You are on page 1of 45

GDPR - what it means & the practicalities of

implementation in a SAP landscape
Melissa Dielman

SAPience.be TECHday 2017
1

Our Experience Get Inspired

+100 senior SAP Experts (BE, NL, SI, …) Passionate about SAP, business
International orientation processes and innovations
Nurturing personal development
Excellent capabilities in all classic SAP Lean organisation
modules and business Processes.
Market Leader: HANA, GRC, ALM AQM Certified
Market Maker for innovative solutions: PCoE Certified
▪ SAP (S/4)HANA EM
▪ Big Data, IoT & Analytics Outstanding client satisfaction
▪ SAP Hybris C4C Committed to excellence consulting
▪ User Experience Trusted advisor for a long term journey
▪ S/4HANA on Azure Private Cloud
Inspire Proud to be Expertum

by
Experience

Data Protection
SAPience.be TECHday 2017 3

Data Breaches

SAPience.be TECHday 2017 4

be TECHday 2017 5 .Penalties SAPience.

Reputational Risk SAPience.be TECHday 2017 6 .

Compliance SAPience.be TECHday 2017 7 .

Do you know which personal data you are storing? Which data is GDPR relevant? Where it sits? Who can & is accessing it? SAPience.be TECHday 2017 8 .

zonder te weten verordening zal kunnen houden al zijn begonnen. aangezien de bedrijven zelfs nog nooit van heeft gehoord. minder dan een jaar hebben om Gezien de mogelijke financiële Van de IT-beleidsmakers in België compliant te zijn en de kans op sancties bij het niet naleven. terwijl 16 procent er probleem. Van hen kent 32 in mei 2018 volledig aan de voorbereidingen binnen hun bedrijf procent de naam. SAPience. verwerking van persoonsgegevens binnen hun organisatie op de hoogte zijn van de veranderende regelgeving.be TECHday 2017 9 . die op 25 mei 2018 in gelooft niet dat hun organisatie zich met zekerheid zeggen of de werking treedt. Een op de vijf Belgische IT- nauwelijks op de hoogte te zijn van 29 % van de IT-professionals in België professionals (19 procent) kan niet de GDPR. Dit is een serieus wat het inhoudt.Eén op de drie bedrijven is goed bekend met GDPR De lage mate van bewustzijn bij Belgische IT-professionals zijn slecht Belgische werknemers vertaalt zich voorbereid ook in een gebrek aan vertrouwen Belgische IT-professionals lijken om aan de GDPR te kunnen voldoen. is dit erkent respectievelijk 33% er geen zware financiële sancties en zorgwekkend vertrouwen in te hebben dat de reputatieschade groot is als dit niet verantwoordelijken voor de lukt.

What is GDPR? SAPience.be TECHday 2017 10 .

personal data has acquired enormous economic business intelligence the data identifiable information where it is not significance. personally identifiable material with artificial to grow to nearly €1 trillion annually by identifiers). According to some offers. analysed and to businesses to make use of the as anonymisation (removing personally moved across the globe. Collected. and encryption (encoding 2020.be TECHday 2017 11 . pseudonymisation (replacing estimates.Context Data is the currency of today's digital The new EU rules will offer flexibility The Regulation promotes techniques such economy. the value of European citizens' personal data has the potential individuals' fundamental rights. messages so only those authorised can read it) to protect personal data. all while protecting needed). This will encourage the use of "big data" analytics. which can done using anonymised or pseudonymised data SAPience.

All companies that collect personal data: all information that allows to identify a person In force as off 25/5/2018 Non-compliance Fines 4% of annual turnover.What is GDPR? The GDPR is intended to unify the privacyregulation in the whole of Europe.be TECHday 2017 12 . Thus simplifying and allowing closer control on cross-border data processing. BUT: each country define do its own specificities at ratification. The processing of European personal data will need to comply to the same regulations in every memberstate of the EU as of may 2018. or 20mio€ whichever is the greater -> board level concern SAPience.

disabled status. phonenrs.… • Name.Which information? Personal data”: “any information relating to an identified or identifiable natural person” • ID card nrs. age. bank accounts. credit cards. gender.be TECHday 2017 13 . date of birth. marital status. social media addresses. email. citizenship. address. languages spoken.… SAPience.

be TECHday 2017 14 .Key components Right to be forgotten Protection of sensitive data Notification of Data breaches within 72 hours Transparancy/approval of data subjects Data Integrity Data protection impact assesments Data protection Officer SAPience.

Data integrity Lawful. Fairness and Transparency Purpose Limitation Data Minimization Integrity and Confidentiality Accuracy Storage Limitation SAPience.be TECHday 2017 15 .

be TECHday 2017 16 .Steps to take SAPience.

(data protection impact assessment) Partners: when you supply/exchange data. the origin. risk impact. How What? Why? Where? Who? long? Access Risk Where used? User approval Change & remove Management Management SAPience. cloud providers.be TECHday 2017 17 . and data sharing parties. retention requirement.… It is your responsibility to ensure GDPR is complied with. who has access. Identification Data elements: map which data has been stored. storage location. the business reason.1. required data approval.

be TECHday 2017 18 . Datasubject approval (1/2) Rights of the datasubject • Right to review the stored data • Right to request correction or deletion • Right to refuse direct marketing • Right to refuse automated decision making & profiling • Right to move data from one service provider to another SAPience.2.

Datasubject approval (2/2) Improve Privacy statements: • Legal foundation for the data processing • The duration for which you will keep the data • Wether you share the data outside of the EUR • Complaints are the be reported to and handled by the local Privacycommission Faster access for data verification: • Request needs to be processed within 30 days. instead of 45 days • The person needs to be informed of the storage duration of the data • Inacurate data should be corrected when requested Request explicit consent (the right way) Minors need to approve through legal guardian (verified) SAPience.2.be TECHday 2017 19 .

SAPience. • Evidence of compliance is your responsibility • Regular updates needed DPO: • Data privacy Officer for companies that conduct a large amount of data processing on a daily basis – sensitive personal data or not.3. DPIA? DPO? DPIA: • Data Protection Impact Assessment is required to demonstrate your compliance. It doesn’t get more specific than that.be TECHday 2017 20 .

is to be removed from the records* • Taking into account legal requirements on identification & accountability ✓ Block/Anonymize data after certain period of inactive time – limited access only ✓ Delete data after legal retention term • Specific to data elements * or if subject objects to the processing.be TECHday 2017 21 . or the processing was unlawful SAPience.4. Right to be forgotten • The right to be forgotten implies that data that is no longer business relevant.

Protection of Sensitive Data • Identify sensitive data elements • Prevent access through authorizations • Scramble data in test systems SAPience.be TECHday 2017 22 .5.

Data breach notification • Within 72hours • Identify scope & cause • Asses relevance • Inform Privacy Commission • Define reaction process.be TECHday 2017 23 .6.… • Define controls to identify data breach SAPience. involved persons.

be TECHday 2017 24 . Define & Document Processes • Storing data • Processing data • Accessing data • Responding to data requests • Responding to data breaches • Archiving personal data • Periodic update of data log SAPience.7.

GDPR in SAP SAPience.be TECHday 2017 .

8 key steps SAPience.be TECHday 2017 26 .

SAPience.be TECHday 2017 27 .

The sales order itself contains additional personal data –so the whole Sales Order is to be protected. SAPience.Identify: Which Data? • Most Data in SAP Business Suite and SAP S/4HANA might become personal data. BI. A Sales Order is linked to the Business Partner (ID). CRM. HR. • ECC. SRM. • Combinations of attributes might become personal data –as soon as it is possible to identify the person behind.be TECHday 2017 28 .

new developments.be TECHday 2017 29 .Where used? • Once the relevant master data fields are identified. the storage and (business) usage of these data fields needs to be mapped • For standard & custom developments (fields. link & report on data elements • 3rd party solutions SAPience.… SAP solution • SAP ABAP: list all the tables containing fields with personal information in the program Where-Used List for Domain in Tables • Custom development to identify. programs) • For protection and for “right to insight” • Keep in mind impact of system upgrades. tables.

Insight in data use • Data subjects have the right to see which data is stored on them • Request corrections • Manual process /automated tool? SAP solution • Custom report • 3rd party solutions SAPience.be TECHday 2017 30 .

Policies • Process Control – Documentation • Your CRM/SRM? • Any database SAPience.be TECHday 2017 31 .Consent Management • New SAP tools using social media integration. HR Tools and ILM have consent documentation included SAP solution • Process Control. Hybris.

be TECHday 2017 .Limit your scope SAPience.

filter criteria • For test & productive systems • Secure access to archive through authorizations SAP solution • SAP archiving SAPience.Archiving • Limit the available data to the required minimum • TCO reduction • Less data to protect • Selective Archiving on objects.be TECHday 2017 33 .

flexible and clear authorization concept • Define a strict access management policy and process • Consistent across SAP applications & dbase layer (ECC. CRM. HANA. S/4HANA. HR.…) • Restrict access to blocked data elements • Restrict access to data reports • Store data extracts at secure locations • Implement sufficient security parameters to prevent unauthorized access SAP solution • SAP Access Control SAPience.be TECHday 2017 34 . FIORI. BW.Authorize Limit access to sensitive data: • Use a solid.

Sensitive data access Production Data: Test Data: • Authorized data processers • All users are “GDPR unauthorized” (selective end-users) • Data must remain meaningful & fit • Authorized data consultants: end. consistently SAPience. for testing users & IT • Restrict access to PRD-alike • Unauthorized users • Anonymize test data.be TECHday 2017 35 .

Protect personal data in productive systems Anonymization • In case the subject requests so • Field based • Selective. finetuning of authorization • Does not change underlying data • Keeping historical data in reporting SAP solution • Regardless of access path • Multiple systems in sync • SAP UI Masking • Mass maintenance SAPience.be TECHday 2017 36 .

SAPience.be TECHday 2017 37 .

Protect personal data in non productive systems • No business need -> needs to be handled differently • Pseudonymization/scrambling • Data can still be used. without link to persons • Needed for test systems & development systems • Respecting syntax/configuration requirements • Recognizable by situation/combination of data elements needs to be removed ! • Make test data a selective set/ data copy SAP Solution: • SAP TDMS: Test Data Migration Server SAPience.be TECHday 2017 38 .

SAPience.be TECHday 2017 39 .

SAP Solution: • SAP ILM (Information Lifecycle Manager) • Define data specific policies (blocking & retention) • Trace data lifecycle • Inactivate data • Archive & delete • Delete from archived data (based on timestamp) SAPience. diff retention periods will be taken into account. data type. the data needs to be “inactivated”. Yet legal retention periods require traceability of interactions.be TECHday 2017 40 .Data blocking/removal • When data is no longer active or needed for its primary purpose. • Per organization per document type.

Data Breach notification • Continuous monitoring of who accesses specific data elements • Insight to data usage – authorization finetuning • Alert when not compliant to predefined rules • Document data breach • Impact analysis – cause & extent of breach • Inform data owners SAP Solution: • Read Access Logging. UI Logging or SAP Process Control to identify possible data breach • Identify access to data elements • Define all possible approaches • SAP Process Control/Risk Management for response follow-up SAPience.be TECHday 2017 41 .

be TECHday 2017 42 .DPIAs. Processes.… Data Privacy Impact Assessments • Show compliancy • Document controls • Test controls • Process & Policy Documentation • Issues & action plans Controls • Controls on user access (role based) • Controls on data reading Consent management • Automated for internal use • Documentation for external • Response policies Data breach SAPience.

understand and visualize in real- time which business processes ‘touch’ personal data • Enterprise Threat Detection: Security monitoring of your SAP business systems SAPience.Other SAP Solutions to explore • Fraud Management: big data analysis on complex patterns to identify breach • Data Services / Information Steward • Tagging and profiling of data across SAP and non-SAP landscapes • Analyze repositories for types of data • Leverage lineage analysis to create transparency on data flows • Manage personal data accuracy & consistency • Process Mining by Celonis: Powered by HANA.be TECHday 2017 43 .

be TECHday 2017 44 .SAPience.

be TECHday 2017 45 .Thank you! SAPience.