
GDPR - what it means & the practicalities of implementation in a SAP landscape


Melissa Dielman

SAPience.be TECHday 2017


Our Experience
• +100 senior SAP Experts (BE, NL, SI, …)
• International orientation
• Excellent capabilities in all classic SAP modules and business processes
• Market Leader: HANA, GRC, ALM
• Market Maker for innovative solutions:
  ▪ SAP (S/4)HANA EM
  ▪ Big Data, IoT & Analytics
  ▪ SAP Hybris C4C
  ▪ User Experience
  ▪ S/4HANA on Azure Private Cloud

Get Inspired
• Passionate about SAP, business processes and innovations
• Nurturing personal development
• Lean organisation
• AQM Certified
• PCoE Certified
• Outstanding client satisfaction
• Committed to excellence consulting
• Trusted advisor for a long term journey
• Proud to be Expertum

Inspire by Experience
Data Protection

Data Breaches

Penalties

Reputational Risk

Compliance


Do you know which personal data you are storing?

Which data is GDPR relevant?
Where does it sit?
Who can access it, and who is actually accessing it?


One in three companies is well acquainted with GDPR

Belgian IT professionals are poorly prepared
Belgian IT professionals appear to be barely aware of the GDPR, which enters into force on 25 May 2018. Of them, 32 percent know the name without knowing what it entails, while 16 percent have never even heard of it. Given the possible financial sanctions for non-compliance, this is worrying.

The low level of awareness among Belgian employees also translates into a lack of confidence that they will be able to comply with the GDPR. 29% of IT professionals in Belgium do not believe that their organisation will be able to comply fully with the regulation in May 2018. Of the IT decision-makers in Belgium, 33% admit to having no confidence that those responsible for the processing of personal data within their organisation are aware of the changing regulations.

One in five Belgian IT professionals (19 percent) cannot say with certainty whether preparations within their company have already begun. This is a serious problem, since companies have less than a year to become compliant and the risk of heavy financial sanctions and reputational damage is high if they fail.


What is GDPR?
Context
Data is the currency of today's digital economy. Collected, analysed and moved across the globe, personal data has acquired enormous economic significance. According to some estimates, the value of European citizens' personal data has the potential to grow to nearly €1 trillion annually by 2020.

The new EU rules will offer flexibility to businesses to make use of the business intelligence the data offers, all while protecting individuals' fundamental rights.

The Regulation promotes techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorised can read them) to protect personal data. This will encourage the use of "big data" analytics, which can be done using anonymised or pseudonymised data.


What is GDPR?
The GDPR is intended to unify privacy regulation across the whole of Europe. As of May 2018, the processing of European personal data will need to comply with the same regulation in every member state of the EU, which simplifies cross-border data processing and allows closer control over it.
BUT: each country defines its own specificities at ratification.

It applies to all companies that collect personal data: any information that allows a person to be identified.

In force as of 25/5/2018

Non-compliance fines: 4% of annual turnover or €20 million, whichever is the greater -> a board-level concern


Which information?
"Personal data": "any information relating to an identified or identifiable natural person"
• ID card numbers, phone numbers, e-mail, address, social media addresses, credit cards, bank accounts, …
• Name, gender, age, date of birth, marital status, citizenship, languages spoken, disabled status, …


Key components
Right to be forgotten
Protection of sensitive data
Notification of data breaches within 72 hours
Transparency/approval of data subjects
Data integrity
Data protection impact assessments
Data Protection Officer


Data integrity
Lawfulness, Fairness and Transparency
Purpose Limitation
Data Minimization
Integrity and Confidentiality
Accuracy
Storage Limitation


Steps to take

1. Identification
Data elements: map which data has been stored, the business reason, the origin, storage location, risk impact, retention requirement, required data approval, who has access, and data sharing parties (data protection impact assessment).

Partners: when you supply/exchange data (cloud providers, …), it is your responsibility to ensure GDPR is complied with.

What? Why? Where? Who? How long?
Where used? | User approval | Access Management | Risk Management | Change & remove


2. Data subject approval (1/2)
Rights of the data subject
• Right to review the stored data
• Right to request correction or deletion
• Right to refuse direct marketing
• Right to refuse automated decision making & profiling
• Right to move data from one service provider to another


2. Data subject approval (2/2)
Improve privacy statements:
• Legal foundation for the data processing
• The duration for which you will keep the data
• Whether you share the data outside of the EU
• Complaints are to be reported to and handled by the local Privacy Commission

Faster access for data verification:
• Requests need to be processed within 30 days, instead of 45 days
• The person needs to be informed of the storage duration of the data
• Inaccurate data should be corrected when requested

Request explicit consent (the right way)

Minors need to approve through a (verified) legal guardian


3. DPIA? DPO?
DPIA:
• A Data Protection Impact Assessment is required to demonstrate your compliance.
• Evidence of compliance is your responsibility
• Regular updates are needed

DPO:
• A Data Privacy Officer is required for companies that conduct a large amount of data processing on a daily basis, sensitive personal data or not. It doesn't get more specific than that.


4. Right to be forgotten
• The right to be forgotten implies that data that is no longer business relevant is to be removed from the records*
• Taking into account legal requirements on identification & accountability:
✓ Block/anonymize data after a certain period of inactivity, with limited access only
✓ Delete data after the legal retention term
• Specific to data elements

* or if the subject objects to the processing, or the processing was unlawful


5. Protection of Sensitive Data
• Identify sensitive data elements
• Prevent access through authorizations
• Scramble data in test systems


6. Data breach notification
• Within 72 hours
• Identify scope & cause
• Assess relevance
• Inform the Privacy Commission
• Define the reaction process, involved persons, …
• Define controls to identify a data breach


7. Define & Document Processes
• Storing data
• Processing data
• Accessing data
• Responding to data requests
• Responding to data breaches
• Archiving personal data
• Periodic update of data log



GDPR in SAP

8 key steps
Identify: Which Data?
• Most data in SAP Business Suite and SAP S/4HANA might become personal data. A Sales Order is linked to the Business Partner (ID). The sales order itself contains additional personal data, so the whole Sales Order is to be protected.
• Combinations of attributes might become personal data as soon as it is possible to identify the person behind them.
• ECC, BI, CRM, SRM, HR.


Where used?
• Once the relevant master data fields are identified, the storage and (business) usage of these data fields needs to be mapped
• For standard & custom developments (fields, tables, programs)
• For protection and for the "right to insight"
• Keep in mind the impact of system upgrades, new developments, …

SAP solution
• SAP ABAP: list all the tables containing fields with personal information with the program Where-Used List for Domain in Tables
• Custom development to identify, link & report on data elements
• 3rd party solutions


Insight in data use
• Data subjects have the right to see which data is stored on them
• Request corrections
• Manual process / automated tool?

SAP solution
• Custom report
• 3rd party solutions


Consent Management
• New SAP tools using social media integration, Hybris, HR tools and ILM have consent documentation included

SAP solution
• Process Control – Policies
• Process Control – Documentation
• Your CRM/SRM?
• Any database


Limit your scope



Archiving
• Limit the available data to the required minimum
• TCO reduction
• Less data to protect
• Selective Archiving on objects, filter criteria
• For test & productive systems
• Secure access to archive through authorizations

SAP solution
• SAP archiving



Authorize
Limit access to sensitive data:
• Use a solid, flexible and clear authorization concept
• Define a strict access management policy and process
• Consistent across SAP applications & database layer (ECC, S/4HANA, HANA, BW, HR, FIORI, CRM, …)
• Restrict access to blocked data elements
• Restrict access to data reports
• Store data extracts at secure locations
• Implement sufficient security parameters to prevent unauthorized access

SAP solution
• SAP Access Control


Sensitive data access
Production Data:
• Authorized data processors (selective end-users)
• Authorized data consultants: end-users & IT
• Unauthorized users

Test Data:
• All users are "GDPR unauthorized"
• Data must remain meaningful & fit for testing
• Restrict access to PRD-alike systems
• Anonymize test data, consistently


Protect personal data in productive systems
Anonymization
• In case the subject requests so
• Field based
• Selective, fine-tuning of authorization
• Does not change underlying data
• Keeping historical data in reporting
• Regardless of access path
• Multiple systems in sync
• Mass maintenance

SAP solution
• SAP UI Masking


Protect personal data in non-productive systems
• No business need -> needs to be handled differently
• Pseudonymization/scrambling
• Data can still be used, without a link to persons
• Needed for test systems & development systems
• Respecting syntax/configuration requirements
• Data that is recognizable by situation/combination of data elements needs to be removed!
• Make test data a selective set / data copy

SAP Solution:
• SAP TDMS: Test Data Migration Server
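As an added illustration of the consistent test-data scrambling described above (example code, not from the presentation or from SAP TDMS), the Python below pseudonymizes a constructed business-partner table and the sales orders that reference it with a keyed, deterministic mapping, keeps e-mail and IBAN values syntactically valid, and verifies that references between the two tables still resolve. Table and field names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample tables (hypothetical field names, not SAP's): a business
# partner master record and the sales orders that reference it by partner_id.
PARTNERS = [
    {"partner_id": "BP0001", "name": "Anna Peeters", "email": "anna.peeters@example.com", "iban": "BE68539007547034"},
    {"partner_id": "BP0002", "name": "Jan Claes", "email": "jan.claes@example.com", "iban": "BE62510007547061"},
]
SALES_ORDERS = [
    {"order_id": "SO1001", "partner_id": "BP0001", "ship_to_name": "Anna Peeters", "amount": 1200.0},
    {"order_id": "SO1002", "partner_id": "BP0001", "ship_to_name": "Anna Peeters", "amount": 80.5},
    {"order_id": "SO1003", "partner_id": "BP0002", "ship_to_name": "Jan Claes", "amount": 310.0},
]
# Constructed scrambling key: it lives only in the tool that refreshes the test
# system, never in the test system itself, so tokens cannot be reversed there.
SCRAMBLE_KEY = b"constructed-demo-key-rotate-on-every-refresh"

def _tag(value, length):
    """Keyed digest: the same clear value yields the same token in every table."""
    return hmac.new(SCRAMBLE_KEY, value.encode(), hashlib.sha256).hexdigest()[:length]

def _digits(value, length):
    return "".join(str(int(c, 16) % 10) for c in _tag(value, length))

def _iban_check_digits(country, bban):
    """ISO 13616 mod-97 check digits, so bank-key validation still passes."""
    numeric = "".join(str(int(ch, 36)) for ch in bban + country + "00")
    return "%02d" % (98 - int(numeric) % 97)

def iban_valid(iban):
    return int("".join(str(int(ch, 36)) for ch in iban[4:] + iban[:4])) % 97 == 1

def _scramble_iban(v):  # keep country code and length, recompute check digits
    return v[:2] + _iban_check_digits(v[:2], _digits(v[4:], len(v) - 4)) + _digits(v[4:], len(v) - 4)

# Field rules: every rule keeps the syntax the application expects.
FIELD_RULES = {
    "partner_id": lambda v: "BP" + _digits(v, 4),
    "name": lambda v: "Person " + _tag(v, 6).upper(),
    "ship_to_name": lambda v: "Person " + _tag(v, 6).upper(),
    "email": lambda v: "user." + _tag(v, 8) + "@test.invalid",
    "iban": _scramble_iban,
}

def scramble(rows):
    """Apply the field rules to one table; non-personal fields (amounts) stay as they are."""
    return [{k: FIELD_RULES[k](v) if k in FIELD_RULES else v for k, v in row.items()} for row in rows]

def referentially_consistent(partners, orders):
    """Each scrambled order must still resolve to its partner, with matching scrambled name."""
    by_id = {p["partner_id"]: p for p in partners}
    return all(o["partner_id"] in by_id and by_id[o["partner_id"]]["name"] == o["ship_to_name"] for o in orders)
```

Because the mapping is keyed and deterministic, the same clear value scrambles identically in every table and in every system refreshed with the same key, which is what keeps multi-system test landscapes in sync.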


Data blocking/removal
• When data is no longer active or needed for its primary purpose, the data needs to be "inactivated". Yet legal retention periods require traceability of interactions.
• Per organization and per document type and data type, different retention periods will be taken into account.

SAP Solution:
• SAP ILM (Information Lifecycle Manager)
• Define data specific policies (blocking & retention)
• Trace data lifecycle
• Inactivate data
• Archive & delete
• Delete from archived data (based on timestamp)
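An added example (not from the deck or from SAP ILM) of the two-phase lifecycle described above: constructed per-organisation, per-document-type retention periods decide whether a record is still active, blocked but retained, or due for deletion, and blocked records are readable only with a dedicated authorization. Organisation codes, document types and authorization names are hypothetical.

```python
from datetime import date

# Constructed retention policy (hypothetical values, not SAP ILM's delivered rules):
# years a record must be kept, blocked, after its end of purpose before deletion.
RETENTION_YEARS = {
    ("BE01", "SALES_ORDER"): 7,
    ("NL01", "SALES_ORDER"): 10,
    ("BE01", "MARKETING_CONSENT"): 0,  # no legal retention: delete at end of purpose
}

def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February with a non-leap target year
        return d.replace(year=d.year + years, day=28)

def lifecycle_state(record, today):
    """ACTIVE: still needed for its primary purpose.
    BLOCKED: purpose ended, legal retention period not yet expired.
    DELETE: retention expired; destroy the record, also in archives."""
    end = record["end_of_purpose"]
    if end is None or today < end:
        return "ACTIVE"
    expiry = _add_years(end, RETENTION_YEARS[(record["org"], record["doc_type"])])
    return "BLOCKED" if today < expiry else "DELETE"

def may_read(record, today, user_auths):
    """Blocked data needs the dedicated display-blocked authorization;
    expired data is readable by nobody, it has to be deleted."""
    state = lifecycle_state(record, today)
    if state == "ACTIVE":
        return "DISPLAY" in user_auths
    if state == "BLOCKED":
        return "DISPLAY_BLOCKED" in user_auths
    return False

# Constructed records; end_of_purpose None means the business process is still open.
RECORDS = [
    {"id": "SO1001", "org": "BE01", "doc_type": "SALES_ORDER", "end_of_purpose": date(2015, 3, 1)},
    {"id": "SO1002", "org": "BE01", "doc_type": "SALES_ORDER", "end_of_purpose": date(2009, 6, 30)},
    {"id": "SO2001", "org": "NL01", "doc_type": "SALES_ORDER", "end_of_purpose": date(2009, 6, 30)},
    {"id": "MC0001", "org": "BE01", "doc_type": "MARKETING_CONSENT", "end_of_purpose": None},
    {"id": "MC0002", "org": "BE01", "doc_type": "MARKETING_CONSENT", "end_of_purpose": date(2017, 11, 1)},
]

def lifecycle_report(records, today):
    """Which records to block and which to delete in the next ILM-style run."""
    return {r["id"]: lifecycle_state(r, today) for r in records}
```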


Data Breach notification
• Continuous monitoring of who accesses specific data elements
• Insight into data usage – authorization fine-tuning
• Alert when not compliant with predefined rules
• Document the data breach
• Impact analysis – cause & extent of the breach
• Inform data owners

SAP Solution:
• Read Access Logging, UI Logging or SAP Process Control to identify a possible data breach
• Identify access to data elements
• Define all possible approaches
• SAP Process Control/Risk Management for response follow-up
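An added example (not from the presentation and not SAP's own Read Access Logging output) of the "alert when not compliant with predefined rules" step: detection logic run over a constructed, simplified read-access log that flags reads of a field the user's roles do not cover, and one user reading an unusual number of different data subjects within a short window. Field names, role names and users are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed read-access log, simplified for this example:
# timestamp;user;GDPR-relevant field;data subject (business partner).
LOG = """\
2017-11-14T08:01:10;JDOE;EMAIL;BP0001
2017-11-14T08:02:30;JDOE;IBAN;BP0002
2017-11-14T08:05:00;HR01;BIRTH_DATE;BP0003
2017-11-14T09:10:00;SUP1;EMAIL;BP0001
2017-11-14T09:10:20;SUP1;EMAIL;BP0002
2017-11-14T09:10:40;SUP1;EMAIL;BP0003
2017-11-14T09:11:00;SUP1;EMAIL;BP0004
2017-11-14T09:11:30;SUP1;EMAIL;BP0005
"""

# Constructed rules (hypothetical role names): which roles may read which
# field for a business purpose, and which roles each user holds.
FIELD_ROLES = {"EMAIL": {"SALES", "SUPPORT"}, "IBAN": {"AP_CLERK"}, "BIRTH_DATE": {"HR_ADMIN"}}
USER_ROLES = {"JDOE": {"SALES"}, "HR01": {"HR_ADMIN"}, "SUP1": {"SUPPORT"}}

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, field, subject = line.split(";")
        events.append((datetime.fromisoformat(ts), user, field, subject))
    return sorted(events)

def detect(events, window=timedelta(minutes=10), max_subjects=3):
    """Rule 1: a read of a field none of the user's roles covers (also fires for
    fields with no rule at all). Rule 2: one user reading more than max_subjects
    distinct data subjects within window, reported once when first crossed."""
    alerts, history, flagged = [], defaultdict(list), set()
    for ts, user, field, subject in events:
        if not USER_ROLES.get(user, set()) & FIELD_ROLES.get(field, set()):
            alerts.append(("UNAUTHORIZED_FIELD", user, field, subject, ts.isoformat()))
        history[user].append((ts, subject))
        recent = {s for t, s in history[user] if ts - t <= window}
        if len(recent) > max_subjects and user not in flagged:
            flagged.add(user)
            alerts.append(("MASS_READ", user, len(recent), ts.isoformat()))
    return alerts
```

Each alert carries the user, field, data subject and time, which is the starting point for the scope-and-cause analysis and the 72-hour notification decision.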


DPIAs, Processes, …
Data Privacy Impact Assessments
• Show compliance
• Document controls
• Test controls
• Process & policy documentation
• Issues & action plans

Controls
• Controls on user access (role based)
• Controls on data reading

Consent management
• Automated for internal use
• Documentation for external use
• Data breach response policies


Other SAP Solutions to explore
• Fraud Management: big data analysis on complex patterns to identify a breach
• Data Services / Information Steward
  ▪ Tagging and profiling of data across SAP and non-SAP landscapes
  ▪ Analyze repositories for types of data
  ▪ Leverage lineage analysis to create transparency on data flows
  ▪ Manage personal data accuracy & consistency
• Process Mining by Celonis: powered by HANA, understand and visualize in real-time which business processes 'touch' personal data
• Enterprise Threat Detection: security monitoring of your SAP business systems


Thank you!