GDPR in SAP, June 2017, Igor Gregurec

Agenda
- GDPR rules
- GDPR compliance approach
- Example SAP solutions for GDPR compliance
- Lifecycle of personal data
- Fines and trends
The New EU Data Protection Rules
Since May 2016, an EU Regulation and a Directive govern the protection of personal data. The Regulation (the GDPR) entered into force on 24 May 2016 and applies from 25 May 2018. The Directive entered into force on 5 May 2016, and EU Member States must transpose it into national law by 6 May 2018.

GDPR is one of the most far-reaching pieces of regulation ever. Provision must be made for the following:
- An independent Data Protection Officer (DPO) with oversight of compliance, cyber security and business procedures
- A stated purpose for each data processing activity, plus a lawful basis for it
- Data protection impact assessments, with prior consultation of the supervisory authority for high-risk processing
- Data protection by design and by default
- Information notices and policy implementation
- Data breach notifications
- Data retention and consent requirements, and the right to erasure
- Restrictions on profiling (especially automated decision-making)
- Data portability in a machine-readable format
- Data protection audits
1. Data Tagging, Delete, Retention & Blocked Access
Personal data is securely deleted, or archived with blocked access, after employees have left the company or following a data subject's request (e.g. withdrawal of consent).
- ILM: tagging of SAP data across environments, deletion, secure archives
- PowerDesigner (PD): tagging of non-SAP data across environments
- Tagging of personal data
- Deletion of SAP data; documenting the systems and procedures for deletion of non-SAP data
- Archiving of SAP data for legal purposes with retention periods; documenting the systems and procedures for non-SAP data
- Safe (separate, managed, blocked) storage of archived data
Based on Information Lifecycle Management, PowerDesigner and Process Control

2. Processing and Storing of Personal Data, Data Privacy Rights - Lawful Basis
Data privacy includes the following rights of the natural person (the data subject):
- Their data may only be processed if one of the lawful bases of Art. 6 GDPR (consent, contract, legal obligation, vital interests, public task, legitimate interests) can be shown for each process
- They have the right to request blocking of their data and deletion of their data
- The risk associated with processing their data has to be assessed
- Their data is safeguarded, so that only the defined and currently agreed processing takes place in the required scope (minimising to as little data as possible)
- The data is deleted as soon as all legal retention periods have passed, and is blocked during the time in which it is kept for legal reasons only
- They can obtain all relevant information on their data undergoing processing
- They have the right to have incorrect data corrected
Based on Process Control
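The retention, blocking and deletion rules in sections 1 and 2 above can be read as a small state machine: a record is active while a lawful purpose is ongoing, blocked (readable only by roles that need it for the legal retention reason) while it is kept for legal reasons only, and deleted once the longest retention period has expired. The following is an added illustration of that lifecycle, not code from the slides or from SAP ILM; the retention periods, role names and record fields are assumptions made up for the example.

```python
"""Added example: a minimal model of the GDPR personal-data lifecycle
(active -> blocked -> deleted) as described on the slides. Retention rules,
roles and fields are illustrative assumptions, not SAP ILM configuration
and not legal advice."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    ACTIVE = "active"    # a business purpose still applies
    BLOCKED = "blocked"  # kept only for legal retention; restricted read access
    DELETED = "deleted"  # payload securely removed; only an audit stub remains


# Hypothetical retention obligations: legal basis -> how long the data must be
# kept after the last business purpose ended (constructed values).
RETENTION_RULES: Dict[str, timedelta] = {
    "tax_law": timedelta(days=10 * 365),
    "commercial_law": timedelta(days=6 * 365),
}

# Hypothetical roles that may read BLOCKED data (e.g. for a tax audit).
BLOCKED_READ_ROLES = {"auditor", "legal"}


@dataclass
class PersonalRecord:
    subject_id: str
    purposes_end: Optional[date]      # None while a business purpose is ongoing
    retention_bases: List[str]        # keys into RETENTION_RULES
    data: Dict[str, str] = field(default_factory=dict)
    state: State = State.ACTIVE

    def retention_end(self) -> Optional[date]:
        """Date after which no legal retention period applies any more."""
        if self.purposes_end is None:
            return None
        periods = [RETENTION_RULES[b] for b in self.retention_bases]
        # The longest applicable period wins; with none, retention ends at once.
        return self.purposes_end + max(periods) if periods else self.purposes_end


def transition(rec: PersonalRecord, today: date) -> State:
    """Apply the lifecycle rules as of `today` and return the new state."""
    if rec.state is State.DELETED:
        return rec.state                      # deletion is final
    end = rec.retention_end()
    if end is None:
        rec.state = State.ACTIVE
    elif today >= end:
        rec.data.clear()                      # all retention periods passed: delete
        rec.state = State.DELETED
    else:
        rec.state = State.BLOCKED             # kept for legal reasons only
    return rec.state


def read(rec: PersonalRecord, role: str) -> Dict[str, str]:
    """Blocked access: only retention-related roles may read a BLOCKED record."""
    if rec.state is State.DELETED:
        raise LookupError(f"{rec.subject_id}: data has been deleted")
    if rec.state is State.BLOCKED and role not in BLOCKED_READ_ROLES:
        raise PermissionError(f"{rec.subject_id}: blocked for role {role!r}")
    return dict(rec.data)


def erasure_request(rec: PersonalRecord, today: date) -> State:
    """Right to erasure: the business purpose ends now. The record is deleted
    immediately unless a legal retention period still applies, in which case
    it is blocked until that period has passed."""
    rec.purposes_end = min(rec.purposes_end or today, today)
    return transition(rec, today)


if __name__ == "__main__":
    # Constructed sample: employee who left on 2017-01-01, tax retention applies.
    emp = PersonalRecord("emp-1001", date(2017, 1, 1), ["tax_law"], {"name": "A. Example"})
    print(transition(emp, date(2018, 6, 1)), read(emp, "auditor"))
    print(transition(emp, date(2027, 6, 1)), emp.data)
```

The point of the example is the middle state: an erasure request does not always mean immediate deletion, because a legal retention obligation can override it, and during that time the record must be unreadable to ordinary business roles while remaining available to the roles the retention exists for.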
3. Data Breaches
Accidental or malicious. GDPR: an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Processors must report breaches to controllers
- Controllers must report breaches to the supervisory authority (within 72 hours) and to the affected data subjects if the breach is likely to result in a high risk to them
- Failures can result in punitive fines per breach
Technical and organisational measures to prevent and detect a breach:
- Monitor configuration changes
- Consistently apply patches and updates
- Monitor logs for anomalies and attacks
- Review critical access and relevant transactions
- Govern access and manage identities (IAM)
- Protect data inside and outside the application (DLP)
- Ensure appropriate policies and training
- Mature from rigid preventive controls to agile detective controls
- Take connections to business partners and to equipment into account
GDPR wording: "taking into account the state of the art, the costs of implementation ... appropriate technical and organisational measures".

4. Data Protection Impact Assessment
The DPIA the GDPR requires:
- A formalised process to identify non-compliant risks
- A PIA carried out on any high-risk processing, before it is commenced
- A description of the processing activities and their purpose
- An assessment of the need for and proportionality of the processing
- Risks arising and their mitigations are documented and dealt with, especially the safeguards and security measures that protect personal data and ensure GDPR compliance
Examples: large-scale processing or profiling of any personal data. The DPO's advice on carrying out a PIA must be sought. The supervisory authority must be consulted before processing is carried out where a high risk remains unmitigated.
Based on Risk Management and Process Control

5. Assist you with demonstrating your GDPR compliance
Document governance requirements. Favourable measures for demonstrating compliance would be operating a regular audit program including, for example:
- Privacy by design
- Privacy impact assessments (and managed consequences)
- Engaging a DPO and giving them adequate resources and independence
- The controller's selection process for, and regular review of, service providers (data processors) for the data they process
- Managing the use of sub-processors and vendors
- Use of e.g. pseudonymisation, encryption (so-called state-of-the-art technologies) and access governance
- Certification of data processing (especially in the cloud, where individual audits are not feasible)
Regulator's view: accountability, good governance, sustainable procedures ... when in doubt, get a DPO.
Based on Process Control and Risk Management
Example GDPR Cockpit you might build
Example - GDPR Compliance Approach
Compliance Approach Phase 1 (1H2017): Audit and Gap Analysis
Where is my personal data, what is my baseline risk?
1. Identify personal data locations: stored or processed internally, or by 3rd parties
2. Determine lawful purposes: processes touching data; consent procedures and policy management
3. Risk assess processes: lawful user access to data, cyber security risk, retention requirements and management
Outcome: gap analysis, strategic direction, program of work
Tools: Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, Risk Management

Compliance Approach Phase 2.1 (2H2017): Set up Business-as-Usual Program
Implement data and procedure management
4. Tagging for consent: consent management; erasure, porting and no-process; retention, archive and destroy
5. Data security technology for DLP and IAM: breach management incl. 3rd parties; data minimisation, accuracy, unlawful viewing
6. New processes and lawful purpose: consent policy, risk assessments, data security, 3rd-party contracts
Outcome: data security, consent and procedure management
Tools: Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL

Compliance Approach Phase 2.2 (1H2018): Embed DPO, Compliance Status
Accountability, governance, repeatable processes
7. DPO engagement: DPIA and compliance sign-off; DPO sanctions; certification
8. Governance process: evidence, accountability, transparency policy
9. Regulator communication: procedures, audit procedures, breach notification policy (country, industry)
Outcome: ready for the regulator
Tools: Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL, BI Cockpit, Audit Management
Core SAP Solutions for GDPR Compliance
GDPR is so vast that no single solution in the market can address all of it. Furthermore, there is no single most important area to focus on first. SAP has the advantage of best-of-breed solutions which, used together, enable you to demonstrate your GDPR compliance:
- Process Control (PC): the single most important custodian of GDPR compliance, providing ongoing digital evidence to the supervisory authority of, for example, breach management, compliant policies, privacy notices and procedures, lawful exclusions, DPIA results (and assessment), controls (with automated monitoring across SAP and non-SAP systems), challenge responses, audit evidence (Audit Management for full audits) and action management, lawful purpose per process, third-party and contract management, processor/sub-processor management.
- Information Lifecycle Management (ILM)*, PowerDesigner (PD): ILM is a powerful SAP-only tool for tagging personal data across multiple environments and managing the procedures for deleting and archiving with defensible legal retention requirements. PD covers non-SAP data tagging (not deletion).
- Information Steward: mature data profiling and metadata management tool providing continuous interrogation of the location of personal data across the estate for SAP and non-SAP systems, as well as assisting in managing personal data accuracy and consistency.
- Celonis: HANA-powered process mining technology to understand and visualise which processes actually touch personal data, as opposed to the ones you think do, with real-time cross-platform big-data surveillance for SAP and non-SAP systems.
- Read Access Logging (RAL)* or Enterprise Threat Detection (ETD): data loss prevention. RAL monitors, logs and categorises read access to personal data in SAP systems. HANA-powered ETD is a big-data, real-time security event detection and management tool for application-level access processing and pattern analysis; it provides real-time breach and inappropriate-access detection, investigation and remediation, plus dashboarding.
- AC, DAM, IDM/SSO, HR: identity and access management. Managing lawful user access to personal data is a core requirement of GDPR, whether in active business systems, at contracted processors, in archives, as part of employee enrolment, or in contract management. SAP provides robust best-of-breed solutions.
- Customer Relationship Management (CRM): customer-facing solution to track and manage consent requests and regulator dialogues.
- BI for Cockpit: develop a dashboard that provides a single place to go for real-time GDPR compliance status, with drill-through into topic details.
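The breach-prevention list in section 3 ("monitor logs for anomalies and attacks", "review critical access") and the RAL/ETD description above both come down to one detective control: log every read of personal data and look for patterns a single legitimate user would not produce. The following is an added illustration of such a detector, written for this page and not taken from the slides or from any SAP product. The log format, field names, transaction codes, users and thresholds are all constructed for the example; SAP's real Read Access Logging records look different, so the parser would have to be adapted to the actual export.

```python
"""Added example: a small read-access anomaly detector run over constructed
log lines. Format, thresholds and names are assumptions for illustration,
not SAP RAL/ETD output or configuration."""
import re
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed sample log, hypothetical format:
#   timestamp | user | transaction | channel | table.field | data subject id
# Two HR clerks doing ordinary lookups, one malformed line (to show it is
# skipped), and a batch/RFC user reading 25 employees' addresses at night.
_NORMAL_LINES = [
    "2017-06-01T09:02:11 | jdoe | PA20 | SAPGUI | PA0002.NACHN | 00001001",
    "2017-06-01T09:05:40 | jdoe | PA20 | SAPGUI | PA0006.STRAS | 00001001",
    "2017-06-01T10:17:03 | jdoe | PA30 | SAPGUI | PA0009.BANKN | 00001042",
    "2017-06-01T14:48:59 | mmiller | PA20 | SAPGUI | PA0002.GBDAT | 00001077",
    "this line is not a read-access record and must be ignored",
]
_BURST_LINES = [
    f"2017-06-01T22:{i:02d}:00 | zbatch | ZHRX | RFC | PA0006.STRAS | {1000 + i:08d}"
    for i in range(25)
]
SAMPLE_LOG = "\n".join(_NORMAL_LINES + _BURST_LINES)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s*\|\s*(?P<user>\S+)\s*\|\s*(?P<tcode>\S+)\s*\|\s*"
    r"(?P<channel>\S+)\s*\|\s*(?P<field>\S+)\s*\|\s*(?P<subject>\S+)\s*$"
)

Finding = Tuple[str, str, str, int]   # (rule, user, when, count)


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_anomalies(events: List[Dict], max_subjects_per_hour: int = 20,
                     business_hours: Tuple[time, time] = (time(7), time(19))) -> List[Finding]:
    """Two simple rules; thresholds are assumptions and would be tuned per site.

    mass_read:     one user reads more distinct data subjects in an hour than a
                   clerk handling individual cases plausibly would.
    off_hours_rfc: programmatic (RFC) reads of personal data outside business
                   hours, counted per user and day.
    """
    findings: List[Finding] = []

    # Rule 1: distinct data subjects per (user, hour). Counting subjects rather
    # than rows avoids flagging a clerk who reads many fields of one person.
    per_user_hour: Dict[Tuple[str, datetime], set] = defaultdict(set)
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        per_user_hour[(e["user"], hour)].add(e["subject"])
    for (user, hour), subjects in sorted(per_user_hour.items()):
        if len(subjects) > max_subjects_per_hour:
            findings.append(("mass_read", user, hour.isoformat(), len(subjects)))

    # Rule 2: RFC reads outside business hours, per (user, day).
    start, end = business_hours
    off_hours: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["channel"] == "RFC" and not (start <= e["ts"].time() < end):
            off_hours[(e["user"], e["ts"].date().isoformat())] += 1
    for (user, day), n in sorted(off_hours.items()):
        findings.append(("off_hours_rfc", user, day, n))

    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f)
```

Counting distinct data subjects rather than raw rows is the design choice worth noting: a payroll clerk legitimately reads many fields of one employee, while an extraction job reads one field of many employees, and only the second pattern matters for breach detection. In practice the thresholds would be derived from each user group's historical baseline rather than fixed constants.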
Example Personal Data in SAP Business Suite
Lifecycle of personal data handled

Last but not least
The GDPR carries massive fines: up to EUR 20 million or 4% of your company's worldwide annual turnover, whichever is higher, for a single violation.
Say you're the DPO at JetBlue. What happens to your company (and your career) when a DPA determines your team violated the GDPR and levies a fine of $256,000,000? (That's 4% of 2016 gross revenue.)
Germany Enacts GDPR Implementation Bill
Facebook received a $122 million fine from the European Union's antitrust regulators, who say the social media giant provided misleading information during its 2014 acquisition of the messenger app WhatsApp.
Altima d.o.o. Horvatova 80A, HR-10010 Zagreb, Hrvatska T +385 1 6408 000, F +385 1 6408 001 www.altima.hr, info@altima.hr