how is gdpr relevant for us companies
TRANSCRIPT
Doing Business in Europe? EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. What you need to know and do by Friday, May 25, 2018.

Agenda
• About Natuvion
• Introduction to EU General Data Protection Regulation (GDPR)
• 11 steps you need to take before Friday, May 25, 2018
• How SAP and Natuvion capabilities can expedite and simplify your GDPR compliance
• GDPR workshop: will yours be free?
• Question and answer
About Natuvion | SAP Partner for GDPR
SAP Recognized Experts in Security and GDPR
• Office locations: Walldorf, Berlin, Munich, Vienna, and New York
• Rapidly growing: more than 60 employees
• SAP Co-Innovation Program for Data Protection and Privacy
• Multi-city SAP customer workshops
• Innovation partner for Data Protection and Privacy
• Three Years of Successful SAP/GDPR Implementations
• Strategic IT Security, Data Protection and Privacy Management
• Accelerator 1 | Data Anonymization Engine [TDA]
• Accelerator 2 | Mass Data Decommissioning System
• Accelerator 3 | Templates for SAP Information Retrieval Solution
• Information Lifecycle Management [ILM] Competence Center
Industries: Technology, Manufacturing, Automotive, Energy, Pharmaceutical, Beverages, Banking, Insurance, Retail
Natuvion GmbH, Altrottstraße 31 | 69190 Walldorf, Fon +49 6227 73-1400, Fax +49 6227 73-1410
www.natuvion.com
Your Experts Today
Patric Dahse, Managing Director (Geschäftsführer). Fon: +49 151 171 357 02, Mail: [email protected]
Patric Dahse, CEO/Founder, Natuvion Americas Inc., 19 W. 34th Street, Suite 1018, New York, NY 10001, USA. T +49 (0)6227.73-1400, F +49 (0)[email protected]
Areas of expertise: § Data Protection and Privacy § SAP Transformation
Benjamin Spies, IT Lawyer, Partner, SKW Schwarz Rechtsanwälte, Wittelsbacherplatz 1, 80333 Munich, Germany. T +49 (0)89.28640-108, F +49 (0)[email protected]
Areas of expertise: § IT Law § Data Security Rights
What is GDPR?
EU General Data Protection Regulation (GDPR)
1. Designed to harmonize data privacy laws across Europe, GDPR protects and empowers all EU citizens by giving them more say over what companies do with their data.
2. Makes data protection legislation more consistent and clear across the EU, saving a collective €2.3 billion a year.
3. Replaces the Data Protection Directive of 1995 (from optional to regulated). The enforcement date is Friday, May 25, 2018.
4. Organizations in non-compliance will face yearly time-consuming investigations, heavy fines, up to two years in prison, and more.
5. Reverses the burden of proof to the detriment of data processing companies. Companies need to strategically shift focus to recognize individual rights.
6. Significantly increases the need for systematic solutions that allow for comprehensive documentation of measures. Achieving compliance will require updating SAP and other technical solutions.
Summary of GDPR Key Facts
1. Enhanced rights of data subjects
2. Increased duty for protecting data
3. Mandatory data breach reporting
4. Significant penalties for non-compliance
Compliance with GDPR in the United States
How is GDPR relevant for US companies? What happens in cases of non-compliance?
GDPR not only applies to organizations located within the EU, but it also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company's location.
Organizations can be fined up to 4% of annual global turnover, or 20,000,000 Euros, for non-compliance. The owners, shareholders, or members of a corporation can be held personally liable for corporate debts (Art. 82).
Figure: Global Data Traffic. Examples of personal data shown: Health Data*, E-mail Address, Name & Address, IP Address, Biometric Data*, Camera Records, Access Registration, Iris Scan*, Membership of Labor Organization*, Username & Password, Smart Meter Data.
Legal | Key Principles of the Protection of Personal Data
Principle 1: Lawfulness, Fairness, and Transparency
• Consumer consent is critical.
• Shifts data control back to the individual.
Principle 2: Data Minimization
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Principle 3: Data Security
• Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data, as well as against accidental loss, destruction of, or damage to personal data.
Principle 4: Accuracy
• Personal data shall be accurate and, where necessary, kept up to date.
Principle 5: Accountability
• Data Protection Officers govern adherence to regulation.
• Data breach notification becomes mandatory.
• Heightened requirements for processors.
Preparing for GDPR: 11 Steps You Need to Take
Natuvion Recommends | Biggest Impact on IT Landscape
(The original slide classifies each step as Juridical/Organizational, IT Relevant in Scope, or IT Relevant.)
1. Awareness
2. Data Overview 360 Degree
3. Privacy Statement
4. Individual Rights
5. List of Procedures
6. Consent
7. Children
8. Data Privacy Violations
9. PIA and DPbyD
10. Data Protection Officer
11. International
Step 4 of the 11 steps, Individual Rights: 99 GDPR Articles, e.g., the Six Rights of Individuals
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
Right of Access | Art. 15: • Information • Copy
Rectification | Art. 16: • Correction • Completion
Deletion | Art. 17: • Person responsible • 3rd party (to be forgotten)
Restrictions | Art. 18: • Restriction of processing • Blocking
Portability | Art. 20: • Extraction • Automatic transfer to 3rd party
Objections | Art. 21: • General • Direct marketing
LEGAL | One month deadline (Exception: able to be extended by two months)
LEGAL | Costs: data must be provided free of charge (Exception: misuse)
Anonymization drives efficiency and reduces costs when implementing GDPR requirements (Art. 5)
SAP & Natuvion Offer Features That Enable an Effective Data Governance Model
Natuvion simplifies the GDPR compliance process!
There are 99 GDPR articles and many technical SAP solutions. Natuvion simplifies the process by providing a roadmap of the steps you need to complete with the technical tools to expedite a data governance program.
Fields of Action
Fields of action and the corresponding approach:
• Comprehensive real data in project/test and training systems: test and project systems only with anonymous data; anonymization of training and testing systems
• Historical data in productive systems: delete historical data
• Extensive database of process execution: lock and implement continuous data management
• Customer requests to provide information: request for information about personal data
• Personal data after expiration of legitimation to be deleted
• Conformal use of approval and consent
• Structured, IT-supported processing (Coming Soon)
Tools:
• Natuvion DCS (data selection and data deletion)
• SAP ILM (data locking and data deletion)
• Natuvion TDA (pseudonymization of systems and data)
• Natuvion EDA (test data generation and duplication)
• SAP TDMS (pseudonymization of systems and data)
• Natuvion DDI (data information and search)
• SAP IRF (data information and search)
• SAP LT 2.0 (data selection and data deletion)
• SAP Archiving (data selection and data deletion)
• SAP ILM Decommissioning (system replacement)
• SAP Consent (collection and processing of consent)
• SAP RAL & SAP UI Logging (data access logging and monitoring)
• SAP UI Masking (data masking/blocking)
Deletion Article 17 – Customer M&A Example: Historical Data in Productive System
"Be Forgotten"
Art. 5 para. (1) e)
Identification of the data subject shall only be possible for as long as is necessary for the purposes for which it is processed.
Art. 17
The person concerned has the right to require the person responsible to immediately delete any personal data relating to him. The responsible person is obliged to immediately delete personal data.
• Fulfillment of purpose
• Revocation of consent
• Opposition to processing
• Unlawful processing (including children)
All relevant data must be deleted from the productive system. A pure "concealment" of the data is not sufficient.
Right to be Forgotten
Figure: SAP ERP/CRM/IS* Production IT-System holding the company codes (BuKrs) 0400 Business 1, 0600 Business 2, and 0800 Business 3; transfer of data at a change of service provider; Production IT-System holding 0800 Business 3; full historical data transfer to new service providers.
Technical Procedure | Depending on the project requirements, selective data erasure can be performed in three different variants.
Data Protection and Data Privacy – Cyber Security Week - ASUG/SAP/Natuvion
Variants 1-3: Selective Deletion
Variant 1: Big-Bang*
• Typing the data (key definition)
• Delete data with optimized performance (within 40 hours)
• Reorganization of the database
• Possibility of data recovery
Variant 2: Object
• Typing the data (key definition)
• Deleting the data with low process speed
• Object deletion with low performance
• Possibility of data recovery
Variant 3: Batch
• Step-by-step deletion of data on fixed dates
• Unique data typing
• Delete table type-oriented
• Delete with optimized performance
• Possibility of data recovery
*Big-Bang is the most effective erasure process. Deletion of data is generally possible in less than 40 hours.
Deletion Article 17 – Customer Approaches
Technical Procedure | Data erasure consists of a data shift and data erasure or clean-up powered by Natuvion's data conversion server.
Figure: Integrated system(s) SAP CRM/SAP ERP with company codes 1000 BUKRS, 2000 BUKRS, 3000 BUKRS, 4000 BUKRS. Step 1 Selection (3000 BUKRS selected), step 2 Logical Deletion (1000, 2000, 4000 BUKRS remain), step 3 Physical Deletion (1000, 2000, 4000 BUKRS remain). Project phases: BluePrint, Test 1, Test 2, GP, GL, Deletion.
Deletion Article 17 – Mass Data Decommissioning
Figure: Data Processing in Major IT Systems (Insurance/Energy/Banking/Telecommunications…). Systems shown: Archive System, Output Control, Contract-/Postal Control, CSS (Customer Self Services), ELKO Processing, SAP ERP (Classic/HR), SAP CRM, SAP ERP (Industry), SAP BW, SAP BO, Management of interests & acquisitions, Data Exchange, Credit Check, Mail gateway; each connection is marked A (Archive System) or P (Output/Print).
Deletion Article 17 – ILM Competency Center
SAP released a new Information Lifecycle Management feature. Natuvion has the first experienced consultants available via the ILM Competency Center.
The relevant data must be deleted from the productive system after completion of the event or after expiration of the deadline.
Standard Process of Contract Management (steps 1 to 4):
• Prospect management, acquire process, and credit check
• Contract management of an ongoing business relationship (billing, receivables management, claims management, etc.)
• Contract end and final settlement
• Contract initiation (initiation cancellation, change of tenant, and contract change)
Legend: A = Archive System, P = Output/Print
Information Lifecycle Management – Competency Center
New! SAP ILM Blocking & Deletion
Management of Retention Rules: Automated Data Storage and Destruction
• Data storage according to active rules.
• Destroy the data as soon as the retention time is reached.
• Data destruction directly from the database or the archive.
"Data Cluster" per Retention Period
• Generation of various archive files with the corresponding expiration date according to the defined retention period.
E-Discovery
• Search for information related to litigation.
Legal Hold
• Prevent early data destruction in legal cases.
• Simplified blocking and deletion of personal data.
• Functionality is based on SAP Information Lifecycle Management.
• With SAP ILM, business partner data can not only be blocked or deleted, but transactional data can also be destroyed.
Natuvion can support ASUG members exclusively with predefined templates and blueprints or implementation support via the Natuvion International ILM Competency Center.
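As an added illustration of the retention-rule, blocking and legal-hold logic described above (example code written for this page, not Natuvion or SAP ILM code), the following Python script evaluates a constructed set of records against retention rules: a record whose purpose has not ended stays active, a record past its end of purpose is blocked until its retention period expires, a legal hold prevents destruction, and records are grouped into one cluster per expiration date. The object types, record IDs and retention periods are constructed assumptions, not legal guidance.

```python
"""Retention rules, blocking and legal hold: added example, not SAP ILM code."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class RetentionRule:
    object_type: str
    retention_years: int  # how long to keep after the end of purpose


@dataclass(frozen=True)
class Record:
    record_id: str
    object_type: str
    end_of_purpose: date  # e.g. contract end and final settlement
    legal_hold: bool = False  # litigation hold: never destroy while set


# Constructed retention periods for the demo; real periods come from the
# applicable statutes, not from this script.
RULES: Dict[str, RetentionRule] = {
    "contract": RetentionRule("contract", 10),
    "prospect": RetentionRule("prospect", 1),
}


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiration_date(record: Record, rules=RULES) -> date:
    """Date on which the retention period for this record ends."""
    return add_years(record.end_of_purpose, rules[record.object_type].retention_years)


def decide(record: Record, today: date, rules=RULES) -> str:
    """ACTIVE:  purpose not yet fulfilled, normal processing.
    HOLD:    purpose ended, but a legal hold prevents destruction.
    DESTROY: retention period reached, destroy from database or archive.
    BLOCK:   purpose ended, retention period still running: keep but block."""
    if today < record.end_of_purpose:
        return "ACTIVE"
    if record.legal_hold:
        return "HOLD"
    if today >= expiration_date(record, rules):
        return "DESTROY"
    return "BLOCK"


def destruction_worklist(records: List[Record], today: date, rules=RULES) -> List[str]:
    """IDs that the automated destruction run may remove today."""
    return sorted(r.record_id for r in records if decide(r, today, rules) == "DESTROY")


def cluster_by_expiration(records: List[Record], rules=RULES) -> Dict[date, List[str]]:
    """Group records into one 'data cluster' per expiration date, the way an
    archive file per retention period would be built."""
    clusters: Dict[date, List[str]] = {}
    for r in records:
        clusters.setdefault(expiration_date(r, rules), []).append(r.record_id)
    return {d: sorted(ids) for d, ids in clusters.items()}


# Constructed sample records (not real customer data).
SAMPLE: List[Record] = [
    Record("C-1", "contract", date(2005, 12, 31)),
    Record("C-2", "contract", date(2012, 6, 30)),
    Record("C-3", "contract", date(2004, 1, 15), legal_hold=True),
    Record("P-1", "prospect", date(2019, 1, 1)),
    Record("P-2", "prospect", date(2017, 3, 1)),
]

if __name__ == "__main__":
    today = date(2018, 5, 25)
    for r in SAMPLE:
        print(r.record_id, decide(r, today), expiration_date(r))
    print("destroy today:", destruction_worklist(SAMPLE, today))
```

Run on May 25, 2018 the script blocks C-2 (retention runs until 2022), holds C-3 despite its retention having expired, and lists only C-1 and P-2 for destruction; the legal-hold check sits before the expiration check on purpose, so an e-discovery hold can never be overridden by the destruction run.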
Right of Access Article 15 – New! SAP IRF Generic Smart Search
Art. 15 "Right of access by the data subject": The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, if that is the case, access to the personal data plus other details.
Solution: "Information Retrieval Framework" – Generic Smart Search.
Extract of the risks/challenges of new transparency obligations starting in 2018
GDPR Art. 12 para. 3 (time limits) / GDPR Art. 13/14/15 (scope)
Figure: Average working time (days) for an information request under Art. 15 GDPR, energy supplier example (current), by calendar week (KW 36, KW 46, KW 03, KW 13, KW 26); values shown: 48, 19, 19, 59; average 41 days. Requests come from organizations or competitors and from single persons.
Retail customer = current processing time average 41 days. GDPR = one month with more complex reporting requirements.
1. Privacy policy statement must include stored/erased data: fine kit for supervisory authorities, associations, competitors, and affected persons.
2. Lack of implementation of a declared status quo: purpose of breach of conformity, high (personal) risk of liability.
3. Individual or organization requests information / requests data transmission: within one month, information and/or transmission must be provided.
4. Supervisory authority/court issues an ad-hoc order for implementation: immediate implementation of data protection conditions and requirements applies.
X. In the case of a delay, nonconformity, or incorrect answer: public disputes/announcement, monetary and sustainable impact, and reputation damage.
New in a NetWeaver patch: SAP Information Retrieval Framework – Generic Smart Search
Using SAP IRF together with Natuvion's blueprints and data models, quickly identify GDPR-protected personal data across heterogeneous landscapes.
Searching for Data
• The search can be carried out according to defined entry criteria (partner, customer, order, etc.).
• Data models can be stored in different versions and variants.
• The search can be performed centrally on all connected systems.
• The search jobs are executed asynchronously in the system.
Output of Results
• The executed search jobs persist the results in their own tables (possibly their own clients).
• This data will be deleted after the deadline.
• Result processing can be filtered and/or modified.
• Output of data in an ALV grid (SAP standard).
• Connection of other technologies possible (SAP Fiori, UI5, HCP).
• Form integration not standard.
Functionality Overview (SAP Standard Technology; Information Retrieval Framework - Blueprint & Data Models)
• Real-time data visibility across fragmented data sources.
• Base technology (SAP BASIS) is included in the license costs of SAP Business Suite.
• Data search for defined data models on all systems in SAP Business Suite.
• Connection of non-SAP systems and web services possible.
• Use of BASIS functionality "Generic Smart Search."
• Use of the ILM objects (table scope/grouping) and derivation of the reading paths.
• Rule-based search and exclusion of values/results.
Natuvion can support ASUG members exclusively either with predefined templates (data models), blueprints, and/or implementation support as a co-innovation development partner for IRF.
Anonymize & Pseudonymize with Natuvion's Certified "TDA"
1. Anonymize real data in project, test, and training systems so they are not relevant for GDPR.
2. Pseudonymize data in production to expedite GDPR processing.
No personal data may be held in SAP test or project systems. All test procedures must be carried out with anonymous data.
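As an added example for the anonymize/pseudonymize distinction just described (example code written for this page, not Natuvion's TDA or SAP TDMS), this Python script applies both transformations to constructed CRM and ERP sample rows. Pseudonymization uses a keyed HMAC, so the same business partner receives the same token in every table and joins still work, while the key held outside the system is the only way to re-identify; anonymization for test systems assigns surrogate values through a mapping that is discarded, so references still match inside the copy but nothing links back to the original data. The table and column names (PARTNER, BELNR), the sample rows and the demo key are constructed assumptions.

```python
"""Pseudonymization vs. anonymization of SAP-style tables: added example,
not Natuvion TDA or SAP TDMS code."""
import hashlib
import hmac
from typing import Dict, List, Tuple

Row = Dict[str, str]

# Constructed sample rows (not real data): a CRM partner table and an ERP
# invoice table that references the partner by its key.
CRM_PARTNERS: List[Row] = [
    {"PARTNER": "1000001", "NAME": "Anna Example", "EMAIL": "anna@example.org", "CITY": "Walldorf"},
    {"PARTNER": "1000002", "NAME": "Ben Sample", "EMAIL": "ben@example.org", "CITY": "Munich"},
]
ERP_INVOICES: List[Row] = [
    {"BELNR": "5100000001", "PARTNER": "1000001", "AMOUNT": "120.00"},
    {"BELNR": "5100000002", "PARTNER": "1000002", "AMOUNT": "75.50"},
    {"BELNR": "5100000003", "PARTNER": "1000001", "AMOUNT": "19.99"},
]

# Columns that directly identify a person. PARTNER is also the join key, so it
# must be transformed the same way in every table.
DIRECT_IDENTIFIERS = ("PARTNER", "NAME", "EMAIL")

# Assumed secret for the demo. In production the key would be kept outside the
# pseudonymized system (HSM or key vault); whoever holds it can re-identify.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 truncated to 128 bits.
    Same value + same key -> same token, so foreign keys keep matching."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize(rows: List[Row], key: bytes, fields=DIRECT_IDENTIFIERS) -> List[Row]:
    """Production-style pseudonymization: identifiers become keyed tokens,
    all other columns are left as they are."""
    return [
        {col: pseudonym(val, key) if col in fields else val for col, val in row.items()}
        for row in rows
    ]


def anonymize_landscape(tables: Dict[str, List[Row]], fields=DIRECT_IDENTIFIERS) -> Dict[str, List[Row]]:
    """Test-system anonymization: identifiers become surrogates assigned in
    first-seen order. One surrogate table is shared across all tables so
    references inside the copy still match; it lives only in this call and is
    dropped on return, so there is no key and no way back to the originals."""
    surrogates: Dict[Tuple[str, str], str] = {}

    def surrogate(col: str, val: str) -> str:
        if (col, val) not in surrogates:
            surrogates[(col, val)] = f"TEST-{col}-{len(surrogates) + 1:06d}"
        return surrogates[(col, val)]

    return {
        name: [
            {col: surrogate(col, val) if col in fields else val for col, val in row.items()}
            for row in rows
        ]
        for name, rows in tables.items()
    }


def referential_integrity(partners: List[Row], invoices: List[Row], key_col: str = "PARTNER") -> bool:
    """True if every invoice still points at an existing partner."""
    known = {row[key_col] for row in partners}
    return all(row[key_col] in known for row in invoices)


def leaks_original(tables: Dict[str, List[Row]], originals: List[str]) -> bool:
    """True if any original identifier value survives anywhere in the output."""
    values = {v for rows in tables.values() for row in rows for v in row.values()}
    return any(o in values for o in originals)


if __name__ == "__main__":
    prod = {"crm": pseudonymize(CRM_PARTNERS, DEMO_KEY), "erp": pseudonymize(ERP_INVOICES, DEMO_KEY)}
    test = anonymize_landscape({"crm": CRM_PARTNERS, "erp": ERP_INVOICES})
    for label, tables in (("pseudonymized", prod), ("anonymized", test)):
        print(label, "joins ok:", referential_integrity(tables["crm"], tables["erp"]),
              "leak:", leaks_original(tables, ["Anna Example", "1000001"]))
```

The check worth keeping from this script is the pair `referential_integrity` plus `leaks_original`: a copy that passes the first but fails the second is masked, not anonymized, and still falls under GDPR; a copy that passes the second but fails the first is useless for testing because the business processes no longer find their data.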
Sample of SAP System Landscape
Figure: SAP CRM Production (CRM), SAP ERP/IS Production (ERP), SAP CRM Devel. (CRM), SAP ERP/IS Devel. (ERP), SAP CRM Test (CRM), SAP ERP/IS Test (ERP), Project system (CRM), Training system (CRM), Project system (ERP), Training system (IS-U ERP), Sandbox system (CRM), Sandbox system (ERP).
Principles Article 5
Art. 5 - Principles relating to personal data processing
1. Personal data must be:
a) processed lawfully, fairly, and in a transparent manner in relation to the data subject ("lawfulness, fairness, and transparency");
b) collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall, in accordance with Article 83(1), not be considered incompatible with the initial purposes ("purpose limitation");
Typical Phases of Implementation
ASUG offer - Natuvion's Certified "TDA"
Phases: Concept (Scope) | Test Position (Test Environment) | Individualization (Tailoring Your Solution) | Go live (Start of Regular Operation)
Concept:
§ Introduction of data anonymization in the department and recording of additional requirements, if necessary.
§ Survey of relevant process, authorization, or UI adjustments.
Test Position:
§ Delivery of transport orders.
§ Carry out the necessary standard customizing.
§ Create rules and variants.
§ Display of additional functions or selection features.
Individualization:
§ Customizing as a coaching approach.
§ Development of customer-driven developments/tables.
§ Adaptation of variants.
Go live:
§ Test management § Test execution § Key user training § End user training § Go live § Stabilization § Certification of §9 German Federal Data Protection Act (optional)
Effort per phase (person days): 2-3 PD | 5 PD | 10-15 PD | 5 PD
ASUG Member: 2-3 PD | 3 PD | 3-2 PD | 3 PD
Project Duration: 6 to 10 Weeks
Customer Example Using TDA: Reduced Risk by Removing Non-Prod SAP Systems Out of GDPR Focus
Historical data in productive systems
After the processing of data, contracts, or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems.
(1) To be implemented
Extensive database of process execution
Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction.
(2) To be implemented
Customer requests to provide information
Requests for information about the affected persons concerning the storage and processing of their personal data. Information must be provided in a structured, electronic form with the following specifics: place, reason, and recipient, as well as duration of the storage/deletion criteria.
(3) To be implemented
Comprehensive real data in project/test and training systems
SAP test, training, and/or project systems are built on a complete copy of the production system. The access to data is possible at any time, extensively and partially depending on the authorization.
(0) To be implemented
Figure: customer figures shown on the slide: 64 / 3 / 1 company codes in system with verified legitimation; 77,000; 4,200,000; Change / Interested Persons / Inactive; 1,150,000; 400; With Supervision / Critical; currently about 120 p.a.; Access – dark figure; data surveys with legitimation to be verified (current year); right of access by the data subject (§ 15 GDPR); 1 / 20 / 3 companies; real data in secondary system (access restricted / restricted access / data anonymized): 16 / 42; 475,000 customers; Extensive / Limited / Anonym.
*Number of inquiries across all service providers currently cannot be determined.
*Change = Rejected bills of exchange and storage of data
Services for the preparation, planning, implementation, and monitoring of the EU GDPR
One Day Workshop: GDPR Road-Map and Prioritization for SAP System Landscapes. Special Opportunity for ASUG Members
During a one-day workshop, experts from Natuvion, along with a data protection expert, will examine and analyze the data protection law situation within your company's SAP system landscape. In addition, we work with you to develop a well-founded approach that will help you meet the most stringent legal requirements.
Contact Patric Dahse - [email protected]
Natuvion GmbH, Altrottstraße 31 | 69190 Walldorf, Fon +49 6227 73-1400, Fax +49 6227 73-1410
www.natuvion.com
Question and Answer
Patric Dahse, Managing Director (Geschäftsführer). Fon: +49 151 171 357 02, Mail: [email protected]
Patric Dahse, CEO/Founder, Natuvion Americas Inc., 19 W. 34th Street, Suite 1018, New York, NY 10001, USA. T +49 (0)6227.73-1400, F +49 (0)[email protected]
http://www.natuvion.com/en/north-america
Areas of expertise: § Data Protection & Privacy § SAP Transformation
Benjamin Spies, IT Lawyer, Partner, SKW Schwarz Rechtsanwälte, Wittelsbacherplatz 1, 80333 Munich, Germany. T +49 (0)89.28640-108, F +49 (0)[email protected]
Areas of expertise: § IT Law § Data Security Rights
Risks and Consequences of Non-Compliance with GDPR: Fines and Additional Consequences
1. Violation of Notification Requirement: fine risk increases as more rules are violated. Administrative fines: under current directives, certain violations can be fined up to 300k €. GDPR fines are up to 20,000,000 Euros ($23,138,200) or 4% of the annual global turnover of the company for the previous fiscal year, whichever is greater. An "incident" may be as severe as an actual data leak, or as simple as a justified complaint with the competent supervisory authority.
2. Imprisonment: up to two years imprisonment for data protection offenses.
3. Damage Claims: in case of a data breach, damage claims from data subjects can easily approach significant levels. The owners, shareholders, or members of a corporation can be held personally liable for corporate debts.
4. Failure of the Insurance: if the manager has not complied with the statutory provisions, an existing insurance will refuse to pay.
5. Damaged Reputation: could result from a data breach affecting customers, suppliers, and employees.
6. Communication of Personal Data Breaches: if data is transferred into the wrong hands, the data controller must warn the affected data subjects immediately in writing. If this involves disproportionate effort, there will be public communication.
Figure: Risk Assessment matrix (axes: Probability; Potential Negative Impact) with items 1 to 7 plotted. Fines may rise proportionately to reach the maximum GDPR fines compared to the current directive.