GDPR is coming. Is your SAP environment ready?

1 July 2017

Julien Delvat

SAP S/4HANA Consultant

"According to new research from the UK & Ireland SAP User Group, around 86% of users have yet to grasp the implications of GDPR as it relates to their existing and future SAP inventory" [1][2]. Let's look at what GDPR is and how to brace yourself before impact.

Does your organization operate in the EU, or offer goods or services to, or monitor the behaviour of, individuals in the EU? If the answer is yes, then you need to ensure that your organization complies with the General Data Protection Regulation (GDPR) by 25 May 2018; otherwise it could face a fine of up to 4% of its annual worldwide turnover.
 

What is GDPR? 

The General Data Protection Regulation (GDPR) is less a brand-new set of principles than a consolidation and update of the data protection rules previously in force across the EU under the 1995 Data Protection Directive; the key difference is that, as a regulation rather than a directive, it applies directly and uniformly in every member state. What is important to recognize is that it is not limited to EU organizations: it applies to any organization, small or large, anywhere in the world, that processes the personal data of individuals in the EU. This covers any personal data (employee information, customer addresses and purchase history, even email and IP addresses) as well as special categories of personal data (genetic and biometric data, health data, and data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation).

The GDPR defines guidelines for: 

  • Right to be forgotten 

  • Extra-Territoriality 

  • Consent 

  • Access to Law Enforcement 

  • Joint Liability of Controllers and Processors 

  • Fines and Penalties 

  • Mandatory Breach Notification 
     

How does it impact my organization? 

In order to comply with GDPR, your organization needs to know, for each set of personal data it handles, who the controller is (the party that decides why and how the data is processed) and who the processors are (the parties that process it on the controller's behalf). In addition, practices need to be put in place so that a personal data breach is reported to the supervisory authority within 72 hours of the organization becoming aware of it, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them.

Controllers need to prove the implementation of proper policies, keep records of processing activities, implement privacy by design and by default, etc. For processors, the legal obligations are more limited [3], although processors are now directly liable for their own duties (for instance, securing the data and notifying the controller of breaches). Which raises the question: when your system is hosted in the cloud, is your provider a processor or a controller? In most hosting arrangements the provider is a processor, but that role, and the provider's duties, must be fixed in a written data processing agreement; a provider that uses the data for its own purposes becomes a controller in its own right.

Should your organization fail to comply with GDPR, it could be subject to expensive fines: up to 20 million euros or 4% of annual global turnover, whichever is the greater!


Typical Questions 

Can EU data be sent outside the EU? 

Data transfer outside the EU is subject to strict conditions: the destination must be covered by an EU adequacy decision, or the transfer must rest on an approved safeguard such as Standard Contractual Clauses or Binding Corporate Rules. The flow of personal data within the EU is in principle "freely allowed".

Does an organisation need Safe Harbour to transfer EU Personal Data to the US?

Safe Harbour itself was invalidated by the Court of Justice of the EU in October 2015 and can no longer be relied on. There are several other mechanisms to enable the transfer of EU personal data to the US, such as its successor, the EU-US Privacy Shield, Standard Contractual Clauses and Binding Corporate Rules.

Does Data Privacy legislation for data residency require Personal Data to be stored in a specific country?

Storage of EU personal data is allowed anywhere within the EU and is not limited to a single EU country. There may be residency restrictions (for example from sector-specific or national rules), but they do not come from data privacy legislation.

Are IP addresses and log files forms of Personal Data?

Yes. Several jurisdictions in Europe already treat IP addresses and other log-file entries as personal data, and the GDPR makes this explicit: Recital 30 names online identifiers such as IP addresses and cookie identifiers as data that can be used to identify a person. Web server, proxy and application logs are therefore in scope for your data inventory and retention rules.


How does GDPR impact your SAP environment? 

SAP is well aware of the potential impact of the GDPR on its customers. Talking to the Financial Times about the new regulation, Bernd Leukert, SAP's head of products and innovation and a member of the executive board, said "The more bureaucracy, the more complexity you have in your business segment, the harder it is to grow fast, and speed is what matters these days" [4].

Consider your SAP system: where would personal data be stored?  

  • Personnel: ECC – HR / SuccessFactors / FieldGlass 

  • Customer: ECC – SD + FI-CO / CRM / Hybris 

  • Reporting: BW 

Access to and handling of personal data in most of these applications can be controlled with SAP GRC. However, as noted in the UK and Ireland SAP User Group (UKISUG) survey evaluating the readiness of its members against the new rules, "just under half of its users (47%) said they use GRC for governance" [1]. On top of this, a Symantec / Blue Coat report states that "98% of cloud applications don't come close to being GDPR ready" [6]. This leaves many organizations wondering where to start their GDPR journey.


What can you do to prepare for GDPR? 

Define roles and responsibility 

Appoint a Data Protection Officer (DPO). The GDPR makes this mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; the DPO must be independent and report directly to the highest management level (the CEO or the board). Even where a DPO is not mandatory, someone must own accountability for data protection.

Assess your readiness 

Look into your organization's data and establish where personal data of individuals in the EU is kept, for how long, for what purpose, and on what legal basis (consent, contract, legal obligation, legitimate interest, etc.). This inventory is also the foundation of the records of processing activities the regulation requires.

Set up processes 

Processes, at every level, need to be created or updated to ensure the confidentiality, integrity, availability and resilience of processing systems (the security principles of Article 32). For instance, how do you process a data subject's request to erase their personal data within the one-month response deadline, including the copies held in interfaces and reporting systems? What steps should be taken to meet the 72-hour deadline to notify a data breach to the supervisory authority? [6]

Deploy innovations 

SAP is already working on enabling its platform for GDPR. For instance, removal of personal data is supported in some areas of ECC EhP8, GRC, CRM, HCM, PLM, SCM, etc. [8]

Participate 

Join your local SAP User Group and contribute to the customer influence council on Data Protection [9].

Stay informed 

You can read the official EU regulation [10] or updates on how to implement it [11]. 


Sources: 

[1] UKISUG - How can SAP users prepare for GDPR?
https://www.sapusers.org/news/407/how-can-sap-users-prepare-for-gdpr  
[2] Diginomica - SAP users still haven’t grasped the implications of GDPR 
http://diginomica.com/2017/06/09/sap-users-still-havent-grasped-implications-gdpr/  
[3] Preparing for the GDPR – Unlocking the EU General Data Protection Regulation 
https://www.whitecase.com/publications/article/chapter-2-preparing-gdpr-unlocking-eu-general-data-protection-regulation 
[4] Financial Times - SAP raises fears over EU data privacy rules
https://www.ft.com/content/22d5e078-d9a1-11e6-944b-e7eb37a6aa8e?mhq5j=e3 
[5] Prepare for the new EU General Data Protection Regulation and co-innovate with SAP GRC 
https://blogs.sap.com/2016/07/29/prepare-for-the-new-eu-general-data-protection-regulation-and-co-innovate-with-sap-grc/ 
[6] Symantec | Blue Coat – Shadow Data Report 
http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B2f3a44c7-7445-442a-9425-de48041ab3c9%7D_ShadowDataReport_1H_2016_Digital-Screen_compressed.pdf?elqTrackId=389f24b124ac4773817eeef500ae7c5e&elqaid=6893&elqat=2  
[7] Diginomica - GDPR: Building a Platform Over The Data Breach 
http://diginomica.com/2017/04/04/gdpr-building-platform-data-breach/  
[8] SAP Innovation Discovery 
https://zinnovationdiscovery-supportportal.dispatcher.hana.ondemand.com/#/innovations  
[9] ASUG Customer Influence - Data Protection Impact Assessments with SAP GRC Suite 
https://influence.sap.com/ct/s.bix?c=09A0122C-944D-4863-9481-FE1F1AC8B41E  
[10] Regulation (EU) 2016/679 of the European Parliament and of the Council
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:FULL  
[11] Information Commissioner’s Office – Overview of the General Data Protection Regulation (GDPR) 
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/  

About the author

Julien Delvat

SAP S/4HANA Consultant

With over 15 years' experience of developing cost management applications at SAP Labs France, coupled with significant experience of architecting, designing and implementing these systems for clients across the globe and industries, Julien is perfectly placed to offer Bluefin's customers unrivalled expertise in the colliding worlds of finance and technology. It's not without good reason that he's known as a 'Costing Geek'!

When it comes to collaborating with clients, Julien likes to get under an organisation’s skin. He wants to know what makes a company tick, what their priorities are and what the reality is on the ground. Doing this assists him to build information systems that reflect their true business needs.

Julien’s contributions to the SAP Financials community have been recognized through publications in professional blogs and journals like SCN.com and SAP Expert, as well as multiple speaking and panel opportunities at conferences like SAP Financials, SAP Controlling, Sapphire / ASUG, and SAP TechEd. He is most passionate about his roles as an ASUG volunteer for the Financials community and as an SAP Mentor, working as a trusted advisor to build new communication channels between SAP and its customers.