
SAP Industry Guide: SAP® Customer Data Cloud from Gigya

SAP Guide to Addressing GDPR Requirements for Customer Data Management

© 2018 SAP SE or an SAP affiliate company. All rights reserved.

Table of Contents

2 Table of Contents

4 To Prepare for the GDPR, Think "Privacy by Design" Best Practices

5 About the General Data Protection Regulation (GDPR)

6 Customer Data Takes Hold

6 Trust – or Bust

7 Privacy by Design

8 What Is the Potential Impact of the GDPR?

8 On Business

8 On IT Infrastructure

10 Understanding Compliance – At a Glance

10 Consent Management

10 Customer Data Control

10 Data Localization

10 Social Compliance

10 Data Protection and Privacy Laws and Regulations

12 The SAP Customer Data Cloud Supports Compliance with Many Regulations

13 Understanding GDPR Compliance – By the Numbers

13 Article 7: Customer Consent

14 Article 15: Right of Access by the Customer

15 Article 16: Right to Rectification

15 Article 17: Right to Be Forgotten

16 Article 18: Right to Restriction of Processing

16 Article 28(3)(g): Deletion of Inactive Data

16 Article 35: Data Protection Impact Assessment (DPIA)

17 Article 8: Conditions Applicable to a Child's Consent in Relation to Information Society Services

18 More Regional Data Protection and Privacy Laws

18 Data Localization

18 Russia

18 China

19 In Conclusion

At nearly 300 pages, the General Data Protection Regulation (GDPR) is a mountain of complex regulation that businesses must climb to survive. This summary and guide will show you how the SAP® Customer Data Cloud from Gigya can help you plan your best route to the top.

Topics covered: right to be forgotten, right to export, notification management, consent management, fair processing, cross-border practices, defining PII.

To Prepare for the GDPR, Think “Privacy by Design” Best Practices

You may have noticed that the topics of data protection and privacy and IT security are no longer limited to the back office. As corporate strategy becomes increasingly reliant on digital technologies, consumer data has become the chief currency of business in a marketplace where customer experience is edging out price and even product quality as the prime differentiator for brands. But many consumers harbor a growing wariness about how and why businesses are using their personal information.

For example, a 2017 survey by Gigya, now part of SAP, involving more than 4,000 adults in the United States and the United Kingdom, turned up some important insights into people’s feelings about online security as well as data protection and privacy, including these statistics:

• Sixty-eight percent of respondents don’t trust brands to appropriately handle their personal information, such as name, email, location or marital status

• Sixty-nine percent of respondents are worried about device security and privacy risks with increased adoption of Internet of Things (IoT) devices

• Seventy percent of respondents use seven or fewer passwords across their many online accounts, indicating poor password hygiene habits

Governments, regulators, voters and consumer advocates across the globe are demanding an overhaul of consumer protection laws, resulting in a wave of data protection and privacy legislation that is changing the game for the digital enterprise. The most notable of these decrees is the European Union's General Data Protection Regulation (GDPR).

Chart: more than two-thirds of consumers don't trust brands with their personal information (concerned: 68%; the remaining respondents are split between "neither" and "unconcerned", 21% and 11%).

About the General Data Protection Regulation (GDPR)

This comprehensive document has robust enforcement mechanisms and was created with input from multiple EU member states. It was also influenced by massive lobbying efforts by many non-European companies not established in the union but nonetheless within the scope of the regulation's application. The GDPR was designed not only to standardize data protection and privacy practices across the EU, but to influence how countries outside the EU design their own legislation around data protection and privacy. Importantly, the GDPR applies not only to data captured and processed by EU-based businesses, but also to any organization outside the EU that processes personal data of individuals who are within the EU, irrespective of citizenship, in connection with offering goods or services. The regulation is in effect as of May 25, 2018.

What's Changed?

The regulation represents a fundamental shift in the balance of rights and obligations between consumers and businesses. There are a number of elements to consider, including broader definitions of personal data and extended rights for consumers in terms of data portability, the right to be forgotten, requirements to notify customers – as well as authorities – of data breaches, and higher standards for obtaining and managing consent.

Businesses in the UK are subject to the GDPR during the Brexit process, after which the Information Commissioner's Office has set expectations that whatever replaces the law will be "essentially equivalent."

While significantly larger fines apply when companies are not in compliance, the main intention of the regulation is about giving consumers control over their personal data.

PII Versus Personal Data – A Broader Definition

Personally identifiable information (PII), a commonly used term in North America, refers to a relatively narrow range of data such as name, address, birth date, Social Security number and financial information such as credit card numbers or bank accounts. Personal data, in the context of the GDPR, covers a much wider range of information, and includes any information relating to an identified or identifiable natural person, or "data subject". The definition includes all tracking data that enables the identification of consumers. For example, the aspect of "indirect identification" means that data gathered using cookies could be considered personal data. Also included in the definition are social media posts, photographs, lifestyle preferences and transaction histories, and IP addresses.

Customer Data Takes Hold

Enterprise customer data management solutions can be considered important to help businesses address their obligations under the GDPR. For years, most online marketing was done anonymously, marketing to IP addresses – not individuals – using tracking cookies, behavioral targeting networks, and data management platforms, without the use of consumers' personally identifiable information.

Under the GDPR, the definition of "personal data" is expanded to include attributes not traditionally considered PII. More importantly, the conditions for consent are expanded to include obligating businesses to obtain unambiguous and verifiable consent from their customers for the processing of their personal data.

Addressing these requirements usually falls outside the core competencies of systems designed to manage anonymous, third-party data. This is driving a new trend in digital strategy, with businesses leveraging advanced customer data management solutions to encourage consumers to identify themselves online in transparent and fair exchanges of value for information, under conditions of trust and security. Leading solutions also enable businesses to maintain all customer information in one place, while addressing GDPR requirements to keep granular records on consumers' consent and preferences.

To address the requirements of laws and regulations that vary by region, customer data management providers are offering holistic and strategic solutions for:

• Presenting transparent terms, data privacy policies, and requests for permission to receive marketing communications or to take part in custom marketing activities

• Creating records of captured preferences and consent and maintaining version control of these records throughout the customer lifecycle, in order to satisfy audit requests

• Ensuring that consumer preferences are enforced accurately across every downstream service and application involved in permission-based processing of consumer data

Trust – or Bust

While it's clear that customer identity is now the core of digital marketing, it's important to bear in mind that identity is not binary. Today's savvy and mobile customers are free to engage with brands from a growing range of devices and channels, but overall are searching for convenience, value and consistency. The new customer journey can begin at any time or place, and certainly doesn't end at purchase or conversion.

This is why the most successful businesses are incentivizing engagement by offering value propositions such as premium content or exclusive promotions to online visitors and ensuring that, once converted, customers can easily edit, amend, delete, and freeze processing of their personal data, or rescind theirconsenttostoreanduseit.

The SAP Customer Data Cloud from Gigya enables businesses to progressively build and manage rich customer identities and relationships throughout the entire buyer lifecycle. Our solutions help clients address GDPR requirements and mitigate the risk of noncompliance by providing a centralized system for managing customer data across all marketing channels and devices.

Privacy by Design

The SAP Customer Data Cloud includes three integrated products: SAP® Customer Identity, SAP Customer Consent, and SAP Customer Profile. These cloud-based software products provide customer registration, login, preference, and consent management, often across multiple digital properties, in order to build rich, permission-based customer profiles. These profiles can be used for both profile and consent management, enabling businesses to control all of their consumers' personal data in a transparent and centralized manner across many sites and apps. In order to do this consistently and at massive scale, these solutions employ a set of technical, strategic, and design principles known as "privacy by design."

Privacy by design, a collection of data protection and privacy best practices (as defined at the end of this document), is built into the registration-as-a-service (RaaS) feature in SAP Customer Identity. It is also woven through our technical implementation and product design and taught to our clients as foundational principles by our SAP Expert Services team. Privacy by design elements include consent management strategy, data auditing, data extraction, data deletion, and freezing of data processing.

Using these principles, the SAP Customer Data Cloud can help businesses address many of the requirements of the GDPR and other data protection and privacy regulations. These best practices are based on self-assessments from clients' legal and business teams. They are important in delivering transparency and control to customers when collecting and processing their personal data, and building trusted and long-term brand engagement and, ultimately, better relationships between businesses and their customers.

Privacy by Design: Seven Foundational Principles

• Proactive not reactive; preventive not remedial

• Privacy as the default setting

• End-to-end security – full lifecycle protection

• Visibility and transparency – keep it open

• Privacy embedded in design

• Full functionality – positive-sum not zero-sum

• Respect for user privacy – keep it user-centric

What Is the Potential Impact of the GDPR?

On Business

This regulation has a range of requirements that significantly impact organizations, but the component most likely to draw attention from the C-suite is the provision on penalties and fines. In a stark departure from previous data protection and privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy steep fines of up to €20 million or 4% of annual revenue, whichever is higher.

On IT Infrastructure

Are You Agile Enough?

Understanding how customers' personal data is stored and processed across your entire digital ecosystem likely requires a deep assessment of your technology stack to determine whether your system is flexible enough to consistently obtain, track, and accurately report on customers' profile, preference, and consent data. Importantly, this must be done across every channel, device, and stage of the buyer journey, and across every marketing, sales, and service application processing customer data. Ask yourself if your current customer data management solution has the agility to manage new deployments that address GDPR requirements and that optimize customer experience. For example:

• Can you add new attributes to registration and login forms and the associated back-end components in a consistent and timely fashion?

• Do you have a detailed audit trail that you can easily query to confirm opt-ins on e-shops, portals, and apps?

• Do you have enhanced and intuitive preference centers that allow self-service access for customers to view, edit, download, delete and freeze processing of their personal data?

• Can you effectively govern and orchestrate customer data across downstream applications to maintain accurate consent settings across channels?

By the numbers:

• Potential fines as a percentage of global turnover: 4%

• Core individual rights afforded under the GDPR: 7

• Hours given to report a data breach: 72

• Cost of 4% fine to a company with $500 million turnover: $20 million

• Estimated number of new data protection officers required in Europe [1]: 8,000

• Countries potentially in scope of regulation: 190+

• New requirements in the GDPR: 80+

[1] Source: International Association of Privacy Professionals: https://iapp.org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/

Are You Fully Connected?

Large, cloud-driven technology stacks have a lot of downstream dependencies for any changes made to a self-service customer profile. For example, whether a customer wants to opt out of a newsletter on your Web site, the terms of service change for your mobile app, or for any number of other actions for which the GDPR requires consent to be obtained, mechanisms must be in place to notify every applicable downstream application so they always reflect the current state of the profile. Ask yourself these questions:

• Are you storing customer consent – wherever it is given – in a centralized way?

• Do you have mechanisms in place for downstream notifications – such as flexible ETL functionality and customizable WebHooks – to enable bidirectional syncing of consent across every marketing, sales and service application in both batch mode and real-time, depending on the application?

Are You Fully Unified?

If your profile and consent data exists in silos – such as email service providers, customer relationship management systems, or data management platforms – with no easy way to send or receive notifications about changes to profiles or preferences, it's hard to know if you're in compliance and also easy to fall out of compliance without warning. It's also a challenge to fully understand your customers' cross-channel journeys, and perhaps impossible to govern and orchestrate data across your entire digital ecosystem. This is often the case for businesses that have not yet implemented dedicated customer data management solutions.

For example, ask yourself:

• Do you maintain one profile database for subscription management in your ESP solution and another for your CRM platform? Are you able to easily synchronize these records and do you have a single source of truth for the data they use?

• Are you using your DMP to drive media activation and optimization with third-party data?

• Are all these attributes consistently unified to provide an accurate view of each customer's consent and preferences across the business?

Understanding how customers' personal data is stored and processed across your entire digital ecosystem will likely require a deep assessment of your technology stack to determine whether your system is flexible enough.

Understanding Compliance – At a Glance

Let's look into key considerations when assessing data protection and privacy and compliance for the GDPR and a broad range of other regulations around the globe.

Consent Management

Should consent be determined to be the lawful basis for processing personal data, the GDPR requires that any mechanism for obtaining consent from consumers arguably goes far beyond current practices. Businesses must allow customers to easily modify their consent preferences.

Some of the preference management functions of SAP Customer Consent include:

• Storing consent and specific terms of service (TOS) version number at the time of consent

• The ability to prompt customers to re-grant consent if TOS change

• Detecting a customer’s age and preventing site or application registration if they are under the legal age of consent

• Triggering parental consent to accept customers below a minimum age

Customer Data Control

The GDPR requires businesses to give individuals control over their personal data, including the ability to view, freeze, download and delete their personal data, on their own terms and from any device.

SAP Customer Consent features a self-service preference center that gives consumers:

• The ability to easily update, export, and delete their profile and preference data

• The ability to freeze or deactivate their accounts

Data Localization

Regional data localization laws, such as the Russian Federation's Personal Data Protection Act, generally require companies collecting personal data of citizens in that country to process and store that personal data within the country. The SAP Customer Data Cloud helps clients address such laws with regional data centers in Europe and North America, as well as in Australia, China, and Russia.

Social Compliance

Social networks such as Facebook and Twitter have legal terms applicable to businesses when they implement social login on their digital properties. For example, upon each login, businesses are required to keep the customer's profile in sync with profile and preference data on each social network. The SAP Customer Data Cloud can be used to:

• Manage TOS for more than 25 social networks and other identity providers

• Synchronize personal data in real time between social networks and customer profiles

• Delete nonpublic data, according to customer permissions

Data Protection and Privacy Laws and Regulations

A number of other data protection and privacy regulations and laws around the world may be applicable to businesses with respect to their customers' personal data. The SAP Customer Data Cloud is designed to help businesses address the requirements of these various laws and regulations with respect to data privacy and personal data.

Anti-Spam Regulations

Regional anti-spam laws have various opt-out requirements regarding various marketing activities. The SAP Customer Data Cloud is designed to:

• Provide default support in the SAP Customer Identity registration-as-a-service user interface for opt-in and opt-out options, as well as custom support for opt-down

• Enable businesses to configure country-specific custom rules for each digital property

• Help businesses address the anti-spam requirements of various countries by offering registration, login, and preference management screens that can be configured to include specific opt-in functionality

Children's Privacy

SAP Customer Identity features registration and authentication functions that allow businesses to prompt online visitors to confirm their age and that can prevent registration if the individual is below the legal age of consent in their country. Also supported is auto-deletion of users below a particular age.

Accessibility Compliance

SAP Customer Identity allows businesses to use out-of-the-box workflows that allow visually impaired users to navigate online processes using only their keyboards to address some of the requirements of the Web Content Accessibility Guidelines (WCAG) and the Americans with Disabilities Act (ADA).

Healthcare Compliance

The SAP Customer Data Cloud is compliant with the HIPAA security rule and HIPAA privacy rule, as well as with HIPAA breach notification requirements. Our company maintains a Business Associate Agreement (BAA) document for HIPAA-governed clients such as hospitals and doctor's offices.

The SAP Customer Data Cloud Supports Compliance with Many Regulations

Regulation – Region

• GDPR – EU

• COPPA – US

• Data Residency – RU, CN

• Privacy Shield – EU-US

• Privacy Bill of Rights – US

• Various Anti-Spam Acts – CA, US, EU

• Web Content Accessibility Guidelines – Global

• Health Insurance Portability and Accountability Act – US

Understanding GDPR Compliance – By the Numbers [2]

Article 7: Customer Consent

Consent

Consent must be explicit and unambiguous and must be obtained for each different processing activity.

How the SAP Customer Data Cloud can help

The registration forms available through SAP Customer Identity are 100% customizable with UI builder, extensible markup language, or direct API access, allowing clients to obtain separate instances of consent in order to provide:

• A lawful basis for processing (consent)

• Data privacy policy and TOS adherence

• Marketing and account preferences

Consent Documented

Businesses must provide records of the customer's consent, including the conditions under which each customer has given their consent and the specific purpose for which consent was obtained. For example:

• When creating new accounts: A customer clicks a register now button, creates a new account and clicks to accept TOS

• When reaccepting updated TOS: A customer visiting a digital property is checked for the validity of their consent settings and prompted to reaffirm their consent if required

• When opting in or out: A customer clicks into "My Account" and makes changes to his or her profile information, subscription or communication preferences, or privacy settings

How the SAP Customer Data Cloud can help

To manage evidence of consent across the entire customer journey, SAP Customer Consent obtains and stores first-party metadata with registration forms, including for the intended use of data.

[2] Disclaimer: The material contained in this document is for general information purposes only and does not constitute legal or other professional advice. Specific legal advice should be sought on any particular matter including but not limited to GDPR. Any and all information is subject to change without notice. No liability whatsoever is accepted by SAP or the SAP Customer Data Cloud from Gigya for any action taken in reliance on the information in this document.

Right to Withdraw Consent

Customers must be able to easily withdraw consent for the collection or processing of their personal data at any time.

How the SAP Customer Data Cloud can help

With our customer data management solutions in place, customers can quickly and easily access their profile, preference, and consent settings at any time to change or withdraw consent. All profile, preference, and consent settings are stored securely in an audit-ready vault so that clients can prove that explicit consent was collected for the purpose of processing their personal data. Additionally, our integrations with downstream technologies enable customers' personal data and preferences to be bidirectionally synchronized. This means that any changes to profile and preference settings on third-party applications are reflected on customers' profiles in the SAP Customer Data Cloud as well, centralizing consent and preference enforcement.

Article 15: Right of Access by the Customer

Customers must be able to view, export and edit their personal data and preferences, as well as current and previously consented-to terms of service, data privacy policies and marketing activities at any time. Also, customers have the right to be provided with information about all personal data stored by the applicable businesses.

How the SAP Customer Data Cloud can help

Our clients can enable their customers to view and edit all of their personal data and preference and consent settings through customizable profile screens. This includes data collected by the SAP Customer Data Cloud, as well as information from client-requested integrations between third-party solutions and our products.

Article 16: Right to Rectification

Customers must be able to easily change their profile information and preference and consent settings, or correct inaccurate information stored by any business on their behalf. Customers must also be able to request that changes be made to their profiles, preferences and consent settings by the business on their behalf, in a reasonable amount of time and through a simple communication method such as email.

How the SAP Customer Data Cloud can help

Our solutions provide profile update forms and a self-service preference center to enable customers to edit their profile, preference, and consent settings and marketing opt-ins. A client administrator can also update this information on the customer's behalf through our admin console using the identity access tool. In addition, our integrations with downstream applications are bidirectional, updating customer records with any consent settings initiated by third-party platforms.

Article 17: Right to Be Forgotten

Customers have the "right to be forgotten" – that is, have their personal data erased by the business – for reasons that include:

• The information is no longer necessary in relation to the purposes for which it was originally collected

• The customer withdraws consent for the activity upon which the processing is based

• The customer objects to the purpose of personal data processing and the business cannot provide compelling, legitimate grounds to continue doing so

• The customer’s personal data was collected or processed unlawfully

• The customer’s personal data must be erased in order to comply with a legal obligation of that person’s country of origin

How the SAP Customer Data Cloud can help

Our solutions feature delete mechanisms for customer profiles, easily accessed by registered customers. Console administrators can also delete profiles upon customers' request.

If a customer chooses to delete his or her account, the request is captured and stored in the SAP Customer Consent audit log. SAP Customer Profile can then synchronize the request with downstream applications using customizable WebHooks and flexible ETL functionality.

Article 18: Right to Restriction of Processing

Customers have the right to request that businesses freeze processing of their personal data for any of the following reasons:

• The customer contests the accuracy of their personal data, in which case, processing of the customer’s personal data must cease for the period required to verify the accuracy of the information

• Personal data processing is deemed unlawful and the customer requests that their data be frozen rather than deleted

• The business is no longer processing the customer’s personal data, but the customer requires that the personal data continue to be stored by the business to establish, exercise or defend legal claims

• The customer has objected to processing of their personal data. In this case, the personal data should not be processed while the business's grounds for processing are verified as either legitimate or illegitimate

Businesses are also required to inform the customer before beginning the processing of personal data after a restriction is lifted.

How the SAP Customer Data Cloud can help

Our clients can easily tag individual profiles as inactive when their customers request to have their accounts frozen. In this case, login is prevented automatically and tagged customers can be filtered out of any processing activity.

Clients can leverage customizable WebHooks and ETL functions to help ensure that profiles are updated on third-party solutions as well.

Article 28(3)(g): Deletion of Inactive Data

The GDPR requires that businesses purge a customer's personal data if the customer deletes their profile, or if that profile has been inactive for a predetermined amount of time. All copies of such data must be purged as well, unless otherwise specified by law. Associated data must also be purged from any third-party technologies, such as CRM or ESP solutions.

How the SAP Customer Data Cloud can help

When a customer's account has been inactive for a predetermined amount of time, or if a customer chooses to delete their account information, that data is automatically purged from the SAP Customer Profile database after a contractually mandatory 60-day period using scripts that can be customized by clients.
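As an added illustration (not SAP's code) of the consent handling described for Articles 7, 17, 18 and 28(3)(g) above, the Python below keeps a small consent ledger that binds each consent to the TOS version in force, detects when re-consent is needed after the TOS change, keeps restricted and deletion-pending profiles out of processing, and purges inactive or deleted profiles only after a grace period while retaining the audit trail. All names, events, the "marketing_email" purpose and the 365-day retention period are assumptions; the 60-day grace period is the guide's figure.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed illustration, not SAP code: the names, events and the "marketing_email"
# purpose are hypothetical; the 60-day grace period is the one figure taken from the guide.
@dataclass
class Consent:
    purpose: str                      # processing activity the consent covers
    tos_version: str                  # TOS version in force when consent was given
    withdrawn_at: Optional[datetime] = None

@dataclass
class Profile:
    uid: str
    last_active: datetime
    consents: List[Consent] = field(default_factory=list)
    restricted: bool = False                          # Art. 18: processing frozen
    deletion_requested_at: Optional[datetime] = None  # Art. 17 / Art. 28(3)(g)

class ConsentLedger:
    """Current profile state plus an append-only audit trail of every change."""
    def __init__(self, current_tos: str, retention_days: int, grace_days: int = 60):
        self.current_tos = current_tos
        self.retention, self.grace = timedelta(days=retention_days), timedelta(days=grace_days)
        self.profiles, self.audit = {}, []  # uid -> Profile; append-only event list

    def _log(self, uid: str, event: str, at: datetime, **detail) -> None:
        self.audit.append({"uid": uid, "event": event, "at": at.isoformat(), **detail})

    def grant(self, uid: str, purpose: str, at: datetime) -> None:
        # Consent is bound to the TOS version the customer actually saw at that moment.
        p = self.profiles.setdefault(uid, Profile(uid=uid, last_active=at))
        p.consents.append(Consent(purpose, self.current_tos))
        p.last_active = at
        self._log(uid, "consent_granted", at, purpose=purpose, tos=self.current_tos)

    def withdraw(self, uid: str, purpose: str, at: datetime) -> None:
        for c in self.profiles[uid].consents:          # stamp, never delete: keeps evidence
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = at
        self._log(uid, "consent_withdrawn", at, purpose=purpose)

    def has_valid_consent(self, uid: str, purpose: str) -> bool:
        # Valid only if not withdrawn and granted under the TOS version now in force.
        return any(c.purpose == purpose and c.withdrawn_at is None
                   and c.tos_version == self.current_tos for c in self.profiles[uid].consents)

    def needs_reconsent(self, uid: str) -> List[str]:
        # Purposes with live consent that predates the current TOS: re-prompt the customer.
        live = {c.purpose for c in self.profiles[uid].consents if c.withdrawn_at is None}
        return sorted(p for p in live if not self.has_valid_consent(uid, p))

    def set_restricted(self, uid: str, restricted: bool, at: datetime) -> None:
        self.profiles[uid].restricted = restricted
        self._log(uid, "restricted" if restricted else "restriction_lifted", at)

    def request_deletion(self, uid: str, at: datetime) -> None:
        self.profiles[uid].deletion_requested_at = at
        self._log(uid, "deletion_requested", at)

    def processable(self, purpose: str) -> List[str]:
        # UIDs a downstream job (ESP, CRM, ...) may process for this purpose right now.
        return sorted(uid for uid, p in self.profiles.items() if not p.restricted
                      and p.deletion_requested_at is None and self.has_valid_consent(uid, purpose))

    def purge(self, now: datetime) -> List[str]:
        # Flag idle profiles past retention, erase flagged ones past grace; audit keeps the uid.
        for p in self.profiles.values():
            if p.deletion_requested_at is None and now - p.last_active > self.retention:
                p.deletion_requested_at = now
                self._log(p.uid, "inactive_flagged", now)
        purged = sorted(uid for uid, p in self.profiles.items()
                        if p.deletion_requested_at is not None
                        and now - p.deletion_requested_at >= self.grace)
        for uid in purged:
            del self.profiles[uid]
            self._log(uid, "purged", now)
        return purged

def demo() -> dict:
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    def day(n): return t0 + timedelta(days=n)
    ledger = ConsentLedger(current_tos="v1", retention_days=365)
    for uid in ("alice", "bob", "carol", "dave"):
        ledger.grant(uid, "marketing_email", t0)
    ledger.withdraw("dave", "marketing_email", day(1))     # Art. 7: consent withdrawn
    ledger.set_restricted("bob", True, day(1))             # Art. 18: processing frozen
    ledger.request_deletion("carol", day(2))               # Art. 17: erasure requested
    out = {"processable_v1": ledger.processable("marketing_email")}
    ledger.current_tos = "v2"                              # terms of service change
    out["needs_reconsent"] = ledger.needs_reconsent("alice")
    out["processable_v2"] = ledger.processable("marketing_email")
    ledger.grant("alice", "marketing_email", day(3))       # alice re-grants under v2
    out["processable_regranted"] = ledger.processable("marketing_email")
    out["purged_day62"] = ledger.purge(day(62))    # carol: 60 days after her request
    out["purged_day500"] = ledger.purge(day(500))  # the rest are flagged as inactive
    out["purged_day560"] = ledger.purge(day(560))  # and erased once the grace period ends
    out["carol_audit"] = [e["event"] for e in ledger.audit if e["uid"] == "carol"]
    return out
```

Note that after the TOS change nobody is processable until consent is re-granted under the new version, and that a purged profile leaves only its uid and event history in the audit trail.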

Article 35: Data Protection Impact Assessment (DPIA)

The GDPR requires that a data protection impact assessment (DPIA) be conducted by data controllers for any processing of data "likely to result in a high risk," in accordance with 10 criteria established in draft guidelines.

Figure: account deletion flow – the customer requests account deletion; the instruction and account data are synchronized via IdentitySync; the customer account is marked "toBeDeleted"; the SAP Customer Data Cloud application deletes the customer data.

The DPIA process is designed to describe data processing, assess the necessity and proportionality of that processing, and help manage risks to the rights and freedoms of natural persons resulting from the processing of personal data, by assessing those risks and determiningmeasurestoaddressthem.

The DPIA should be carried out prior to any data processingthatmatchesthecriteria.Theassessment can be conducted in house or by a third-party consultant, but the data controller is ultimately responsible and must also seek the adviceofadataprotectionofficer(DPO)beforeany applicable systems begin processing personaldata.

How the SAP Customer Data Cloud can helpWhile conducting the DPIA is the obligation of the data controller, the SAP Customer Data Cloud cansupporttheeffortbystoringthemetadatareturned from the DPIA as attributes on customer accounts, including which application is processing and storing personal data for each customer identity, as well as the key associated withthatidentity.Inthisway,oursolutionscanhelp DPOs align customer data with appropriate consentmechanismsandsettings.Thisalsohelps businesses address GDPR requirements for the right to be forgotten, the freezing and deletion of accounts, and deactivation of accountsafterasetperiodofinactivity.

For example, once a request for account deletion is initiated by the customer through the SAP CustomerProfilescreen,aprocess(eitherWebHook or ETL platform) delivers the request to appropriate systems – such as marketing automation platforms or CRMs – along with data fieldsfromthemetadatalayerderivedfromtheDPIA.It’salsopossibletoinitiateareal-timeAPIcallto connected systems once a successful response isreturnedbytheWebHookorETLprocess.

ARTICLE8:CONDITIONSAPPLICABLETOACHILD’SCONSENTINRELATIONTOINFORMATIONSOCIETYSERVICESThe GDPR prohibits businesses from collecting and processing the personal data of minors without the expressconsentofaparentorguardian.Theregulationdefinestheageofconsentas16withintheEuropeanUnion,andnotbelow13elsewhere.Businessesarerequiredtomakereasonableeffortsto verify the age of online users before processing theirdata,takingintoaccountavailabletechnology.

HowtheSAPCustomerDataCloudcanhelpOurclientsareabletoconfiguretheirimplementations to ask an online visitor’s age and prevent registration if that person is below thelegalageofconsentintheircountry.SAPCustomerProfilecanalsosupportauto-deletionofusersbelowaparticularage.Additionally,ourclients can include parental consent forms on theirregistrationandloginscreens.


[Map: SAP Customer Data Cloud data center regions: North America, Europe, Russia, China, Australia]

More Regional Data Protection and Privacy Laws

Data Localization

A number of countries, notably China and Russia, have data localization regulations, which generally require that personal data of their citizens collected in their respective countries be processed and stored within their national borders. Along with data centers in the United States, Europe, and Australia and New Zealand, the SAP Customer Data Cloud more recently added the following data centers to support evolving data localization requirements:

China

The SAP Customer Data Cloud opened a cloud-based data center in Shanghai in April 2017. Personal data stored in China remains separate from that stored in our other four data centers. Personal data is replicated in real time between two separate data centers within China, and each server role operates in a cluster to eliminate a single point of failure. The Chinese data center is compliant with ISO 27001, ISO 27018, SOC 1, and SOC 2.

Russia

To help its clients address Russia's requirement to store and process its citizens' personal data within that country's borders, the SAP Customer Data Cloud opened a primary Russian data center in 2016.

A Global Footprint

All our data centers operate with fully redundant capacity and incorporate disaster recovery capability at a regional level. Our world-spanning data infrastructure helps our large digital enterprise clients drive complex, multinational strategies while keeping up with a constantly evolving regulatory landscape.


In Conclusion

By enacting the GDPR, the European Union is reflecting the will of consumers to decide if, when and how their personal information is collected by businesses and used to drive revenue.

Our products, implementation methodology, and approach are built on privacy by design principles. Our goal with each rollout of our enterprise-class solution is to create flexible, scalable and secure customer data management solutions for our clients. We want to enable them to use our products' features and functionality to help address GDPR requirements. We also want to help them provide transparent and seamless experiences to their customers, to build lasting trust that pays off in lifelong brand loyalty.

We created this guide to show you how the SAP Customer Data Cloud can help you address GDPR requirements. We want you to know that when it comes to meeting regulatory requirements for collecting and managing customers' personal data, we are here to help. We can act as your customer data management advisors on your journey toward GDPR compliance, from planning, to implementation, to ongoing strategy for every new deployment in your future.

To learn more about the SAP Customer Data Cloud, visit cx.sap.com/customer-data-cloud


SAP Guide To Addressing GDPR Requirements-Industry Guide-enENG (18/06)

cx.sap.com


© 2018 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

See www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.