SAP Database and Data Management Portfolio/SAP GRC Solutions Ready for the GDPR, Ready for the Digital Economy Fast-Track Your Midsized Business for the Digital Economy While Addressing GDPR Requirements
2
Table of Contents 4 Defining Data Privacy for the Digital Age What Does This Mean for Your Business? GDPR Challenges and Opportunities How Can SAP Help? 6 10 Questions to Ask Yourselves About GDPR Readiness 7 Better Data Management Improves Business Outcomes Understand Where Personal Data Resides Understand How Personal Data is Processed Enhance Data Quality Take Charge of Your Master Data Address Data Retention and Deletion Requirements 9 Better Corporate Governance Improves Business Outcomes Streamline Access Control Enhance Control Monitoring Keep Personal Data Secure Manage Compliance Processes across the organization 11 Next Steps 3
Ready for the GDPR, Ready for the Digital Economy Explore How Solutions and Services from SAP and Our Partners Can Help You Prepare The deadline for enforcement of the General Data Protection Regulation (GDPR) is only a matter of months away, and businesses of every size will be affected. The severe financial penalties for non-compliance have been well publicized, yet the new regulation also represents a wider opportunity to transform the way you handle data and manage risk and compliance so that your organization is in better shape to compete in the digital economy. On the following pages, discover some of the ways that SAP and our partners can help our midsized customers to accelerate their digital transformation journey and address GDPR requirements along the way. DEFINING DATA PRIVACY FOR THE DIGITAL AGE Today s digital world is driven by data. All our actions, transactions and interactions whether via social media, smart devices or connected machines leave a trail of potentially exploitable personal information about our tastes, preferences and likely future behavior. This data explosion has raised new concerns about data privacy and security, and updated legislation was required to protect individuals from misuse of their personal data in this modern digital age. In response, the General Data Protection Regulation (GDPR) will be enforced from 25 May 2018 and has been described as one of the most far-reaching pieces of regulation ever. Although specifically designed to protect the data and fundamental privacy of all EU citizens, its reach is global. The GDPR applies to all companies processing personal data of individuals, who are in the EU, regardless of the company s location. The detailed requirements of the GDPR are well documented elsewhere, but in essence the regulation has increased focus on two key areas: individual rights and accountability. WHAT DOES THIS MEAN FOR YOUR BUSINESS? The GDPR will potentially affect every business that processes personal data, and not just the largest companies. At one end of the scale, this could be simply how you handle your internal employee data; at the other end, it could have dramatic and far-reaching effects on how you process and store customer data across multiple markets. Either way, your organization needs to be ready to show compliance in two key areas by the enforcement date and beyond. The first is the ability to deal effectively with individuals rights such as data rectification and erasure. The second is the new principle of accountability: demonstrating how compliance is achieved on an ongoing basis through documentary evidence. THE GDPR CHALLENGES AND OPPORTUNITIES The GDPR will have implications across the business and is not only an IT issue; it could affect everything from finance, HR, risk and compliance management, and security, to sales, marketing, and customer service. At SAP, we believe this is an opportunity to look at the bigger picture and view regulatory compliance within the wider context of digital transformation and the future direction of your business. Every organization needs to be fit for digital business to compete effectively. The requirements of the GDPR can therefore serve as a useful accelerator to harnessing the full value of your data by channelling resources into the right areas. Compliance is mandatory, but instead of thinking of the GDPR as an unavoidable cost, consider it as a valuable investment in your digital future. 4
HOW CAN SAP HELP? No matter where you are on your GDPR journey, SAP and our partners can help. We offer a wide range of integrated data management and governance, risk, and compliance (GRC) solutions that cover SAP and non-sap applications and work with your existing infrastructure investments to streamline and automate processes. As the clock ticks, we can also provide practical advice and guidance on assessing your current SAP landscape, and help you identify which solutions could have the greatest short-term impact on your GDPR compliance program. We cannot guarantee GDPR compliance, of course, as it is about more than software and you are responsible for adopting the measures you deem appropriate to achieve compliance. However, we can give you the tools and capabilities you need to accelerate your journey, automate compliance processes, and become a more agile digital business in better shape for longterm success. Browse the following pages to find out more. 5
10 Questions to Ask Yourselves About GDPR Readiness 1. Does the management team understand the potential impact of the GDPR? 2. Have you undertaken an information audit to document what personal data you hold, where it came from, and with whom you share it? 3. Have you reviewed your current privacy notices and planned any changes required? 4. Do your current procedures cover individual rights such as the deletion of personal data or its provision in a commonly used format? 5. Have you decided how you will handle GDPR data access requests? 6. Have you defined and documented the lawful basis for your data processing activity in the GDPR? 7. Have you reviewed how you seek, record and manage consent in line with GDPR requirements? 8. Do you need to put systems in place to verify individuals ages and obtain parental or guardian consent? 9. Do you have the right procedures in place to detect, report, and investigate data breaches? 10. Have you considered whether you need to formally designate a Data Protection Officer, and where the role will sit in your organization? 6
Better Data Management Improves Business Outcomes Simplify Your Compliance Efforts with End-to-End Data Management The successful digital business relies on information excellence. It follows that the more effectively you manage data across the organization, the more straightforward it will be to address your GDPR requirements. SAP offers a range of integrated enterprise information management (EIM) and data management solutions to help you understand, integrate, cleanse, manage, associate, and archive your data (see Figure 1). These solutions help you accelerate and scale your efforts to address GDPR requirements, and provide a strong foundation to address digital business needs such as workforce engagement, supplier collaboration, and improving customer experiences. UNDERSTAND WHERE PERSONAL DATA RESIDES The first step in any data management initiative is to understand the current state of your data. SAP Information Steward software combines data profiling, metadata, stewardship, and governance capabilities into a single solution that enables you to understand: What systems are collecting personal data What formats are being used for personal data How personal data is being categorized and tagged If personal data is accurate and consistent across sources UNDERSTAND HOW PERSONAL DATA IS PROCESSED The GDPR also requires companies to understand how personal data flows through business processes and applications. While most companies have business process models as part of their enterprise architecture, SAP PowerDesigner software enables you to reverse engineer and document the existing processes and data models. With a clear picture of how processes are actually running, even after years of customization, you can truly understand: What business processes are using personal data Whether those processes include third-party entities What applications support those processes If there are undocumented variant subprocesses ENHANCE DATA QUALITY Addressing GDPR requirements for rights to data access, rectification, portability, and erasure is much harder if there are no standards for formats and definitions used across the systems acquiring, processing, and storing personal data. SAP Data Services software provides best-in-class functionality for data integration, quality, and cleansing that helps you: Standardize formats to ensure consistency across systems Cleanse personal data to ensure accuracy Match and consolidate multiple records to simplify data management Implement checks during data entry to ensure quality and consistency over time TAKE CHARGE OF YOUR MASTER DATA To ensure data quality and consistency across your organization, consolidate and centrally govern your master data with the SAP Master Data Governance application. This single application simplifies management, reduces total cost of ownership, and enables you to: Consolidate master data from any SAP and non-sap system and create a single best record Centrally create and maintain master data across heterogeneous systems Leverage a verifiable audit trail of when, why, and by whom master data is changed Replicate master data across on-premise and cloud systems ADDRESS DATA RETENTION AND DELETION REQUIREMENTS While the GDPR has specific requirements around deletion of personal data, based on a legal basis for processing and individuals rights to erasure, other regulations require a legal hold of data for activities like tax reporting and e-discovery. The SAP Information Lifecycle Management (SAP ILM) component can help you simplify management of archiving, retention, and destruction of personal data to address the evergrowing, constantly evolving list of country and industry regulations. The software enables you to: Define appropriate policies and rules for archiving, deletion and retention that incorporate requirements from multiple regulations Setup access controls and encryption of archived data Reduce the cost and risk of data access and portability requests by automating data collection Maintain audit trails and reporting capabilities for documenting deletion of personal data 7
Figure 1: Solutions for Information Excellence and Compliance for SAP Throughout the Personal Data Lifecycle SAP Process Control application Use assessments and surveys for ownership, status, and data privacy impacts. Manage and monitor policies and controls. Governance, risk, compliance, and security solutions SAP Access Control application Control or block user access to sensitive data and business processes. Support compliant user provisioning. Business systems SAP Information Lifecycle Management component Retention, blocking, and deletion of sensitive data for ABAP -based SAP systems. Database and data management solutions SAP Data Services and SAP Information Steward software Tagging, profiling, and accuracy of personal data across landscapes. Acquisition Processing Archiving Deletion 46% Higher revenue growth for organizations that recognize information as a strategic key asset SAP Performance Benchmarking 8
Better Corporate Governance Improves Business Outcomes Simplify Compliance Efforts with End-to-End Governance, Risk and Control The GDPR isn t just about data management. Many of the articles in the regulation are related to business procedures associated with policies, controls, record keeping, and the accountabilities of different roles and entities. To avoid costly penalties, governance of policies, processes, and people must be clearly defined and documented. Just as the successful digital business relies on information excellence, it also relies on governance excellence. This requires a robust, consistent and holistic approach across the enterprise. Based on the three lines of defence model, SAP offers a range of governance, risk, and compliance (GRC) solutions that allow different parts of the organization to work together cohesively within an integrated framework. The solutions enable the organization to automate its risk, compliance, and audit management processes and to monitor the enforcement of policies and effectiveness of controls. This can greatly assist in addressing GDPR requirements as part of day-to-day business operations moving forward. STREAMLINE ACCESS CONTROL To meet GDPR compliance, you need to know who has access to your data. The SAP Access Control application automates the process of managing and validating user access to applications and data all with minimal support from IT. Automatically detect and remediate access-risk violations across SAP and non-sap systems Embed compliance checks and mandatory risk mitigation into business processes Automate reviews of user access, role authorizations, risk violations, and control assignments Create a comprehensive audit trail of user and role-based access control activities ENHANCE CONTROL MONITORING The GDPR also requires companies to continually monitor compliance and quickly respond to issues. The SAP Process Control application automates the monitoring of controls and policies and provides best-practice workflows for the notification of exceptions. This allows you to identify, prioritize and remediate any regulatory issues including GDPR and many other requirements quickly and effectively. Document policies and controls centrally and map them to all relevant requirements of the regulation Evaluate control design and operating effectiveness, and raise, track and remediate issues Perform automated, exception-based monitoring across heterogeneous application landscapes Improve accountability and decision-making with workflow sign-off and analytics KEEP PERSONAL DATA SECURE Secure data storage is a key GDPR requirement. Cyberattacks can come both from inside and outside the organization, and to react quickly and effectively, you need actionable information in real time. The SAP Enterprise Threat Detection application provides real-time security monitoring to help you protect the integrity of your critical business processes and prevent theft or manipulation of business data. Gather events from the landscape Evaluate attack-detection patterns React on critical alerts Gain an overview of the threat situation 9
MANAGE COMPLIANCE PROCESSES ACROSS THE ORGANIZATION Anyone in the Data Protection Officer (DPO) role will face the challenge of managing several systems across the landscape. With SAP Cloud Platform, customers can easily assemble the centralized DPO Cockpit that will allow the DPO to control all the relevant GDPR processes from consent capture and data-tagging, through privacy impact assessment to breach monitoring. 50% Decrease in audit cycle time with automated and continuous management of controls SAP Performance Benchmarking 10
Next Steps Ready for the Digital Economy, Ready for the GDPR: Explore How Solutions and Services from SAP and Our Partners Can Help To thrive in today s digital economy, organizations need the ability to sense, respond, learn, adapt and predict to meet and create customer demand in the moment of opportunity. Data is at the core of this digital transformation, and the GDPR provides a timely catalyst for improvement. In the previous pages, we have highlighted just some of the solutions available from SAP and our partners to help you get your business fit for the digital economy and fit for the GDPR. If you would like to find out more about the portfolio or discuss any of our solutions in more detail, please get in touch today or contact your local SAP Partner. 11
12
www.sap.com/contactsap 2017 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE s or its affiliated companies strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.