SAP Data Privacy and GDPR Compliance
General Data Protection Regulation (GDPR)
The GDPR is a comprehensive regulation created with input from multiple European Union (EU) member states and backed by robust enforcement mechanisms. It was designed not only to standardize privacy practices across the EU, but also to influence how countries outside the EU design their own data protection and privacy legislation. Importantly, the GDPR applies not only to data captured and processed by EU-based businesses, but also to any organization outside the EU that processes personal data about EU customers in connection with offering goods or services to them.
The GDPR was approved in April 2016 and replaces the existing Data Protection Directive as of May 25th, 2018. In short, the regulation’s aim is to protect data privacy for all European citizens.
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries.
Personal Data and Data Subject Rights
In the context of GDPR, the term Personal Data covers a wide range of information. The definition includes all tracking data that enables identification of natural persons, referred to as data subjects. For example, because of “indirect identification”, data gathered using cookies can be considered personal data. Social media posts, photographs, lifestyle preferences, transaction histories and IP addresses are also included in the definition.
The GDPR establishes data subject rights that affect an entire digital ecosystem. A few examples of what is required:
- The right to be forgotten ensures the right of data subjects to request erasure of their personal data.
- The right to access and the data portability requirement ensures the data subject’s right to request information about all personal data that the data controller stores about them, and to receive a copy of the whole data set in a readable, electronic format, free of charge.
- An audit trail provides documentary evidence of the sequence of activities, such as data changes, relating to the personal data of a data subject.
Whenever a service collects or processes personal data, even potentially, GDPR compliance is a requirement.
GDPR introduces special categories of personal data, namely sensitive personal data, that require additional implementation effort. Bank account data is an example of sensitive personal data. SAP Upscale Commerce uses a universal payment gateway for payment processing.
GDPR Overview
What is GDPR?
The General Data Protection Regulation (EU Regulation 2016/679) is a single, EU-wide compliance requirement for data protection: a unified framework that replaces individual country-specific regulation within the EU. The GDPR came into effect on 25 May 2018. It gives individuals control over, and protection of, their personal data.
Who is impacted?
Any company that does business with European citizens, regardless of where it is located, is affected by the GDPR. It also applies to natural persons in the EU, irrespective of their nationality or place of residence.
What information does the GDPR apply to?
The GDPR applies both to personal data processed by automated means and to manual filing systems in which personal data are accessible according to specific criteria.
The GDPR refers to sensitive personal data as “special categories of personal data” (Article 9 of the GDPR). These categories are broadly the same as those in the Data Protection Act (DPA), with some minor changes.
Possible impact of non-compliance
Penalties of up to 4% of annual global revenue or €20 million, whichever is greater.
1.1. GDPR Requirements for Personal / Special Personal Data Management
The GDPR has well-defined requirements for protecting personal and special personal data, introduces some new rights for individuals, and strengthens some of the rights that already exist under the DPA:
1. The right of access
2. The right to rectification
3. The right to erasure
4. The right to restrict processing
5. The right to data portability
6. The right to object
7. Rights in relation to automated decision making and profiling
1.2. SAP Solution for GDPR Compliance
There is no single solution for GDPR compliance; however, a combination of multiple compliance products from SAP and SAP partner extensions can address the overall GDPR requirements.
The picture below depicts a high-level overview of the SAP solution covering the critical aspects of data management and security.
2. SAP ILM – Solution for GDPR Data Management
Data management in accordance with GDPR has two critical requirements: data retention and the right to be forgotten. The data retention requirement can be addressed by the standard SAP ILM feature, which defines policies and rules and destroys qualified data at the end of the retention period. The SAP ILM blocking and deletion functionality addresses the “Right to Be Forgotten”: data that has fulfilled its intended purpose is deleted, and where deletion is not possible because the data is required for legal or compliance reasons, the data is blocked so that only authorized persons can display it.
2.1. SAP ILM Capabilities for GDPR
- Manage all archiving, retention and deletion policies across the enterprise
- Automate deletion of data based on policies
- Enforce retention policies required by other regulations
- Execute e-discovery and set legal holds
- Use secure ILM-aware storage (partner offerings)
| Regulatory alignment | Complexity | Cost |
| --- | --- | --- |
| End-of-purpose check utilized as a major step towards the “right to erasure” in SAP systems | Reduced with preconfigured content and optimized IT landscapes | Lowered through reduced hardware demands and software maintenance |
2.2. Data Lifecycle at a Glance
The typical SAP data lifecycle spans from data creation to data destruction. Until end of business, the data is active in the database. Inactive data qualifies for archiving once it surpasses the residence time, and archived data qualifies for destruction at the end of the retention period.
Under GDPR, it is mandatory to delete data that is no longer required for the given business purpose. This requires an additional control in the system that allows an “End-of-Purpose” status to be defined.
SAP ILM, with its enhanced features, addresses the GDPR requirement to block and delete data that is no longer required in the system and has reached End-of-Purpose.
2.3. Simplified Blocking and Deletion using SAP ILM
The “ILM” business function, together with the “ILM Blocking and Deletion” business function and the relevant business functions for ERP, enables the following:
- Define sophisticated policies and rules for archiving, deletion and retention that incorporate requirements from multiple regulations
- Delete both personal data and any associated content such as invoices, emails, and social media content
- Set up access controls and encryption of archived data
- Reduce the cost and risk of data access and portability requests by automating data collection
- Maintain audit trails and reporting capabilities for documenting deletion of personal data
2.4. ILM Blocking and Deletion Process for Live Data in the Database
The approach to configuring and using simplified blocking and deletion is depicted below. If this five-step process is followed, data that has reached End of Purpose can either be deleted (if all retention requirements are met) or blocked if the data is still required for a legal or compliance reason.
2.4.1. End of Purpose Check (EoP)
An end of purpose check determines whether data is still relevant for business activities, based on the retention period defined for the data. The retention period of data consists of the following phases:
Phase one: The relevant data is actively used.
Phase two: The relevant data is actively available in the system.
Phase three: The relevant data is retained for other reasons.
Blocking of data prevents the business users of SAP applications from displaying and using data that may include personal data and is no longer relevant for business activities.
Blocking of data can affect system behavior in the following ways:
- Display: The system does not display blocked data.
- Change: It is not possible to change a business object that contains blocked data.
- Create: It is not possible to create a business object that contains blocked data.
- Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business object that contains blocked data.
- Search: It is not possible to search for blocked data or to search for a business object using blocked data in the search criteria.
2.5. ILM Blocking and Deletion Process for Data in the Archive
As with blocking and deletion of data in the database, archived data (after end of business) can be blocked when a data subject requests deletion but destruction is not possible due to a legal requirement. This is done by enabling the blocking functionality and an additional authorization control on the retention rule; only authorized users can display blocked data in the archive.
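To make the lifecycle of sections 2.2, 2.4.1 and 2.5 concrete, the following Python model is an added example; it is not SAP code and does not reproduce any ILM API (SAP ILM is configured inside the ABAP system rather than scripted). The classes RetentionRule, Record and User and the sample records are hypothetical constructions. The model assumes that residence and retention windows are counted from end of business, that an erasure request moves a record to end of purpose immediately (it is blocked, not deleted, until retention permits destruction), that a legal hold suspends destruction, and that data past end of purpose stays blocked until a destruction run removes it. The display, change and search functions implement the blocked-data behaviour listed in 2.4.1, and the destruction run writes an audit entry without the personal data itself.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Status(Enum):
    ACTIVE = "active"            # phase one: data in active business use
    RESIDENT = "resident"        # phase two: business ended, still available in the database
    BLOCKED = "blocked"          # phase three: end of purpose reached, kept for legal reasons only
    DESTROYABLE = "destroyable"  # retention elapsed, no hold: next destruction run removes it


# Past end of purpose the data stays blocked until the destruction run removes it.
BLOCKED_STATES = {Status.BLOCKED, Status.DESTROYABLE}


@dataclass
class RetentionRule:
    """Hypothetical stand-in for an ILM rule; both windows count from end of business."""
    residence_days: int   # after this the data has reached end of purpose and is blocked
    retention_days: int   # after this the data may be destroyed


@dataclass
class Record:
    subject_id: str
    personal_data: dict
    end_of_business: Optional[date] = None   # set when the business transaction completes
    legal_hold: bool = False                 # e-discovery hold: suspends destruction
    erasure_requested: bool = False          # "right to be forgotten" request received


@dataclass
class User:
    name: str
    may_display_blocked: bool = False   # extra authorization needed to display blocked data


def end_of_purpose_check(rec: Record, rule: RetentionRule, today: date) -> Status:
    """Classify a record into the lifecycle phase it is in on the given date."""
    if rec.end_of_business is None:
        return Status.ACTIVE
    elapsed = (today - rec.end_of_business).days
    # An erasure request ends the purpose immediately; the data is then blocked
    # (not deleted) until the retention rule permits destruction.
    if elapsed < rule.residence_days and not rec.erasure_requested:
        return Status.RESIDENT
    if elapsed >= rule.retention_days and not rec.legal_hold:
        return Status.DESTROYABLE
    return Status.BLOCKED


def display(rec: Record, rule: RetentionRule, today: date, user: User) -> Optional[dict]:
    """Display: blocked data is shown only to users holding the extra authorization."""
    if end_of_purpose_check(rec, rule, today) in BLOCKED_STATES and not user.may_display_blocked:
        return None
    return rec.personal_data


def change(rec: Record, rule: RetentionRule, today: date, updates: dict) -> bool:
    """Change: a business object containing blocked data cannot be modified."""
    if end_of_purpose_check(rec, rule, today) in BLOCKED_STATES:
        return False
    rec.personal_data.update(updates)
    return True


def search(records: list, rule: RetentionRule, today: date, **criteria) -> list:
    """Search: blocked records never appear in results, even when the criteria match them."""
    return [
        rec.subject_id for rec in records
        if end_of_purpose_check(rec, rule, today) not in BLOCKED_STATES
        and all(rec.personal_data.get(k) == v for k, v in criteria.items())
    ]


def run_destruction(records: list, rule: RetentionRule, today: date, audit_log: list) -> list:
    """Destruction run: drop records past retention; the audit entry carries no personal data."""
    kept = []
    for rec in records:
        if end_of_purpose_check(rec, rule, today) == Status.DESTROYABLE:
            audit_log.append({"subject_id": rec.subject_id, "action": "destroyed", "on": today.isoformat()})
        else:
            kept.append(rec)
    return kept


# Constructed sample data: 90-day residence time, one-year retention period, fixed reference date.
RULE = RetentionRule(residence_days=90, retention_days=365)
TODAY = date(2024, 6, 1)


def sample_records() -> list:
    return [
        Record("S1", {"name": "Alice", "city": "Berlin"}),                                                 # active
        Record("S2", {"name": "Bob", "city": "Berlin"}, end_of_business=date(2024, 5, 1)),                 # resident
        Record("S3", {"name": "Carla", "city": "Paris"}, end_of_business=date(2024, 1, 1)),                # blocked
        Record("S4", {"name": "Dan", "city": "Paris"}, end_of_business=date(2023, 1, 1)),                  # destroyable
        Record("S5", {"name": "Eve", "city": "Rome"}, end_of_business=date(2023, 1, 1), legal_hold=True),  # hold: stays blocked
        Record("S6", {"name": "Finn", "city": "Rome"}, end_of_business=date(2024, 5, 15), erasure_requested=True),  # blocked early
    ]


if __name__ == "__main__":
    records = sample_records()
    for rec in records:
        print(rec.subject_id, end_of_purpose_check(rec, RULE, TODAY).value)
    print("search city=Berlin:", search(records, RULE, TODAY, city="Berlin"))
    log = []
    records = run_destruction(records, RULE, TODAY, log)
    print("kept after destruction run:", [r.subject_id for r in records], log)
```

Running the script shows S3 and S6 blocked for different reasons (residence time elapsed versus an erasure request), S5 held back from destruction by the legal hold, and only S4 removed by the destruction run, with the audit trail recording the deletion without the personal data. Notice that the legal-hold and erasure cases both land in the same blocked state: the data subject's request does not override a retention obligation, it only narrows who may see the data in the meantime.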
Conclusion:
SAP ILM is the solution for addressing the critical requirement of lawful processing and for complying with individual rights regarding personal and special personal data.
More broadly, although there is no single SAP solution that addresses every compliance requirement, SAP customers can achieve GDPR compliance by using the various SAP data management and compliance/security products together.
FAQs – Unraveling the Queries:
- Is GDPR compliance only for European companies?
- No, GDPR applies to any organization that processes the personal data of EU residents, regardless of its location.
- What steps can employees take to contribute to SAP data privacy?
- Employees can contribute by attending data privacy training, reporting any security concerns promptly, and adopting best practices in data handling.
- How often should organizations conduct data audits for SAP systems?
- Regular data audits are recommended, with the frequency depending on the scale of data processing and changes in organizational structures.
- Are there SAP modules specifically designed for GDPR compliance?
- Yes, SAP offers modules and tools designed to facilitate GDPR compliance, including consent management and data encryption features.
- Can SAP users erase personal data upon user request?
- Yes, GDPR grants individuals the right to request the erasure of their personal data, and SAP users should have mechanisms in place to honor these requests.