Although security is trending in today’s ICT world, GDPR is proving to be the hottest topic of the last few months, and of the coming year. All companies running SAP face a compliance need under a complex and somewhat vague European regulation.
GDPR stands for “Global Data Protection Regulation”. It is aimed at increasing the privacy of the individuals you deal with as a company. Big Data solutions are enabling companies to store and process more information (data elements) on all the individuals they interact with, from a distance through social media behaviour and communication, and up close through sales and purchasing processes. Yet not everybody is happy with the intensified collection of information about them by anyone for any reason. Therefore the GDPR aims at giving people more control over the data stored on them.
Is this new? Not entirely. You’ve seen more and more documents in which you fill in personal data include a section offering a choice on the further distribution and usage of your data. You’ve seen the battle with Google to enforce the right to be forgotten, the right to correct or remove data from the internet. We’ve seen Germany as a frontrunner in protecting employees against information gathering and analysis, the free transfer of data…
GDPR is aimed at providing one European Standard for the Data Protection of personal information.
And it cannot be ignored: non-compliance results in hefty fines of 4% of the annual turnover, or a maximum of €20 million. Due date: May 2018… A proper wake-up call!
So what to do? Most companies are in the “scoping” phase, with the aid of legal advice. They are answering questions on the organizational impact: Do we need a DPO? Which Public Authority should we refer to? Which partners need to provide or receive compliance confirmation?
The next step will be identification: which data elements are we storing, for which business purpose, where, who do we exchange the data with, how, …
This is followed by a review of the approvals: do we have the data subject’s approval to store and use this data? How can we respond to a request for insight into the personal data? To requests for correction? Do our privacy statements need updates?
So far these efforts are the same for all your IT systems.
The next step is to dive deeper into SAP:
- Restrict and monitor authorizations to sensitive data
- Block or anonymise inactive data, or data that was requested to be removed
- Scramble test data
- Set up alerts for possible data breaches
- Ensure a consistent approach across your complete SAP landscape.
SAP offers a wide range of products to address parts of the GDPR puzzle. We believe that, with a solid understanding of SAP and data access and the right choice of tools, the expenditure on new software will be reasonable. But the effort to assess the impact, get organized, and implement all necessary procedures and tools will take up all (or more) of the coming 12 months. Reaching May 2018 in a jiffy…