP access review. SAP system managers should also ask to receive any update or change to these documents. The inventory of personal data should assign a responsible senior process manager as the data owner. This data owner is accountable for performing and documenting the access review for each respective SAP module. The data owners are not usually part of the SAP or IT departments; rather, they are part of the department relevant for each SAP module (for instance, a CFO or an accounting process manager for SAP Financial Accounting [FI] and Controlling [CO]). Be sure to get a final validation of the user review from the data owners of all SAP modules under the scope of the GDPR.
  • 15. GDPR DIGEST 15 This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider Access of employees should be controlled against the acknowledgment of the data privacy policy and the consents. Policies and consents are being updated to include the new data privacy principles set by the GDPR. The consents describe the purpose and how the personal data is used. Contacting the legal and compliance departments can be helpful in coordinating the access review under solid control practices. Following standard controls to ensure compliance with the GDPR and other requirements, such as Sarbanes-Oxley, other privacy laws, and internal polices, avoids duplicating tasks. SAP roles should be updated to limit access to reports and transactions displaying personal information to those with a legitimate purpose (the principle of least privilege or need to know). User and database roles granting access to view sensitive personal data, such as the employees’ medical history and trade union association, should be limited to only a few intended users and compared against the explicit consents given by such employees. Any right allowing listing and exporting of a large amount of personal information should be properly justified by the data owner who knows about its business requirements. The data owner who is assigned in the personal data inventory should also act as a role custodian for each SAP module as a best practice. Some categories of users create high privacy risks. The data owners should properly analyze and validate these groups of users. 
In general, users related to these business functions are exposed to high risks: • Human resources, including recruiting • Marketing, billing, and customer management • Accounts receivable and payable, and treasury • SAP system administration and development • Auditing and controlling • Outsourced functions to external consultants and other vendors In practice, SAP system managers may identify many needs to revoke viewing accesses for roles and users. If the importance of the GDPR project is not well communicated across an organization, operational areas may start to resist the project. In this case, SAP system managers should ask for support of the GDPR sponsors to communicate both the risks of data misuse and the compliance requirements. It is important to document how the accesses are revoked during the review by creating user access forms. Access of third-party vendors such as contractors, consultants, and other non-employees should be matched against the existence of confidentiality and privacy clauses in their contracts. Also, the roles assigned to them should be minimal to perform their contractual obligations if they need to display or manage personal information in the SAP systems. These roles also include access to also
  • 16. GDPR DIGEST 16 This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider include the testing and productive environments and access to backups of SAP data. Privileges granted to developers, including object permissions, should also be closely reviewed when accessing the SAP system involves personal information of employees, clients, suppliers, and other third parties. The access review for displaying, listing, and extracting personal information in SAP systems is a critical control to comply with the GDPR. It requires changing how the user review is performed for all SAP systems. A breach of data privacy is and will remain at the top of business risks that SAP system managers need to prevent. SAP system managers have a relevant role to protect not only personal data but also the reputation of their organizations. Hernan Huwyler is a CPA and MBA who specializes in risk management, compliance, and internal controls for multinational companies. He works in developing IT and SAP controls to address regulatory and legal requirements in European and American companies. He served as Risk Management and Internal Control Director for Veolia, leading governance practices in Iberia and Latin America. He previously worked for Deloitte, ExxonMobil, Baker Hughes, and Tenaris.
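Once the inputs the article names are available as data (the personal data inventory with its data owners, the role definitions, the list of third parties and their contract clauses, the policy acknowledgments), much of the review can be run mechanically and only the exceptions handed to the data owners. The following Python script is an added example; it is not from the article or from SAP, and the record layout, role names, user ids, module codes and owner assignments are all constructed for the illustration. It flags the five conditions the article raises: a role whose module has no data owner in the inventory, a user who displays personal data without having acknowledged the privacy policy, an external user without a confidentiality clause, bulk listing or export rights that the data owner has not justified, and a sensitive-data role assigned outside the small set of intended users.

```python
"""Added example (not from the article or from SAP): an access-review pass over
constructed SAP user and role data that flags the conditions the article names.
Record layouts, role names, user ids and owner assignments are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    module: str               # SAP module the role belongs to (FI, HR, SD, ...)
    displays_personal: bool   # can display or list personal data
    exports_personal: bool    # can list or export personal data in bulk (downloads, table access)
    sensitive: bool           # covers special categories (medical history, trade union membership)


@dataclass(frozen=True)
class User:
    uid: str
    kind: str                     # "employee" or "external" (contractor, consultant, vendor staff)
    policy_ack: bool              # has acknowledged the data privacy policy
    confidentiality_clause: bool  # externals only: privacy clause present in the contract
    roles: Tuple[str, ...]


Finding = Tuple[str, str, str]    # (user id, role name, finding code)


def review_access(users: List[User], roles: Dict[str, Role],
                  inventory_owners: Dict[str, str],
                  approved_exports: Set[Tuple[str, str]],
                  intended_sensitive: Dict[str, Set[str]]) -> List[Finding]:
    """Return one finding per (user, role, condition) that a data owner must resolve."""
    findings: List[Finding] = []
    for user in users:
        for role_name in user.roles:
            role = roles[role_name]
            if not role.displays_personal:
                continue  # roles without personal data stay with the usual SoD review
            if role.module not in inventory_owners:
                findings.append((user.uid, role_name, "no_data_owner_in_inventory"))
            if not user.policy_ack:
                findings.append((user.uid, role_name, "privacy_policy_not_acknowledged"))
            if user.kind == "external" and not user.confidentiality_clause:
                findings.append((user.uid, role_name, "external_without_confidentiality_clause"))
            if role.exports_personal and (user.uid, role_name) not in approved_exports:
                findings.append((user.uid, role_name, "bulk_export_not_justified_by_owner"))
            if role.sensitive and user.uid not in intended_sensitive.get(role_name, set()):
                findings.append((user.uid, role_name, "sensitive_data_outside_intended_users"))
    return sorted(findings)


# --- constructed sample data (not exported from any real system) ----------------
ROLES: Dict[str, Role] = {r.name: r for r in [
    Role("FI_DISPLAY", "FI", True, False, False),
    Role("HR_PAYROLL_LIST", "HR", True, True, False),
    Role("HR_MEDICAL_VIEW", "HR", True, False, True),
    Role("MM_VENDOR_EXPORT", "MM", True, True, False),   # MM has no owner in the inventory below
    Role("SD_PRICING", "SD", False, False, False),      # no personal data: skipped by the review
]}
USERS: List[User] = [
    User("u_payroll", "employee", True, False, ("HR_PAYROLL_LIST", "HR_MEDICAL_VIEW")),
    User("u_consult", "external", True, False, ("MM_VENDOR_EXPORT", "SD_PRICING")),
    User("u_acct", "employee", False, False, ("FI_DISPLAY",)),
    User("u_occ_health", "employee", True, False, ("HR_MEDICAL_VIEW",)),
]
INVENTORY_OWNERS = {"FI": "cfo", "HR": "hr_director", "SD": "sales_ops"}  # from the personal data inventory
APPROVED_EXPORTS = {("u_payroll", "HR_PAYROLL_LIST")}                      # justified by the HR data owner
INTENDED_SENSITIVE = {"HR_MEDICAL_VIEW": {"u_occ_health"}}                 # the few intended users


def run_review() -> List[Finding]:
    return review_access(USERS, ROLES, INVENTORY_OWNERS, APPROVED_EXPORTS, INTENDED_SENSITIVE)


if __name__ == "__main__":
    for uid, role, code in run_review():
        print(f"{uid:<14}{role:<20}{code}")
```

Each finding is keyed by user, role and condition so it can be handed to the data owner of the affected module and closed with a user access form, which is the documentation trail the article asks for. Roles that do not display personal data are deliberately left to the existing create/change/delete and segregation-of-duties controls.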
Meeting Modern Data Protection Requirements
How SAP Business Suite Helps You Comply with the Latest Data Protection Regulations
by Volker Lehnert | SAPinsider, Volume 18, Issue 3 | August 24, 2017

As the volume of data collected by organizations continues to increase, so too do regulations designed to protect data from misuse, particularly when it comes to personal data. One of these is the European General Data Protection Regulation (GDPR), which goes into full effect on May 25th, 2018, and has global implications — it applies to any company that processes the personal data of people in the EU, whether or not that company is physically located within the EU. Learn how basic technical features and security safeguards included with SAP Business Suite applications help you comply with key areas of the GDPR data protection legislation and avoid the risk of steep fines due to violations.

Modern business systems are a treasure trove of highly sensitive information, such as the names, contact information, and various financial and health details for an organization’s current and former employees and family members, as well as valuable information about business partners, shareholders, and customers. As the volume and types of data collected continue to increase through smart devices, social media, and other technologies, so too have laws and regulations designed to protect this data from misuse. One of these regulations is the European General Data Protection Regulation (GDPR) — a regulation intended to strengthen the protection of personal data for individuals within the European Union (EU). The GDPR goes into full effect on May 25th, 2018, replacing the existing data protection directive 95/46/EC with a wider scope and increased penalties for non-compliance.

In particular, the GDPR significantly broadens the definition of personal data, and it applies to any company — whether that company is physically located within or outside of the EU — that processes data, offers services or goods, or monitors the behavior of people in the EU. The GDPR will have global implications, changing IT landscapes worldwide.

So, what does this mean for those processing data with SAP Business Suite applications? This article shows you how basic technical features and security safeguards included with SAP Business Suite applications help you comply with key areas of the GDPR data protection legislation. In particular, we will look at how SAP Business Suite helps you cover legal grounds for processing personal data, ensure the rights of data subjects (those whose personal data is being processed), and establish key technical and organizational measures (see the sidebar for a note about terminology in this article).

It is important to understand the distinction between the various types of measures discussed in this article:
• An organizational measure is an action or a sequence of actions that controls the behavior of people, such as management advice, procedure guidelines, and training.
• A technical measure is a configuration, feature, or software that controls something technical, such as authentication or encryption.
• Combined technical and organizational measures (TOMs) describe a holistic set of appropriate data protection safeguards. For example, a sophisticated authentication mechanism is worthless when passwords are shared, so an additional organizational measure is required with procedural guidelines that prohibit people from sharing passwords.

Before diving into the details of the legal grounds specified by the GDPR, however, it is critical to first understand the GDPR’s definition of personal data.

The GDPR Definition of Personal Data — And Why It Matters

With the GDPR, all companies within its defined material and territorial scope that deal with the personal data of EU residents must comply with its requirements. The GDPR’s definition of personal data is quite broad — “any information relating to an identified or identifiable natural person” is included within its scope.1 Simply put, an “identifiable person” is identified by attributes such as last name, first name, telephone number, address, age, gender, and profession. With this definition, a significant amount of data can be considered personal data.

While neither the broad definition of personal data nor its scope are in themselves business critical, violations are subject to administrative fines of up to 4% of the fined company’s worldwide turnover. Now that the scope — and implications — of what constitutes personal data in the context of the GDPR is clear, let’s examine the legal grounds defined in the GDPR for processing personal data, and the role SAP features and functionality can play in covering them.

Covering Legal Grounds for Processing Personal Data

According to the GDPR, the processing of personal data is lawful if at least one of the following grounds applies (see Figure 1):
• The data subject has given consent
• A contract requires the processing
• The controller (in most cases, the legal entity responsible) is subject to a legal obligation to do so
• Vital or public interests are involved
• There is a legitimate interest

Figure 1: According to the European General Data Protection Regulation (GDPR), processing personal data is lawful if at least one of these specified conditions is met. (Diagram labels: legal grounds for processing personal data: consent, contract, legal obligation, protect vital interest, public interest, legitimate interest.)

Here, we take a closer look at each of these conditions, and the ways in which SAP Business Suite applications can help you meet them.

Consent

Consent is an agreement between a data subject and a controller, in which the data subject formally agrees to the processing of personal data — via a signature or by actively clicking on a checkbox, for example. SAP Business Suite supports the documentation of consent with two features: the Marketing Permissions feature in the SAP Customer Relationship Management (SAP CRM) application and the Marketing Permissions feature for customer master data available with SAP NetWeaver 7.40.

Contract

A contract between the data subject and the controller defines the purpose of the processing of personal data — for example, a contract between an advertiser and a media company would require personal data to settle the contract and payment, and the processing would then be limited to that purpose. If the controller wants to process additional personal data or use it for purposes other than the one specified in the contract — for example, if the media company wants to sell that data to other companies — additional, specific consent from the data subject is required. Most business activities performed using SAP Business Suite applications are based on contracts. SAP Business Suite applications enable you to prove the existence of a contract using transactional or master data — for example, you can view existing sales contracts or payment transactions.

Legal Obligation

The processing of data due to legal obligation — for example, the reporting of salary figures to tax authorities — must be proven by organizational measures, meaning any documentation that describes processes, guidelines, or directives that control people’s behavior. For example, you could document processing activities using SAP governance, risk, and compliance (GRC) solutions and then link to that information from SAP Business Suite.

Vital and Public Interest

The processing of data due to vital interest is not a typical scenario for SAP Business Suite customers. This condition might apply if data processing is required to provide medical care for an unconscious person, for instance, and the GDPR also mentions “epidemics,” “humanitarian emergencies,” and “natural and man-made disasters” as valid grounds.2 While the SAP for Healthcare industry solutions and the Industrial Hygiene and Safety component of SAP Environment, Health, and Safety Management partially process data based on these grounds, the existence of these grounds must be proven by organizational measures, such as documentation stored in SAP GRC solutions. The processing of personal data based on public interest applies in cases of relevant national or EU law, such as police checking personal data during an inquiry. Similar to vital interest, public interest is a legal ground that must be documented organizationally.

Legitimate Interest

The processing of personal data based on legitimate interest requires balancing legally protected interests to determine whether the interests of processing the data are more important than the data protection rights of the data subject. By nature, this is something that cannot be solved by automated means and must be covered by organizational measures. Solid reasoning and documentation are particularly important in this case, since the merits of “legitimate interest” can often be challenged.

Ensuring the Rights of Data Subjects

The GDPR defines numerous rights for data subjects that organizations must ensure. While some of these rights can only be ensured by organizational measures, here we’ll highlight some that require a technical measure — a configuration, feature, or solution that controls something technical — or at least technical support, and look at how SAP Business Suite applications can help.3

Blocking and Deletion of Personal Data

Based on our experience at SAP, one of the most impactful rights defined by the GDPR is the blocking and deletion of personal data that is no longer required within the purpose defined for the processing. According to the GDPR, personal data must be deleted after the primary purpose of the processing has ended. If the data must be retained to comply with retention periods required by other legislation — such as tax legislation — access to it must be blocked or restricted, and it must be kept only for the duration of the longest legal retention period, after which it must be deleted. To help with this task, as of SAP NetWeaver 7.40, SAP Business Suite applications provide simplified blocking and deletion functionality that is based on SAP Information Lifecycle Management (SAP ILM). All SAP Business Suite applications include required SAP ILM objects that enable the transfer of data to an archive, which fulfills the blocking requirement. In addition, all SAP Business Suite applications support the “end of purpose” check, also based on SAP ILM, that is triggered from central personal master data sets, such as central business partner, customer, and vendor master data. With this check enabled, all applications registered with a central personal master data set are triggered to check whether they still need that data — if no longer needed, the data is marked as blocked and access is restricted.

Restricting the Processing of Personal Data

Another requirement specified by the GDPR is the ability to restrict the processing of personal data based on a data subject’s request while keeping the data available for the establishment, exercise, or defense of legal claims — for instance, if you want a legal clarification due to incorrect data that led to a wrong business decision. The blocking and deletion functionality included with SAP Business Suite applications can be configured to address this requirement by leaving only data in the system that is relevant to the defined processing purpose and must be processed. SAP ILM also provides a legal hold functionality that can be used to retain relevant data as needed.

Providing Access to Personal Data in a Readable Format

The GDPR also specifies the right of data subjects to have access to any of their personal data that is undergoing processing. SAP Business Suite enables organizations to provide data subjects with this information through its reporting tools. Currently, SAP is changing from application-specific reporting to a centralized approach, which will allow for centralized reporting on data that is undergoing processing. Regardless of the reporting approach, the decision about which data to report remains with the company using the SAP software, so a detailed, customized, and specific configuration will be required. In addition, data subjects have the right to obtain any personal data undergoing processing in machine-readable format, which is easily provided by the download functionality available with SAP Business Suite reporting tools.

Establishing Technical and Organizational Measures

In addition to meeting legal requirements for processing personal data and ensuring the specified rights of data subjects, the GDPR requires businesses to establish technical and organizational measures (TOMs) to ensure the protection of personal data. While the GDPR does not list specific required TOMs — it gives only example definitions — it clearly requires that appropriate TOMs be implemented and reviewed on a regular basis (for more on related documentation and controlling requirements, see the sidebar “Documentation and Controlling Become Key”).

Documentation and Controlling Become Key

With the European General Data Protection Regulation (GDPR), organizations are required to not only implement technical and organizational measures to safeguard the personal data they are processing, but also document in a record of processing activities how they have done it and why they chose certain measures.* They must also document the controls that are in place to regularly verify that the safeguards are appropriate, and for any new processing of personal data, they need to conduct impact assessments to evaluate how that processing will affect the protection of personal data.** Software such as SAP governance, risk, and compliance (GRC) solutions that bundles the requirements of regulations such as Sarbanes-Oxley, the US Food and Drug Administration, and the GDPR can help you significantly simplify and manage these tasks.
* See Article 30 in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
** See Article 35 in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).

So how do you know which TOMs to implement to ensure GDPR compliance? Fortunately, there is existing legislation that can provide guidance — for example, the TOMs specified by Germany’s current Federal Data Protection Act (BDSG)4 can serve as a useful guideline for establishing basic safeguards for processing personal data (see Figure 2).

Figure 2: The measures required by Germany’s Federal Data Protection Act (BDSG) are a useful guideline for meeting European General Data Protection Regulation (GDPR) requirements (technical and organizational measure: content)
• Physical Access Control: Prevent unauthorized persons from gaining access to data processing systems with which personal data is processed or used.
• Authentication: Secure procedures to enable system access based on personal authentication.
• Authorization: Procedures allowing differentiation in which data can be accessed and in which mode.
• Disclosure Control: Ability to document all access to personal data.
• Change Control: Ability to document all changes to personal data.
• Transmission Control: Procedures and safeguards for the transmission of personal data, such as encryption during transmission.
• Job Control: Data controller must ensure that the data processor is following instructions and guidelines. This organizational task has some technical aspects, such as system auditing.
• Availability Control: Procedures such as backup, disaster recovery, and business continuity.
• Data Separation: Personal data collected for a specified purpose must be separated from personal data collected for other purposes.

SAP Business Suite applications provide built-in features and functionality that support most of the TOMs listed in Figure 2 (the only area that is not supported is physical access control, which relates to preventing unauthorized physical access to buildings or rooms where personal data is processed). To give you an idea of how SAP Business Suite provides this support, we’ll take a closer look at three key TOMs that, based on our experience, are required by the GDPR.

Data Separation

Based on our experience at SAP, the purpose limitation requirement set by the GDPR is a precondition for several technical measures. It requires the ability to separate data by attributes so that data collected for one purpose remains separate from data collected for another purpose — a separation also required to support the data subject’s right of access, blocking and deletion requirements, and system access for transmission of data. It also establishes the assumption that all access — including access by persons, machines, software logic, and any kind of transmission — must be controlled by authorizations defined by purpose.

For this reason, the personal data to be processed needs attributes that reflect the purpose of the processing, which can be reflected by the line organizational attributes used to define organizational structures in SAP Business Suite (see Figure 3). Line organizational attributes can be used to separate the data controller, which is usually a single legal entity — a company code, for example. In a group of companies, it is critical to organize the data in a way that separates a single legal entity from any other data.

Figure 3: Some of the line organizational attributes used by SAP Business Suite to define organizational structures can be used to reflect processing purpose. (Attributes shown in the diagram: Company Code, Plant, Sales, Purchasing, Bank Area, Business Area, Valuation Area, Division, Distribution Channel, Distribution, Maintenance, Shipping Point, Cost Center, Organizational Position, Transportation.)

To define compliant authorizations, to organize system interfaces, to block and delete personal data, and to fulfill transparency requirements, a properly maintained line organizational software setup is required that reflects the legal entity or controller that processes that data. Our experience indicates that organizations must often adapt or even rethink their master data structures to meet this requirement.

Authorization

Remember the challenges involved in avoiding or mitigating authorization and segregation-of-duties (SoD) conflicts in the early days of the Sarbanes-Oxley Act? Authorizations that comply with data protection regulations such as GDPR are even harder to achieve. To comply with GDPR, any access to personal data needs to follow a strict basic authorization concept.5 Essentially, access to personal data should be granted only if the user has a reason to handle that data according to the predefined purpose of the data processing. In addition, any access should be at least separated by the legal entity or controller that processes that data, and also by process organizational attributes such as order type. SAP Business Suite includes a traditional technical authorization concept that allows separation by these types of attributes.

Transmission Control

To safeguard the security of personal data, proper encryption during transmission is required, but it is even more important to avoid illegal transmissions. This means that you need to identify any interface in a system dealing with personal data, document the interface, and provide authorizations ensuring that only designated personal data is accessed according to the purpose of the processing — this includes any data access that takes place over remote function call (RFC) connections. To help make RFC communications more secure, SAP introduced the Unified Connectivity (UCON) concept, a basic functionality included with SAP NetWeaver and, in turn, SAP Business Suite.6

Conclusion

So what will happen after May 25th, 2018? Some discussions between lawyers and regulatory authorities have focused on how the GDPR will be enforced outside the European Economic Area, while others are centered on whether supervisory authorities will, in fact, impose fines up to 4% of the annual turnover if a company is in violation of the GDPR. Regardless of the answers to these questions, the well-known quote from US Deputy Attorney General Paul McNulty holds true: “If you think compliance is expensive, try non-compliance.” Learn more about the GDPR at www.eugdpr.org and http://data.europa.eu/eli/reg/2016/679/oj.

1 See Article 4, Section 1, in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
2 See Recital 46 in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
3 For a complete list of rights, see http://data.europa.eu/eli/reg/2016/679/oj.
4 View the full text of Germany’s Federal Data Protection Act (BDSG), which was enacted to implement the European data protection directive 95/46/EC, at www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html.
5 For a detailed discussion of basic authorization concepts, see Authorizations in SAP Software: Design and Configuration by Volker Lehnert and Katharina Stelzner (SAP PRESS, 2011).
6 For more on the Unified Connectivity (UCON) concept for RFC communication, see the article “Secure Your System Communications with Unified Connectivity” in the January-March 2014 issue of SAPinsider (SAPinsiderOnline.com).

Volker Lehnert (volker.lehnert@sap.com) is Product Owner of Data Protection and Privacy for SAP Business Suite and SAP S/4HANA. Please note that he is not a lawyer, and he does not provide legal advice. In this article, he shares his personal opinion on data protection requirements and features based on his 11 years of experience in customer projects and his 5 years of experience in the development of data protection features.
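Returning to the blocking and deletion functionality described under “Blocking and Deletion of Personal Data” and “Restricting the Processing of Personal Data”: the sequence is easier to reason about as a small state model. The Python below is an added example and is not SAP’s code or an SAP ILM API; it models the end-of-purpose check as described in the article (every application registered with a central business partner reports whether it still needs the data, the purpose ends on the latest of their end-of-business dates), then blocks the data for the longest applicable legal retention period, and marks it for deletion afterwards unless a legal hold retains it. The application names, retention rules, partner ids and dates are constructed for the illustration.

```python
"""Added example (not SAP's code): a model of the end-of-purpose check and the
blocking/deletion lifecycle described in the article. Application names,
retention rules and business partner records are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Set

# A registered application answers the central check with the date on which it
# last needed the partner's data, or None if it still needs it (open contract,
# unpaid item, running campaign).
EndOfBusinessCheck = Callable[[str], Optional[date]]


@dataclass(frozen=True)
class RetentionRule:
    application: str
    legal_basis: str   # constructed label for the legislation that requires retention
    years: int         # retention period counted from the end of purpose


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def end_of_purpose(partner_id: str, checks: Dict[str, EndOfBusinessCheck]) -> Optional[date]:
    """The purpose ends only when every registered application is done with the
    partner, and then on the latest of their individual end-of-business dates."""
    dates = [check(partner_id) for check in checks.values()]
    if any(d is None for d in dates):
        return None
    return max(dates)


def lifecycle_state(partner_id: str, today: date, checks: Dict[str, EndOfBusinessCheck],
                    rules: List[RetentionRule], legal_holds: Set[str]) -> Dict[str, Optional[str]]:
    """Classify a partner's personal data as active, blocked, under legal hold, or due for deletion."""
    eop = end_of_purpose(partner_id, checks)
    if eop is None or today < eop:
        return {"partner": partner_id, "state": "active",
                "end_of_purpose": None if eop is None else eop.isoformat(), "delete_after": None}
    # After the end of purpose the data is blocked (access restricted) and kept only for
    # the longest legal retention period that applies; afterwards it must be deleted.
    delete_after = max(add_years(eop, rule.years) for rule in rules)
    if partner_id in legal_holds:
        state = "blocked_legal_hold"   # retained for legal claims, deletion suspended
    elif today < delete_after:
        state = "blocked"
    else:
        state = "delete"
    return {"partner": partner_id, "state": state,
            "end_of_purpose": eop.isoformat(), "delete_after": delete_after.isoformat()}


# --- constructed sample data (not from any real system) -------------------------
FI_LAST_CLEARING = {"BP1": date(2019, 12, 31), "BP2": date(2020, 6, 30)}   # last open item cleared
SD_LAST_DELIVERY = {"BP1": date(2020, 3, 15), "BP2": date(2020, 1, 10)}    # last delivery completed
CRM_LAST_CONTACT = {"BP1": date(2019, 5, 20), "BP2": date(2020, 2, 2)}
CRM_OPEN_CAMPAIGN = {"BP2"}                                                # BP2 is still in a running campaign

CHECKS: Dict[str, EndOfBusinessCheck] = {
    "FI": lambda bp: FI_LAST_CLEARING[bp],
    "SD": lambda bp: SD_LAST_DELIVERY[bp],
    "CRM": lambda bp: None if bp in CRM_OPEN_CAMPAIGN else CRM_LAST_CONTACT[bp],
}
RULES = [
    RetentionRule("FI", "tax record keeping (constructed)", 10),
    RetentionRule("SD", "commercial records (constructed)", 6),
]


def demo() -> Dict[str, str]:
    """Run the constructed scenarios and return scenario -> lifecycle state."""
    scenarios = {
        "BP1 before end of purpose": ("BP1", date(2019, 6, 1), set()),
        "BP1 inside retention period": ("BP1", date(2021, 1, 1), set()),
        "BP1 after retention period": ("BP1", date(2030, 3, 15), set()),
        "BP2 with running campaign": ("BP2", date(2025, 1, 1), set()),
        "BP1 under legal hold": ("BP1", date(2031, 1, 1), {"BP1"}),
    }
    return {label: lifecycle_state(bp, today, CHECKS, RULES, holds)["state"]
            for label, (bp, today, holds) in scenarios.items()}


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:<30}{state}")
```

The point of the model is the ordering: a single application that still needs the partner keeps everything active, blocking always precedes deletion, and the deletion date is driven by the longest retention rule rather than by the application that finished first. A legal hold only suspends deletion; it does not reopen access that blocking has restricted.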
Marie-Luise Wagener, SAP SE
Case Study: How SAP implemented the General Data Protection Regulation with SAP GRC Solutions
© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ Public

Agenda
• What are the legal requirements and potential consequences in case of violations?
• What do I need to know and understand?
• Who needs to be involved?
• Is this a project or an implementation?
• How can SAP GRC help?
• What are key success factors?
• Wrap-up

This is what is out there …
Source: www.google.de (news results, with a second capture labeled “3 days later”)

About us …
• 87,800 SAP employees worldwide
• 180 countries
• 25 industries
• 37 languages
• 130 country offices
• 15,000+ partner companies worldwide

What are the legal requirements?

What are the legal requirements? Overview
Source: http://www.eugdpr.org/
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC (1995).
Purpose:
▪ Harmonize data privacy laws across Europe
▪ Protect and empower all EU citizens’ data privacy
▪ Reshape the way organizations across the region approach data privacy

What are the legal requirements? In a nutshell
▪ Approved 14th of April 2016
▪ Altogether 88 pages
▪ 99 Articles
▪ Legislative Act
▪ In force 20 days after its publication in the EU Official Journal
▪ Enforcement date: 25 May 2018

What are the legal requirements? Territorial Scope
▪ Increased Territorial Scope (extra-territorial applicability)
• Extended jurisdiction of GDPR: Applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location
• Applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU
• Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU

What are the legal requirements? Key Definitions
▪ Personal Data (Art.4-1): any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
▪ Data Controller (Art.4-7): Entity (natural or legal person, public authority, agency or other body) that determines the purposes, conditions and means of the processing of personal data
▪ Data Processor (Art.4-8): Entity (natural or legal person, public authority, agency or other body) that processes data on behalf of the Data Controller

What are the legal requirements? Penalties
▪ Penalties (Art.83)
• Organizations in breach of GDPR can be fined up to 4% of annual global turnover (of preceding financial year) or €20 Million (whichever is higher)
• For each individual case
• There is a tiered approach to fines, e.g., a company can be fined 2% of annual global turnover (of preceding financial year) or €10 Million (whichever is higher) for not sufficiently fulfilling obligations
• These rules apply to both controllers and processors

What do I need to know and understand?

What do I need to know and understand? Consent
▪ Consent (Art.7)
• Conditions for consent: strengthened
• The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language
• The data subject shall have the right to withdraw his or her consent at any time
• It shall be as easy to withdraw as to give consent

What do I need to know and understand? Breach
▪ Breach Notification (Art.33)
• In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …
• … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
• Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay
• The processor shall notify the controller without undue delay after becoming aware of a personal data breach

What do I need to know and understand? Rights
▪ Right of Access (Art.15)
• The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data …
• Purpose
• Category
• Anticipated period for which the personal data will be stored
• Where data is processed and by whom
• Request rectification or erasure of personal data or restriction of processing
• The controller has to provide a copy of the personal data, free of charge, in an electronic format

What do I need to know and understand? Rights (cont.)
▪ Right to be Forgotten (Art.17)
• The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay …
• Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• Data subject withdraws consent on which the processing is based … and where there is no legal ground for processing
• Data subject objects to the processing … and where there is no legal ground for processing
• Personal data have been unlawfully processed
• Personal data have to be erased for compliance with a legal obligation …

What do I need to know and understand? Rights (cont.)
▪ Right to Data Portability (Art.20)
• The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided …

What do I need to know and understand? Rights (cont.)
▪ Data Protection by Design and by Default (Art.25)
• … at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing …

What do I need to know and understand? Rights (cont.)
▪ Designation of Data Protection Officer (Art.37)
… The controller and the processor shall designate a data protection officer in any case where:
• The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
• The core activities of the controller or the processor consist of processing operations …
• DPO must have expert knowledge of data protection law and practices … be … staff member or on basis of service contract …
• The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority
  • 35.
Who needs to be involved?

Who needs to be involved? People
Pretty much everyone … incl. every employee dealing with data …
  • 36.
Who needs to be involved? Data
Where is the data and what kind of data do we control or process?
▪ Data Localization
- System Landscape
- Data recording
- Data distribution
▪ Data Classification, e.g.:
▪ First name
▪ Last name
▪ Date of birth
▪ Place of birth
▪ Gender
▪ Email address (private/business)
▪ Log-in name
▪ Images with identifiable persons
▪ SAP user ID
▪ SAP personal ID
▪ Social security number
▪ Driver's license details
▪ Position
▪ Mobile Device ID
▪ Telephone number
▪ IP address/browser
▪ Credit Card numbers
Is this a project or implementation?
  • 37.
Is this a project or implementation?
It's actually a bit of both …
You need to understand the data requirements you are dealing with
- and -
You have to make sure that the technical requirements are in place and ready to use

Is this a project or implementation? Preparation
1. Data Mining: Check the data you are processing with regards to personal data of data subjects
2. Data Retention Analysis: Check data on legal retention requirements
3. Consent Management: Check on consent requirements (in case of a company's legitimate interest in control and risk management activities, no additional consent is required)
4. Technical preparation: Check the system capabilities with regards to data blocking/archiving, deletion and information retrieval, etc.
  • 38.
Is this a project or implementation? Realization
Realization Example: … get your GRC system ready
▪ For GRC 10.1, SP 15 is required
▪ Please refer to SAP Note 2382181 – Data Protection in Access Control, Process Control and Risk Management

Is this a project or implementation? Switch
▪ Activate ILM in the Switch Framework via SFW5
▪ Set up roles and authorizations
▪ You need to activate the following services in SICF: ILM_AUDIT_AREA, IRM_POLICIES
  • 39.
Is this a project or implementation? ILM Enablement
▪ Global ILM enablement in IMG via SPRO for the respective components
To activate blocking or deletion of personal data on RM or PC, the shared component GRC needs to be activated

Is this a project or implementation? ILM Objects
▪ Determine settings for individual ILM associated entity entries
An ILM object contains the settings for ILM rules:
Block – hide the data from everyone except designated admins
Destroy – destroy the information completely after a certain period of time
Select either legal entity (maintenance view GRFNLEGALENT, from the general tab of the org unit) or country (also on the organizational unit of RM and PC), but do not select both.
  • 40.
Is this a project or implementation? ILMARA
▪ Transaction ILMARA: definition of ILM Residence Rules and/or Retention Rules

Is this a project or implementation? IRMPOL
▪ Transaction IRMPOL: definition of ILM Residence Rules and/or Retention Rules
To set up the respective policies for every individual object, you will have to use your results from the Data Retention Analysis.
  • 41.
Is this a project or implementation? Additional Topics
Additional topics we already tackle at SAP Global GRC:
▪ Segregation of duties/Authorizations – Security Concept
▪ Regular entitlement reviews
▪ Frontend integration in data breach and security incident management solutions
▪ User trainings
▪ Controls on
- System parameters and respective changes
- RFC destinations
- Custom-table logging
- Etc.

Is this a project or implementation? Entitlement Review
Based upon:
▪ Organizational Structure
▪ Table HRP1852
▪ Macro
  • 42.
Is this a project or implementation? Custom Tables
Control: Check on logging of custom tables as per DD02L

Is this a project or implementation? rec/client
Control: Check setting of rec/client via table TPFET
  • 43.
Is this a project or implementation? RECCLIENT
Control: Check setting of RECCLIENT via table TMSPCONF

Is this a project or implementation? Plan
One thing is for sure … You need a plan!
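The three controls above (custom-table logging, rec/client, RECCLIENT) are listed only as checks to perform. The following Python example, added for this digest and not taken from the SAP presentation, shows how such checks can be automated so they can run as a recurring control. It works on constructed sample extracts: the column names TABNAME and LOG_FLAG, the parameter value strings and the list of productive clients are assumptions standing in for whatever a real export of the named tables provides.

```python
"""Automated versions of the three logging controls from the slides.

Added example, not code from the SAP presentation. All input below is
constructed; column names are assumptions, not verified SAP field names.
"""
from typing import Dict, Iterable, List, Set

# Constructed extract of custom-table technical settings: table name and
# whether "log data changes" is set ("X" = set, "" = not set).
SAMPLE_TABLE_SETTINGS = [
    {"TABNAME": "ZHR_CONSENT", "LOG_FLAG": "X"},
    {"TABNAME": "ZCUST_CONTACTS", "LOG_FLAG": ""},
    {"TABNAME": "YFIN_BANKDATA", "LOG_FLAG": ""},
    {"TABNAME": "MARA", "LOG_FLAG": ""},   # SAP standard table: out of scope here
]
# Constructed profile parameter value as it would be read for rec/client.
SAMPLE_REC_CLIENT = "100,200"
# Constructed TMS parameter value as it would be read for RECCLIENT.
SAMPLE_RECCLIENT = "OFF"
# Constructed list of clients that hold productive (personal) data.
PRODUCTIVE_CLIENTS = ["100", "200", "300"]


def is_custom_table(name: str) -> bool:
    """Customer namespace: Z*, Y* or /NAMESPACE/ tables."""
    return name.startswith(("Z", "Y", "/"))


def custom_tables_without_logging(rows: Iterable[Dict[str, str]]) -> List[str]:
    """Custom tables whose change-logging flag is not set."""
    return sorted(
        r["TABNAME"] for r in rows
        if is_custom_table(r["TABNAME"]) and r["LOG_FLAG"] != "X"
    )


def parse_client_list(value: str) -> Set[str]:
    """rec/client and RECCLIENT share one value format:
    OFF (no logging), ALL (every client) or a comma-separated client list."""
    v = value.strip().upper()
    if v == "OFF":
        return set()
    if v == "ALL":
        return {"ALL"}
    return {c.strip() for c in v.split(",") if c.strip()}


def uncovered_clients(value: str, productive_clients: Iterable[str]) -> List[str]:
    """Productive clients for which the parameter does not enable logging."""
    covered = parse_client_list(value)
    if "ALL" in covered:
        return []
    return sorted(c for c in productive_clients if c not in covered)


def run_controls(table_rows, rec_client, recclient, productive_clients) -> Dict[str, List[str]]:
    """Run all three checks; an empty list means the control passed."""
    return {
        "custom_tables_without_logging": custom_tables_without_logging(table_rows),
        "rec_client_uncovered": uncovered_clients(rec_client, productive_clients),
        "recclient_uncovered": uncovered_clients(recclient, productive_clients),
    }


if __name__ == "__main__":
    results = run_controls(SAMPLE_TABLE_SETTINGS, SAMPLE_REC_CLIENT,
                           SAMPLE_RECCLIENT, PRODUCTIVE_CLIENTS)
    for control, findings in results.items():
        print(f"{control}: {'OK' if not findings else findings}")
```

With the constructed sample, the run reports two custom tables without logging, client 300 not covered by rec/client, and every productive client uncovered because RECCLIENT is OFF; the same functions can be fed a real export of the named tables once the column names are adjusted.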
  • 44.
How can SAP GRC help?

How can SAP GRC help?
Bad news first … there is no "THE GDPR" solution … there is no single solution that addresses all complex GDPR aspects …
But … there are definitely GRC and other SAP solutions to support you!
  • 45.
How can SAP GRC help? Solution Overview

How can SAP GRC help? SAP GRC Access Control
▪ Provision of analysis for users and roles with critical and sensitive access
▪ Definition and categorization of security design and roles for personal data
▪ Incorporation of policies in provisioning processes for training and assignments
▪ Periodic reviews of roles and users with access to GDPR data
▪ Transparency and insights on user activity for applications and roles with access to GDPR data
▪ Options for properly monitored privileged users for GDPR-relevant transactions
  • 46.
How can SAP GRC help? SAP GRC Process Control
▪ Management of GDPR-related policies including approval, distribution, acceptance, and reporting
▪ Management of data privacy impact assessments (creation, distribution, reporting), raising issues if needed
▪ Association of GDPR requirements with internal controls over data privacy in a central repository
▪ Scheduling of recurring performance of controls (manual or automated) and evaluation of control effectiveness
▪ Provisioning of ongoing/real-time reporting in the context of GDPR compliance to the DPO and other relevant stakeholders

How can SAP GRC help? SAP GRC Risk Management
▪ Management of GDPR-related risks, assessments, mitigations, and reporting
▪ Association of GDPR risks with internal controls as mitigations in a central repository to gain transparency and to monitor risk-control coverage
▪ Scheduling of recurring risk assessments and validations
▪ Provisioning of ongoing/real-time reporting in the context of GDPR compliance to the DPO and other stakeholders
  • 47.
How can SAP GRC help? Data Privacy Impact Survey
Workflow-based reusable automated assessments
What are key success factors?
  • 48.
What are key success factors?
Do you remember when SOX (Sarbanes-Oxley Act) section 404 became effective … back in 2006 …?

What are key success factors? (cont.)
This is similar.
  • 49.
What are key success factors? Compliance
"If you think Compliance is expensive, try Non-Compliance." by Paul McNulty, U.S. Deputy Attorney General

What are key success factors? Challenges
Be aware of the challenges …
▪ The overall implementation effort is significant, complex, and broad
▪ Do not underestimate the initial effort to assess your current status versus regulatory requirements and the resulting gaps
▪ Data management is usually complex in times of Big Data and comes with a lot of aspects to consider, e.g., internal and external data, privacy by design, consent, storage, access, usage, retention, deletion, etc.
▪ Do not neglect the change management aspects (organizational, policies, procedures, training, and communication, etc.)
▪ This is not a one-time effort – consider sustainability and also the ongoing costs of this program
  • 50.
What are key success factors? Recommendations
A journey towards GDPR compliance
▪ Hoping you have already started …
▪ Slice and dice – multiple workstream strategy with respective work packages
▪ Start with high-risk areas, based for example upon a Data Privacy Impact Assessment
▪ Consider retention/residence periods while prioritizing
▪ Make sure to have a dedicated program office with experts from Data Protection and Privacy as well as IT
▪ Consider your ROI by centralizing and automating compliance processes
Wrap-up
  • 51.
Where to Find More Information
SAP GRC External – www.SAP.com/grc
SAP Risk Management Help – https://help.sap.com/viewer/p/SAP_RISK_MANAGEMENT
SAP Process Control Help – https://help.sap.com/viewer/p/SAP_PROCESS_CONTROL
SAP Software Developer Network (SDN) – http://sdn.sap.com
SAP Service Marketplace* – http://service.sap.com
SAP Product Availability Matrix (PAM)* – http://support.sap.com/pam
SAP Partner Edge Portal – https://partneredge.sap.com/en/welcome.html
* Requires login credentials to the SAP Service Marketplace

Key points to take home
Have a dedicated program office with DPO and IT
Your solution approach has to be sustainable
Start with high-risk areas
Slice and dice – consider multiple and parallel workstreams
Perform a detailed data retention analysis
Data Mining: Know where your data resides
Gap Analysis: Check legal requirements with regards to your current state
  • 52.
Questions?

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
© 2018 SAP SE or an SAP affiliate company. All rights reserved.
  • 53.
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2018 Wellesley Information Services. All rights reserved.
Are You Ready for the General Data Protection Regulation (GDPR)? How to Build a Data Retention Plan and Use Encryption and Other Toolsets to Support GDPR
James Baird, Sr., Dolphin

In This Session
• Walk through the ramifications of the regulatory changes and learn what aspects your data retention plan needs to cover
• Hear how to make legal, risk, IT, and business departments work together to understand the policies and how to apply them to online information in SAP systems
• Learn to identify changes to the business or to the SAP environment that can impact retention and trigger the need to review retention rules
• Learn to leverage retention as part of a larger data management strategy that lowers the total cost of ownership of SAP systems, increases productivity, and reduces risk
• Learn how encryption can be leveraged to support GDPR for good data stewardship
Dolphin does not provide audit advice or counsel pertaining to this subject or any related legislation or compliance issue. We always recommend that you consult your qualified audit professional.
  • 54.
What We'll Cover
• General Data Protection Regulation Overview
• Retention Policy Challenges
• Applying Privacy Policies in SAP Systems
• Case Study
• Wrap-up

General Data Protection Regulation Overview
  • 55.
EU General Data Protection Regulation
• The General Data Protection Regulation (GDPR) (www.eugdpr.org/) is a new privacy regulation in Europe that protects the personal data of any individual that is a citizen of or based in the EU, regardless of citizenship or where the data is being held.
• This regulation will be enforced on May 25, 2018
• GDPR carries more regulatory weight than the previous 95/46/EU directive on data privacy, which it replaces. There are strict fines for companies found to be out of compliance.

Global Compliance and GDPR
• GDPR applies to any organization inside or outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects
• Organizations must:
- Protect that information while it is under their stewardship
- Purge data when it is no longer needed or when the individual requests its destruction
• The same obligations and penalties apply to Data Controllers and Data Processors such as shared services providers or websites that track an individual's digital activities
• Penalties for non-compliance are up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher)
  • 56.
When Can Personal Data Be Kept?
(figure) Grounds shown: Data owner consents to the retention of data; To process a contract; To meet legal requirements; To protect vital or public interest; To meet legitimate business needs. Examples shown: Buying a product; Approved process – maybe; Website cookies; Criminal Records; Legal Case/Holds; Employee Benefit records.

What Are the Rights of the Data Subject?
✓ Breach Notification
✓ Right to Access
✓ Right to be Forgotten
✓ Data Portability
✓ Privacy by Design
  • 57.
New Role: Data Protection Officer (DPO)
• Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
• May be a staff member or an external service provider
• Contact details must be provided to the relevant DPA
• Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
• Must report directly to the highest level of management
• Must not carry out any other tasks that could result in a conflict of interest

Assessing Risk
• Have your risk team evaluate how the regulation (GDPR) will apply to the business and act quickly to take appropriate action
• This assessment will require collaboration between diverse lines of business:
- Line of Business data owners (Finance, HR, Sales, Marketing, etc.)
- Legal
- IT
- Audit
- External experts can also be engaged to help assess risk and develop a plan
(figure: Business, IT, Legal, Audit)
  • 58.
Sample: Privacy Impact Assessment
• Determine what is personal and sensitive data (IAPP: International Association of Privacy Professionals)
- Customer, consumer, vendor, employee … data – in SAP and outside SAP
• Determine where personal and sensitive data can be:
- In database or archived data (SAP)
- In emails
- On backups
- On computers

Sample: Privacy Impact Assessment (cont.)
• Evaluate the situation, processes and procedures to handle sensitive data and make updates
- This can be how data is transferred to the company
- How data is put into the system (process such as PTS …)
- How data is accessed and by whom
- How it is stored
- *** When it is destroyed and why ***
• Update processes and procedures (this can include training)
• Review training and communication methods both internally and externally – see where updates need to be made
• Take action to secure data
• Repeat
  • 59.
GDPR Overview
Personal information should only be kept as long as there is a legitimate business interest that ties to why the data was gathered
(figure: Fundamental Rights, Individual Expectations, Business Interests)

Retention Policy Challenges
  • 60.
What Is a Retention Policy?
• A retention policy is a protocol within an organization for retaining information for operational use while ensuring adherence to the laws and regulations concerning them
• It is the first step in protecting an organization's data against financial, civil, and criminal penalties

Retention Challenges
(figure: Complex Retention Requirements, Protect Privacy, Lengthy Retention Periods)
  • 61.
Global Regulations
• The majority of data is retained for financial audits (i.e., SOX), but other regulations can impact retention periods:
- GDPR: General Data Protection Regulation (EU)
- HIPAA: Health Information Protection Act (USA)
- PII: Personally Identifiable Information
- PIPEDA: Personal Information Protection & Electronic Documents Act
- PHIA: Personal Health Information Act
- PCI DSS: Payment Card Industry Data Security Standard

Retention for Various Periods
• Retention is increasingly important as audits become more complex
• Organizations must retain data for variable periods of time
• Multi-national companies need to balance different retention requirements for different jurisdictions
• Retention policies can be tracked in the SAP GRC environment, once they are aligned with SAP data
(figure) Health: 30 years+; Financial: 7 years; Academic: 10 years; Legal: ? years
  • 62.
Legal Holds
• In the event of legal action a small subset of data must be retained indefinitely
• Data archive and purge activities must exclude data that is subject to legal holds
• The complexity of legal holds keeps many companies from purging data at all

Review Retention Policies for Electronic Data
• Retention policies should be reviewed when:
- New systems are added to the IT landscape (such as cloud)
- The business goes through a transformation:
  - A merger or acquisition that adds new data responsibilities
  - A divestiture can have legal rules governing how data is handled
- New laws and regulations are put in place (SOX, SAF-T, GDPR …)
- Increased threats from hackers going after personal and business data
- New or updated functionality – such as updates in SAP GRC
- Other reasons
  • 63.
A Retention Action Plan!
1. Work with Legal to understand recent changes to Data Retention policies and regulations
2. Work with IT and business groups to understand the impact of policies (such as on electronic data sources and records)
3. Automate the retention process to ensure continual data management
4. Tie in SAP GRC for tracking and monitoring retention policies
5. Ensure you have the ability to access retained data (including documents/attachments) easily to support the Right for Information
6. Ensure there is an approved process for purging data – use workflows to ensure appropriate approvals are collected
7. Implement a regular review process (annually at least) to ensure retention policies are kept up to date

Applying Privacy Policies in SAP Systems
  • 64.
A 5-Step Approach to GDPR Compliance
(figure) Steps: Legal Assessment; Privacy Impact Analysis/Statement; System Readiness Assessment; Implementation; Application Reporting Analysis. Work areas shown: Data Inventory & Privacy Footprint; Retention Compliance; Access Protection; Case Management; Disposition Audits; Blocking; Encryption; Data/Document Purge. Phases: Enablement, Ongoing. Focus: Retention and Access.

Applying Privacy Policies to SAP Data and Documents
• Focus areas:
- Retention
- Access Control
• Other aspects of GDPR (e.g., notice of breach, etc.) need to be considered separately
(figure) Decision flow with the questions Personal Data?, Intended Purpose? and Retention Periods? (yes/no branches), each path ending in one of No Action, Block or Delete
  • 65.
Applying Privacy Policies to SAP Data and Documents
• Erasure or Purge: Irreversible and adequate deletion of personal data after the retention period (the period of time during which personal information must be retained as required by law) has expired
• Blocking/Encryption/Masking: Method of preventing access to personal data that is no longer necessary for the primary purposes for which it was collected

Applying Privacy Policies to SAP Data and Documents
Methods by which to restrict the processing of personal data in such a manner that the personal data is unavailable to users and cannot be subject to further processing operations or changes (GDPR sec. 67)
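The ILM block/destroy settings and residence/retention rules from the SAP GRC presentation (slides 39 and 40), the legal-hold exclusion from purge, and the personal data / intended purpose / retention period decision flow above all describe one decision per record. The following Python example, added for this digest and not taken from either presentation, implements that decision. Its reading of the periods (residence = how long a record stays active after its purpose ends; retention = how long it must be kept, blocked, before destruction; both counted from end of purpose) and the rule-lookup order (a legal-entity rule before a country rule) are assumptions, as is the outcome mapping of the flowchart; ILM object names, entity codes and dates are constructed.

```python
"""Retention / blocking decision per record, ILM-style.

Added example, not code from the SAP or Dolphin presentations. Period
semantics and lookup order are assumptions; all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    """One rule per ILM object, keyed by legal entity OR country (never both),
    mirroring the slide's instruction not to select both."""
    ilm_object: str
    residence_days: int          # stays active this long after end of purpose
    retention_days: int          # must be kept (blocked) this long after end of purpose
    legal_entity: Optional[str] = None
    country: Optional[str] = None

    def __post_init__(self) -> None:
        if (self.legal_entity is None) == (self.country is None):
            raise ValueError("select either legal_entity or country, not both")
        if self.retention_days < self.residence_days:
            raise ValueError("retention period cannot be shorter than residence period")


def rule_is_valid(**kwargs) -> bool:
    """True if RetentionRule(**kwargs) passes the key and period checks."""
    try:
        RetentionRule(**kwargs)
        return True
    except ValueError:
        return False


@dataclass
class Record:
    record_id: str
    ilm_object: str
    legal_entity: str
    country: str
    personal_data: bool
    end_of_purpose: Optional[date]   # None while a legitimate purpose still exists
    legal_hold: bool = False


def find_rule(record: Record, rules: List[RetentionRule]) -> Optional[RetentionRule]:
    """Legal-entity rule first, then country rule (assumed precedence)."""
    for r in rules:
        if r.ilm_object == record.ilm_object and r.legal_entity == record.legal_entity:
            return r
    for r in rules:
        if r.ilm_object == record.ilm_object and r.country == record.country:
            return r
    return None


def decide(record: Record, rules: List[RetentionRule], today: date) -> str:
    """Return no_action, active, hold, no_rule, block or destroy."""
    if not record.personal_data:
        return "no_action"                 # not in scope of the privacy policy
    if record.end_of_purpose is None:
        return "active"                    # intended purpose still exists
    if record.legal_hold:
        return "hold"                      # legal holds are excluded from blocking and purge
    rule = find_rule(record, rules)
    if rule is None:
        return "no_rule"                   # gap in the retention analysis: never delete blindly
    block_from = record.end_of_purpose + timedelta(days=rule.residence_days)
    destroy_from = record.end_of_purpose + timedelta(days=rule.retention_days)
    if today < block_from:
        return "active"
    if today < destroy_from:
        return "block"                     # hidden from everyone except designated admins
    return "destroy"                       # retention period expired: irreversible deletion


def run_decisions(records: List[Record], rules: List[RetentionRule], today: date) -> Dict[str, str]:
    return {rec.record_id: decide(rec, rules, today) for rec in records}


# Constructed sample rules and records (no real system data).
SAMPLE_RULES = [
    RetentionRule("GRC_PC_ISSUE", residence_days=365, retention_days=3650, legal_entity="DE01"),
    RetentionRule("GRC_PC_ISSUE", residence_days=180, retention_days=2555, country="US"),
]
SAMPLE_RECORDS = [
    Record("I-1", "GRC_PC_ISSUE", "DE01", "DE", True, date(2017, 1, 1)),
    Record("I-2", "GRC_PC_ISSUE", "DE01", "DE", True, date(2018, 1, 1)),
    Record("I-3", "GRC_PC_ISSUE", "US01", "US", True, date(2010, 1, 1)),
    Record("I-4", "GRC_PC_ISSUE", "US01", "US", True, date(2010, 1, 1), legal_hold=True),
    Record("I-5", "GRC_PC_ISSUE", "FR01", "FR", True, date(2010, 1, 1)),
    Record("I-6", "GRC_PC_ISSUE", "DE01", "DE", False, date(2010, 1, 1)),
    Record("I-7", "GRC_PC_ISSUE", "DE01", "DE", True, None),
]
SAMPLE_TODAY = date(2018, 5, 25)   # GDPR enforcement date

if __name__ == "__main__":
    for rec_id, action in run_decisions(SAMPLE_RECORDS, SAMPLE_RULES, SAMPLE_TODAY).items():
        print(rec_id, action)
```

Two design points matter in practice: a record without a matching rule is reported as a gap rather than silently left active or deleted, which is the outcome the Data Retention Analysis step is meant to prevent, and a legal hold short-circuits both blocking and destruction, so a purge job built on this decision cannot violate a hold by accident.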
  • 66. GDPR DIGEST 66 This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider 26 What Else Do You Need for GDPR? Access Restrictions Ongoing Management Automated eDiscovery 27 • Both online and archived transactional data • Related unstructured documents must also be located  Documents contain another level of privacy data • Responsibility extends to both types of information and the discovery solution must support both together to produce a usable report eDiscovery Tools – SAP Environment
  • 67. GDPR DIGEST 67 This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider 2828  Case Study 29 • Business need to meet Privacy Data such as:  Delete HR information data and attachments according to complex retention rules  Extract HR information to support litigation • Benefits  Ensured privacy requirements are met  Lowered cost of storage of long term data  Increased speed in response to litigation Manage Complex Retention Rules The largest diversified provider of post-acute care services in the United States
  • 68. GDPR DIGEST 68 This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider 3030  Wrap-Up 31 Benefits of Retention Management Solutions for GDPR Lower Costs Reduce the cost of storing data and documents for long periods Increase Productivity Simplify the process of retaining data and documents according to legal requirements Reduce Risk Secure data and documents and flexibly comply with legal retention requirements
  • 69. GDPR DIGEST 69 This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider 32 • Official Journal of the European Union – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016  http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf • The European Union General Data Protection Regulation homepage  www.eugdpr.org/ • James Baird, “Be Compliant, Stay Compliant: How Policies, Procedures, Protocol, and People Help You Tackle the GDPR,” (SAPinsider, November 2017).  http://sapinsider.wispubs.com/Assets/Articles/2017/November/SPI-Be-Compliant-Stay- Compliant Where to Find More Information 3333 Key Points to Take Home  Retention policies must be applied to online information (data and documents) in SAP systems and related systems, just as they are to paper-based documents  Different data requires different retention periods and is subject to different regulations and audits  Legal, Risk, IT, and Business must work together to understand the policies and how to apply them to online information in SAP systems  Retention policies must be reviewed regularly to ensure compliance with regulations  Changes to the business or to SAP environment can impact retention and therefore retention rules should be reviewed whenever there is a major change
  • 70. GDPR DIGEST 70 This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider 3434 Key Points to Take Home (cont.)  Using third-party tools can improve compliance by automating the archiving and purging of information according to retention rules  Retention should be part of a larger data management strategy that lower the total cost of ownership of SAP systems, increases productivity, and reduce risk 3535 Please remember to complete your session evaluation Thank You Any Questions?  t James Baird, Senior Information Consultant james.baird@dolphin-corp.com Your Turn!
• 71.

Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2018 Wellesley Information Services. All rights reserved.
• 72.

GDPR: What You Need from SAP to Help Demonstrate Company-Wide Compliance
Stephanie Gruber, SAP America
© 2017 SAP SE or an SAP affiliate company. All rights reserved. | Customer

Legal Disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or noninfringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, and shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. This limitation shall not apply in cases of intent or gross negligence. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

NOTE: The information contained in this presentation is for general guidance only and provided on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken in response hereto. It is the customer’s responsibility to adopt measures that the customer deems appropriate to achieve GDPR compliance.
• 73.

Agenda
• General Data Protection Regulation Requirements and Impact
• Managing GDPR Compliance with SAP Solutions
• Data Privacy and Protection at SAP
• SAP Solutions for GDPR
• Wrap-up
• Appendix

Top of Mind Challenges
• 74.

General Data Protection Regulation Requirements and Impact

Cybersecurity vs. Data Privacy: Data privacy is different than cybersecurity

Cybersecurity
• Risk: Loss, deletion, abuse
• Scope: Protection of information against unauthorized access through computing environments
• Responsible: Information Security Officer

Data Privacy
• Risk: Infringement of personal rights
• Scope: Protection of individuals with regard to the processing of personal data
• Responsible: Data Privacy Officer

Common ground: Technical and Organizational Measures (TOMs)