WHITE PAPER EU General Data Protection Regulation Compliance


Table of Contents

1. SAP is ready for GDPR
   1.1. Data Protection Processes
   1.2. Data Protection Thresholds
   1.3. Technical & Organizational Security Measures
   1.4. Supply Chain Compliance
2. SAP Products will be ready for GDPR
3. SAP Products support customer GDPR readiness

Summary

The General Data Protection Regulation (GDPR) is a far-reaching and comprehensive regulation that protects the individual rights of data subjects in the European Union (EU). SAP, our customers, our partners, and our competitors must all be ready to comply when it becomes effective in May. The GDPR replaces Data Protection Directive 95/46/EC and is designed to harmonize data privacy, processing, and monitoring laws across Europe. Stronger, more uniform rules on data protection mean citizens have more control over their personal data. Businesses worldwide will benefit from having just one set of rules for operating in the EU.

Of course, there are consequences for non-compliance with the new rules, and it is important to be aware of these in order to plan accordingly. Depending on the violation, companies can expect punitive fines for non-compliance. For example, a company could be fined up to €10 million or 2% of its annual global turnover for failures such as not having its records in order, not notifying the supervisory authority and the data subject about a breach, or not conducting an impact assessment. More substantial infringements carry heavier penalties: up to €20 million or 4% of an organization's annual revenue (whichever is greater).

Getting ready for GDPR compliance can be an opportunity for businesses of all kinds to re-evaluate their current processes and systems, and to drive digital transformation. Building compliance into processes and systems during this effort enables readiness for current and future market demands and requirements. Simply put, SAP implements internal processes to ensure our own GDPR readiness, and we offer many solutions for customers that support digital transformation, end-to-end data protection operations, and the ability to comply with the new legislation.

1. SAP is ready for GDPR

SAP's GDPR compliance readiness project is a global, cross-board effort. Our Data Protection and Privacy Office (DPPO) governs our approach, and IT Security ensures we protect data controlled by us and our customers.

[Figure: elements of SAP's GDPR readiness program: Data Protection Management System, Data Protection Agreements, Procedure Enrolment Tool, Process, Supply Chain Audits, GDPR Legal Standards, Thresholds, System, Education and Awareness, Data Protection Officer, Data Privacy, Technical Security Standards]

1.1. Data Protection Processes

GDPR applies to all companies processing personal data of data subjects in the European Union, regardless of the company's location. For this reason, SAP has developed and implemented a Data Protection Management System (DPMS). The DPMS ensures that we manage the complex requirements of data protection in a centralized and structured way. It covers technical and organizational measures and strictly follows an annual "Plan-Do-Check-Act" cycle that includes more than 150 audits each year.

SAP developed and implemented the Procedure Enrolment Tool (PET) to help teams meet the GDPR requirement that companies maintain a record of the data processing activities they are responsible for. Data Protection Stewards in all business units are trained to use the PET to ensure the proper enrolment, documentation, control, and maintenance of their procedures. This process supports GDPR compliance and creates business value, because it enables transparency, consistency, and replicability through central documentation and standardization.

1.2. Data Protection Thresholds

Our Data Protection Officer leads the Data Protection and Privacy Office. This team collaborates with all business areas to ensure that SAP complies with all relevant data protection laws, in every jurisdiction, wherever we do business. SAP's Data Protection Management System is annually certified by the British Standards Institute (BS10012), which describes the fundamentals for setting up and driving a data protection management system. The certificate, together with a comprehensive annual audit report, is available on our Cloud Trust Center website.

Our Intra-Group Data Protection Agreement is based on the EU Standard Contractual Clauses. It forms a legally binding agreement between SAP global entities, affiliates, and subsidiaries, and thereby provides a lawful mechanism for transferring personal data from within the EU and European Economic Area to outside it. It applies to transfers and processing of personal data, whether internal, external, or on behalf of customers, and provides baseline protection for cross-border personal data transfers.

1.3. Technical & Organizational Security Measures

The pillars of our strategy are security recommendations, regular checks, continuous monitoring, and employee awareness. Ongoing privacy education and awareness training gives all SAP employees access to the information they need to recognize and properly handle personal information on a day-to-day basis. The entire SAP workforce worldwide receives personalized training focused on data protection and information security.

Our technologies and processes are designed to protect computers, networks, and information, including personal data, from general cyber threats such as unauthorized access and disclosure, as well as from vulnerabilities and attacks by cyber criminals. Data protection and privacy standards are addressed at the systems level. Data protection is a corporate requirement from the SAP Board. Our major functional systems and operational processes ensure that SAP lines of business comply with GDPR requirements.

1.4. Supply Chain Compliance

For data transfers and processing between SAP SE and/or our global affiliates and subsidiaries, including processing data on behalf of customers, SAP has established an Intra-Group Data Protection Agreement. It provides a lawful mechanism to transfer personal data outside the EU/European Economic Area, based on the EU Standard Contractual Clauses. For data transfers to, and processing by, third-party sub-processors, we ensure that we are GDPR compliant by means of our Master Data Protection Agreement. Regular audits of our vendors also support our compliance strategy.

2. SAP Products will be ready for GDPR

The bottom line: SAP knows our customers need to operate our products in compliance with relevant national or regional legislation. We focus on providing DPP functionality to our customers, to support them in the operation of our products and services in compliance with applicable global legal requirements.

SAP's Cyber, Data Center, and Product Security standards for both on-premise and cloud software are among the most stringent in the industry. Our security strategy follows a holistic approach focusing on processes, technology, and people. The latest versions of SAP software feature enhanced and simplified Data Protection and Privacy (DPP) functionality, so customers will need to be running these versions to benefit from it. We encourage you to visit our Cloud Trust Center webpage. There you will find up-to-date general information about security, data protection, and compliance, along with current compliance certificates.

Some examples of our software's functionality that directly supports GDPR compliance are:

- Consent management mechanisms (if applicable)
- Information Lifecycle Management (if applicable)
- Reporting of personal data to an identified data subject
- Restricted access to personal data
- Masking of personal data
- Read access logging to special categories of personal data
- Change logging of personal data
- Simplified deletion of personal data

Our Data Protection and Privacy Corporate Requirements apply to everything we develop. The GDPR's concept of privacy by design and by default is therefore reflected in our internal and customer-facing products and solutions. Legal requirements have been translated into explicit DPP requirements in Product Standard Security. In addition, a Data Protection Compliance Evaluation (DPCE) needs to be performed to define measures that may help customers ensure compliance with the applicable DPP requirements.

Note: No single solution (or even single-vendor solution) can address all aspects and complexities of GDPR.

3. SAP Products support customer GDPR readiness

Meeting the standards of GDPR is not an isolated technical challenge. It is an opportunity to reshape operations and drive digital transformation across the organization. A holistic approach that weaves compliance into business operations and all elements of the data lifecycle is central to responding to GDPR. This includes overall governance; assessments and surveys; defining, implementing, and monitoring policies and controls; and managing access to personal data in a compliant way.

SAP does not provide legal advice; instead, we accompany customers through each step of the journey toward GDPR compliance as trusted partners. SAP's extensive set of solutions enables end-to-end governance and assurance through a central, unified framework, and helps govern and operationalize GDPR requirements. An SAP-supported GDPR Program supports both the protection and the creation of business value.

Protect Value:
- Respect laws and regulations
- Reduce losses and exposure to fines
- Reduce organizational and individual risk, link to business planning/mission
- Enhance reputation, talent retention
- Improve governance and internal controls
- Address user privilege administration

Create Value:
- Improve overall management and agility
- Release maintenance budget for development & innovation
- A smaller, better organized IT toolset

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein, as well as their respective logos, are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See for additional trademark information and notices.