GDPR u SAP u 29052017 - hgk.hr


Page 1

GDPR in SAP

June, 2017

Igor Gregurec

Page 2

© 2012 Altima

Agenda

GDPR rules

GDPR compliance approach

Example – SAP solutions for GDPR compliance

Lifecycle of personal data

Fines and trends


Page 3

The New EU Data Protection Rules

Since May 2016, an EU Regulation and a Directive govern the protection of personal data.

The Regulation entered into force on 24 May 2016; it applies from 25 May 2018.

The Directive entered into force on 5 May 2016, and EU Member States have to transpose it into their national law by 6 May 2018.

Page 4

GDPR is one of the most far-reaching pieces of regulation, ever

The following must be made provision for:

Creation of an independent Data Protection Officer with compliance, cyber and business procedure oversight

Purpose of data processing + lawful reason for doing it

Data protection risk impact assessment, with prior approval for high risks

Data protection by design, by default

Information notices, policy implementation

Data breach notifications

Data retention consent requirements, right to erasure

Data profiling restrictions (especially automated)

Data portability, machine readable format

Data protection audits

Page 5

1. Data Tagging, Delete, Retention & Blocked Access

• Tagging of personal data

• Deletion of SAP data; document the systems & procedures for deletion of non-SAP data

• Archiving of SAP data; document the systems & procedures for non-SAP data kept for legal purposes, with retention periods

• Safe (separate, managed, blocked) storage of archived data

Personal information is safely deleted or stored after employees have left the company or following a consent (erasure) request.

Based on Information Lifecycle Management, PowerDesigner and Process Control

• ILM: tagging SAP data across environments, deletes, secure archives

• PD: tagging non-SAP data across environments

Page 6

2. Processing and Storing of Personal Data, Data Privacy Rights: Lawful basis

Based on Process Control

Data privacy includes the following rights of the natural person (data subject):

• Their data can only be processed if one of the lawful grounds (listed on the slide) can be shown, per process

• They have the right to request blocking of their data, and deletion of their data

• The risk associated with processing their data has to be assessed

• Their data is safeguarded, ensuring that only the defined and currently agreed processing in the required scope will take place (minimising to as little data as possible)

• The data is deleted as soon as all legal retention periods have passed, and the data is blocked during the time in which it is kept for legal reasons only

• They can get all relevant information on their data undergoing processing

• They have the right to get incorrect data corrected
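The block-then-delete rule in the bullets above is the mechanical core of what the deck's ILM slides describe. The following is an added example in Python (not code from the deck, from Altima or from SAP) of that lifecycle: a record stays active while its business purpose runs, is blocked (readable only by a legal-hold role) once the purpose has ended but a legal retention period is still running, and becomes due for destruction once the longest retention period has expired. It also shows why an erasure request cannot jump straight to deletion when retention law still applies. The record layout, retention rule names, role names and dates are all assumptions made for the example, not SAP ILM's data model.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

# Added example of an ILM-style personal-data lifecycle. Record layout, rule
# names and role names are assumptions, not SAP ILM's own data model.


class State(Enum):
    ACTIVE = "active"      # business purpose still running: normal processing allowed
    BLOCKED = "blocked"    # purpose ended, kept only for legal retention: access restricted
    DESTROY = "destroy"    # every retention period has expired: must be deleted


@dataclass(frozen=True)
class RetentionRule:
    name: str    # e.g. "tax_records" (assumed name)
    years: int   # retention period, counted from the end of purpose


@dataclass
class PersonalRecord:
    subject_id: str
    end_of_purpose: Optional[date]        # None while the purpose is still running
    rules: tuple[RetentionRule, ...]      # legal retention periods that apply


# Roles allowed to read a record in each state (assumed role names).
READ_ROLES = {
    State.ACTIVE: {"hr_clerk", "hr_manager", "legal_hold"},
    State.BLOCKED: {"legal_hold"},   # blocked data is not for day-to-day processing
    State.DESTROY: set(),            # nothing may read data that is overdue for deletion
}


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: PersonalRecord) -> Optional[date]:
    """Date on which the longest applicable retention period expires (None while active)."""
    if rec.end_of_purpose is None:
        return None
    longest = max((r.years for r in rec.rules), default=0)
    return add_years(rec.end_of_purpose, longest)


def lifecycle_state(rec: PersonalRecord, today: date) -> State:
    """ACTIVE until end of purpose, BLOCKED while retention runs, DESTROY afterwards."""
    if rec.end_of_purpose is None or today < rec.end_of_purpose:
        return State.ACTIVE
    if today < retention_end(rec):
        return State.BLOCKED
    return State.DESTROY


def can_read(state: State, role: str) -> bool:
    """Read-access decision that follows the lifecycle state, not just the role."""
    return role in READ_ROLES[state]


def request_erasure(rec: PersonalRecord, today: date) -> State:
    """Handle an erasure request: end the purpose now, but never shorten a legal retention.

    The outcome is BLOCKED (retention still running) or DESTROY (nothing left to retain);
    it is never an immediate delete while a retention rule applies.
    """
    if rec.end_of_purpose is None or rec.end_of_purpose > today:
        rec.end_of_purpose = today
    return lifecycle_state(rec, today)


def classify(records, today: date) -> dict[str, State]:
    """Batch run, e.g. a nightly ILM-style job: subject id -> lifecycle state."""
    return {r.subject_id: lifecycle_state(r, today) for r in records}


if __name__ == "__main__":
    # Constructed sample: an employee who left on 30 June 2017 with 10-year tax
    # and 6-year payroll retention (assumed periods).
    leaver = PersonalRecord("EMP1001", date(2017, 6, 30),
                            (RetentionRule("tax_records", 10), RetentionRule("payroll", 6)))
    for day in (date(2017, 6, 1), date(2020, 1, 1), date(2027, 6, 30)):
        print(day, lifecycle_state(leaver, day).value)
```

The point a practitioner should take from the example is the ordering: the access check consults the lifecycle state first, so an HR clerk who could read the record yesterday loses read access on the day the purpose ends, even though the data is still physically present for the tax authority.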

Page 7

3. Data Breaches: accidental or malicious

GDPR:

• A breach is an "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data"

• Processors must report breaches to controllers

• Controllers must report breaches to the supervisory authority (within 72 hours of becoming aware) and to the affected data subjects if the breach is likely to result in a high risk to them

• Failures can result in punitive fines per sensitive breach

Breach-prevention measures (from the slide graphic; DLP and IAM are the supporting SAP solution areas):

• Monitor configuration changes

• Consistently apply patches and updates

• Monitor logs for anomalies and attacks

• Review critical access and relevant transactions

• Govern access and manage identities

• Protect data inside / outside the application

• Ensure appropriate policies and training

• Mature from rigid preventive controls to agile detective controls

• Connecting with business partners and to equipment

"…take into account the state of the art… cost of implementation… appropriate technical measures…" (Article 32)

Page 8

4. Data Protection Impact Assessment (DPIA)

GDPR requires:

• A formalised process to identify non-compliant risks

• A DPIA carried out on any high-risk processing, before it is commenced

• A description of the processing activities and purpose

• An assessment of the need for and proportionality of the processing

• Risks arising and mitigations documented and dealt with

• Especially safeguards and security measures to protect personal data and comply with GDPR

Examples: large-scale processing or profiling of any personal data. The DPO's advice on carrying out a DPIA must be sought. The supervisory authority must be consulted before processing is carried out where a high risk remains unmitigated.

Based on Risk Management and Process Control

Page 9

5. Assist you with demonstrating your GDPR certification: document governance requirements

Favourable measures for demonstrating compliance would be operating a regular audit program, including for example:

• Privacy by design

• Privacy impact assessments (and managed consequences)

• Engaging a DPO and giving them adequate resources and independence

• The controller's selection process for, and regular review of, service providers (data processors) for the data processed

• Managing the use of sub-processors and vendors

• Use of e.g. pseudonymisation, encryption (so-called state-of-the-art technologies), access governance

• Certification of data processing (especially in the cloud, where individual audits are not feasible)

Based on Process Control and Risk Management

Regulator: "Accountability, good governance, sustainable procedures" … when in doubt, get a DPO

Page 10

Example GDPR Cockpit you might build

Page 11

Example - GDPR Compliance Approach

Page 12

Compliance Approach Phase 1 (1H2017)
Audit and Gap Analysis: Where is my personal data, what is my baseline risk?

Gap analysis, strategic direction, program of work

1. Identify personal data locations
   • stored or processed
   • internally, or by 3rd parties

2. Determine lawful purposes
   • processes touching data
   • consent procedures & policy management

3. Risk assess processes
   • lawful user access to data, cyber security risk
   • retention requirements and management

Tools: Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, Risk Management

Page 13

Compliance Approach Phase 2.1 (2H2017)
Set up Business as Usual Program: Implement data & procedures management

Data security, consent and procedure management

4. Tagging for consent, consent management
   • erasure, porting & no-process
   • retention archive & destroy

5. Data security technology for DLP and IAM
   • breach management incl. 3rd parties
   • data minimization, accuracy, unlawful viewing

6. New processes & lawful purpose
   • consent policy, risk assessments, data security
   • 3rd party contracts

Tools: Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL

Page 14

Compliance Approach Phase 2.2 (1H2018)
Embed DPO, Compliance Status: Accountability, governance, repeatable processes

Ready for Regulator

7. DPO engagement
   • DPIA and compliance signoff
   • DPO sanctions certification

8. Governance process evidence
   • accountability
   • transparency policy

9. Regulator communication procedures
   • audit procedures
   • breach notification policy (country, industry)

Tools: Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL, BI Cockpit, Audit Management

Page 15

Core SAP Solutions for GDPR Compliance

GDPR is so vast that no single solution in the market can address all of it. Furthermore, there is no single most important area to focus on first. SAP has the advantage of best-of-breed solutions which, used together, enable you to demonstrate your GDPR compliance:

Process Control (PC): The single most important custodian of GDPR compliance, providing ongoing digital evidence to the supervisory authority of, for example, breach management, compliant policies, privacy notices and procedures, lawful exclusions, DPIA results (and assessment), controls (with automated monitoring across SAP and non-SAP systems), challenge responses, audit evidence (AM for full audits) and action management, lawful purpose per process, third-party and contract management, processor/sub-processor management.

Information Lifecycle Management (ILM)*, PowerDesigner (PD): ILM is a powerful SAP-only tool for tagging personal data across multiple environments and managing the procedures for deleting and archiving with defensible legal retention requirements. PD covers non-SAP data tagging (not deleting).

Information Steward: Mature data profiling and metadata management tool providing continuous interrogation of the location of personal data across the estate for SAP and non-SAP systems, as well as assisting in managing personal data accuracy and consistency.

Celonis: Cutting-edge HANA-powered process mining technology to understand and visualize which processes actually 'touch' personal data, as opposed to the ones you think do, with real-time cross-platform big data surveillance for SAP and non-SAP systems.

Read Access Logging (RAL)* or Enterprise Threat Detection (ETD): Data loss prevention. RAL monitors, logs and categorises read access to personal data in SAP systems. HANA-powered ETD is a big-data, real-time security event detection and management tool for application-level access processing and pattern analysis; it provides real-time breach and inappropriate-access detection, investigation and remediation, plus dashboarding.

AC, DAM, IDM/SSO, HR: Identity & access management. Managing lawful user access to personal data is a core requirement of GDPR, whether in active business systems, at contracted processors, in archives, as part of employee enrolment, or in contract management. SAP provides robust best-of-breed solutions.

Customer Relationship Management (CRM): Customer-facing solution to track and manage consent requests and regulator dialogues.

BI for Cockpit: Develop a dashboard that provides the single place to go for real-time GDPR compliance status, with drill-through into topic details.
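RAL and ETD are described above as the detection side of breach handling, and the breach slide asks for logs to be monitored for anomalies and critical access to be reviewed. As an added example (not Altima's or SAP's code, and not the real RAL log format), here is a small Python detector that runs three such checks over a constructed read-access log: reads of personal-data objects by a role not cleared for them, reads outside business hours, and one user reading many distinct data subjects within a short window (a bulk-export pattern). The log layout, user and role names, thresholds, and the use of PA0002 (HR personal data infotype) and KNA1 (customer master) as the personal-data objects are all assumptions made for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example: a toy read-access anomaly detector. The log format below is a
# constructed, simplified one and is NOT the output format of SAP Read Access
# Logging. Users, roles, thresholds and the role-to-object policy are invented.


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    obj: str        # logged object, e.g. an HR infotype or master-data table
    subject: str    # the data subject whose record was read


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


# Constructed sample log. Fields: timestamp|user|role|object|data_subject
SAMPLE_LOG = """\
2017-06-12T09:02:11|HR_ANA|HR_CLERK|PA0002|EMP1001
2017-06-12T09:03:40|HR_ANA|HR_CLERK|PA0002|EMP1002
2017-06-12T09:04:05|HR_ANA|HR_CLERK|PA0002|EMP1003
2017-06-12T09:05:22|HR_ANA|HR_CLERK|PA0002|EMP1004
2017-06-12T09:06:48|HR_ANA|HR_CLERK|PA0002|EMP1005
2017-06-12T09:07:30|HR_ANA|HR_CLERK|PA0002|EMP1001
2017-06-12T10:00:01|SALES_C|SALES_REP|KNA1|CUST0001
2017-06-12T22:15:03|IT_BOB|BASIS_ADMIN|PA0002|EMP1003
"""

# Which roles are cleared to read which personal-data objects (assumed policy).
ALLOWED_ROLES = {
    "PA0002": {"HR_CLERK", "HR_MANAGER"},
    "KNA1": {"SALES_REP", "SALES_MANAGER"},
}
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 counts as normal
BULK_WINDOW = timedelta(minutes=10)    # sliding window for the bulk-read check
BULK_THRESHOLD = 5                     # distinct data subjects that trigger it


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-delimited sample format into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, obj, subject = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, role, obj, subject))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event]) -> list[Finding]:
    """Run the three checks; events must be in chronological order."""
    findings: list[Finding] = []
    recent: dict[str, list[Event]] = defaultdict(list)   # per-user sliding window
    bulk_flagged: set[str] = set()                         # report bulk reads once per user
    for ev in events:
        # 1. Role not cleared for this personal-data object.
        if ev.role not in ALLOWED_ROLES.get(ev.obj, set()):
            findings.append(Finding("unauthorised_role", ev.user,
                                    f"{ev.role} read {ev.obj} for {ev.subject}"))
        # 2. Read outside business hours.
        if ev.ts.hour not in BUSINESS_HOURS:
            findings.append(Finding("off_hours", ev.user,
                                    f"read {ev.obj} at {ev.ts.isoformat()}"))
        # 3. Many distinct data subjects by one user inside the window.
        cutoff = ev.ts - BULK_WINDOW
        window = [e for e in recent[ev.user] if e.ts >= cutoff] + [ev]
        recent[ev.user] = window
        subjects = {e.subject for e in window}
        if len(subjects) >= BULK_THRESHOLD and ev.user not in bulk_flagged:
            bulk_flagged.add(ev.user)
            findings.append(Finding("bulk_read", ev.user,
                                    f"{len(subjects)} distinct data subjects within {BULK_WINDOW}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.rule:18} {f.user:8} {f.detail}")
```

The bulk-read check counts distinct data subjects rather than raw reads, so a clerk re-opening the same employee record does not trip it, while someone walking through the HR master data one record at a time does. In a real deployment the thresholds would come from the baseline established in the audit phase, and the findings would feed the investigation and remediation workflow the ETD paragraph describes.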

Page 16

Example: Personal Data in SAP Business Suite

Page 17

Lifecycle of personal data handled


Page 18

Last but not least

The GDPR carries massive fines: up to €20 million or 4% of your company's total worldwide annual turnover, whichever is higher, for a single violation.

Say you're DPO at JetBlue. What happens to your company (and your career) when a DPA determines your team violated the GDPR and levies a fine of $256,000,000? (That's 4% of 2016 gross revenue.)

Germany Enacts GDPR Implementation Bill

Facebook received a $122 million fine from the European Union's antitrust regulators, who say the social media giant provided misleading information during its 2014 acquisition of the messenger app WhatsApp. (That fine was imposed under EU merger rules, not the GDPR; it is cited here as an indicator of the regulators' appetite for large fines.)

Page 19

Altima d.o.o.

Horvatova 80A, HR-10010 Zagreb, Hrvatska

T +385 1 6408 000, F +385 1 6408 001

www.altima.hr, [email protected]