GDPR in SAP. June, Igor Gregurec


GDPR in SAP June, 2017 Igor Gregurec

Agenda
- GDPR rules
- GDPR compliance approach
- Example SAP solutions for GDPR compliance
- Lifecycle of personal data
- Fines and trends

The New EU Data Protection Rules
Since May 2016, an EU Regulation and a Directive govern the protection of personal data. The Regulation entered into force on 24 May 2016 and applies from 25 May 2018. The Directive entered into force on 5 May 2016, and EU Member States have to transpose it into their national law by 6 May 2018.

GDPR is one of the most far-reaching pieces of regulation ever. Provision must be made for the following:
- Creation of an independent Data Protection Officer with compliance, cyber and business procedure oversight
- Purpose of data processing, plus a lawful reason for doing it
- Data protection risk impact assessment, with prior approval for high risks
- Data protection by design and by default
- Information notices, policy implementation
- Data breach notifications
- Data retention consent requirements, right to erasure
- Data profiling restrictions (especially automated)
- Data portability, machine-readable format
- Data protection audits

1. Data Tagging, Delete, Retention & Blocked Access
Personal information is safely deleted or stored after employees have left the company or following a consent request.
- ILM: tagging SAP data across environments, deletes, secure archives
- PowerDesigner (PD): tagging non-SAP data across environments
- Tagging of personal data
- Deletion of SAP data; document the systems and procedures for deletion of non-SAP data
- Archiving of SAP data; document the systems and procedures for non-SAP data kept for legal purposes, with retention periods
- Safe (separate, managed, blocked) storage of archived data
Based on Information Lifecycle Management, PowerDesigner and Process Control

2. Processing and Storing of Personal Data, Data Privacy Rights (Lawful basis)
Data privacy includes the following rights of the natural person (data subject):
- Their data can only be processed if one of the lawful grounds (shown on the left of the original slide) can be shown per process
- They have the right to request blocking of their data, and deletion of their data
- The risk associated with processing their data has to be assessed
- Their data is safeguarded, ensuring that only the defined and currently agreed processing in the required scope takes place (minimising to as little data as possible)
- The data is deleted as soon as all legal retention periods have passed, and the data is blocked during the time in which it is kept for legal reasons only
- They can get all relevant information on their data undergoing processing
- They have the right to get incorrect data corrected
Based on Process Control
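The block-then-delete lifecycle described on slides 1 and 2 (end of the business purpose, blocking while the data is kept for legal reasons only, deletion once the longest retention period has passed, and how an erasure request fits into that), as an added Python example. It is not SAP ILM code or the author's; the retention bases, role names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class RetentionRule:
    basis: str   # legal reason the data must be kept (constructed label, e.g. "tax law")
    years: int   # retention period in years, counted from the end of the business purpose

@dataclass
class PersonalRecord:
    subject_id: str
    purpose_end: Optional[date] = None          # None while the business purpose is still live
    rules: List[RetentionRule] = field(default_factory=list)

def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb falls back to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retain_until(rec: PersonalRecord) -> Optional[date]:
    """End of the legal retention phase: the longest applicable retention period wins."""
    if rec.purpose_end is None:
        return None
    longest = max((r.years for r in rec.rules), default=0)
    return add_years(rec.purpose_end, longest)

def lifecycle_state(rec: PersonalRecord, today: date) -> str:
    """active (in use) -> blocked (kept for legal reasons only) -> deletable (all periods passed)."""
    if rec.purpose_end is None or today < rec.purpose_end:
        return "active"
    if today < retain_until(rec):
        return "blocked"
    return "deletable"

def read_allowed(rec: PersonalRecord, today: date, role: str) -> bool:
    """Active data is readable; blocked data only by roles with a legal need (constructed role names)."""
    state = lifecycle_state(rec, today)
    return state == "active" or (state == "blocked" and role in {"audit", "legal"})

def handle_erasure_request(rec: PersonalRecord, today: date) -> str:
    """Right to erasure: delete at once if no retention rule applies, otherwise block until the period ends."""
    if rec.purpose_end is None or rec.purpose_end > today:
        rec.purpose_end = today   # the request ends the business purpose
    if not rec.rules:
        return "deleted"
    return "blocked until " + retain_until(rec).isoformat()

def demo() -> str:
    """Constructed ex-employee record: left on 29 Feb 2016, payroll (6 y) and tax (10 y) retention."""
    rec = PersonalRecord("emp-001", date(2016, 2, 29), [RetentionRule("payroll", 6), RetentionRule("tax law", 10)])
    return lifecycle_state(rec, date(2020, 1, 1)) + " until " + retain_until(rec).isoformat()
```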

3. Data Breaches: Accidental or malicious
GDPR: an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Processors must report breaches to controllers
- Controllers must report breaches to the supervisory authority (within 72 hours) and to affected data subjects if they are at risk
- Failures can result in punitive fines per sensitive breach
Breach:
- Monitor configuration changes
- Consistently apply patches and updates
- Monitor logs for anomalies and attacks
- Review critical access and relevant transactions
- Govern access and manage identities
- Protect data inside and outside the application (DLP, IAM)
- Ensure appropriate policies and training
- Mature from rigid preventive controls to agile detective controls
- Connecting with business partners and to equipment
GDPR wording: "take into account the state of the art, the cost of implementation ... appropriate technical measures ..."

4. Data Protection Impact Assessment
The DPIA GDPR requires:
- A formalised process to identify non-compliance risks
- A PIA carried out on any high-risk processing, before it is commenced
- A description of the processing activities and their purpose
- An assessment of the need for and proportionality of the processing
- Risks arising and their mitigations documented and dealt with, especially safeguards and security measures to protect personal data and comply with GDPR
Examples: large-scale processing or profiling of any personal data.
The DPO's advice on carrying out a PIA must be sought. The authority must be consulted before processing is carried out on high unmitigated risk.
Based on Risk Management and Process Control

5. Assist you with demonstrating your GDPR Certification
Document governance requirements. Favourable measures for demonstrating compliance would be operating a regular audit programme including, for example:
- Privacy by design
- Privacy impact assessments (and managed consequences)
- Engaging a DPO and giving them adequate resources and independence
- Controller selection process, and regular review of service providers (data processors) for the data processed
- Managing the use of sub-processors and vendors
- Use of e.g. pseudonymisation, encryption (so-called state-of-the-art technologies), access governance
- Certification of data processing (especially cloud, where individual audits are not feasible)
Regulator: accountability, good governance, sustainable procedures ... when in doubt, get a DPO.
Based on Process Control and Risk Management

Example GDPR Cockpit you might build

Example - GDPR Compliance Approach

Compliance Approach Phase 1 (1H2017): Audit and Gap Analysis
Where is my personal data, what is my baseline risk?
1. Identify personal data locations: stored or processed internally, or by 3rd parties
2. Determine lawful purposes: processes touching data; consent procedures & policy management
3. Risk-assess processes: lawful user access to data, cyber security risk; retention requirements and management
Gap analysis, strategic direction, programme of work
Tools: Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, Risk Management

Compliance Approach Phase 2.1 (2H2017): Set up Business as Usual Program
Implement data & procedures management
4. Tagging for consent, consent management; erasure, porting & no-process; retention, archive & destroy
5. Data security technology for DLP and IAM; breach management incl. 3rd parties; data minimisation, accuracy, unlawful viewing
6. New processes & lawful purpose; consent policy, risk assessments, data security; 3rd party contracts
Data security, consent and procedure management
Tools: Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL

Compliance Approach Phase 2.2 (1H2018): Embed DPO, Compliance Status
Accountability, governance, repeatable processes
7. DPO engagement; DPIA and compliance sign-off; DPO sanctions, certification
8. Governance process; evidence, accountability, transparency policy
9. Regulator communication procedures; audit procedures; breach notification policy (country, industry)
Ready for Regulator
Tools: Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL, BI Cockpit, Audit Management

Core SAP Solutions for GDPR Compliance
GDPR is so vast that no single solution in the market can address all of it. Furthermore, there is no single most important area to focus on first. SAP has the unique advantage of best-of-breed solutions which, used together, enable you to demonstrate your GDPR compliance:

Process Control (PC): The single most important custodian of GDPR compliance, providing ongoing digital evidence to the supervisory authority of, for example, breach management, compliant policies, privacy notices and procedures, lawful exclusions, DPIA results (and assessment), controls (with automated monitoring across SAP and non-SAP systems), challenge responses, audit evidence (AM for full audits) and action management, lawful purpose per process, third-party and contract management, and processor/sub-processor management.

Information Lifecycle Management (ILM)*, PowerDesigner (PD): ILM is a powerful SAP-only tool for tagging personal data across multiple environments and managing the procedures for deleting and archiving with defensible legal retention requirements. PD covers non-SAP data tagging (not deleting).

Information Steward: Mature data profiling and metadata management tool providing continuous interrogation of the location of personal data across the estate for SAP and non-SAP systems, as well as assisting in managing personal data accuracy and consistency.

Celonis: Cutting-edge HANA-powered process mining technology to understand and visualise which processes actually touch personal data, as opposed to the ones you think do, with real-time cross-platform big data surveillance for SAP and non-SAP systems.

Read Access Logging (RAL)* or Enterprise Threat Detection (ETD): Data Loss Prevention. RAL monitors, logs and categorises read access to personal data in SAP systems. HANA-powered ETD is a big-data real-time security event detection and management tool for application-level access processing and pattern analysis; it provides real-time breach and inappropriate-access detection, investigation and remediation, plus dashboarding.

AC, DAM, IDM/SSO, HR: Identity & Access Management. Managing lawful user access to personal data is a core requirement of GDPR, whether in active business systems, contracted processors, archives, as part of employee enrolment, or in contract management. SAP provides robust best-of-breed solutions.

Customer Relationship Management (CRM): Customer-facing solution to track and manage consent requests and regulator dialogues.

BI for Cockpit: Develop a dashboard that provides the single place to go for real-time GDPR compliance status, with drill-through into topic details.
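The detective controls called for on the data-breach slide ("monitor logs for anomalies", "review critical access") and by the RAL/ETD description above, as an added Python example that is not RAL or ETD output or code. The log lines are constructed in an assumed pipe-separated format; the example flags one user reading many data subjects in a short window (a bulk-read pattern) and reads of blocked, retention-only records by roles without a legal need.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed read-access log lines in an assumed format (not real RAL or ETD output):
# timestamp|user|role|data_subject|field
SAMPLE_LOG = """\
2018-05-25T08:00:05|hr_anna|hr|emp-001|bank_account
2018-05-25T08:00:09|hr_anna|hr|emp-002|bank_account
2018-05-25T08:00:12|hr_anna|hr|emp-003|bank_account
2018-05-25T08:00:15|hr_anna|hr|emp-004|bank_account
2018-05-25T08:00:20|hr_anna|hr|emp-005|bank_account
2018-05-25T09:10:00|sales_bob|sales|cust-042|email
2018-05-25T09:12:30|sales_bob|sales|cust-042|phone
2018-05-25T10:00:00|audit_eve|audit|emp-900|salary
2018-05-25T10:05:00|sales_bob|sales|emp-900|salary
"""

def parse_log(text: str) -> list:
    """Turn the pipe-separated lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, subject, field = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "subject": subject, "field": field})
    return events

def bulk_read_alerts(events, window=timedelta(minutes=5), max_subjects=3) -> list:
    """Flag users who read data of more than max_subjects distinct subjects inside one window
    (a bulk-read pattern that a single business task rarely needs)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            subjects = {e["subject"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(subjects) > max_subjects:
                alerts.append((user, len(subjects)))
                break   # one alert per user is enough for triage
    return alerts

def blocked_read_alerts(events, blocked_subjects, privileged_roles=frozenset({"audit", "legal"})) -> list:
    """Flag reads of blocked (retention-only) records by roles without a legal need."""
    return [(e["user"], e["subject"]) for e in events
            if e["subject"] in blocked_subjects and e["role"] not in privileged_roles]
```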

Example Personal Data in SAP Business Suite

Lifecycle of personal data handled

Last but not least
The GDPR carries massive fines: up to EUR 20 million or 4% of your company's global gross revenue, for a single violation.
Say you're the DPO at JetBlue. What happens to your company (and your career) when a DPA determines your team violated the GDPR and levies a fine of $256,000,000? (That's 4% of 2016 gross revenue.)
Germany enacts GDPR implementation bill.
Facebook received a $122 million fine from the European Union's antitrust regulators, who say the social media giant provided misleading information during its 2014 acquisition of the messenger app WhatsApp.

Altima d.o.o. Horvatova 80A, HR-10010 Zagreb, Hrvatska T +385 1 6408 000, F +385 1 6408 001 www.altima.hr, info@altima.hr