How to Prepare Your SAP System for the New European Union General Data Protection Regulation. Learn how to change your practices within your SAP environment so that they comply with the new General Data Protection Regulation (GDPR) data privacy regulation.
SAP insider GDPR compendium Hernan Huwyler
GDPR Digest
8 resources to help you plan and optimize
your GDPR compliance initiatives
Sponsored by
April 9-10 • Copenhagen
April 24-25 • Chicago
INTRODUCTION
The EU’s impending General Data Protection Regulation (GDPR) is a game changer for any
organization that does business in Europe, and becoming compliant is no small feat.
To help, SAPinsider has assembled eight popular pieces for SAP professionals. They provide
both strategic and tactical insights into how you can better plan and drive your GDPR compliance
initiatives. Sponsored by GDPR Bootcamp for SAP Customers, an event running April 9-10 in
Copenhagen and April 24-25 in Chicago, this asset is the perfect complement to the event, which
offers two days of in-depth sessions and endless opportunities to build your professional network,
ensuring that you make better business decisions, and get access to the top technologists working
with SAP solutions.
This compendium is merely the tip of the iceberg and barely scratches the surface of what you can
tap into at GDPR Bootcamp for SAP Customers. Step one is to absorb the content in this collection
and then step two is for you (and your team) to join SAPinsider at this important event. Between
this collection and the educational and networking experience at the event, you will be positioned
to successfully complete your next project and advance your career.
I truly hope that this content benefits you and I hope that you will take the next step and join me in
April.
Kind regards,
Kendall Hatch
Conference Producer
P.S. Early registration rates are in effect, so sign up soon to lock in the lowest price!
GDPR DIGEST
CONTENTS
Page 4: How to Prepare Your SAP System for the New European Union General Data Protection Regulation
by Hernan Huwyler, Risk and Compliance Expert | September 21, 2016
Page 10: Be Compliant, Stay Compliant: How Policies, Procedures, Protocol, and People Help You Tackle GDPR
by James Baird | SAPinsider, Volume 18, Issue 4 | November 7, 2017
Page 13: Learn How to Prepare Your User Access Review to Comply with the General Data Protection Regulation (GDPR)
by Hernan Huwyler, Risk and Compliance Expert | July 24, 2017
Page 17: Meeting Modern Data Protection Requirements: How SAP Business Suite Helps You Comply with the Latest Data Protection Regulations
by Volker Lehnert | SAPinsider, Volume 18, Issue 3 | August 24, 2017
Page 26: Case Study: How SAP implemented the General Data Protection Regulation with SAP GRC Solutions
by Mary-Luise Wagener, SAP SE
Page 53: Are You Ready for the General Data Protection Regulation (GDPR)? How to Build a Data Retention Plan and Use Encryption and Other Toolsets to Support GDPR
by James Baird, Sr., Dolphin
Page 72: GDPR: What You Need from SAP to Help Demonstrate Company-Wide Compliance
by Stephanie Gruber, SAP America
Page 94: GDPR, SAP Solutions for GRC and Security, and You
by Marie-Luise Wagener, SAP SE; Chris Radkowski, SAP; and Rashi Mittal, SAP
This compilation is sponsored by GDPR Bootcamp for SAP Customers, produced by SAPinsider
How to Prepare Your SAP System for the New European Union General Data Protection Regulation
by Hernan Huwyler, Risk and Compliance Expert
September 21, 2016
Learn how to change your practices within your SAP environment so that they comply with the new
General Data Protection Regulation (GDPR) data privacy regulation.
Key Concept
The new European Union General Data Protection Regulation (GDPR) will become effective on May
25, 2018. Companies using European personal data, both inside and outside of Europe, are adjusting
practices, privacy controls, and parameters in SAP environments to comply with this regulation. New
policies are being implemented to protect sensitive personal information that is kept in the customer,
client, employee, and candidate master, and that is sometimes transferred to or from service providers.
Preparation to comply with the new European General Data Protection Regulation (GDPR) needs
to start now. Consequences of mishandling personal data will significantly increase, since non-complying
organizations face fines of up to 4 percent of the global annual turnover or €20 million,
whichever is higher. Even though this regulation becomes effective in May 2018, requirements and
practices to protect sensitive data are already defined, and they bring major challenges. Furthermore,
it also applies to organizations based outside the European Union if they process personal data of
European residents.
Note
Global annual turnover is the revenue of a company, or the amount of money a company generates,
around the world. It establishes the basis for calculating a fine for a breach of a data protection
regulation. Fines are calculated following the accounting principles for gross and net sales (net of
discounts and taxes). Using the basis of calculation in similar regulations, the revenue is taken from
ordinary activities and after turnover taxes and discounts.
This requirement creates many career opportunities for SAP experts and consultants. Being the first
to communicate and to address these compliance risks is a critical factor.
A comprehensive risk analysis about current data collection, transfer, use, and disposal against the
new GDPR requirements needs to be performed to prioritize the preparation plans. This article serves
as a roadmap to prepare your SAP system to comply with the GDPR.
1. Define In-Scope SAP Data
Personal information is any data relating to an individual, including names, email addresses,
identification numbers, bank details, medical information, and even a photo or an IP address. The
GDPR also broadens personal information to biometric and genetic data.
A preparation plan starts by identifying all the SAP environments, clients, master data tables, and
fields containing personal information of European residents, even customized z-tables and z-fields.
All SAP systems such as SAP ERP Central Component (ECC), Business Intelligence (BI), Customer
Relationship Management (CRM), and other solutions should be included in the preparation project.
Backups, legacy systems, and archives of SAP databases should also be included in the planning.
Digitized documents integrated into SAP containing private information should also be covered.
The quantity and quality of sensitive personal data to protect largely differs between industries and
legal areas. Certain sectors, such as healthcare, insurance, banking, recruitment, and marketing, deal
with a high volume and wide variety of personal information. These sectors need to comply with
stricter industry rules and regulations. As a general reference, personal information is stored in global
master tables for customers (KNA1, KNBK, KNVK), vendors (LFA1, LFBK), addresses (ADRC, ADR2,
ADR3, ADR6), business partners (BP000, BP030), users (USR03), and credit cards (VCNUM). Other
master data tables containing employment, date of birth, citizenship, identification number, tax, and
credit data should be scoped. Also, some solutions, such as SAP Patient Relationship Management, keep
very sensitive information. The information system repository in SAP ABAP can be used to list all
the tables containing fields with personal information in the program Where-Used List for Domain in
Tables (RSCRDOMA).
Personal information on employees is stored in SAP HCM infotypes. It typically includes personal
data for ethnic origin, military status, and disability (infotypes 0002 and 0077), severely challenged
persons (infotype 0004), addresses (infotype 0006), bank details (infotype 0009), related person
(infotype 0021), internal medical services (infotype 0028 with all the subtypes), and residence status
(infotype 0094). Personal information from applicants is usually included in the employee base. The
SAP country-specific features may widen the scope of personal information.
During the scope planning, it is important to validate with the business owners why the personal
information is collected for the impact assessment. Confirming the specific and legitimate needs
of keeping personal information with business experts is highly advisable. Also, understanding the
business need for each type of information helps to define responsible contact and data retention
requirements and to show how data is transferred and interfaced between the SAP system and
other systems and organizations. Reducing the amount of personal information will facilitate the
preparation by mitigating risk in the SAP system.
2. Audit the Access Rights to Transactions and Authorization Objects
Once it is understood where personal information is stored, it can be protected accordingly. Since the
new GDPR applies to more data from non-European organizations, the review of the access rights
needs to be updated, improved, and well documented. User roles and access permissions should be
adjusted to the least privilege.
The access rights audit consists of the review of transaction codes and the authorization objects
with their field values. The transaction codes to access the data in scope and its reports for roles
and users should be validated with business process owners. All unnecessary and unused roles and
transactions should be revoked.
As a general reference, the main transaction codes to access master data tables include:
• Create, change and display customers, prospects, and contact persons (XD0*, VD0*, VAP*) and
reporting-related lists (S_ALR_87012179, S_ALR_87012180)
• Create, change, and display vendors (XK0*, MK0*) and reporting-related lists (S_ALR_87012086)
• Create, change, and display employee (PA10, PA20, PA30) and applicant (PB10, PB20, PB30) files
• Create and maintain bank master data (FI01, FI02, FI06) and business partners (BP, BUP1)
• Maintain general tables (SE11, SM30, SM31)
• Browse data (SE16) and display a table (SE16N)
After the transactions granted to users and roles are adjusted, the review focuses on access to
objects. It can be done by using SAP GRC solutions and other tools. Reviewing the access to objects
by roles and users is the most effective approach for this work.
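The following is an added example (not part of the article) of the kind of cross-check an access review can run once the role-to-authorization assignments and the user-to-role assignments have been exported. It matches the granted values of the standard authorization object S_TCODE (field TCD) against the personal-data transactions listed above, taking SAP's trailing-asterisk wildcard and LOW/HIGH value ranges into account, and flags roles that grant the S_TABU_DIS authorization group "*", which opens every table to SE16-style browsing. The row layout mirrors the AGR_1251 and AGR_USERS tables; the role names, users and authorization values are constructed.

```python
# Added example: which users can reach transactions that expose personal data?
# Input rows follow the AGR_1251 (role, object, field, LOW, HIGH) and AGR_USERS
# (user, role) layouts; all role names, users and values below are constructed.

SENSITIVE_TCODES = [
    "XD0*", "VD0*", "VAP*", "S_ALR_87012179", "S_ALR_87012180",  # customers, prospects, contacts
    "XK0*", "MK0*", "S_ALR_87012086",                            # vendors
    "PA10", "PA20", "PA30", "PB10", "PB20", "PB30",               # employees and applicants
    "FI01", "FI02", "FI06", "BP", "BUP1",                         # bank master data, business partners
    "SE11", "SM30", "SM31", "SE16", "SE16N",                      # table maintenance and browsing
]

def covers(low, high, pattern):
    """Does a granted S_TCODE value (LOW with optional HIGH) reach any transaction matched
    by `pattern`?  Models SAP's trailing '*' wildcard and lexical LOW-HIGH ranges; both the
    granted value and the pattern may carry the wildcard."""
    p_wild = pattern.endswith("*")
    p = pattern.rstrip("*")
    if high:                                   # range such as FB01 - FB99
        if p_wild:
            return low <= p <= high or low.startswith(p)
        return low <= pattern <= high
    g_wild = low.endswith("*")
    g = low.rstrip("*")
    if g_wild and p_wild:
        return g.startswith(p) or p.startswith(g)
    if g_wild:
        return p.startswith(g)                 # "PA10" is reachable through "PA*"
    if p_wild:
        return g.startswith(p)                 # "XD03" falls under the pattern "XD0*"
    return g == p

def users_with_pii_access(agr_1251, agr_users, sensitive=SENSITIVE_TCODES):
    """Per user: every (role, granted value, matched pattern) triple plus a flag for
    unrestricted table access (S_TABU_DIS / DICBERCLS = '*')."""
    by_role = {}
    for role, obj, field, low, high in agr_1251:
        by_role.setdefault(role, []).append((obj, field, low, high))
    report = {}
    for user, role in agr_users:
        entry = report.setdefault(user, {"hits": [], "unrestricted_tables": False})
        for obj, field, low, high in by_role.get(role, []):
            if obj == "S_TCODE" and field == "TCD":
                for pattern in sensitive:
                    if covers(low, high, pattern):
                        entry["hits"].append((role, low, pattern))
            elif obj == "S_TABU_DIS" and field == "DICBERCLS" and low == "*":
                entry["unrestricted_tables"] = True
    for entry in report.values():
        entry["hits"].sort()
    return report

# Constructed sample export: (role, object, field, LOW, HIGH)
AGR_1251 = [
    ("Z_SALES_DISPLAY", "S_TCODE",    "TCD",       "XD03", ""),
    ("Z_SALES_DISPLAY", "S_TCODE",    "TCD",       "VA01", ""),
    ("Z_BASIS_ALL",     "S_TCODE",    "TCD",       "*",    ""),
    ("Z_BASIS_ALL",     "S_TABU_DIS", "DICBERCLS", "*",    ""),
    ("Z_HR_ADMIN",      "S_TCODE",    "TCD",       "PA*",  ""),
    ("Z_HR_ADMIN",      "S_TABU_DIS", "DICBERCLS", "PA",   ""),
    ("Z_FI_CLERK",      "S_TCODE",    "TCD",       "FB01", "FB99"),
    ("Z_FI_CLERK",      "S_TCODE",    "TCD",       "FI01", ""),
]
# Constructed sample export: (user, role)
AGR_USERS = [("ALICE", "Z_SALES_DISPLAY"), ("BOB", "Z_BASIS_ALL"),
             ("CAROL", "Z_HR_ADMIN"), ("DAVE", "Z_FI_CLERK"), ("DAVE", "Z_SALES_DISPLAY")]

if __name__ == "__main__":
    for user, entry in users_with_pii_access(AGR_1251, AGR_USERS).items():
        print(user, "unrestricted tables" if entry["unrestricted_tables"] else "",
              *entry["hits"], sep="\n  ")
```

The output for the sample is a list per user that the data owner can sign off or reject; the wildcard handling matters because a role granting `*` or `PA*` never names the sensitive transaction explicitly and is easy to miss in a search for exact transaction codes.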
3. Obtain or Update Consent from SAP Users
All European SAP users should be explicitly notified about the personal data collected and used, and
their consent should be obtained. This requirement may be implemented by setting a data privacy pop-up message at
the SAP log-on screen with a specific consent message ensuring opt-in and withdraw choices. The
pop-up message should be specific to address this requirement, should be clearly written in the local
language to explain the use of personal information, and should ask for an action from the user. The
consent message displayed to users should inform about the type of personal data that is collected,
processed, disclosed, and transferred, and how their activity is logged. Users should also be informed
about their rights, for instance, to access and to correct their own personal information. Transaction
SUIM or report RSUSR002 can be used to filter which users should provide consent, for instance,
users located in the European Union.
When personal data is transferred from an SAP system to third parties, such as insurance and
medical companies, the consent should cover these cases.
4. Monitor How an SAP System Exports and Transfers Personal Data
Compliance for the new GDPR requires auditing of SAP logs to detect risky behaviors by users. All
downloads of private information should be strictly justified by a business need, protected, erased
when it is no longer needed, and authorized by the compliance function. For instance, exportation
of reports by the SAP List Viewer (ALV) without business justification is considered a data breach to
report.
The preparation project should plan how, by whom, and how often the SAP security logs will be
reviewed for downloaded data with private information. The protection of downloaded sensitive
information outside the SAP system is a related issue to address in a readiness plan.
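As an added illustration of the log review described in this section (not part of the article), the script below runs three checks over a constructed, simplified export of download events: an export from a personal-data transaction by a user without a justification approved by the compliance function, a bulk export above a size threshold, and an export outside business hours. The pipe-separated layout, the 10 MiB threshold, the 07:00 to 18:59 window and the ticket reference are all assumptions made for the example; the real Security Audit Log (SM20) has its own format and would need its own parser.

```python
# Added example: review constructed download events for risky exports of personal data.
from datetime import datetime

# Constructed, simplified export (timestamp|user|transaction|event|bytes|target file).
# This is not the SM20 / Security Audit Log layout.
SAMPLE_LOG = """\
2018-03-05 09:12:44|ALICE|XD03|DOWNLOAD|20480|C:\\Users\\alice\\cust_0000100001.xlsx
2018-03-05 09:40:10|BOB|SE16|DOWNLOAD|52428800|C:\\Temp\\KNA1_full.xlsx
2018-03-05 11:00:00|BOB|SE16|LOGON|0|
2018-03-05 23:15:02|CAROL|PA20|DOWNLOAD|1048576|C:\\Users\\carol\\pa_export.txt
2018-03-05 10:02:33|DAVE|VA03|DOWNLOAD|4096|C:\\Users\\dave\\order.pdf
"""

# Transactions from the article's master-data list that expose personal data.
IN_SCOPE_EXACT = {"PA10", "PA20", "PA30", "PB10", "PB20", "PB30", "SE16", "SE16N",
                  "S_ALR_87012179", "S_ALR_87012180", "S_ALR_87012086"}
IN_SCOPE_PREFIX = ("XD0", "VD0", "VAP", "XK0", "MK0")

def in_scope(tcode):
    return tcode in IN_SCOPE_EXACT or tcode.startswith(IN_SCOPE_PREFIX)

BULK_BYTES = 10 * 1024 * 1024    # constructed threshold: 10 MiB in a single download
BUSINESS_HOURS = range(7, 19)    # constructed window: 07:00 to 18:59 local time

def parse(log_text):
    """Yield one event dict per non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, tcode, event, size, target = line.split("|", 5)
        yield {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
               "tcode": tcode, "event": event, "bytes": int(size), "target": target}

def detect(log_text, justified):
    """Return (sorted findings, bytes exported per user). `justified` maps a user to the
    business justification recorded by the compliance function; an export of in-scope data
    without one is a finding, as is a bulk or off-hours export."""
    findings = set()
    per_user_bytes = {}
    for ev in parse(log_text):
        if ev["event"] != "DOWNLOAD" or not in_scope(ev["tcode"]):
            continue
        per_user_bytes[ev["user"]] = per_user_bytes.get(ev["user"], 0) + ev["bytes"]
        if ev["user"] not in justified:
            findings.add((ev["user"], "unjustified export", ev["tcode"]))
        if ev["bytes"] >= BULK_BYTES:
            findings.add((ev["user"], "bulk export", ev["tcode"]))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.add((ev["user"], "off-hours export", ev["tcode"]))
    return sorted(findings), per_user_bytes

# Constructed register of approved justifications.
JUSTIFIED = {"ALICE": "TICKET-1234: customer complaint case"}

if __name__ == "__main__":
    findings, totals = detect(SAMPLE_LOG, JUSTIFIED)
    for user, rule, tcode in findings:
        print(f"{user:6} {rule:20} via {tcode} ({totals[user]} bytes exported)")
```

With the sample, ALICE's small, justified export during office hours produces no finding, DAVE's export comes from a transaction outside the scope, while BOB (bulk, unjustified SE16 dump) and CAROL (unjustified, late-night PA20 export) are reported for follow-up.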
The GDPR recognizes data transfer mechanisms to recipients outside the European Union, such
as the adherence to an approved Code of Conduct. SAP services, including cloud storage, remote
access, and global employee databases, need to implement a lawful data transfer mechanism. SAP
experts should review the business operations to identify circumstances in which private information
is transferred to recipients located outside Europe.
5. Define Action Plans to Anonymize Personal Data
The GDPR recommends the use of data pseudonymization to prevent unauthorized access to
personal data. Pseudonymization is a technique whereby the personal data records are replaced by
dummy codes to make it impossible to identify the people in question. Pseudonymization still allows
some authorized relevant users to display the original master data. Pseudonymization is generally
used by SAP Healthcare solutions to protect the identity of patients.
It is particularly relevant for non-productive environments when granting access to developers,
testers, functional analysts, and contract workers. Encryption and data scrambling are also valid
action plans. SAP delivers solutions for protecting data in development and testing environments
(e.g., SAP TDMS HCM 4.0). Data scrambling is a technique used to scramble critical data sets, so the
original personal data is no longer visible to the users of the non-productive systems copied from
production.
The preparation project should consider how to assure that personal data does not leave the
productive environment.
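The distinction between pseudonymization (reversible for a few authorized users) and scrambling for non-productive copies (irreversible, but consistent across tables so joins still work) is easier to see in code. The example below is added here and is not code from the article or from SAP; it uses customer-master field names in the style of KNA1 and KNBK with made-up rows, a keyed HMAC to derive the pseudonym codes, a hypothetical role Z_PII_REIDENTIFY that gates re-identification, and a format-preserving hash for scrambling.

```python
# Added example: pseudonymization (reversible, vault-backed) versus scrambling (one-way).
import hashlib
import hmac

# Constructed selection of customer-master fields treated as personal data.
PII_FIELDS = ("NAME1", "STRAS", "TELF1", "BANKN")

class Pseudonymizer:
    """Replace PII fields with HMAC-derived codes; originals go to a vault that only a
    holder of the (hypothetical) re-identification role may query."""
    REIDENTIFY_ROLE = "Z_PII_REIDENTIFY"

    def __init__(self, key: bytes):
        self._key = key          # secret; keep it out of the non-productive landscape
        self._vault = {}         # KUNNR -> original PII values, stored apart from the data

    def _code(self, kunnr: str, field: str) -> str:
        mac = hmac.new(self._key, f"{kunnr}|{field}".encode(), hashlib.sha256)
        return "P-" + mac.hexdigest()[:12].upper()

    def pseudonymize(self, record: dict) -> dict:
        kunnr = record["KUNNR"]
        self._vault[kunnr] = {f: record[f] for f in PII_FIELDS if f in record}
        return {f: (self._code(kunnr, f) if f in PII_FIELDS else v) for f, v in record.items()}

    def reidentify(self, record: dict, user_roles) -> dict:
        if self.REIDENTIFY_ROLE not in user_roles:
            raise PermissionError("re-identification not authorized")
        return {**record, **self._vault[record["KUNNR"]]}

def scramble(record: dict, salt: bytes) -> dict:
    """One-way, format-preserving scrambling for copies of production: the same salt and
    value always give the same output, so KNA1 and KNBK rows still join on KUNNR, but
    there is no vault and nothing to undo it with."""
    def scramble_value(field, value):
        digest = hashlib.sha256(salt + f"{field}|{value}".encode()).digest()
        out = []
        for i, ch in enumerate(value):
            b = digest[i % len(digest)]
            if ch.isdigit():
                out.append(str(b % 10))
            elif ch.isalpha():
                letter = chr(ord("A") + b % 26)
                out.append(letter if ch.isupper() else letter.lower())
            else:
                out.append(ch)   # spaces and punctuation keep the layout usable for testing
        return "".join(out)
    return {f: (scramble_value(f, v) if f in PII_FIELDS else v) for f, v in record.items()}

# Constructed rows in the style of KNA1 (general customer data) and KNBK (bank details).
KNA1_ROW = {"KUNNR": "0000100001", "NAME1": "Maria Example", "STRAS": "Example Street 12",
            "TELF1": "+34 600 000 000", "LAND1": "ES"}
KNBK_ROW = {"KUNNR": "0000100001", "BANKN": "ES9121000418450200051332", "BANKS": "ES"}

def demo():
    """Run both techniques over the sample rows and return what each yields."""
    p = Pseudonymizer(b"constructed-key-kept-in-a-vault")
    masked = p.pseudonymize(KNA1_ROW)
    try:
        p.reidentify(masked, {"Z_SALES_DISPLAY"})
        denied = False
    except PermissionError:
        denied = True
    restored = p.reidentify(masked, {Pseudonymizer.REIDENTIFY_ROLE})
    scrambled = scramble(KNA1_ROW, b"nonprod-salt")
    again = scramble(KNA1_ROW, b"nonprod-salt")
    return {"masked": masked, "denied": denied, "restored": restored,
            "scrambled": scrambled, "deterministic": scrambled == again,
            "scrambled_bank": scramble(KNBK_ROW, b"nonprod-salt")}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that scrambling preserves equality: two customers with the same phone number scramble to the same value. That is what keeps joins intact, and also why the scrambled copy is still pseudonymous data that must stay inside the test landscape rather than truly anonymous data.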
The GDPR brings in privacy-by-default and privacy-by-design approaches to encourage privacy to be a
cornerstone of software and services development. Contracting with SAP developers will be required
to assure that the appropriate security strategy is set at the conceptual design. Tendering of new
developments should consider the impact of these requirements.
6. Define Action Plans to Block and Erase Personal Data
The GDPR requires organizations to erase personal data without undue delay when it is no longer
needed or when an employee, client, or other third party objects to the inclusion of the data and
exercises the right to be forgotten. Personal information is not erased in an SAP system, but is
blocked to comply with document retention rules and to maintain the data integrity between tables.
Once it is recorded in an SAP system, data cannot be properly erased in a legal sense. Blocking
information prevents further retrieval or processing.
SAP delivers enhancement packages to block master data until an expiration date (e.g., ERP_CVP_ILM_1).
Access to blocked data can be granted to admin users for reversals. SAP Information
Lifecycle Management (SAP ILM) addresses the process to delete information after business rules
are met. SAP experts should plan how to address the blocking and deletion requirements to license
the proper business solution and to adjust the data management policy.
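To make the block-then-delete lifecycle concrete, here is an added example (not code from the article, and not how SAP ILM is implemented) of a small lifecycle manager. A record stays active until its business purpose ends, is then blocked for a retention period during which only a hypothetical admin role Z_ILM_ADMIN can read it (for reversals), and only becomes deletable once retention has run out; an erasure request ends the purpose immediately, so the record is blocked at once even though it cannot yet be deleted. The ten-year retention period and the customer row are constructed.

```python
# Added example: blocking, authorized reversal access, and deletion after retention.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class MasterRecord:
    kunnr: str
    name1: str
    end_of_purpose: Optional[date] = None   # date on which the last business purpose ended
    destroyed: bool = False

class LifecycleManager:
    ADMIN_ROLE = "Z_ILM_ADMIN"   # hypothetical role allowed to read blocked data for reversals

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.audit = []          # (date, user, action, kunnr): evidence for the data protection officer

    def state(self, rec: MasterRecord, today: date) -> str:
        if rec.destroyed:
            return "DESTROYED"
        if rec.end_of_purpose is None or today < rec.end_of_purpose:
            return "ACTIVE"
        if today < rec.end_of_purpose + self.retention:
            return "BLOCKED"
        return "DELETABLE"

    def request_erasure(self, rec: MasterRecord, today: date, user: str) -> str:
        """Right to be forgotten: end the purpose now, so the record is blocked immediately,
        while the retention rule still decides when it may actually be destroyed."""
        if rec.end_of_purpose is None or rec.end_of_purpose > today:
            rec.end_of_purpose = today
        self.audit.append((today, user, "ERASURE_REQUESTED", rec.kunnr))
        return self.state(rec, today)

    def read(self, rec: MasterRecord, today: date, user: str, roles) -> dict:
        st = self.state(rec, today)
        if st == "DESTROYED":
            raise LookupError("record no longer exists")
        if st != "ACTIVE" and self.ADMIN_ROLE not in roles:
            self.audit.append((today, user, "READ_DENIED", rec.kunnr))
            raise PermissionError("record is blocked")
        self.audit.append((today, user, "READ", rec.kunnr))
        return {"KUNNR": rec.kunnr, "NAME1": rec.name1}

    def destroy(self, rec: MasterRecord, today: date, user: str) -> bool:
        """Remove the personal fields once retention has expired; the key stays so that
        references from other tables remain consistent."""
        if self.state(rec, today) != "DELETABLE":
            return False
        rec.name1 = ""
        rec.destroyed = True
        self.audit.append((today, user, "DESTROYED", rec.kunnr))
        return True

def demo():
    """Walk one constructed customer record through the lifecycle and return each step."""
    mgr = LifecycleManager(retention_days=3650)          # constructed ten-year retention
    rec = MasterRecord("0000100001", "Maria Example")
    day0 = date(2018, 6, 1)
    steps = {"initial": mgr.state(rec, day0)}
    steps["after_request"] = mgr.request_erasure(rec, day0, "DPO")
    try:
        mgr.read(rec, day0 + timedelta(days=1), "CLERK", {"Z_SALES_DISPLAY"})
        steps["clerk_denied"] = False
    except PermissionError:
        steps["clerk_denied"] = True
    steps["admin_read"] = mgr.read(rec, day0 + timedelta(days=1), "ADMIN", {"Z_ILM_ADMIN"})
    early = mgr.destroy(rec, day0 + timedelta(days=365), "ILM_JOB")
    later = day0 + timedelta(days=3650)
    steps["early_destroy"] = early
    steps["state_after_retention"] = mgr.state(rec, later)
    steps["destroyed"] = mgr.destroy(rec, later, "ILM_JOB")
    steps["final"] = mgr.state(rec, later)
    steps["audit_actions"] = [a for _, _, a, _ in mgr.audit]
    return steps

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```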
7. Ask for Advice and Support
Many organizations are required to appoint a lead for data protection and security. This data
protection officer role is expected to set the rules for data privacy and to provide evidence of controls.
SAP experts could benefit from this new position to get advice and training about processing data
and conducting internal reviews and data privacy risk assessments.
Legal advisors specializing in data privacy can help an organization validate the preparation plan,
in particular setting the scope, data retention requirements, and cross-border data transfers. SAP
experts need legal advice to support data protection by setting security features and blocking or
deleting of personal data. Liaising with functional analysts is also advisable to identify realistic action
plans since they understand the user needs and behaviors.
There are many additional stakeholders to properly prepare for the GDPR since it places many
responsibilities at the senior executive level. The regulation creates and increases compliance
obligations on controllers to document processing activities and to implement policies. Departments
responsible for risk management, audit, and compliance will be interested in supporting a preparation
project.
The financial and human budget for preparation will vary significantly depending on the seriousness
and complexity of the privacy risks. Getting the support from upper management is critical for the
success of the preparation efforts.
Experts in SAP systems should lead organizations to prepare changes in policies, people, and control
practices to adopt the data protection principles mandated by the GDPR. It affects anyone based in the
European Union or handling personal data of European Union residents. Identifying available options in
the SAP system to mitigate the related compliance risks should start now. The scale of sanctions and
legal requirements means that actual compliance is a must.
For more general information about the preparedness for the GDPR, go to: https://www.linkedin.com/pulse/ready-new-eu-general-data-protection-regulation-6-huwyler-mba-cpa?trk=prof-post.
Hernan Huwyler is a CPA and MBA who specializes in risk management,
compliance, and internal controls for multinational companies. He works in
developing IT and SAP controls to address regulatory and legal requirements in
European and American companies. He served as Risk Management and Internal
Control Director for Veolia, leading governance practices in Iberia and Latin
America. He previously worked for Deloitte, ExxonMobil, Baker Hughes, and Tenaris.
Be Compliant, Stay Compliant
How Policies, Procedures, Protocol, and People Help You Tackle GDPR
by James Baird | SAPinsider, Volume 18, Issue 4
November 7, 2017
The General Data Protection Regulation (GDPR) — a new data privacy regulation in Europe — will
affect any organization that handles the personal data of EU residents, regardless of whether
it is located in the EU. With the regulation going into effect in May 2018, and stiff fines for non-compliance,
now is the time to establish a process for adherence. Learn how SAP customers can
ensure compliance with the GDPR by focusing on four critical areas: policies, procedures, protocol,
and people.
The General Data Protection Regulation (GDPR) is a new privacy regulation in Europe that protects the
personal data for any individual based in the European Union (EU), regardless of citizenship or where
the data is held. It applies to any organizations located inside or outside the EU if they offer goods
or services to — or monitor the behavior of — EU data subjects. The GDPR will be enforced in May
2018 and outlines strict fines for companies found to be out of compliance. Now is the time for SAP
customers to establish a process for adhering to the necessary requirements.
To be compliant — and stay compliant — with the GDPR, companies need to be mindful of four critical
areas: policies, procedures, protocol, and people (see Figure 1).
1. Policies
Identify a risk team to conduct a risk assessment. Evaluate and determine which data falls under the
GDPR, where that data resides, and how it moves through the system. Once the inventory of personal
data is complete, establish a policy for handling that data in compliance with the regulation. There
should also be a policy around proper security controls to prevent external or internal exposure of
personal data. All potential risks should be categorized and relayed to data stewards or owners before
a specific policy is put in place.
2. Procedures
Existing procedures for collecting and storing data must be adapted to be fully GDPR compliant. In
some cases, this may require an overhaul of existing procedures. In others, retained information may
no longer be required, thus eliminating some procedures altogether. Examples of well-established
procedures that will need to be reexamined include informing individuals when and why personal data
is collected and requesting that individuals give explicit consent to retain personal information.
3. Protocol
Develop a protocol for how you will handle situations in which individuals want to invoke the GDPR.
You need to consider areas such as: Who will be responsible for handling inbound requests? What is
the procedure for addressing said request? What are the cases where information needs to be kept
for legal, business, or other reasons? Each area should be thoroughly considered with the protocol
clearly communicated to all key stakeholders.
4. People
Educate your customers, vendors, and employees about the GDPR and relay the steps you are taking
to safeguard their personal information. Let them know how much you value their privacy and your
role as the custodian of their personal data. Be sure to give them peace of mind that you are taking
the regulation seriously and approaching it carefully and swiftly. In the end, they will thank you — and
your organization can rest assured that you are in full compliance.
Figure 1: Policies, procedures, protocol, and people are critical to GDPR compliance
The GDPR will affect SAP customers worldwide, regardless of whether they are located in the EU.
With strict fines and regulations, non-compliance could be costly for the unprepared company.
By building your approach to the GDPR around these four critical areas, you can ensure that your
company is compliant and stays compliant in the future. To learn more, visit www.dolphin-corp.com/compliance.
James Baird
Senior Data Consultant
Dolphin Enterprise Solutions Corporation
Learn How to Prepare Your User Access Review to Comply with the General Data Protection Regulation (GDPR)
by Hernan Huwyler, Risk and Compliance Expert
July 24, 2017
Reviewing the user and database access in your SAP system to prepare for the new General Data
Protection Regulation (GDPR) in the European Union has some particular requirements. Controls
should be reinforced on user and database rights to access tables with personal information.
Documentation, validation, and coordination should also be more comprehensive.
Key Concept
Organizations holding or processing personal data of European Union residents should align their
SAP system access review with the General Data Protection Regulation (GDPR) readiness project to
focus on rights to display, list, and download tables with personal information. SAP system managers
should perform the access controls in collaboration with the compliance and the operations
departments.
Compliance with the General Data Protection Regulation (GDPR) requires improving SAP data
governance in companies collecting, using, and transferring personal data of European Union (EU)
residents. These new privacy rules become effective on May 25, 2018, and also apply to companies
based outside the EU if they offer products or services in the EU single market.
The review of who has access to what (also called access certification) to comply with this regulation
needs to be performed by a control methodology that differs from the one normally used. The
access review for GDPR compliance should cover master data of employees, candidates, vendors,
contractors, clients, suppliers, and business partners, as well as any other standard or custom table
or table field containing personal information (see my previous SAP Experts article, “How to Prepare
Your SAP System for the New European Union General Data Protection Regulation”). This article
contains tips to adjust and improve the user access review to comply with the GDPR.
Note
For more information about GDPR, attend SAPinsider’s GDPR Bootcamp for SAP Customers in
Copenhagen and Chicago. For more information about this bootcamp, click here.
Performing the SAP user access review for GDPR compliance has particularities. While the review
of access to create, change, and delete transactions, critical object authorizations, and segregation
of duties is performed by frequent well-defined controls, the review of listing and display access for
personal information is generally not covered in depth. SAP system managers have developed strong
access controls over displaying sensitive financial information in budgets and business planning
over time. However, access to personal information has gotten much less attention. The user and
database access review should now consider the need to align controls to the GDPR project and the
documentation for compliance.
It is important that SAP system managers interview the GDPR sponsors in organizations, such as
the compliance officer and the legal department, to clarify their expectations and requirements.
Some organizations focused on monitoring personal information or processing sensitive data on
a large scale should appoint a data protection officer as the leading privacy sponsor. SAP system
managers involved in access security should closely communicate with these GDPR sponsors. This
communication with the GDPR sponsors ultimately allows SAP system managers to engage the
business line in supporting changes.
During the early stages of a GDPR compliance project, personal information is mapped for SAP-system
and non-SAP-system data. This task allows the identification and classification of all personal
information processed by an organization to populate an inventory. Also, where data privacy breach
risks are high, a privacy impact assessment is done to allow identification of risks and prioritization of
control actions.
The privacy impact assessment covers risks of users exporting or downloading tables or reports
containing personal information. The assessment covers the unauthorized access to critical tables
and the transmission of databases with personal information inside and outside the organization. It
also covers current and recommended control practices for key risks.
The resulting inventory of personal data processed in the SAP environments is the starting point for
a proper access review for the GDPR. Be sure to ask for the personal information inventory and the
impact assessment when performing the SAP access review. SAP system managers should also ask
to receive any update or change on these documents.
The inventory of personal data should assign a responsible senior process manager as the data
owner. This data owner is accountable for performing and documenting the access review for each
respective SAP module. The data owners are not usually part of the SAP or the IT departments,
but rather, they are part of the department relevant for each SAP module (for instance, a CFO or an
accounting process manager for SAP Financial Accounting [FI] and Controlling [CO]). Be sure to get
a final validation of the user review for the data owners of all SAP modules under the scope of the
GDPR.
Access of employees should be controlled against the acknowledgment of the data privacy policy
and the consents. Policies and consents are being updated to include the new data privacy principles
set by the GDPR. The consents describe the purpose and how the personal data is used. Contacting
the legal and compliance departments can be helpful in coordinating the access review under
solid control practices. Following standard controls to ensure compliance with the GDPR and other
requirements, such as Sarbanes-Oxley, other privacy laws, and internal policies, avoids duplicating
tasks.
SAP roles should be updated to limit access to reports and transactions displaying personal
information to those with a legitimate purpose (the principle of least privilege or need to know). User
and database roles granting access to view sensitive personal data, such as the employees’ medical
history and trade union association, should be limited to only a few intended users and compared
against the explicit consents given by such employees. Any right allowing listing and exporting of a
large amount of personal information should be properly justified by the data owner who knows about
its business requirements. The data owner who is assigned in the personal data inventory should also
act as a role custodian for each SAP module as a best practice.
Some categories of users create high privacy risks. The data owners should properly analyze and
validate these groups of users. In general, users related to these business functions are exposed to
high risks:
• Human resources, including recruiting
• Marketing, billing, and customer management
• Accounts receivable and payable, and treasury
• SAP system administration and development
• Auditing and controlling
• Outsourced functions to external consultants and other vendors
In practice, SAP system managers may identify many needs to revoke viewing accesses for roles
and users. If the importance of the GDPR project is not well communicated across an organization,
operational areas may start to resist the project. In this case, SAP system managers should ask for
support of the GDPR sponsors to communicate both the risks of data misuse and the compliance
requirements. It is important to document how the accesses are revoked during the review by
creating user access forms.
Access of third-party vendors such as contractors, consultants, and other non-employees should
be matched against the existence of confidentiality and privacy clauses in their contracts. Also, the
roles assigned to them should be minimal to perform their contractual obligations if they need to
display or manage personal information in the SAP systems. The review of these roles should also
cover access to the testing and productive environments and access to backups of SAP data. Privileges granted
to developers, including object permissions, should also be closely reviewed when accessing the SAP
system involves personal information of employees, clients, suppliers, and other third parties.
The access review for displaying, listing, and extracting personal information in SAP systems is a
critical control to comply with the GDPR. It requires changing how the user review is performed for all
SAP systems. A breach of data privacy is and will remain at the top of business risks that SAP system
managers need to prevent. SAP system managers have a relevant role to protect not only personal data
but also the reputation of their organizations.
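The review described above can be scripted. The following is an added example, not code from the article: it runs over a constructed export of user-role-transaction assignments (the fields a reviewer would pull from AGR_USERS and AGR_TCODES), a constructed list of users with their business function and contractual status, and produces the findings a data owner would put on the access form. The transaction codes are standard SAP ones, but their grouping into data categories, the needs assigned to each function, and all sample users and roles are this example's assumptions.

```python
"""Review of display access to personal data in SAP, by user and function."""
from collections import defaultdict
from dataclasses import dataclass

# Transactions that display, list or extract personal data and the category of
# data subject they expose (assumption: standard SAP transaction codes, but the
# grouping is this example's own).
PERSONAL_DATA_TCODES = {
    "PA20": "employee", "PA30": "employee", "PB20": "applicant",
    "XD03": "customer", "VD03": "customer", "S_ALR_87012179": "customer",
    "XK03": "vendor", "MK03": "vendor", "BP": "business_partner",
    # Generic table access bypasses every application-level restriction.
    "SE16": "any_table", "SE16N": "any_table", "SM30": "any_table",
}

# Categories each business function may legitimately display (assumption).
FUNCTION_NEEDS = {
    "HR": {"employee", "applicant"},
    "SALES": {"customer", "business_partner"},
    "FINANCE": {"customer", "vendor", "business_partner"},
    "BASIS": set(),   # administrators do not need to browse personal data
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    tcode: str
    system: str   # "PRD" (productive) or a test/quality system such as "QAS"


@dataclass(frozen=True)
class User:
    user_id: str
    function: str
    external: bool                # contractor, consultant or vendor staff
    confidentiality_clause: bool  # privacy clause present in the contract


def review(users, assignments):
    """Return findings as (user, severity, reason) tuples, sorted.

    Severity is "high" in productive systems and "medium" in test systems;
    test environments are reviewed too, as the article asks.
    """
    exposure = defaultdict(set)
    for a in assignments:
        if a.tcode in PERSONAL_DATA_TCODES:
            exposure[a.user].add((a.tcode, a.role, a.system))

    findings = []
    for u in users:
        needs = FUNCTION_NEEDS.get(u.function, set())
        items = sorted(exposure.get(u.user_id, ()))
        for tcode, role, system in items:
            sev = "high" if system == "PRD" else "medium"
            cat = PERSONAL_DATA_TCODES[tcode]
            if cat == "any_table":
                findings.append((u.user_id, sev, f"{tcode} via {role} in {system} exposes every table"))
            elif cat not in needs:
                findings.append((u.user_id, sev,
                                 f"{tcode} via {role} in {system} shows {cat} data outside function {u.function}"))
        if items and u.external and not u.confidentiality_clause:
            findings.append((u.user_id, "high",
                             "external user displays personal data without a confidentiality clause"))
    return sorted(findings)


def revocation_form(findings):
    """Group findings per user: the content of the user access form the article asks to keep."""
    form = defaultdict(list)
    for user, sev, reason in findings:
        form[user].append(f"[{sev}] {reason}")
    return dict(form)


# Constructed sample data (not from any real system).
SAMPLE_USERS = [
    User("JDOE", "HR", external=False, confidentiality_clause=True),
    User("ASMITH", "SALES", external=False, confidentiality_clause=True),
    User("CONS01", "FINANCE", external=True, confidentiality_clause=False),
    User("BASIS1", "BASIS", external=False, confidentiality_clause=True),
]
SAMPLE_ASSIGNMENTS = [
    Assignment("JDOE", "Z_HR_DISPLAY", "PA20", "PRD"),
    Assignment("JDOE", "Z_HR_DISPLAY", "PB20", "PRD"),
    Assignment("ASMITH", "Z_SD_DISPLAY", "XD03", "PRD"),
    Assignment("ASMITH", "Z_SD_DISPLAY", "PA20", "PRD"),   # HR transaction inside a sales role
    Assignment("CONS01", "Z_FI_DISPLAY", "XK03", "PRD"),
    Assignment("CONS01", "Z_FI_DISPLAY", "SE16N", "QAS"),  # table browsing in the test system
    Assignment("BASIS1", "Z_BASIS_ADMIN", "SE16", "PRD"),
    Assignment("BASIS1", "Z_BASIS_ADMIN", "SM59", "PRD"),  # not a personal-data transaction
]

if __name__ == "__main__":
    for user, lines in revocation_form(review(SAMPLE_USERS, SAMPLE_ASSIGNMENTS)).items():
        print(user, *lines, sep="\n  ")
```

In the sample, the HR user has only what the HR function needs and produces no finding; the sales user carries an HR display transaction inside a sales role; the external consultant has table browsing in the test system and no confidentiality clause; and the administrator has SE16 in production. Generic table access is reported regardless of function because it sidesteps every application-level check.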
Hernan Huwyler is a CPA and MBA who specializes in risk management,
compliance, and internal controls for multinational companies. He works in
developing IT and SAP controls to address regulatory and legal requirements in
European and American companies. He served as Risk Management and Internal
Control Director for Veolia, leading governance practices in Iberia and Latin
America. He previously worked for Deloitte, ExxonMobil, Baker Hughes, and Tenaris.
Meeting Modern Data Protection Requirements
How SAP Business Suite Helps You Comply with the Latest Data Protection
Regulations
by Volker Lehnert | SAPinsider, Volume 18, Issue 3
August 24, 2017
As the volume of data collected by organizations continues to increase, so too do regulations
designed to protect data from misuse, particularly when it comes to personal data. One of these is
the European General Data Protection Regulation (GDPR), which goes into full effect on May 25th,
2018, and has global implications — it applies to any company that processes the personal data of
people in the EU, whether or not that company is physically located within the EU. Learn how basic
technical features and security safeguards included with SAP Business Suite applications help you
comply with key areas of the GDPR data protection legislation and avoid the risk of steep fines due to
violations.
Modern business systems are a treasure trove of highly sensitive information, such as the names,
contact information, and various financial and health details for an organization’s current and
former employees and family members, as well as valuable information about business partners,
shareholders, and customers. As the volume and types of data collected continue to increase through
smart devices, social media, and other technologies, so too have laws and regulations designed to
protect this data from misuse.
One of these regulations is the European General Data Protection Regulation (GDPR) — a regulation
intended to strengthen the protection of personal data for individuals within the European Union (EU).
The GDPR goes into full effect on May 25th, 2018, replacing the existing data protection directive
95/46/EC with a wider scope and increased penalties for non-compliance. In particular, the GDPR
significantly broadens the definition of personal data and it applies to any company — whether that
company is physically located within or outside of the EU — that processes data, offers services or
goods, or monitors the behavior of people in the EU.
The GDPR will have global implications, changing IT landscapes worldwide. So, what does this mean
for those processing data with SAP Business Suite applications? This article shows you how basic
technical features and security safeguards included with SAP Business Suite applications help you
comply with key areas of the GDPR data protection legislation. In particular, we will look at how
SAP Business Suite helps you cover legal grounds for processing personal data, ensure the rights
of data subjects (those whose personal data is being processed), and establish key technical and
organizational measures (see the sidebar for a note about terminology in this article).
It is important to understand the distinction between the various types of measures discussed in this
article:
• An organizational measure is an action or a sequence of actions that controls the behavior of
people, such as management advice, procedure guidelines, and training.
• A technical measure is a configuration, feature, or software that controls something technical,
such as authentication or encryption.
• Combined technical and organizational measures (TOMs) describe a holistic set of appropriate
data protection safeguards. For example, a sophisticated authentication mechanism is
worthless when passwords are shared, so an additional organizational measure is required with
procedural guidelines that prohibit people from sharing passwords.
Before diving into the details of the legal grounds specified by the GDPR, however, it is critical to first
understand the GDPR’s definition of personal data.
The GDPR Definition of Personal Data — And Why It Matters
With the GDPR, all companies within its defined material and territorial scope that deal with the
personal data of people in the EU must comply with its requirements.
The GDPR’s definition of personal data is quite broad: “any information relating to an identified
or identifiable natural person” is included within its scope.[1] Simply put, an “identifiable person” is
identified by attributes such as last name, first name, telephone number, address, age, gender, and
profession.
With this definition, a significant amount of data can be considered personal data. While neither the
broad definition of personal data nor its scope are in themselves business critical, violations are
subject to administrative fines of up to 4% of the fined company’s total worldwide annual turnover of
the preceding financial year (or 20 million EUR, whichever is higher).
Now that the scope — and implications — of what constitutes personal data in the context of the
GDPR is clear, let’s examine the legal grounds defined in the GDPR for processing personal data, and
the role SAP features and functionality can play in covering them.
Covering Legal Grounds for Processing Personal Data
According to the GDPR, the processing of personal data is lawful if at least one of the following
grounds applies (see Figure 1):
• The data subject has given consent
• A contract requires the processing
• The controller (in most cases, the legal entity responsible) is subject to a legal obligation to do so
• The vital interests of a person must be protected
• The processing is in the public interest
• There is a legitimate interest
Figure 1: According to the European General Data Protection Regulation (GDPR), processing
personal data is lawful if at least one of these specified conditions is met. The figure shows the
legal grounds for processing personal data: consent, contract, legal obligation, protection of vital
interests, public interest, and legitimate interest.
Here, we take a closer look at each of these conditions, and the ways in which SAP Business Suite
applications can help you meet them.
Consent
Consent is an agreement between a data subject and a controller, in which the data subject formally
agrees to the processing of personal data — via a signature or by actively clicking on a checkbox,
for example. SAP Business Suite supports the documentation of consent with two features:
the Marketing Permissions feature in the SAP Customer Relationship Management (SAP CRM)
application and the Marketing Permissions feature for customer master data available with SAP
NetWeaver 7.40.
Contract
A contract between the data subject and the controller defines the purpose of the processing of
personal data — for example, a contract between an advertiser and a media company would require
personal data to settle the contract and payment, and the processing would then be limited to that
purpose. If the controller wants to process additional personal data or use it for purposes other than
the one specified in the contract — for example, if the media company wants to sell that data to other
companies — additional, specific consent from the data subject is required.
Most business activities performed using SAP Business Suite applications are based on contracts.
SAP Business Suite applications enable you to prove the existence of a contract using transactional
or master data — for example, you can view existing sales contracts or payment transactions.
Legal Obligation
The processing of data due to legal obligation — for example, the reporting of salary figures to
tax authorities — must be proven by organizational measures, meaning any documentation that
describes processes, guidelines, or directives that control people’s behavior. For example, you could
document processing activities using SAP governance, risk, and compliance (GRC) solutions and then
link to that information from SAP Business Suite.
Vital and Public Interest
The processing of data due to vital interest is not a typical scenario for SAP Business Suite
customers. This condition might apply if data processing is required to provide medical care for
an unconscious person, for instance, and the GDPR also mentions “epidemics,” “humanitarian
emergencies,” and “natural and man-made disasters” as valid grounds.[2] While the SAP for Healthcare
industry solutions and the Industrial Hygiene and Safety component of SAP Environment, Health, and
Safety Management partially process data based on these grounds, the existence of these grounds
must be proven by organizational measures, such as documentation stored in SAP GRC solutions.
The processing of personal data based on public interest applies in cases of relevant national or EU
law, such as police checking personal data during an inquiry. Similar to vital interest, public interest is
a legal ground that must be documented organizationally.
Legitimate Interest
The processing of personal data based on legitimate interest requires balancing legally protected
interests to determine whether the interests of processing the data are more important than the data
protection rights of the data subject. By nature, this is something that cannot be solved by automated
means and must be covered by organizational measures. Solid reasoning and documentation are
particularly important in this case, since the merits of “legitimate interest” can often be challenged.
Ensuring the Rights of Data Subjects
The GDPR defines numerous rights for data subjects that organizations must ensure. While some of
these rights can only be ensured by organizational measures, here we’ll highlight some that require
a technical measure — a configuration, feature, or solution that controls something technical — or at
least technical support, and look at how SAP Business Suite applications can help.[3]
Blocking and Deletion of Personal Data
Based on our experience at SAP, one of the most impactful rights defined by the GDPR is the blocking
and deletion of personal data that is no longer required within the purpose defined for the processing.
According to the GDPR, personal data must be deleted after the primary purpose of the processing
has ended. If the data must be retained to comply with retention periods required by other legislation
— such as tax legislation — access to it must be blocked or restricted, and it must be kept only for the
duration of the longest legal retention period, after which it must be deleted.
To help with this task, as of SAP NetWeaver 7.40, SAP Business Suite applications provide simplified
blocking and deletion functionality that is based on SAP Information Lifecycle Management (SAP
ILM). All SAP Business Suite applications include required SAP ILM objects that enable the transfer
of data to an archive, which fulfills the blocking requirement. In addition, all SAP Business Suite
applications support the “end of purpose” check, also based on SAP ILM, that is triggered from central
personal master data sets, such as central business partner, customer, and vendor master data. With
this check enabled, all applications registered with a central personal master data set are triggered
to check whether they still need that data — if no longer needed, the data is marked as blocked and
access is restricted.
Restricting the Processing of Personal Data
Another requirement specified by the GDPR is the ability to restrict the processing of personal data
based on a data subject’s request while keeping the data available for the establishment, exercise, or
defense of legal claims — for instance, if you want a legal clarification due to incorrect data that led to
a wrong business decision.
The blocking and deletion functionality included with SAP Business Suite applications can be
configured to address this requirement by leaving only data in the system that is relevant to the
defined processing purpose and must be processed. SAP ILM also provides a legal hold functionality
that can be used to retain relevant data as needed.
Providing Access to Personal Data in a Readable Format
The GDPR also specifies the right of data subjects to have access to any of their personal data that is
undergoing processing. SAP Business Suite enables organizations to provide data subjects with this
information through its reporting tools. Currently, SAP is changing from application-specific reporting
to a centralized approach, which will allow for centralized reporting on data that is undergoing
processing. Regardless of the reporting approach, the decision about which data to report remains
with the company using the SAP software, so a detailed, customized, and specific configuration will
be required.
In addition, data subjects have the right to obtain any personal data undergoing processing in
machine-readable format, which is easily provided by the download functionality available with SAP
Business Suite reporting tools.
Establishing Technical and Organizational Measures
In addition to meeting legal requirements for processing personal data and ensuring the specified
rights of data subjects, the GDPR requires businesses to establish technical and organizational
measures (TOMs) to ensure the protection of personal data. While the GDPR does not list specific
required TOMs — it gives only example definitions — it clearly requires that appropriate TOMs be
implemented and reviewed on a regular basis (for more on related documentation and controlling
requirements, see the sidebar “Documentation and Controlling Become Key”).
Documentation and Controlling Become Key
With the European General Data Protection Regulation (GDPR), organizations are required to not
only implement technical and organizational measures to safeguard the personal data they are
processing, but also document in a record of processing activities how they have done it and why
they chose certain measures.* They must also document the controls that are in place to regularly
verify that the safeguards are appropriate, and for any new processing of personal data, they need to
conduct impact assessments to evaluate how that processing will affect the protection of personal
data.** Software such as SAP governance, risk, and compliance (GRC) solutions that bundles the
requirements of regulations such as Sarbanes-Oxley, the US Food and Drug Administration, and the
GDPR can help you significantly simplify and manage these tasks.
* See Article 30 in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
** See Article 35 in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
So how do you know which TOMs to implement to ensure GDPR compliance? Fortunately, there
is existing legislation that can provide guidance. For example, the TOMs specified by Germany’s
current Federal Data Protection Act (BDSG)[4] can serve as a useful guideline for establishing basic
safeguards for processing personal data (see Figure 2).
Figure 2: The measures required by Germany’s Federal Data Protection Act (BDSG) are a useful
guideline for meeting European General Data Protection Regulation (GDPR) requirements
• Physical Access Control: Prevent unauthorized persons from gaining access to data processing
systems with which personal data is processed or used.
• Authentication: Secure procedures to enable system access based on personal authentication.
• Authorization: Procedures allowing differentiation in which data can be accessed and in which mode.
• Disclosure Control: Ability to document all access to personal data.
• Change Control: Ability to document all changes to personal data.
• Transmission Control: Procedures and safeguards for the transmission of personal data, such as
encryption during transmission.
• Job Control: The data controller must ensure that the data processor is following instructions and
guidelines. This organizational task has some technical aspects, such as system auditing.
• Availability Control: Procedures such as backup, disaster recovery, and business continuity.
• Data Separation: Personal data collected for a specified purpose must be separated from personal
data collected for other purposes.
SAP Business Suite applications provide built-in features and functionality that support most of the
TOMs listed in Figure 2 (the only area that is not supported is the physical access control, which
relates to preventing unauthorized physical access to buildings or rooms where personal data is
processed). To give you an idea of how SAP Business Suite provides this support, we’ll take a closer
look at three key TOMs that, based on our experience, are required by the GDPR.
Data Separation
Based on our experience at SAP, the purpose limitation requirement set by the GDPR is a precondition
for several technical measures. It requires the ability to separate data by attributes so that data
collected for one purpose remains separate from data collected for another purpose — a separation
also required to support the data subject’s right of access, blocking and deletion requirements,
and system access for transmission of data. It also establishes the assumption that all access —
including access by persons, machines, software logic, and any kind of transmission — must be
controlled by authorizations defined by purpose.
For this reason, the personal data to be processed needs attributes that reflect the purpose of the
processing, which can be reflected by the line organizational attributes used to define organizational
structures in SAP Business Suite (see Figure 3). Line organizational attributes can be used to separate
the data controller, which is usually a single legal entity — a company code, for example. In a group
of companies, it is critical to organize the data in a way that separates a single legal entity from any
other data.
Figure 3: Some of the line organizational attributes used by SAP Business Suite to define
organizational structures can be used to reflect processing purpose. Attributes shown in the figure:
Company Code, Plant, Sales, Purchasing, Business Area, Valuation Area, Division, Distribution
Channel, Distribution, Maintenance, Shipping Point, Cost Center, Organizational Position, Bank Area,
Transportation, and Valuation Area and Division.
To define compliant authorizations, to organize system interfaces, to block and delete personal data,
and to fulfill transparency requirements, a properly maintained line organizational software setup is
required that reflects the legal entity or controller that processes that data. Our experience indicates
that organizations must often adapt or even rethink their master data structures to meet this
requirement.
Authorization
Remember the challenges involved in avoiding or mitigating authorization and segregation-of-duties
(SoD) conflicts in the early days of the Sarbanes-Oxley Act? Authorizations that comply with data
protection regulations such as GDPR are even harder to achieve.
To comply with GDPR, any access to personal data needs to follow a strict basic authorization
concept.[5] Essentially, access to personal data should be granted only if the user has a reason to
handle that data according to the predefined purpose of the data processing. In addition, any access
should be at least separated by the legal entity or controller that processes that data, and also by
process organizational attributes such as order type. SAP Business Suite includes a traditional
technical authorization concept that allows separation by these types of attributes.
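The separation by legal entity and purpose that the two sections above call for can be seen in a small model of how an SAP authorization check behaves. This is an added example and not SAP's own code: it reproduces the semantics of an authorization object (a named object with fields; a user holds one or more authorizations for it; a check passes when every field of one single authorization matches; "*" matches any value and a trailing "*" matches a prefix) and applies it to customer master records held by two legal entities. The object name Z_PERS_DATA, its purpose field ZPURPOSE, the purposes, the users and the records are assumptions made for the example; ACTVT and BUKRS carry their usual meaning (activity, company code).

```python
"""Authorization check on personal data, separated by legal entity and purpose."""

OBJECT = "Z_PERS_DATA"          # assumed custom object with fields ACTVT, BUKRS, ZPURPOSE
DISPLAY = "03"                  # ACTVT value for display


def field_matches(allowed, actual):
    """One allowed value against one actual value, with SAP-style wildcards."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])
    return allowed == actual


def authority_check(user_auths, obj, **fields):
    """Pass if any single authorization for obj matches every requested field.

    user_auths maps object name -> list of authorizations; each authorization
    maps field name -> list of allowed values. A field the authorization does
    not carry at all counts as not granted.
    """
    for auth in user_auths.get(obj, []):
        if all(any(field_matches(v, value) for v in auth.get(f, []))
               for f, value in fields.items()):
            return True
    return False


def visible_customers(user_auths, records, purpose):
    """Customer numbers the user may display for one purpose.

    Two conditions must both hold: the user's authorization covers the
    record's company code and the purpose, and the record itself was
    collected for that purpose (purpose limitation is an attribute of the
    data as well as of the user).
    """
    return [
        r["kunnr"] for r in records
        if purpose in r["purposes"]
        and authority_check(user_auths, OBJECT,
                            ACTVT=DISPLAY, BUKRS=r["bukrs"], ZPURPOSE=purpose)
    ]


def separation_violations(all_user_auths, controllers):
    """Users with one authorization that spans more than one legal entity.

    controllers maps company code -> legal entity. A "*" on BUKRS, or values
    that resolve to two different controllers inside one authorization, means
    the separation by controller is not enforced for that user.
    """
    bad = []
    for user, auths in all_user_auths.items():
        for auth in auths.get(OBJECT, []):
            entities = {e for code, e in controllers.items()
                        if any(field_matches(v, code) for v in auth.get("BUKRS", []))}
            if len(entities) > 1:
                bad.append(user)
                break
    return bad


# Constructed sample data: two legal entities, three company codes.
CONTROLLERS = {"1000": "Example GmbH", "1100": "Example GmbH", "2000": "Example SAS"}
CUSTOMERS = [
    {"kunnr": "C1", "bukrs": "1000", "purposes": {"BILLING"}},
    {"kunnr": "C2", "bukrs": "1000", "purposes": {"BILLING", "MARKETING"}},
    {"kunnr": "C3", "bukrs": "1100", "purposes": {"BILLING"}},
    {"kunnr": "C4", "bukrs": "2000", "purposes": {"BILLING", "MARKETING"}},
]
USERS = {
    # accounts receivable clerk of Example GmbH: both of its company codes, billing only
    "AR_DE": {OBJECT: [{"ACTVT": ["03"], "BUKRS": ["1*"], "ZPURPOSE": ["BILLING"]}]},
    # marketing user of Example GmbH: only records collected for marketing
    "MKT_DE": {OBJECT: [{"ACTVT": ["03"], "BUKRS": ["1000", "1100"], "ZPURPOSE": ["MARKETING"]}]},
    # a typical legacy "display everything" authorization
    "SUPER": {OBJECT: [{"ACTVT": ["*"], "BUKRS": ["*"], "ZPURPOSE": ["*"]}]},
}

if __name__ == "__main__":
    for user in USERS:
        print(user, visible_customers(USERS[user], CUSTOMERS, "BILLING"),
              visible_customers(USERS[user], CUSTOMERS, "MARKETING"))
    print("separation violations:", separation_violations(USERS, CONTROLLERS))
```

The marketing user sees only the one record of its own legal entity that was collected with a marketing purpose, the billing clerk sees nothing under the marketing purpose at all, and the wildcard authorization is reported because a single authorization reaching into two controllers is exactly the separation failure the text warns about.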
Transmission Control
To safeguard the security of personal data, proper encryption during transmission is required, but it is
even more important to avoid illegal transmissions. This means that you need to identify any interface
in a system dealing with personal data, document the interface, and provide authorizations ensuring
that only designated personal data is accessed according to the purpose of the processing — this
includes any data access that takes place over remote function call (RFC) connections.
To help make RFC communications more secure, SAP introduced the Unified Connectivity (UCON)
concept, a basic functionality included with SAP NetWeaver and, in turn, SAP Business Suite.[6]
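The UCON idea of identifying every interface before restricting it can be illustrated with a small model of its phases. This is an added example and not SAP code: in the logging phase every inbound RFC call is recorded; in the evaluation phase the administrator decides which recorded function modules belong to the default communication assembly (the set callable from outside); in the active phase a call to a function module outside that assembly is rejected. The log lines, the calling systems and the set of approved callers are constructed; the function module names are standard SAP ones used purely as identifiers, and the list of those that return personal data is this example's assumption.

```python
"""RFC exposure control in the spirit of Unified Connectivity (UCON)."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) RFC caller=(?P<caller>\S+) user=(?P<user>\S+) fm=(?P<fm>\S+)$")

# Function modules whose return data contains personal data (assumption for the example).
PERSONAL_DATA_FMS = {"BAPI_CUSTOMER_GETDETAIL2", "BAPI_EMPLOYEE_GETDATA", "RFC_READ_TABLE"}

# Constructed log lines from the logging phase.
LOGGING_PHASE = """\
2018-04-02 09:14:01 RFC caller=CRM_PRD user=RFC_CRM fm=BAPI_CUSTOMER_GETDETAIL2
2018-04-02 09:14:07 RFC caller=CRM_PRD user=RFC_CRM fm=BAPI_SALESORDER_CREATEFROMDAT2
2018-04-02 11:02:40 RFC caller=BW_PRD user=RFC_BW fm=RFC_READ_TABLE
2018-04-03 08:30:12 RFC caller=LAPTOP-7F user=CONSULT01 fm=RFC_READ_TABLE
2018-04-03 08:31:55 RFC caller=LAPTOP-7F user=CONSULT01 fm=BAPI_EMPLOYEE_GETDATA
2018-04-03 15:45:09 RFC caller=CRM_PRD user=RFC_CRM fm=BAPI_CUSTOMER_GETDETAIL2
"""


def parse_log(text):
    """Logging phase: one dict per recorded inbound call."""
    calls = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            calls.append(m.groupdict())
    return calls


def evaluate(calls, approved_callers):
    """Evaluation phase: function modules called by an approved system go into
    the assembly; everything else is counted for manual review."""
    assembly, review = set(), Counter()
    for c in calls:
        if c["caller"] in approved_callers:
            assembly.add(c["fm"])
        else:
            review[(c["caller"], c["user"], c["fm"])] += 1
    return assembly, review


def enforce(assembly, call):
    """Active phase: the call passes only if its function module is in the assembly."""
    return call["fm"] in assembly


def personal_data_interfaces(assembly):
    """Exposed function modules that return personal data and therefore need a
    documented interface and purpose-bound authorizations."""
    return sorted(assembly & PERSONAL_DATA_FMS)


if __name__ == "__main__":
    calls = parse_log(LOGGING_PHASE)
    assembly, review = evaluate(calls, approved_callers={"CRM_PRD", "BW_PRD"})
    print("assembly:", sorted(assembly))
    print("to review:", dict(review))
    print("personal data over RFC:", personal_data_interfaces(assembly))
    print("active phase:", [(c["caller"], c["fm"], enforce(assembly, c)) for c in calls])
```

Note what the model does and does not do: the assembly is a list of function modules, not of callers. Once the BW system has put RFC_READ_TABLE into the assembly, the consultant's call to the same module still passes the active phase; which user may call an exposed module remains a matter of that RFC user's authorizations, so the personal-data interface list is the input for the authorization work the text asks for, not a substitute for it.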
Conclusion
So what will happen after May 25th, 2018? Some discussions between lawyers and regulatory
authorities have focused on how the GDPR will be enforced outside the European Economic Area,
while others are centered on whether supervisory authorities will, in fact, impose fines up to 4% of
the annual turnover if a company is in violation of the GDPR. Regardless of the answers to these
questions, the well-known quote from US Deputy Attorney General Paul McNulty holds true: “If you
think compliance is expensive, try non-compliance.”
Learn more about the GDPR at www.eugdpr.org and http://data.europa.eu/eli/reg/2016/679/oj.
[1] See Article 4, Section 1, in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
[2] See Recital 46 in the GDPR (http://data.europa.eu/eli/reg/2016/679/oj).
[3] For a complete list of rights, see http://data.europa.eu/eli/reg/2016/679/oj.
[4] View the full text of Germany’s Federal Data Protection Act (BDSG), which was enacted to implement the
European data protection directive 95/46/EC, at www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html.
[5] For a detailed discussion of basic authorization concepts, see Authorizations in SAP Software: Design and
Configuration by Volker Lehnert and Katharina Stelzner (SAP PRESS, 2011).
[6] For more on the Unified Connectivity (UCON) concept for RFC communication, see the article “Secure
Your System Communications with Unified Connectivity” in the January-March 2014 issue of SAPinsider
(SAPinsiderOnline.com).
Volker Lehnert (volker.lehnert@sap.com) is Product Owner of Data Protection
and Privacy for SAP Business Suite and SAP S/4HANA. Please note that he is
not a lawyer, and he does not provide legal advice. In this article, he shares his
personal opinion on data protection requirements and features based on his 11
years of experience in customer projects and his 5 years of experience in the
development of data protection features.
What We’ll Cover
• General Data Protection Regulation Overview
• Retention Policy Challenges
• Applying Privacy Policies in SAP Systems
• Case Study
• Wrap-up
General Data Protection Regulation Overview
EU General Data Protection Regulation
• The General Data Protection Regulation (GDPR) (www.eugdpr.org/) is a new privacy
regulation in Europe that protects the personal data of any individual in the EU, regardless of
citizenship or where the data is held.
• The regulation will be enforced from May 25, 2018
• GDPR carries more regulatory weight than the previous Directive 95/46/EC on data
protection, which it replaces. There are strict fines for companies found to be out of
compliance.
Global Compliance and GDPR
• GDPR applies to any organization inside or outside the EU if it offers goods or services
to, or monitors the behavior of, EU data subjects
• Organizations must:
  Protect that information while it is under their stewardship
  Purge data when it is no longer needed or when the individual requests its destruction
• Obligations and penalties apply not only to data controllers but also to data processors, such
as shared services providers or websites that track an individual’s digital activities
• Penalties for non-compliance are up to 20,000,000 EUR or 4% of total worldwide annual
turnover of the preceding year (whichever is higher)
When Can Personal Data Be Kept?
• The data owner consents to the retention of the data
• To process a contract
• To meet legal requirements
• To protect vital or public interest
• To meet legitimate business needs
Examples given on the slide: buying a product, website cookies, criminal records, legal cases and
holds, employee benefit records, and an approved process (marked “maybe”).
What Are the Rights of the Data Subject?
✓ Breach Notification
✓ Right to Access
✓ Right to be Forgotten
✓ Data Portability
✓ Privacy by Design
New Role: Data Protection Officer (DPO)
• Must be appointed on the basis of professional qualities and, in particular, expert knowledge
of data protection law and practices
• May be a staff member or an external service provider
• Contact details must be provided to the relevant DPA
• Must be provided with appropriate resources to carry out their tasks and maintain their
expert knowledge
• Must report directly to the highest level of management
• Must not carry out any other tasks that could result in a conflict of interest
Assessing Risk
• Have your risk team evaluate how the regulation (GDPR) will apply to the business and act
quickly to take appropriate action
• This assessment will require collaboration between diverse lines of business:
  Line of Business data owners (Finance, HR, Sales, Marketing, etc.)
  Legal
  IT
  Audit
  External experts can also be engaged to help assess risk and develop a plan
Sample: Privacy Impact Assessment
• Determine what is personal and sensitive data (following the IAPP, the International Association of
Privacy Professionals): customer, consumer, vendor, employee … data, in SAP and outside SAP
• Determine where personal and sensitive data can be:
  In database or archived data (SAP)
  In emails
  On backups
  On computers
Sample: Privacy Impact Assessment (cont.)
• Evaluate the situation, processes, and procedures for handling sensitive data and make
updates:
  How data is transferred to the company
  How data is put into the system (processes such as PTS …)
  How data is accessed and by whom
  How it is stored
  When it is destroyed and why (the point the slide stresses most)
• Update processes and procedures (this can include training)
• Review training and communication methods, both internally and externally, to see where
updates need to be made
• Take action to secure data
• Repeat
GDPR Overview
Personal information should only be kept as long as there is a legitimate business interest
that ties to why the data was gathered. The slide shows this as a balance between fundamental
rights, individual expectations, and business interests.
Retention Policy Challenges
What Is a Retention Policy?
• A retention policy is a protocol within an organization for retaining information for
operational use while ensuring adherence to the laws and regulations concerning it
• It is the first step in protecting an organization’s data against financial, civil, and criminal
penalties
Retention Challenges
• Complex retention requirements
• Protecting privacy
• Lengthy retention periods
Global Regulations
• The majority of data is retained for financial audits (e.g., SOX), but other regulations
can affect retention periods:
  GDPR: General Data Protection Regulation (EU)
  HIPAA: Health Insurance Portability and Accountability Act (USA)
  PII: Personally Identifiable Information (the category of data these laws protect, not a
  regulation in itself)
  PIPEDA: Personal Information Protection and Electronic Documents Act (Canada)
  PHIA: Personal Health Information Act
  PCI DSS: Payment Card Industry Data Security Standard
Retention for Various Periods
• Retention is increasingly important as audits become more complex
• Organizations must retain data for variable periods of time
• Multi-national companies need to balance different retention requirements for different
jurisdictions
• Retention policies can be tracked in the SAP GRC environment, once they are aligned with
SAP data
Typical periods shown on the slide: health, 30+ years; financial, 7 years; academic, 10 years;
legal, ? years.
Legal Holds
• In the event of legal action a small subset of data must be retained indefinitely
• Data archive and purge activities must exclude data that is subject to legal holds
• The complexity of legal holds keeps many companies from purging data at all
Review Retention Policies for Electronic Data
• Retention policies should be reviewed when:
  New systems are added to the IT landscape (such as cloud)
  The business goes through a transformation: a merger or acquisition that adds new data
  responsibilities, or a divestiture, which can have legal rules governing how data is handled
  New laws and regulations are put in place (SOX, SAF-T, GDPR …)
  Threats from hackers going after personal and business data increase
  New or updated functionality arrives, such as updates in SAP GRC
  Other reasons
A Retention Action Plan!
1. Work with Legal to understand recent changes to data retention policies and regulations
2. Work with IT and business groups to understand the impact of the policies (for example, on
electronic data sources and records)
3. Automate the retention process to ensure continual data management
4. Tie in SAP GRC for tracking and monitoring retention policies
5. Ensure you can access retained data (including documents and attachments) easily, to
support the data subject’s right of access
6. Ensure there is an approved process for purging data; use workflows to ensure
appropriate approvals are collected
7. Implement a regular review process (at least annually) to ensure retention
policies are kept up to date
Applying Privacy Policies in SAP Systems
A 5-Step Approach to GDPR Compliance
Steps shown on the slide: Legal Assessment; Privacy Impact Analysis/Statement; System Readiness
Assessment; Implementation; Application, Reporting and Analysis; followed by Ongoing Enablement.
Focus: Retention and Access.
Work areas named on the slide: Data Inventory & Privacy Footprint, Retention Compliance, Access
Protection, Case Management, Disposition, Audits, Blocking, Encryption, and Data/Document Purge.
Applying Privacy Policies to SAP Data and Documents
• Focus areas:
  Retention
  Access Control
• Other aspects of GDPR (e.g., notice of breach, etc.) need to be considered separately
Decision flow shown on the slide (reconstructed from its labels):
  Personal data? no: no action
  Intended purpose still applies? yes: no action
  Retention period still running? yes: block; no: delete
24
Applying Privacy Policies to SAP Data and Documents
• Erasure or Purge: irreversible and adequate deletion of personal data after the retention period (the period of time during which personal information must be retained as required by law) has expired
• Blocking/Encryption/Masking: a method of preventing access to personal data that is no longer necessary for the primary purposes for which it was collected
Applying Privacy Policies to SAP Data and Documents
Methods by which to restrict the processing of personal data in such a manner that the personal data is unavailable to users and cannot be subject to further processing operations or changes (GDPR Recital 67).
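The decision flow on the preceding slides (personal data? still needed for its purpose? retention period expired?) and its two outcomes, purge and blocking, can be written down as a small policy engine that also enforces the Recital 67 rule that blocked data cannot be read by users or changed. The following Python is an added example written for this digest, not code from the presentation, from Dolphin or from SAP; the record layout, the field names, the ten-year retention period and the sample records are assumptions made for the illustration and do not model SAP tables.

```python
"""Retention decision engine for personal data records (added example).

Implements the decision flow from the slides:
  personal data? -> still needed for its purpose? -> retention period expired?
with the outcomes No Action / Block / Delete, and enforces the Recital 67
rule that blocked records are unavailable to users and cannot be changed.
Record layout, field names and sample data are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    NO_ACTION = "no_action"
    BLOCK = "block"
    DELETE = "delete"


@dataclass
class Record:
    record_id: str
    is_personal_data: bool
    # Date the primary purpose ended (e.g. contract end); None means still needed.
    purpose_end: Optional[date]
    # Legally required retention period in days, counted from purpose_end.
    retention_days: int
    payload: Dict[str, str] = field(default_factory=dict)
    blocked: bool = False


class BlockedRecordError(Exception):
    """Raised when a blocked (restricted) record is read by a user or changed."""


def decide(record: Record, today: date) -> Action:
    """Apply the slides' decision flow to one record."""
    if not record.is_personal_data:
        return Action.NO_ACTION
    if record.purpose_end is None or record.purpose_end > today:
        return Action.NO_ACTION          # still needed for its intended purpose
    retention_end = record.purpose_end + timedelta(days=record.retention_days)
    if today > retention_end:
        return Action.DELETE             # retention period has expired: purge
    return Action.BLOCK                  # no longer needed, but must be retained


class RecordStore:
    """Minimal store that applies the decisions and keeps an audit trail."""

    def __init__(self, records: List[Record]):
        self.records: Dict[str, Record] = {r.record_id: r for r in records}
        self.audit_log: List[str] = []

    def read(self, record_id: str) -> Dict[str, str]:
        rec = self.records[record_id]
        if rec.blocked:
            raise BlockedRecordError(f"{record_id} is blocked")
        return rec.payload

    def update(self, record_id: str, **changes: str) -> None:
        rec = self.records[record_id]
        if rec.blocked:
            raise BlockedRecordError(f"{record_id} is blocked")
        rec.payload.update(changes)

    def apply_policies(self, today: date) -> Dict[str, Action]:
        """Run the decision flow over every record; returns the action per id."""
        outcome: Dict[str, Action] = {}
        for rid, rec in list(self.records.items()):
            action = decide(rec, today)
            outcome[rid] = action
            if action is Action.DELETE:
                del self.records[rid]     # irreversible purge, even if blocked before
            elif action is Action.BLOCK:
                rec.blocked = True        # restriction of processing
            self.audit_log.append(f"{today.isoformat()} {rid} {action.value}")
        return outcome


def sample_store() -> RecordStore:
    """Constructed sample records (not real data); retention assumed as 10 years."""
    return RecordStore([
        Record("MAT-001", False, None, 0, {"desc": "steel bolt M8"}),                 # material, not personal
        Record("EMP-100", True, None, 3650, {"name": "A. Example"}),                  # active employee
        Record("EMP-200", True, date(2016, 3, 31), 3650, {"name": "B. Example"}),     # left, still in retention
        Record("EMP-300", True, date(2005, 6, 30), 3650, {"name": "C. Example"}),     # retention expired
    ])


if __name__ == "__main__":
    store = sample_store()
    for rid, action in store.apply_policies(date(2018, 4, 10)).items():
        print(rid, action.value)
    for line in store.audit_log:
        print(line)
```

Blocking is modelled as a flag checked on every user-facing read and update, which is what "unavailable to users and cannot be changed" requires; the retention job itself still sees blocked records so that it can purge them once the retention period ends. Every decision is appended to an audit log, which is the evidence the Audits and Case Management elements of the approach rely on.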
What Else Do You Need for GDPR?
• Access Restrictions
• Ongoing Management
• Automated eDiscovery
eDiscovery Tools – SAP Environment
• Both online and archived transactional data
• Related unstructured documents must also be located
  Documents contain another level of privacy data
• Responsibility extends to both types of information, and the discovery solution must support both together to produce a usable report
Case Study: Manage Complex Retention Rules
The largest diversified provider of post-acute care services in the United States
• Business needs related to privacy data, such as:
  Delete HR information data and attachments according to complex retention rules
  Extract HR information to support litigation
• Benefits
  Ensured privacy requirements are met
  Lowered cost of storage of long-term data
  Increased speed in response to litigation
Wrap-Up
Benefits of Retention Management Solutions for GDPR
• Lower Costs: reduce the cost of storing data and documents for long periods
• Increase Productivity: simplify the process of retaining data and documents according to legal requirements
• Reduce Risk: secure data and documents and flexibly comply with legal retention requirements
Where to Find More Information
• Official Journal of the European Union – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
  http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• The European Union General Data Protection Regulation homepage
  www.eugdpr.org/
• James Baird, “Be Compliant, Stay Compliant: How Policies, Procedures, Protocol, and People Help You Tackle the GDPR,” (SAPinsider, November 2017).
  http://sapinsider.wispubs.com/Assets/Articles/2017/November/SPI-Be-Compliant-Stay-Compliant
Key Points to Take Home
• Retention policies must be applied to online information (data and documents) in SAP systems and related systems, just as they are to paper-based documents
• Different data requires different retention periods and is subject to different regulations and audits
• Legal, Risk, IT, and Business must work together to understand the policies and how to apply them to online information in SAP systems
• Retention policies must be reviewed regularly to ensure compliance with regulations
• Changes to the business or to the SAP environment can impact retention, and therefore retention rules should be reviewed whenever there is a major change
Key Points to Take Home (cont.)
• Using third-party tools can improve compliance by automating the archiving and purging of information according to retention rules
• Retention should be part of a larger data management strategy that lowers the total cost of ownership of SAP systems, increases productivity, and reduces risk
Your Turn!
Thank You – Any Questions?
Please remember to complete your session evaluation
James Baird, Senior Information Consultant
james.baird@dolphin-corp.com