SAP White Paper: GDPR

The Basics of GDPR
How the right HCM solutions can support your compliance journey

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

Table of Contents

Introduction and Objectives
Scope
Impact
Features of SAP SuccessFactors Solutions

In May 2016, the European Union (EU) adopted a newly harmonized data protection law called the General Data Protection Regulation (GDPR). As of May 25, 2018, the GDPR will be in force throughout all EU member states and in the European Economic Area. Any organization that collects or processes personal data of an individual within the Union is subject to this regulation, regardless of the organization’s location. While the GDPR does not introduce many substantially new concepts, it substantially increases the compliance requirements of data controllers and processors regarding their handling of personal data.

Introduction and Objectives

As a company, SAP is committed to ensuring compliance with the GDPR by May 25, 2018. We have been consistent in our approach to data protection as part of our general product standards, and we are now extending this approach to reflect new requirements of the GDPR. As you, our customers, prepare for compliance, we have summarized the changes introduced by the GDPR, the implications of these changes, and how SAP® product features can help you implement GDPR requirements.

The information contained in this document is for general guidance only and is provided on the understanding that SAP is not herein engaged in rendering legal advice. The responsibility to adopt appropriate measures to achieve GDPR compliance rests with your organization as controllers in terms of the GDPR, and SAP accepts no liability for any actions taken as response to this document. As such, it should not be used as a substitute for legal or professional consultation.

OBJECTIVES

The GDPR aims to harmonize data protection requirements across Europe into one single EU data protection regulation. It addresses corporate bodies governed by public and private law in their capacity of either controller or processor. The new law aims to protect the rights and freedoms of natural persons, to enhance data subjects’ confidence in organizations that hold or process their personal data, and to strengthen the EU’s internal market. To this end, the GDPR provides a uniform set of rules to govern the processing of personal data across the EU. The degree of EU-wide harmonization achievable by the GDPR is, however, restricted to the extent that the regulation contains opening clauses that allow EU member states to set out country-specific laws and requirements for specific data processing activities. These opening clauses, therefore, may result in applying additional rules and obligations for data controllers and processors.

Scope

MATERIAL SCOPE

The GDPR has a broad material scope covering the processing of personal data by automated means or in other structured form, including those intended for part of a filing system. The GDPR states that the regulation does not apply where natural persons process personal data exclusively during a purely personal, private, or household activity.

TERRITORIAL SCOPE

Likewise, the GDPR has a broad territorial scope and applies to any activities of a data controller or processor in the EU that comprise the processing of an individual’s personal data. Central to this is whether the controller or processor is located in the EU. The GDPR also applies to controllers or processors located outside the EU where the processing serves to offer goods or services to data subjects in the EU or to monitor the behavior of data subjects in the EU.

Impact

The GDPR introduces several new legal requirements that may substantially affect a controller’s or processor’s business. Therefore, each controller or processor must verify which GDPR obligation applies to them and must also ascertain how to implement the requirements accordingly.

GENERAL PRINCIPLES

In accordance with its general processing principles, the GDPR requires the processing of personal data to be lawful, proportionate, transparent, adequate, accurate, secure, confidential, limited in time and to designated purposes, and conducted in a responsible and accountable manner. This last point means applying appropriate security—including technical and organizational measures—to ensure integrity and confidentiality.

PERSONAL DATA

The GDPR explicitly defines what it means by the term personal data: any data that identifies or can be used to identify an individual. The term clearly includes metadata or other associated data such as IP addresses, cookies, or other identifiers that may trace back to an individual. The GDPR has broadened the known catalog of special categories of personal data to include genetic data, biometric data if used to uniquely identify a natural person, and data related to criminal convictions and offenses.

LAWFUL GROUNDS FOR PROCESSING

Processing personal data will be lawful only if one of the criteria for permission, as set forth in the GDPR, is met. In the absence of direct legal allowance, organizations need consent from individuals whose data is to be processed. This consent must cover all purposes for which the organizations (intending to process the data) collect and process the data and must allow for the individual’s right to withdraw consent at any time. This means that blanket consent or global consent is not valid for the processing of personal data.

The GDPR specifies what are considered lawful grounds for the processing of personal data. These are shown in Figure 1 and described below. These are good practices to follow regardless of whether an organization is subject to the GDPR. Regulations concerning data privacy and protection are ever evolving, and it is in your organization’s best interest to establish and maintain strict data privacy and protection policies. In the end, each organization must make its own interpretation of what it considers legal grounds for processing personal data. Chapter 2, Article 6, of the GDPR describes the lawfulness of processing as follows:

Processing shall be lawful only if and to the extent that at least one of the following applies:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes

• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

• Processing is necessary for compliance with a legal obligation to which the controller is subject

• Processing is necessary in order to protect the vital interests of the data subject or of another natural person

• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Figure 1: Lawful grounds for processing personal data. The six grounds shown are: consent; contract; legal obligation; protection of vital interests; public interest; legitimate interest.

ACCOUNTABILITY

The GDPR aims to improve accountability of those processing personal data and increase transparency of the data being processed. Despite its similarity in substance and structure to the current data protection legislation, the GDPR will take a much tougher line in helping enforcement. Penalties for noncompliance are remarkably high, including administrative fines of up to €20 million or 4% of an enterprise’s global annual revenue, with potential damage claims and other legal liability risks designed to incentivize companies to enhance internal structures and processes to comply with the regulation.

DATA PROTECTION BY DESIGN AND BY DEFAULT

Under the terms of the GDPR, organizations must deliberately build in privacy, and both systems and processes have to adopt privacy by default. Organizations are obligated to ensure that the processing of personal data is for a specific purpose, and the organizations must demonstrate that data protection is at the heart of their IT framework and solution design.

TECHNICAL AND ORGANIZATIONAL SECURITY

Organizations are also obligated to implement all necessary technical and organizational measures to ensure a level of security appropriate to the risk of the processing for the data subjects. It is therefore necessary that the organization analyzes its internal IT asset landscape to identify and map data flows. This will help to ascertain the appropriateness of the security framework.

DATA SUBJECT RIGHTS

Organizations should be guided by the concept that the individual should know and always be able to identify what personal data is processed, by whom, for what purposes, and over what period of time. Thus, data controllers will need to actively provide certain general and specific information; this is in accordance with the GDPR’s revised concepts of data portability and the individual’s rights to access, refuse or object, or be forgotten. Organizations involved in processing personal data will therefore require robust internal processes with designated roles.

DATA GOVERNANCE

With an onus to clearly show customers, data subjects, and regulators that they are GDPR compliant, organizations must implement a host of systemic measures to reduce the risk of violation. Complexity grows when organizations need to keep track of every purpose for which personal data is being processed and when they need to ensure that all individuals have given their consent for each data processing use case. These measures must be built into existing IT infrastructures. Depending on the outcome of a data protection risk assessment, organizations should take measures to help maintain compliance. Such measures include the appointment of a dedicated data protection officer (DPO), the execution of privacy impact assessments (PIAs), and the adoption of regular audit procedures.

DATA RETENTION VERSUS DATA DELETION

Business systems, such as human capital management (HCM) systems, contain combinations of a multitude of records on both employees and other individuals, such as job applicants and contractors. A company’s HCM system may, for example, store data related to job applications, payroll records, training history, compensation history, retirement plans, health information, and so on. Over time, a company’s HCM system will accumulate a considerable number of records, many of which contain personal information related to individuals.

The GDPR requires organizations to remove any personal data from their systems once this data is no longer needed for the course of business. You must do this, for example, when an employee leaves the company (including any transfer of employment to an affiliated company). In other cases, an employee may simply revoke their consent to a special data processing activity. At the same time, personal data obtained may still be lawfully processed on other legal grounds or be an integral part of records that are subject to retention times of 5, 10, or even 30 years. In such cases, the company needs to determine how to best store that data so it is not unnecessarily accessed but can still be retrieved by authorized parties.

DATA PROTECTION AS A PART OF LEGAL COMPLIANCE

Data protection requirements are only one subset of compliance requirements faced by a company. Data protection requirements need to be aligned with other applicable requirements, including tax legislation or industry-specific laws. Retention requirements are the best example. If more specific legislation defines that certain records, including personal information, need to be kept for 30 years, deletion of this data is not allowed. Organizations need to analyze their business processes with regard to all applicable legislation, and establish the appropriate technical and organizational measures to achieve and maintain compliance.

ROLE OF SAP PRODUCTS

As mentioned previously, SAP has been consistent in our approach to data protection as part of our general product standards. We are extending this approach as related to the new requirements of the GDPR as well as improving existing standards.

Therefore, our company is committed to achieving GDPR compliance by May 25, 2018. In tandem, we are committed to developing and further improving our products to help you, our customers, meet GDPR requirements to the best of your ability.

Development measures include the ongoing enhancement of already existing product features as well as the implementation of new requirements.

If configured properly, SAP software products can help your controllers comply with certain GDPR obligations. This is because SAP products (as a digital platform and from a solutions perspective) are designed to help ensure the consistency and accuracy of data across systems. SAP solutions provide layers of assurance, appropriate technical and organizational measures – such as pseudonymization and encryption – and a management system of standards and best practices. All these strategies help protect fundamental rights and freedoms of natural persons as stated under the GDPR.

Features of SAP® SuccessFactors® Solutions

We will now look more specifically at how features of SAP SuccessFactors solutions can support your organization’s journey toward GDPR compliance. We will examine this functionality by looking at the lifecycle of personal data.

We can view the lifecycle of data—including personal data—as comprising three phases: the “active” phase, during which the data is processed for its intended purpose; the “retention” or “blocked” phase, during which the data should not be actively processed but can be displayed for specific reasons; and the “end-of-use” phase at the end of the data’s applicable retention period. (See Figure 2.) SAP SuccessFactors solutions provide robust data protection features for all three phases.

Each organization needs to define for itself what it classifies as personal or “sensitive” data (such as special categories of personal data). Therefore, we plan to offer configuration options for SAP SuccessFactors solutions to mark data elements as personal or sensitive. Classifying data elements as personal or sensitive will facilitate blocking, deleting, and reporting on personal or sensitive data.

Figure 2: Personal data lifecycle
Active: data processed for its intended purpose
Retention: data displayed or processed for specific purposes only
End of use: data purged

ACTIVE DATA PHASE

During the phase when you actively need personal data in an HCM system, your company typically uses it for processes such as time tracking, payroll, and performance management.

READ LOGGING AND REPORTING

SAP SuccessFactors solutions log every read access to sensitive data, regardless of the channel used to read the data (for example, user interface, API, exports, or reporting). SAP plans to create a report for this information. The goal is to allow authorized users to run a report that shows the personal data that was read for a specific data subject or personal data that was read by a specific user.

CHANGE LOGGING AND REPORTING

Any changes made to personal data (including corrections) are automatically tracked in SAP SuccessFactors solutions. The SAP SuccessFactors Employee Central solution, for example, captures all changes made to personal data by default. You can define yourself whether or not to track changes to metadata framework (MDF)-based objects. The software tracks all changes regardless of the channel used to make the change (user interface, API, or imports).

SAP plans to create a “change log report” that will display all changes made to personal data in the format “before value” and “after value.” We plan for the software to provide additional information depending on the functional subarea to explain the context of a change. The goal is to allow authorized users to run a report that shows changes to sensitive data for a specific data subject or changes to sensitive data by a specific user.
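The property that makes read and change logging useful as evidence is that the log does not depend on the channel: the user interface, an API client, and an import job all pass through the same access layer, so a report per data subject or per user is complete. The following Python model, added here as an illustration and not code from SAP SuccessFactors, shows that structure. Every read of a sensitive field and every change to any personal-data field is recorded with "before" and "after" values, and two report functions filter the log by data subject or by acting user. The field classification, user names, and values are constructed sample data.

```python
"""Channel-independent read and change logging for personal data (added example).

Hypothetical model, not SAP SuccessFactors code: the only way to touch a record
is read() or change(), so the log is the same whatever channel called it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed classification: fields whose reads are logged ("sensitive").
SENSITIVE_FIELDS = {"salary", "health_info", "bank_account"}


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    actor: str                     # user who performed the access
    subject: str                   # data subject whose record was touched
    field_name: str
    channel: str                   # "ui", "api", "import", "export", "report"
    action: str                    # "read" or "change"
    before: Optional[str] = None   # changes only
    after: Optional[str] = None    # changes only


class PersonalDataStore:
    """In-memory store whose every access goes through one logged layer."""

    def __init__(self, records: dict):
        self._records = {s: dict(fields) for s, fields in records.items()}
        self.log: list = []

    def _append(self, **kwargs) -> None:
        self.log.append(LogEntry(when=datetime.now(timezone.utc), **kwargs))

    def read(self, actor: str, subject: str, field_name: str, channel: str) -> str:
        value = self._records[subject][field_name]
        # Read logging covers sensitive fields, regardless of channel.
        if field_name in SENSITIVE_FIELDS:
            self._append(actor=actor, subject=subject, field_name=field_name,
                         channel=channel, action="read")
        return value

    def change(self, actor: str, subject: str, field_name: str,
               new_value: str, channel: str) -> None:
        # Change logging covers every personal-data field, regardless of channel.
        before = self._records[subject].get(field_name)
        self._records[subject][field_name] = new_value
        self._append(actor=actor, subject=subject, field_name=field_name,
                     channel=channel, action="change", before=before, after=new_value)

    def report_by_subject(self, subject: str, action: Optional[str] = None) -> list:
        """Everything read from or changed on one data subject's record."""
        return [e for e in self.log
                if e.subject == subject and (action is None or e.action == action)]

    def report_by_user(self, actor: str, action: Optional[str] = None) -> list:
        """Everything one user read or changed, across all data subjects."""
        return [e for e in self.log
                if e.actor == actor and (action is None or e.action == action)]


def demo() -> PersonalDataStore:
    """Constructed scenario: the same record touched through three channels."""
    store = PersonalDataStore({
        "emp-1001": {"name": "A. Example", "salary": "52000", "city": "Berlin"},
    })
    store.read("hr.user", "emp-1001", "salary", channel="ui")
    store.read("payroll.api", "emp-1001", "salary", channel="api")
    store.read("hr.user", "emp-1001", "city", channel="ui")        # not sensitive: no read log
    store.change("hr.user", "emp-1001", "salary", "54000", channel="import")
    store.change("hr.user", "emp-1001", "city", "Munich", channel="ui")  # changes always logged
    return store


if __name__ == "__main__":
    for e in demo().report_by_subject("emp-1001"):
        print(e.action, e.actor, e.field_name, e.channel, e.before, e.after)
```

The two report functions correspond to the two questions the page says the planned reports should answer: what was read or changed for a given data subject, and what a given user read or changed. Because the store rejects any access path other than `read()` and `change()`, an export or report channel cannot bypass the log.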

PERMISSIONS

SAP SuccessFactors solutions offer a comprehensive permission control, called role-based permissions (RBPs), to help keep personal data secure. With RBPs, you can set up a very fine-grained authorization concept following the “need to know” principle, including the ability to define separate permissions for displaying, changing, and deleting data. You should regularly confirm that the rationale to grant permissions still applies.

The main elements of RBPs are permission roles and permission groups.

• Permission role controls the access rights that an employee or group of employees has to the application or employee data. RBPs allow you to grant a role to a specific employee, a manager, a group, or all employees in the company.

• Permission group is used to define groups of employees who share specific attributes. You can use various attributes to select the group members – for example, a user’s department, country, or job code. Groups can be static or dynamic.

• How are roles and groups related? While roles define what is allowed, the groups define who is allowed to do it (granted users) and for whom (target users).
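The separation described above (a role says what is allowed; a granted group says who; a target group says for whom) is what makes a fine-grained, deny-by-default check possible. The Python model below is an added illustration, not SAP SuccessFactors code, and its employees, groups, roles, and attribute names are constructed. It encodes display, change, and delete as separate permissions, lets a role be restricted to current (non-historical) data, supports static and dynamic groups, and attaches a rationale with a review date to each assignment so that the "does this grant still apply?" check can be automated.

```python
"""Role-based permissions model: roles say what, groups say who and for whom.

Added example, not SAP SuccessFactors code. All names and attributes are
constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Flag, auto
from typing import Dict, FrozenSet, List


class Action(Flag):
    DISPLAY = auto()
    CHANGE = auto()
    DELETE = auto()


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    country: str
    job_code: str


@dataclass
class PermissionGroup:
    """Static member list and/or dynamic attribute criteria; 'everyone' matches all."""
    name: str
    members: FrozenSet[str] = frozenset()
    criteria: Dict[str, str] = field(default_factory=dict)
    everyone: bool = False

    def contains(self, emp: Employee) -> bool:
        if self.everyone or emp.user_id in self.members:
            return True
        return bool(self.criteria) and all(
            getattr(emp, attr) == value for attr, value in self.criteria.items())


@dataclass
class PermissionRole:
    name: str
    field_actions: Dict[str, Action]   # what may be done, per field
    current_only: bool = False         # no access to historical records


@dataclass
class RoleAssignment:
    role: PermissionRole
    granted: PermissionGroup           # who may act
    target: PermissionGroup            # on whose data
    rationale: str                     # why this grant exists
    review_by: date                    # when the rationale must be re-confirmed


def is_allowed(assignments: List[RoleAssignment], actor: Employee, target: Employee,
               field_name: str, action: Action, historical: bool = False) -> bool:
    """Deny by default; allow only if some assignment grants the action."""
    for a in assignments:
        if not (a.granted.contains(actor) and a.target.contains(target)):
            continue
        if historical and a.role.current_only:
            continue
        allowed = a.role.field_actions.get(field_name)
        if allowed is not None and action in allowed:
            return True
    return False


def overdue_reviews(assignments: List[RoleAssignment], today: date) -> List[str]:
    """Assignments whose rationale has not been re-confirmed in time."""
    return [f"{a.role.name}->{a.target.name}" for a in assignments if a.review_by < today]


# Constructed sample data.
ALICE = Employee("alice", "HR", "DE", "HR-PAY")
BOB = Employee("bob", "ENG", "DE", "ENG-MGR")
CAROL = Employee("carol", "ENG", "DE", "ENG-DEV")
DAVE = Employee("dave", "ENG", "FR", "ENG-DEV")

HR_DE = PermissionGroup("hr_de", criteria={"department": "HR", "country": "DE"})      # dynamic
EMPLOYEES_DE = PermissionGroup("employees_de", criteria={"country": "DE"})            # dynamic
BOBS_TEAM = PermissionGroup("bobs_team", members=frozenset({"carol"}))                # static
BOB_ONLY = PermissionGroup("bob_only", members=frozenset({"bob"}))                    # static

PAYROLL_ROLE = PermissionRole("payroll_admin",
                              {"salary": Action.DISPLAY | Action.CHANGE, "name": Action.DISPLAY})
MANAGER_ROLE = PermissionRole("line_manager",
                              {"salary": Action.DISPLAY, "name": Action.DISPLAY},
                              current_only=True)

ASSIGNMENTS = [
    RoleAssignment(PAYROLL_ROLE, HR_DE, EMPLOYEES_DE, "DE payroll processing", date(2024, 12, 31)),
    RoleAssignment(MANAGER_ROLE, BOB_ONLY, BOBS_TEAM, "compensation review", date(2023, 6, 30)),
]

if __name__ == "__main__":
    print(is_allowed(ASSIGNMENTS, ALICE, CAROL, "salary", Action.CHANGE))
    print(overdue_reviews(ASSIGNMENTS, date(2024, 1, 1)))
```

Two points worth noting in the check: the target group limits the payroll role to German employees, so the same role grants nothing for an employee in France; and the manager role's current-only restriction turns a display permission into a denial as soon as the request concerns historical records.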


PERSONAL DATA REPORTING

There may be cases in which you need to report on personal data stored within the SAP SuccessFactors solution for a specific data subject. For example, an (ex-)employee might request a copy of all their personal data stored in the HR system, for what purpose the data is being used, and how long it will be retained. SAP plans to develop an “information report” to display this information. The report is designed to be associated with specific permissions to help ensure only authorized persons can run the report. The goal is for the system to also track when the report was run, by whom, and whether it was downloaded.

RETENTION DATA PHASE

Once there is no longer a business need to process personal data, it is advisable to delete – or at least restrict – access to it to minimize risk of data loss or breach. There may be cases where you no longer need to actively process the personal data but need to retain it for compliance reasons. Retention periods include legal, regulatory, contractual, or statutory retention requirements. The blocking and deletion of personal data in business software tends to be complex. This is largely due to the number of retention regulations that need to be taken into account, but also because the same data is used for different processes by different users. When restricting the use of personal data, you may need to consider not just the kind of data, but the “age” of the data. For example, performance feedback is not effective-dated, but it does have a validity for a specific year (that is, performance is evaluated for a calendar year).

BLOCKING

You can use blocking to restrict access to historical personal data within a retention period that is still in the system. In some cases, one role may need to still have access to the data, while you may block access for another role. RBPs in SAP SuccessFactors solutions already have the option to restrict the permissions for a role to the current data only (that is, no historical records). Planned enhancements for RBPs include the ability to define a time period for which the history should be visible, including the ability to define different intervals of time restrictions based on country as well as employee status (active/inactive). This is needed because different countries may have different rules about how long certain data can be accessed.

MASKING

You can use masking to hide (or mask) field contents on the user interface. If data is masked, it will be displayed as asterisks (********* [Click to View]) to the user. Only in the case when the user explicitly clicks on the masked field will it be displayed. You can switch on masking per field, which helps you not expose personal or even sensitive data by default.

Note: You can use field-level permissions to restrict the access to specific fields as well.

END-OF-USE PHASE

The cost of data storage continues to decline. This tends to discourage organizations from investing in effort to remove data that is no longer needed. Nevertheless, organizations are legally obliged to delete personal data at the end of the applicable retention period.

DATA PURGING

Purging personal or sensitive data when it is no longer needed for business purposes is a good risk management strategy – and one of the requirements of the GDPR.

SAP SuccessFactors solutions offer a “data retention management” tool that enables you to purge obsolete data and inactive users from SAP SuccessFactors solutions. You can create business rules to specify exceptions or dependencies, as well as an approval workflow for oversight of data purge requests. SAP plans to enhance the existing data retention management tool so that you can flexibly define retention configuration by time period and country for each data retention object at a minimum. Each product within the SAP SuccessFactors solutions may offer additional criteria to define purge rules, such as division, department, location, and so on.

When executing a data purge request, the software will check for dependencies in all components and purge the data accordingly. The purge configurations are provided at the functional object level, and you can group multiple purge objects into a data retention group. You can configure retention times at data retention group level based on different parameters – such as country level and employee data type (active/inactive).
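The three lifecycle phases introduced earlier (active, retention, end-of-use), the blocking of historical data for roles that may only see current records, and the purge rules just described (retention times per data retention group, parameterised by country and employee status, with dependency checks before anything is deleted) fit together into one decision procedure. The Python model below is an added illustration of that procedure and is not SAP SuccessFactors code; the retention group, rules, record layout, and dates are constructed. A record's phase follows from the date its business need ended plus the most specific retention rule that matches; retention-phase records are displayed only to roles allowed to see history; and the purge plan removes end-of-use records except those still referenced by a record that is not itself being purged.

```python
"""Lifecycle phase, blocking and purge planning for personal-data records.

Added example, not SAP SuccessFactors code. Group, rules and records are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

ACTIVE, RETENTION, END_OF_USE = "active", "retention", "end_of_use"


@dataclass(frozen=True)
class RetentionRule:
    country: str          # ISO code or "*" for any country
    employee_status: str  # "active", "inactive" or "*"
    years: int


@dataclass
class RetentionGroup:
    name: str
    objects: FrozenSet[str]     # purge objects bundled in this group
    rules: List[RetentionRule]

    def retention_years(self, country: str, status: str) -> int:
        """Most specific matching rule wins (country+status > country > status > default)."""
        best, best_score = None, -1
        for r in self.rules:
            if r.country not in ("*", country) or r.employee_status not in ("*", status):
                continue
            score = (2 if r.country != "*" else 0) + (1 if r.employee_status != "*" else 0)
            if score > best_score:
                best, best_score = r, score
        if best is None:
            raise LookupError(f"no retention rule for {country}/{status} in {self.name}")
        return best.years


@dataclass(frozen=True)
class Record:
    record_id: str
    subject: str
    object_type: str
    country: str
    employee_status: str
    business_end: Optional[date]                # None while still needed for business
    depends_on: FrozenSet[str] = frozenset()    # record ids this record references


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                          # 29 February, non-leap target year
        return d.replace(year=d.year + years, day=28)


def phase(rec: Record, group: RetentionGroup, today: date) -> str:
    if rec.business_end is None:
        return ACTIVE
    end = add_years(rec.business_end, group.retention_years(rec.country, rec.employee_status))
    return RETENTION if today < end else END_OF_USE


def can_display(rec: Record, group: RetentionGroup, today: date, role_sees_history: bool) -> bool:
    """Blocking: retention-phase data is shown only to roles permitted to see history."""
    p = phase(rec, group, today)
    return p == ACTIVE or (p == RETENTION and role_sees_history)


def plan_purge(records: List[Record], group: RetentionGroup, today: date) -> FrozenSet[str]:
    """End-of-use records of the group, minus any still referenced by an unpurged record."""
    in_group = [r for r in records if r.object_type in group.objects]
    candidates = {r.record_id for r in in_group if phase(r, group, today) == END_OF_USE}
    purged: set = set()
    changed = True
    while changed:                  # iterate to a fixpoint so chains of references resolve
        changed = False
        for rid in candidates - purged:
            referrers = [r for r in records if rid in r.depends_on and r.record_id not in purged]
            if not referrers:
                purged.add(rid)
                changed = True
    return frozenset(purged)


# Constructed sample data.
TODAY = date(2024, 6, 1)
PAYROLL_GROUP = RetentionGroup("payroll", frozenset({"payroll", "bank_details"}),
                               [RetentionRule("*", "*", 5), RetentionRule("DE", "*", 10)])
BANK_CAROL = Record("bank-carol", "carol", "bank_details", "DE", "inactive", date(2012, 3, 31))
PAY_CAROL_2011 = Record("pay-carol-2011", "carol", "payroll", "DE", "inactive",
                        date(2012, 3, 31), frozenset({"bank-carol"}))
PAY_CAROL_2016 = Record("pay-carol-2016", "carol", "payroll", "DE", "inactive",
                        date(2017, 1, 31), frozenset({"bank-carol"}))
PAY_DAVE = Record("pay-dave-2020", "dave", "payroll", "FR", "inactive", date(2021, 1, 15))
PAY_ERIN = Record("pay-erin", "erin", "payroll", "DE", "active", None)
RECORDS = [BANK_CAROL, PAY_CAROL_2011, PAY_CAROL_2016, PAY_DAVE, PAY_ERIN]

if __name__ == "__main__":
    for r in RECORDS:
        print(r.record_id, phase(r, PAYROLL_GROUP, TODAY))
    print(sorted(plan_purge(RECORDS, PAYROLL_GROUP, TODAY)))
```

In the sample, the bank details record for carol is past its retention time, but a payroll record from 2016 that is still within its ten-year German retention period references it, so the purge plan removes only the 2011 payroll record and keeps the bank details until the referencing record itself reaches end of use. That is the dependency check the page describes, expressed as a rule rather than a manual exception.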

DATA PORTABILITY AND EXPORT

Under GDPR, data controllers across all industry sectors will be required to provide personal data to individuals—or even directly to competitors—in a structured, machine-readable format. For more information on this requirement, see also the Article 29 Data Protection Working Party guidelines on the right to data portability.

SAP SuccessFactors solutions already make all personal data for a data subject available for reporting.

You can download and export reporting data, for example, in .CSV and .XLS format.

MORE INFORMATION

Contact your partner.

For information on GDPR and SAP, go to www.sap.com/gdpr.

For further information on data privacy and protection at SAP, view www.sap.com/security.

You can reference the full text of the General Data Protection Regulation (Regulation (EU) 2016/679).

vQ417 © 2017 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

www.sap.com/contactsap