"According to new research from the UK & Ireland SAP User Group, around 86% of users have yet to grasp the implications of GDPR as it relates to their existing and future SAP inventory." Let's look at what GDPR is and how to brace yourself before impact.
Does your organization operate in the EU, or offer goods or services to individuals in the EU? If the answer is yes, then you need to ensure that your organization is compliant with the General Data Protection Regulation (GDPR) by 25 May 2018; otherwise it could be subject to a fine of up to 4% of its worldwide annual turnover.
What is GDPR?
The General Data Protection Regulation (GDPR) is less a brand-new regime than a consolidation and update of the data protection rules already in force in the EU (it replaces Directive 95/46/EC). What is important to recognize is that it is not limited to EU organizations: it applies to any organization, small or large, anywhere in the world, that processes the personal data of individuals in the EU. This covers any personal data (employee records, customer addresses and purchase histories, even email and IP addresses) and, with stricter rules, special categories of data such as health, genetic and biometric data.
The GDPR sets binding rules on:
Right to be forgotten
Access to Law Enforcement
Joint Liability of Controllers and Processors
Fines and Penalties
Mandatory Breach Notification
How does it impact my organization?
To comply with GDPR, your organization needs a clear definition of who is the controller and who is the processor for each set of personal data. In addition, practices need to be in place to ensure that a personal data breach is reported to the supervisory authority within 72 hours of becoming aware of it (and to the affected individuals without undue delay where the breach is likely to result in a high risk to them).
Controllers must be able to demonstrate that proper policies are implemented, keep records of processing activities, apply privacy by design and by default, and so on. Processors have fewer direct obligations, but they are not exempt: they must act only on the controller's documented instructions, keep their own records, secure the data and notify the controller of breaches without undue delay. Which raises the question: when your system is hosted in the cloud, is your provider a processor or a controller? In most hosting arrangements the provider processes data on your behalf and you remain the controller, and GDPR requires that relationship to be fixed in a written contract.
Should your organization fail to comply with GDPR, it could face fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is greater.
Can EU data be sent outside the EU?
Transfer of personal data outside the EU (more precisely, the European Economic Area) is subject to strict conditions. Within the EU, the flow of personal data is in principle free.
Does an organisation need Safe Harbour to transfer EU personal data to the US?
No. Safe Harbour was invalidated by the Court of Justice of the EU in October 2015 and can no longer be relied on. Several other mechanisms enable the transfer of EU personal data to the US, such as standard contractual clauses, binding corporate rules and (at the time of writing) the EU-US Privacy Shield.
Does data privacy legislation on data residency require personal data to be stored in a specific country?
Storage of EU personal data is allowed anywhere within the EU and is not limited to a single member state. Other rules (sector regulations or contracts) may impose residency restrictions, but data privacy legislation itself does not.
Are IP addresses and log files personal data?
Yes. Several jurisdictions in Europe already treat IP addresses and other log data as personal data, and the GDPR itself lists online identifiers such as IP addresses among the identifiers of a natural person. Web server, proxy and application logs that record client addresses therefore fall under the regulation and need a retention and minimization policy like any other personal data.
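One practical consequence is that logs should be scrubbed of client addresses before they are retained long term or handed to third parties. The script below is an added example, not code from the original article or from SAP; it runs over constructed Apache-style log lines (addresses from the documentation ranges, not real traffic) and shows two strategies. Truncation zeroes the host part of the address, which is the approach used by common "IP anonymization" features. Keyed pseudonymization (HMAC-SHA256 under a secret key) keeps the same client correlatable across lines for incident response, but the address cannot be recovered without the key; under GDPR pseudonymized data remains personal data, so this is a safeguard rather than an exemption. The key name `DEMO_KEY` and the `ip4-`/`ip6-` output format are assumptions of this example.

```python
"""Scrub IP addresses from web-server style log lines (added example).

Strategies:
  * truncate_ip    -> drop the host part (IPv4 /24, IPv6 /48); closest to anonymization.
  * pseudonymize_ip -> HMAC-SHA256 of the packed address under a secret key; still
                       personal data under GDPR, but not reversible without the key.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import List, Optional

# Constructed sample lines in Apache combined-log style. The addresses come
# from the RFC 5737 / RFC 3849 documentation ranges, not from real traffic.
SAMPLE_LOGS = [
    '203.0.113.45 - - [10/May/2018:13:55:36 +0000] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 5123',
    '2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:13:55:37 +0000] "POST /sap/bc/srt/rfc HTTP/1.1" 403 231',
    "no address here at all",
]

# Placeholder key for this example only; in production load it from a
# secrets store, restrict who can read it, and rotate it on a schedule.
DEMO_KEY = b"replace-with-a-secret-from-your-vault"

# Any run of characters that could form an IPv4 or IPv6 literal. Every hit
# is validated with the ipaddress module, so timestamp fragments such as
# "2018:13:55:36" or version strings such as "1.1" are left untouched.
CANDIDATE_RE = re.compile(r"[0-9A-Fa-f:.]+")


def truncate_ip(ip: str) -> str:
    """Anonymize by dropping the host part: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Pseudonymize with a keyed hash.

    Without the key an attacker cannot simply enumerate the 2^32 IPv4 space
    to recover the address; with the key the holder can re-identify a given
    address on request (for example for a legitimate access request).
    """
    addr = ipaddress.ip_address(ip)
    digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return f"ip{addr.version}-{digest[:16]}"


def scrub_line(line: str, key: Optional[bytes] = None) -> str:
    """Replace every valid IP literal in the line; all other tokens stay as they are."""

    def _replace(match: "re.Match[str]") -> str:
        token = match.group(0)
        try:
            ipaddress.ip_address(token)
        except ValueError:
            return token  # not an address: timestamp, status code, path fragment, ...
        return pseudonymize_ip(token, key) if key else truncate_ip(token)

    return CANDIDATE_RE.sub(_replace, line)


def scrub_logs(lines: List[str], key: Optional[bytes] = None) -> List[str]:
    """Scrub a batch of lines; pass a key for pseudonymization, none for truncation."""
    return [scrub_line(line, key) for line in lines]


if __name__ == "__main__":
    print("truncated:")
    for line in scrub_logs(SAMPLE_LOGS):
        print(" ", line)
    print("pseudonymized:")
    for line in scrub_logs(SAMPLE_LOGS, key=DEMO_KEY):
        print(" ", line)
```

Truncation is the right default for logs that only need to support aggregate analysis; keep the keyed variant for the short-lived copies your incident response process actually needs, and treat the key as sensitive as the raw log.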
How does GDPR impact your SAP environment?
SAP is well aware of the potential impact of the GDPR on its customers. Talking to the Financial Times about the new regulation, Bernd Leukert, SAP's head of products and innovation and a member of the executive board, said: "The more bureaucracy, the more complexity you have in your business segment, the harder it is to grow fast, and speed is what matters these days."
Consider your SAP system: where is personal data stored?
Much of the security and risk of these applications can be controlled with SAP GRC. However, as the UK and Ireland SAP User Group (UKISUG) survey of its members' readiness for the new rules noted, "just under half of its users (47%) said they use GRC for governance". On top of this, a Symantec / Blue Coat report states that "98% of cloud applications don't come close to being GDPR ready". This leaves many organizations wondering where to start their GDPR journey.
What can you do to prepare for GDPR?
Define roles and responsibility
Organizations that meet the criteria of Article 37 (public authorities, or those whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data) must appoint a Data Protection Officer (DPO), who reports directly to the highest level of management; other organizations are well advised to assign the role anyway.
Assess your readiness
Look into your organization's data and evaluate where, for how long, for what purpose and on what legal basis personal data of individuals in the EU is kept.
Set up processes
Processes at every level need to be created or updated to support CIAR: the confidentiality, integrity, availability and resilience of the systems that process personal data (the wording of Article 32). For instance, how do you process an individual's request to erase their personal data? What steps are taken to meet the 72-hour deadline for notifying a data breach?
SAP is already adapting its platform for GDPR. For instance, deletion of personal data is supported in some areas of ECC EhP8, GRC, CRM, HCM, PLM, SCM and other products.
Join your local SAP User Group and contribute to the customer influence council on Data Protection.
You can read the official EU regulation, or updates on how to implement it, in the references below.
References
UKISUG – How can SAP users prepare for GDPR?
Diginomica – SAP users still haven't grasped the implications of GDPR
Preparing for the GDPR – Unlocking the EU General Data Protection Regulation
Financial Times – SAP raises fears over EU data privacy rules
SAP – Prepare for the new EU General Data Protection Regulation and co-innovate with SAP GRC
Symantec / Blue Coat – Shadow Data Report
Diginomica – GDPR: Building a Platform Over The Data Breach
SAP – Innovation Discovery
ASUG Customer Influence – Data Protection Impact Assessments with SAP GRC Suite
Regulation (EU) 2016/679 of the European Parliament and of the Council
Information Commissioner's Office – Overview of the General Data Protection Regulation (GDPR)