SlideShare a Scribd company logo

Materializing dataprivacy in sap .. how?

Nico J.W. Kuijper ECMm BPMs ERMp, profile picture
Nico J.W. Kuijper ECMm BPMs ERMp

This document discusses the implementation of data privacy measures within SAP systems, focusing on compliance with the EU General Data Protection Regulation (GDPR) that becomes enforceable on May 25, 2018. It highlights the importance of identifying personal data, obtaining explicit consent for processing, and the obligations regarding data breaches and erasure rights. The presentation provides practical examples and tools to help organizations set up effective data privacy practices within their SAP environments.

Data & Analytics
Related topics:
Data Privacy
1 of 48
Downloaded 30 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
May 10, 2016 Implementing data privacy measures in SAP Nico J.W. Kuijper, D&IM Services SAP Archiving, Information Lifecycle Management, ECM & (SAP) Data Privacy Consultant Email: nico.kuijper@d-im-services.com - Phone: +31(0)20 615 82 89 Member of the International Association of Privacy Professionals
May 10, 2016 Page 1 Subject and scope of this presentation This presentation is about data privacy seen in the context of SAP data. A data privacy project covers many different legal, organizational and technical aspects - however in this presentation we focus only on (some of the) SAP instruments and practices regarding the enforcement of data privacy regulations (like the new EU GDPR) in SAP systems.
May 10, 2016 Page 2
May 10, 2016 Page 3 Why is this topic relevant for SAP using companies? On Thursday, 14 April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR). The GDPR comes into effect on 25 May 2018 and companies have 24 months to become GDPR compliant. When you are using SAP systems you might be interested in what needs to be done to apply the new EU data privacy laws to your SAP systems, in particular how to handle your SAP data according the new data privacy law. Official EU publication of the EU GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52012PC0011
May 10, 2016 Page 4 The risks of non-compliance with the EU GDPR Not complying with the EU GDPR (General Data Protection Regulation) leads to significant fines and compliance risks. The EU created two tiers of maximum fines for companies violating the GDPR. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower threshold fine is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher. You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52012PC0011
May 10, 2016 Page 5 What is considered privacy relevant information? There are many elements of personal information. Some examples are name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, IP address (some jurisdictions), business and personal -addresses, - phone numbers, -email addresses, internal identification numbers, credit card and bank account numbers, government-issued identification numbers (social security, drivers license numbers, etc.) and identity verification information, etc. It is important to remember business data elements can be considered personal information as well. “Personal data” is defined as “any information relating to an identified or identifiable natural person”
May 10, 2016 Page 6 The General Data Protection Regulation in short The highlights of the EU GDPR are displayed above and require an update of your privacy program On the next slides we focus on the translation of some of the GDPR articles to the SAP context
May 10, 2016 Page 7 The identification of personal data in SAP The GDPR requires the designation of a data protection officer and the execution of DPIA’s. One of his/her tasks? Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits. DPIAs (Data Privacy Impact Assessments) are used to identify potential privacy issues, evaluate whether the benefits of a project outweigh its risks, implement privacy by design, conduct internal auditing for compliance with legal, regulatory, industry and organizational standards. Do you know how to identify, monitor and audit the use of personal data in SAP?
May 10, 2016 Page 8 Explicit consent for processing personal data in SAP The GDPR requires explicit consent for the processing of (special categories of) personal data. How to request or trigger explicit consent regarding personal data (to be) processed in SAP?
May 10, 2016 Page 9 Erasure or blocking of personal data (right to be forgotten) Under GDPR Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful. Do you know how to erase or block personal data in SAP in a consistent way?
May 10, 2016 Page 10 The transfer of personal data out of the EU The GDPR makes clear that it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country. It also imposes hefty monetary fines for transfers in violation of the Regulation. Do you know how to restrict the (unlawful) transfer of personal data stored in SAP systems?
May 10, 2016 Page 11 Protect personal data in non productive systems The GDPR encourage data pseudonymization - defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”. Data encryption, pseudo- and anonymization, etc. are means of protecting the rights of individuals while also allowing controllers to benefit from the data’s utility – in the SAP context e.g. the use of SAP data in test and quality assurance systems. Do you know how to (pseudo) anonymize or encrypt personal data in non productive SAP systems?
May 10, 2016 Page 12 Data breach notifications within 72 hours “Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In the event of a personal data breach, data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” Do you know how to prevent and/or detect a data breach in SAP or control the download of privacy relevant data from SAP systems?
May 10, 2016 Page 13 Information security = information privacy? The term information privacy refers to the handling, controlling, sharing and disposal of personal information while the term information security includes a very wide range of activities both physical and administrative that protect not only personal information, but any type of information or information asset that supports a business. The difference between information privacy and information security supports the statement, “You can have security without privacy…but you cannot have privacy without security.” For example, a secure computer with solid access controls may be secure however if access controls were not assigned correctly privacy may become an issue. In these slides we focus mainly on the protection of privacy relevant SAP information.
May 10, 2016 Page 14
May 10, 2016 Page 15 Mitigating the violation of data privacy laws in SAP Organizations handling privacy relevant data in the context of SAP systems might need some practical guidance on how to mitigate the risk of violating data privacy regulations. In this section we show some of the practical examples on how to mitigate the risk of violating data privacy regulations in SAP environments.
May 10, 2016 Page 16 Some examples of data privacy measures in SAP Data privacy topic Applicable to SAP system, functionality or data Supporting SAP functionality Supporting 3rd party functionality Data privacy impact assessment on SAP data SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. AIS (Audit system), special reports, GRC, etc. Activate explicit consent for processing of personal data SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. Standard SAP Restrict / limit access to privacy relevant data SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. Standard SAP Blocking of privacy relevant data (if can’t be deleted) SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. Standard SAP Destruction of privacy relevant SAP data SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. SAP ILM RM (part of standard SAP) Data encryption, masking, anonymizations, etc. Privacy relevant data in all NON productive SAP systems SAP TDMS 4.0 EPI-USE, Dolphin, etc. Data protection & prevention of data leakage (outside SAP) SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. SAP Authorizations, AIS (Audit system). External DLP solution providers like Secude, etc. Monitor unlawful access to privacy relevant or sensitive data in SAP SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. Read Access Logging (RAL), SAP Enterprise Threat detection, etc. Different external solution providers Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access
May 10, 2016 Page 17 Conducting data privacy impact assessments in SAP Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: organizations handling privacy relevant (personal) data are obliged to execute DPIA‘s (Data Privacy Impact Assessments) under the EU GDPR. Organizations need to evaluate the personal data they have; categorizing the data so they are clear where the personal and sensitive data resides and where other less important data sits in the company. What are some of the instruments that can support you in conducting a DPIA on SAP data?
May 10, 2016 Page 18 Some Data Privacy Impact Assessment questions In a DPIA different types of questions might be raised such as: • What data is collected and from which source(s) and why? • Where and how the recorded data is stored (in SAP). • Who (roles/individuals) has access (consulting, updating, etc.) to the data? • What the data is used for, and how it passes both between systems and to data consumers. • How long should data be retained? • Who is responsible for the data at both an operational and a strategic level. It is not always easy to answer some of these questions when you are using a system with a impressive data model and broad functionality like SAP. Where is privacy relevant data actually stored in SAP?
May 10, 2016 Page 19 DPIA’s in SAP – Identify privacy relevant data (I) There are reports available in SAP to identify where in the data model of SAP privacy relevant information could be stored (including your custom developments). Categorizing the data so that it becomes clear where the personal and sensitive data resides in SAP is an important step in your Data Privacy Impact Assessment.
May 10, 2016 Page 20 DPIA’s in SAP – Identify privacy relevant data (II) Another useful step is to identify if you actually store privacy relevant data in SAP – and this should be assessed at least once a year. Audit Information System reports can support you in this task.
May 10, 2016 Page 21 DPIA’s in SAP – Identify privacy relevant data (III) Once it is clear where privacy relevant data is stored in SAP, you want to know who has access to it and the type of actions that can be executed by the users/roles (this can be done using e.g. GRC and other tools). It is also relevant to check who can access privacy relevant data directly on database level using a table browser like e.g. SE16 – often used as backdoor to access data.
May 10, 2016 Page 22 Supporting data privacy assessments in SAP Once organisations understand just what personal data they have, they should then ensure that regular risk assessments are completed to understand the degree of threat imposed on the company when processing privacy relevant data in SAP. There are many tools and reports available in SAP that can support you in conducting your Data Privacy Impact Assessment in SAP in a structured way, we just scratched on the surface of the possibilities. Knowing (and measuring) your risks is key for a solid data privacy program.
May 10, 2016 Page 23 Explicit consent for processing of personal data Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: the GDPR requires explicit consent for the processing of personal data. There are different options available in SAP to enforce the explicit consent for the processing of privacy relevant data.
May 10, 2016 Page 24 Data privacy – requesting explicit consent in SAP 24 Individuals have rights when it comes to the collection & processing of personal information. Consent and choice are two of those rights. As a result, organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. There are different options in SAP to request explicit consent for the storage and processing of personal data in for example HCM (employee data and in e-recruiting), ECC, SRM, CRM, IS*, etc. Processing personal data in SAP without explicit consent is unlawful and should be avoided.
May 10, 2016 Page 25 Blocking of personal data in SAP Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: the GDPR gives data subjects the right to have their personal data erased. However, personal data sometimes cannot be erased due to data consistency rules, other (overruling) legislation. In some cases privacy relevant (master)data must be blocked for further access and/or processing in SAP.
May 10, 2016 Page 26 Blocking privacy relevant data 26 SAP delivers business functions for the blocking of personal (business partner) data that can’t be deleted instantly for different reasons (SAP data consistency or data must be preserved longer due to overruling legal or fiscal legislation, etc.).
May 10, 2016 Page 27 Right to be forgotten and erasure of personal SAP data Context: the GDPR gives data subjects the right to have their personal data erased, provided that certain conditions are met. SAP offers > 100 so called data destruction objects for the rule based and compliant erasure of privacy relevant SAP data (for e.g. ECC6, CRM, SRM, IS*, etc.). This is delivered by the SAP functionality called SAP ILM (Information Lifecycle Management). Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access
May 10, 2016 Page 28 Placing information under corporate control Definition of a ‘RECORD’ SOX GAAP EU GDPR BASEL II/III HIPAA Etc. Corporate information that is subjected to legislation must be managed as a “record” using records management principles in order to manage, preserve and destruct the information according rules
May 10, 2016 Page 29 Introduction of SAP ILM The lifecycle of information (put under corporate control) can be managed with SAP Information Lifecycle management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data and documents in a controlled way using records management & retention policies.
May 10, 2016 Page 30 Data destruction objects For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so called data destruction objects. Alone in SAP module HCM we find more then 100 data destruction objects, and the SAP HCM data destruction objects can (in most of the cases) be used without additional SAP license implications.
May 10, 2016 Page 31 Retention policy: manage the lifecycle of your data Privacy relevant data should be managed in alignment with other legislation based on retention rules. Other (overruling) legislation – e.g. tax regulation – might require the preservation of privacy relevant data, blocking e.g. the destruction of financial data containing privacy relevant data. With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.
May 10, 2016 Page 32 Data destruction in SAP Based on the defined retention rules in SAP ILM it is possible to comply with the GDPR rule to destroy privacy relevant SAP data in a controlled way.
May 10, 2016 Page 33 Data protection in non productive SAP systems Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: the GDPR prohibit the unauthorized access to personal data and encourage the (pseudo) anonymization of data when possible. How do you give developers, testers and contract workers access to a non-production system without endangering your data privacy and data security regulations? Encrypting or (pseudo) anonymization might be the answer.
May 10, 2016 Page 34 Data protection in context and some terminology Even if great care is taken to set up authorizations, design roles and isolate duties in the production environment, these authorizations do not work in non-production systems. How do you give developers, testers and contract workers access to a non-production system without endangering data privacy and data security? Data encryption or (pseudo)anonymization might be the answer. Terminology explained We speak of anonymity if the identity of a person is not known or if a person does not wish to make his identity known. Pseudonymization and anonymization are both techniques by means of which the identity of a person can no longer be traced. Pseudonymization is a procedure by means of which identifying data with a particular algorithm are replaced by encrypted data (the pseudonym). The algorithm can always calculate the same pseudonym for a person, by means of which information about the person, also from various sources, can be combined. Pseudonymization distinguishes itself in this way from anonymization, because linking information to a person, from various sources, is not possible with anonymization. (source wikipedia.org)
May 10, 2016 Page 35 SAP TDMS 4.0: scramble privacy relevant data SAP offers, with SAP TDMS 4.0, the option to scramble privacy relevant data in non productive SAP systems. (see SAP slide of TDMS 4.0 above)
May 10, 2016 Page 36 3rd party solutions for SAP data encryption Other (SAP certified 3rd party) vendors do deliver data encryption and (pseudo)anonymization tools for SAP data as well. Note: under the GDPR, a data breach (especially data theft) of encrypted data still must be reported to the authorities – data security remains of vital importance in al cases.
May 10, 2016 Page 37 Data theft & data leakage prevention of SAP data Context: the GDPR also introduces the need for organizations to prepare a data breach notification plan in the event that something does actually go wrong. However, it is vital to prevent data leakage! How can you actually prevent that privacy relevant SAP data can be “leaked” and distributed outside your organization? Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access
May 10, 2016 Page 38 Is privacy relevant data leaving your SAP system? Privacy relevant data should only be downloaded from SAP when authorized (ensure a adequately configured authorization concept). Misuse of personal data by the download function and/or the XXL/ALV List Viewer is prohibited under the GDPR (considered a data breach/data leakage). Even with appropriate SAP authorizations it is often difficult to control what happens with the data outside the controlled SAP environment – however there are tools to overcome that hurdle.
May 10, 2016 Page 39 Data leakage prevention in SAP 39 Not many companies are aware of what sensitive/privacy relevant data is leaving their systems. Often, that sensitive information is sent to unsecure locations such as unprotected mobile devices, and public cloud environments. There are 3rd party tools that can block the download of sensitive data from SAP – not only useful for compliance with regulations, but also to protect your IP, etc.
May 10, 2016 Page 40 Controlled access to downloaded SAP data (1) 40 With 3rd party software you can combine SAP authorizations (controlling access to privacy relevant data in SAP) with MS Digital Right Management (controlling access to privacy relevant data outside the SAP environment). With this concept you can protect SAP data even when it is leaving SAP.
May 10, 2016 Page 41 Controlled access to downloaded SAP data (2) 41 Using these kind of SAP certified 3rd party tools, you can get a grip on the sensitive / privacy relevant data that is leaving your SAP systems in a controlled and auditable way.
May 10, 2016 Page 42 Monitor the access to privacy relevant SAP data Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: a data breach covers under the GDPR different unauthorized activities. Unauthorized access to & processing of privacy relevant data (not only by hackers also by the employees of the organization) is considered a data breach that must be reported within 72 hours. How can you actually detect that privacy relevant SAP data has been accessed unauthorized? SAP delivers different instruments to monitor the unlawful access of privacy relevant SAP data.
May 10, 2016 Page 43 Monitoring databreaches in SAP If data is leaked, companies must inform the Data Protection Authority (DPO) within two working days of them being aware of the breach. All data breaches must be sufficiently documented. So organizations must indicate exactly where in the systems breaches have taken place and what consequences they have. They must also inform the owners of the leaked data. SAP offers a standard tool (as part of NetWeaver) to monitor the unauthorized access to (privacy relevant) data – even if this is “just looking” at privacy relevant data. The name of the tool is RAL (Read Access Logging) and it can monitor the access to data from many different channels.
May 10, 2016 Page 44 RAL (Read Access Logging) - 1 With RAL you can define and categorize the logging purpose, domains and object yourself.
May 10, 2016 Page 45 RAL (Read Access Logging) - 2 Access to privacy relevant SAP data via different channels (Gui, internet, RFC) can be logged in a flexible way so that you can determine what needs to be logged in detail. RAL can help you significantly in detecting and logging data breaches in SAP.
May 10, 2016 Page 46 Closure In this presentation we presented some of the available options in SAP to mitigate data privacy risks Looking for expertise to enforce data privacy in your SAP systems? Don’t hesitate to consult us!
May 10, 2016 Page 47 Nico J. W. Kuijper, D&IM Services SAP Archiving, Information Lifecycle Management, ECM & (SAP) Data Privacy Consultancy Email: nico.kuijper@d-im-services.com - Phone: 0031(0)20 615 82 89 DISCLAMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. D&IM Services assumes no responsibility for errors or omissions in this document, except if such damages were caused intentionally or grossly negligent.

More Related Content

PDF
GDPR & SAP: practical data governance & management activities
Nico J.W. Kuijper ECMm BPMs ERMp
 
PPTX
Webianr: GDPR: How to build a data protection framework
Leigh Hill
 
PDF
Data Protection Forum Brussels 230517 - Implementing GDPR
John M Walsh
 
PPTX
De impact van de GDPR op de reissector
Bart Van Den Brande
 
PDF
Beginning your General Data Protection Regulation (GDPR) Journey
Microsoft Österreich
 
PPT
Building a register of data processing
Tim Gough
 
PDF
GDPR and Hadoop
Janosch Woschitz
 
PDF
Data- and database security & GDPR: end-to-end offer
Capgemini
 
GDPR & SAP: practical data governance & management activities
Nico J.W. Kuijper ECMm BPMs ERMp
 
Webianr: GDPR: How to build a data protection framework
Leigh Hill
 
Data Protection Forum Brussels 230517 - Implementing GDPR
John M Walsh
 
De impact van de GDPR op de reissector
Bart Van Den Brande
 
Beginning your General Data Protection Regulation (GDPR) Journey
Microsoft Österreich
 
Building a register of data processing
Tim Gough
 
GDPR and Hadoop
Janosch Woschitz
 
Data- and database security & GDPR: end-to-end offer
Capgemini
 

What's hot (19)

PPTX
Data Protection Forum meetup 23052017
John M Walsh
 
PDF
A practical guide to GDPR preparation
Promapp Solutions
 
PPTX
Ensuring GDPR Compliance - A Zymplify Guide
Zymplify
 
PPTX
GDPR How to get started?
Peter Witsenburg
 
PDF
Convince your board - Ten steps to GDPR compliance
Dave James
 
PDF
GDPR: Is Your Organization Ready for the General Data Protection Regulation?
DATUM LLC
 
PPTX
GDPR: Your Journey to Compliance
Cobweb
 
PDF
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...
ObservePoint
 
PDF
Building the Governance Ready Enterprise for GDPR Compliance
Index Engines Inc.
 
PDF
Building the Governance Ready Enterprise for GDPR Compliance December 2017
Index Engines Inc.
 
PDF
Your Worst GDPR Nightmare - Unstructured Data
DATAVERSITY
 
PPTX
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and Governance
IDERA Software
 
PPTX
Quick Introduction to the EU GDPR by Sami Zahran
Dr. Sami Zahran
 
PDF
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
PDF
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
PPTX
Impact on e-commerce of the GDPR- Etrade Summit 2016
Bart Van Den Brande
 
PPTX
Supporting GDPR Compliance through Data Classification
Index Engines Inc.
 
PPTX
Vuzion Love Cloud GDPR Event
Vuzion
 
PPTX
GDPR From the Trenches - Real-world examples of how companies are approaching...
Ardoq
 
Data Protection Forum meetup 23052017
John M Walsh
 
A practical guide to GDPR preparation
Promapp Solutions
 
Ensuring GDPR Compliance - A Zymplify Guide
Zymplify
 
GDPR How to get started?
Peter Witsenburg
 
Convince your board - Ten steps to GDPR compliance
Dave James
 
GDPR: Is Your Organization Ready for the General Data Protection Regulation?
DATUM LLC
 
GDPR: Your Journey to Compliance
Cobweb
 
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...
ObservePoint
 
Building the Governance Ready Enterprise for GDPR Compliance
Index Engines Inc.
 
Building the Governance Ready Enterprise for GDPR Compliance December 2017
Index Engines Inc.
 
Your Worst GDPR Nightmare - Unstructured Data
DATAVERSITY
 
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and Governance
IDERA Software
 
Quick Introduction to the EU GDPR by Sami Zahran
Dr. Sami Zahran
 
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
Impact on e-commerce of the GDPR- Etrade Summit 2016
Bart Van Den Brande
 
Supporting GDPR Compliance through Data Classification
Index Engines Inc.
 
Vuzion Love Cloud GDPR Event
Vuzion
 
GDPR From the Trenches - Real-world examples of how companies are approaching...
Ardoq
 
Ad

Similar to Materializing dataprivacy in sap .. how? (20)

PDF
SAP insider GDPR compendium Hernan Huwyler
Hernan Huwyler, MBA CPA
 
PDF
GDPR - Sink or Swim
Guy Griffiths
 
PPT
Legal And Regulatory Dp Challenges For The Financial Services Sector
MSpadea
 
PDF
Accelerating the Path to GDPR Compliance
Hernan Huwyler, MBA CPA
 
PDF
Data Security & Data Privacy: Data Anonymization
Patric Dahse
 
PPTX
Data Privacy for Information Security Professionals Part 1
Dione McBride, CISSP, CIPP/E
 
PPTX
GDPR compliant data anonymization / pseudonymization
Patric Dahse
 
PDF
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
PDF
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
Gary Dodson
 
PDF
General Data Protection Regulation, a developer's story
Michelangelo van Dam
 
PPTX
GDPR training
ASL
 
PPTX
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
BrightPay Payroll and Auto Enrolment Software
 
PPTX
3A – DATA PROTECTION: ADVICE
CFG
 
PPTX
Data protection
RaviPrashant5
 
PPTX
General Data Protection Regulation (GDPR)
ControlCase
 
PPTX
General Data Protection Regulation (GDPR)
Kimberly Simon MBA
 
PPTX
GDPR security services - Areyou ready ?
Frederick Penaud
 
PPTX
Gdpr security services
Frederick Penaud
 
PPTX
GDPR Data Life Cycle
Jatin Kochhar
 
PDF
5 key steps for SMBs for reaching GDPR Compliance
Gabor Farkas
 
SAP insider GDPR compendium Hernan Huwyler
Hernan Huwyler, MBA CPA
 
GDPR - Sink or Swim
Guy Griffiths
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
MSpadea
 
Accelerating the Path to GDPR Compliance
Hernan Huwyler, MBA CPA
 
Data Security & Data Privacy: Data Anonymization
Patric Dahse
 
Data Privacy for Information Security Professionals Part 1
Dione McBride, CISSP, CIPP/E
 
GDPR compliant data anonymization / pseudonymization
Patric Dahse
 
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
Gary Dodson
 
General Data Protection Regulation, a developer's story
Michelangelo van Dam
 
GDPR training
ASL
 
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
BrightPay Payroll and Auto Enrolment Software
 
3A – DATA PROTECTION: ADVICE
CFG
 
Data protection
RaviPrashant5
 
General Data Protection Regulation (GDPR)
ControlCase
 
General Data Protection Regulation (GDPR)
Kimberly Simon MBA
 
GDPR security services - Areyou ready ?
Frederick Penaud
 
Gdpr security services
Frederick Penaud
 
GDPR Data Life Cycle
Jatin Kochhar
 
5 key steps for SMBs for reaching GDPR Compliance
Gabor Farkas
 
Ad

Recently uploaded (20)

PPTX
iec ppt-1 pptx icmr ppt on rehabilitation.pptx
thirishadevan81
 
PPTX
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
hshakobe3
 
PPTX
modul_python (1).pptx for professional and student
putusurya12
 
PPTX
importance of Data-Visualization-in-Data-Science. for mba studnts
Tanu Arora
 
PDF
168300704-gasification-ppt.pdfhghhhsjsjhsuxush
sriram270905
 
PDF
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 
PDF
Microsoft Core Cloud Services powerpoint
KamelAbouSaleh1
 
PPTX
Qualitative Qantitative and Mixed Methods.pptx
AhmaduMohammed
 
PDF
Capcut Pro Crack For PC Latest Version {Fully Unlocked 2025}
malikyahyah1122
 
PDF
Oracle OFSAA_ The Complete Guide to Transforming Financial Risk Management an...
Data Patrol Technologies
 
PDF
Transcultural that can help you someday.
jhongarin24
 
PPTX
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
PDF
Introduction to the R Programming Language
Suraj Patil
 
PDF
22.Patil - Early prediction of Alzheimer’s disease using convolutional neural...
ngaviet5
 
PPTX
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
 
PDF
Mega Projects Data Mega Projects Data
saidsalah8181
 
PPTX
mbdjdhjjodule 5-1 rhfhhfjtjjhafbrhfnfbbfnb
CHINTU5000
 
PDF
[EN] Industrial Machine Downtime Prediction
Mônica N. de Resende
 
PPTX
Pilar Kemerdekaan dan Identi Bangsa.pptx
RyanSyah40
 
PDF
Business Analytics and business intelligence.pdf
khalidisah4750
 
iec ppt-1 pptx icmr ppt on rehabilitation.pptx
thirishadevan81
 
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
hshakobe3
 
modul_python (1).pptx for professional and student
putusurya12
 
importance of Data-Visualization-in-Data-Science. for mba studnts
Tanu Arora
 
168300704-gasification-ppt.pdfhghhhsjsjhsuxush
sriram270905
 
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 
Microsoft Core Cloud Services powerpoint
KamelAbouSaleh1
 
Qualitative Qantitative and Mixed Methods.pptx
AhmaduMohammed
 
Capcut Pro Crack For PC Latest Version {Fully Unlocked 2025}
malikyahyah1122
 
Oracle OFSAA_ The Complete Guide to Transforming Financial Risk Management an...
Data Patrol Technologies
 
Transcultural that can help you someday.
jhongarin24
 
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
Introduction to the R Programming Language
Suraj Patil
 
22.Patil - Early prediction of Alzheimer’s disease using convolutional neural...
ngaviet5
 
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
 
Mega Projects Data Mega Projects Data
saidsalah8181
 
mbdjdhjjodule 5-1 rhfhhfjtjjhafbrhfnfbbfnb
CHINTU5000
 
[EN] Industrial Machine Downtime Prediction
Mônica N. de Resende
 
Pilar Kemerdekaan dan Identi Bangsa.pptx
RyanSyah40
 
Business Analytics and business intelligence.pdf
khalidisah4750
 

Materializing dataprivacy in sap .. how?

  • 1. May 10, 2016 Implementing data privacy measures in SAP Nico J.W. Kuijper, D&IM Services SAP Archiving, Information Lifecycle Management, ECM & (SAP) Data Privacy Consultant Email: nico.kuijper@d-im-services.com - Phone: +31(0)20 615 82 89 Member of the International Association of Privacy Professionals
  • 2. May 10, 2016 Page 1 Subject and scope of this presentation This presentation is about data privacy seen in the context of SAP data. A data privacy project covers many different legal, organizational and technical aspects - however in this presentation we focus only on (some of the) SAP instruments and practices regarding the enforcement of data privacy regulations (like the new EU GDPR) in SAP systems.
  • 3. May 10, 2016 Page 2
  • 4. May 10, 2016 Page 3 Why is this topic relevant for SAP using companies? On Thursday, 14 April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR). The GDPR comes into effect on 25 May 2018 and companies have 24 months to become GDPR compliant. When you are using SAP systems you might be interested in what needs to be done to apply the new EU data privacy laws to your SAP systems, in particular how to handle your SAP data according the new data privacy law. Official EU publication of the EU GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52012PC0011
  • 5. May 10, 2016 Page 4 The risks of non-compliance with the EU GDPR Not complying with the EU GDPR (General Data Protection Regulation) leads to significant fines and compliance risks. The EU created two tiers of maximum fines for companies violating the GDPR. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower threshold fine is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher. You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52012PC0011
  • 6. May 10, 2016 Page 5 What is considered privacy relevant information? There are many elements of personal information. Some examples are name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, IP address (some jurisdictions), business and personal -addresses, - phone numbers, -email addresses, internal identification numbers, credit card and bank account numbers, government-issued identification numbers (social security, drivers license numbers, etc.) and identity verification information, etc. It is important to remember business data elements can be considered personal information as well. “Personal data” is defined as “any information relating to an identified or identifiable natural person”
  • 7. May 10, 2016 Page 6 The General Data Protection Regulation in short The highlights of the EU GDPR are displayed above and require an update of your privacy program On the next slides we focus on the translation of some of the GDPR articles to the SAP context
  • 8. May 10, 2016 Page 7 The identification of personal data in SAP The GDPR requires the designation of a data protection officer and the execution of DPIA’s. One of his/her tasks? Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits. DPIAs (Data Privacy Impact Assessments) are used to identify potential privacy issues, evaluate whether the benefits of a project outweigh its risks, implement privacy by design, conduct internal auditing for compliance with legal, regulatory, industry and organizational standards. Do you know how to identify, monitor and audit the use of personal data in SAP?
  • 9. May 10, 2016 Page 8 Explicit consent for processing personal data in SAP The GDPR requires explicit consent for the processing of (special categories of) personal data. How to request or trigger explicit consent regarding personal data (to be) processed in SAP?
  • 10. May 10, 2016 Page 9 Erasure or blocking of personal data (right to be forgotten) Under GDPR Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful. Do you know how to erase or block personal data in SAP in a consistent way?
  • 11. May 10, 2016 Page 10 The transfer of personal data out of the EU The GDPR makes clear that it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country. It also imposes hefty monetary fines for transfers in violation of the Regulation. Do you know how to restrict the (unlawful) transfer of personal data stored in SAP systems?
  • 12. May 10, 2016 Page 11 Protect personal data in non productive systems The GDPR encourage data pseudonymization - defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”. Data encryption, pseudo- and anonymization, etc. are means of protecting the rights of individuals while also allowing controllers to benefit from the data’s utility – in the SAP context e.g. the use of SAP data in test and quality assurance systems. Do you know how to (pseudo) anonymize or encrypt personal data in non productive SAP systems?
  • 13. May 10, 2016 Page 12 Data breach notifications within 72 hours “Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In the event of a personal data breach, data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” Do you know how to prevent and/or detect a data breach in SAP or control the download of privacy relevant data from SAP systems?
  • 14. May 10, 2016 Page 13 Information security = information privacy? The term information privacy refers to the handling, controlling, sharing and disposal of personal information while the term information security includes a very wide range of activities both physical and administrative that protect not only personal information, but any type of information or information asset that supports a business. The difference between information privacy and information security supports the statement, “You can have security without privacy…but you cannot have privacy without security.” For example, a secure computer with solid access controls may be secure however if access controls were not assigned correctly privacy may become an issue. In these slides we focus mainly on the protection of privacy relevant SAP information.
  • 15. May 10, 2016 Page 14
  • 16. May 10, 2016 Page 15 Mitigating the violation of data privacy laws in SAP Organizations handling privacy relevant data in the context of SAP systems might need some practical guidance on how to mitigate the risk of violating data privacy regulations. In this section we show some of the practical examples on how to mitigate the risk of violating data privacy regulations in SAP environments.
  • 17. May 10, 2016 Page 16 Some examples of data privacy measures in SAP Data privacy topic Applicable to SAP system, functionality or data Supporting SAP functionality Supporting 3rd party functionality Data privacy impact assessment on SAP data SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. AIS (Audit system), special reports, GRC, etc. Activate explicit consent for processing of personal data SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. Standard SAP Restrict / limit access to privacy relevant data SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. Standard SAP Blocking of privacy relevant data (if can’t be deleted) SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. Standard SAP Destruction of privacy relevant SAP data SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. SAP ILM RM (part of standard SAP) Data encryption, masking, anonymizations, etc. Privacy relevant data in all NON productive SAP systems SAP TDMS 4.0 EPI-USE, Dolphin, etc. Data protection & prevention of data leakage (outside SAP) SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. SAP Authorizations, AIS (Audit system). External DLP solution providers like Secude, etc. Monitor unlawful access to privacy relevant or sensitive data in SAP SAP ECC (HCM,SD,FI, etc.), BW, CRM, SRM, IS-*, etc. Read Access Logging (RAL), SAP Enterprise Threat detection, etc. Different external solution providers Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access
  • 18. May 10, 2016 Page 17 Conducting data privacy impact assessments in SAP Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: organizations handling privacy relevant (personal) data are obliged to execute DPIA‘s (Data Privacy Impact Assessments) under the EU GDPR. Organizations need to evaluate the personal data they have; categorizing the data so they are clear where the personal and sensitive data resides and where other less important data sits in the company. What are some of the instruments that can support you in conducting a DPIA on SAP data?
  • 19. May 10, 2016 Page 18 Some Data Privacy Impact Assessment questions In a DPIA different types of questions might be raised such as: • What data is collected and from which source(s) and why? • Where and how the recorded data is stored (in SAP). • Who (roles/individuals) has access (consulting, updating, etc.) to the data? • What the data is used for, and how it passes both between systems and to data consumers. • How long should data be retained? • Who is responsible for the data at both an operational and a strategic level. It is not always easy to answer some of these questions when you are using a system with a impressive data model and broad functionality like SAP. Where is privacy relevant data actually stored in SAP?
  • 20. May 10, 2016 Page 19 DPIA’s in SAP – Identify privacy relevant data (I) There are reports available in SAP to identify where in the data model of SAP privacy relevant information could be stored (including your custom developments). Categorizing the data so that it becomes clear where the personal and sensitive data resides in SAP is an important step in your Data Privacy Impact Assessment.
  • 21. May 10, 2016 Page 20 DPIA’s in SAP – Identify privacy relevant data (II) Another useful step is to identify if you actually store privacy relevant data in SAP – and this should be assessed at least once a year. Audit Information System reports can support you in this task.
  • 22. May 10, 2016 Page 21 DPIA’s in SAP – Identify privacy relevant data (III) Once it is clear where privacy relevant data is stored in SAP, you want to know who has access to it and the type of actions that can be executed by the users/roles (this can be done using e.g. GRC and other tools). It is also relevant to check who can access privacy relevant data directly on database level using a table browser like e.g. SE16 – often used as backdoor to access data.
  • 23. May 10, 2016 Page 22 Supporting data privacy assessments in SAP Once organisations understand just what personal data they have, they should then ensure that regular risk assessments are completed to understand the degree of threat imposed on the company when processing privacy relevant data in SAP. There are many tools and reports available in SAP that can support you in conducting your Data Privacy Impact Assessment in SAP in a structured way, we just scratched on the surface of the possibilities. Knowing (and measuring) your risks is key for a solid data privacy program.
  • 24. May 10, 2016 Page 23 Explicit consent for processing of personal data Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: the GDPR requires explicit consent for the processing of personal data. There are different options available in SAP to enforce the explicit consent for the processing of privacy relevant data.
  • 25. May 10, 2016 Page 24 Data privacy – requesting explicit consent in SAP 24 Individuals have rights when it comes to the collection & processing of personal information. Consent and choice are two of those rights. As a result, organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. There are different options in SAP to request explicit consent for the storage and processing of personal data in for example HCM (employee data and in e-recruiting), ECC, SRM, CRM, IS*, etc. Processing personal data in SAP without explicit consent is unlawful and should be avoided.
  • 26. May 10, 2016 Page 25 Blocking of personal data in SAP Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: the GDPR gives data subjects the right to have their personal data erased. However, personal data sometimes cannot be erased due to data consistency rules, other (overruling) legislation. In some cases privacy relevant (master)data must be blocked for further access and/or processing in SAP.
  • 27. May 10, 2016 Page 26 Blocking privacy relevant data 26 SAP delivers business functions for the blocking of personal (business partner) data that can’t be deleted instantly for different reasons (SAP data consistency or data must be preserved longer due to overruling legal or fiscal legislation, etc.).
  • 28. May 10, 2016 Page 27 Right to be forgotten and erasure of personal SAP data Context: the GDPR gives data subjects the right to have their personal data erased, provided that certain conditions are met. SAP offers > 100 so called data destruction objects for the rule based and compliant erasure of privacy relevant SAP data (for e.g. ECC6, CRM, SRM, IS*, etc.). This is delivered by the SAP functionality called SAP ILM (Information Lifecycle Management). Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access
  • 29. May 10, 2016 Page 28 Placing information under corporate control Definition of a ‘RECORD’ SOX GAAP EU GDPR BASEL II/III HIPAA Etc. Corporate information that is subjected to legislation must be managed as a “record” using records management principles in order to manage, preserve and destruct the information according rules
  • 30. May 10, 2016 Page 29 Introduction of SAP ILM The lifecycle of information (put under corporate control) can be managed with SAP Information Lifecycle management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data and documents in a controlled way using records management & retention policies.
  • 31. May 10, 2016 Page 30 Data destruction objects For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so called data destruction objects. Alone in SAP module HCM we find more then 100 data destruction objects, and the SAP HCM data destruction objects can (in most of the cases) be used without additional SAP license implications.
  • 32. May 10, 2016 Page 31 Retention policy: manage the lifecycle of your data Privacy relevant data should be managed in alignment with other legislation based on retention rules. Other (overruling) legislation – e.g. tax regulation – might require the preservation of privacy relevant data, blocking e.g. the destruction of financial data containing privacy relevant data. With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.
  • 33. May 10, 2016 Page 32 Data destruction in SAP Based on the defined retention rules in SAP ILM it is possible to comply with the GDPR rule to destroy privacy relevant SAP data in a controlled way.
  • 34. May 10, 2016 Page 33 Data protection in non productive SAP systems Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: the GDPR prohibit the unauthorized access to personal data and encourage the (pseudo) anonymization of data when possible. How do you give developers, testers and contract workers access to a non-production system without endangering your data privacy and data security regulations? Encrypting or (pseudo) anonymization might be the answer.
  • 35. May 10, 2016 Page 34 Data protection in context and some terminology Even if great care is taken to set up authorizations, design roles and isolate duties in the production environment, these authorizations do not work in non-production systems. How do you give developers, testers and contract workers access to a non-production system without endangering data privacy and data security? Data encryption or (pseudo)anonymization might be the answer. Terminology explained We speak of anonymity if the identity of a person is not known or if a person does not wish to make his identity known. Pseudonymization and anonymization are both techniques by means of which the identity of a person can no longer be traced. Pseudonymization is a procedure by means of which identifying data with a particular algorithm are replaced by encrypted data (the pseudonym). The algorithm can always calculate the same pseudonym for a person, by means of which information about the person, also from various sources, can be combined. Pseudonymization distinguishes itself in this way from anonymization, because linking information to a person, from various sources, is not possible with anonymization. (source wikipedia.org)
  • 36. May 10, 2016 Page 35 SAP TDMS 4.0: scramble privacy relevant data SAP offers, with SAP TDMS 4.0, the option to scramble privacy relevant data in non productive SAP systems. (see SAP slide of TDMS 4.0 above)
  • 37. May 10, 2016 Page 36 3rd party solutions for SAP data encryption Other (SAP certified 3rd party) vendors do deliver data encryption and (pseudo)anonymization tools for SAP data as well. Note: under the GDPR, a data breach (especially data theft) of encrypted data still must be reported to the authorities – data security remains of vital importance in al cases.
  • 38. May 10, 2016 Page 37 Data theft & data leakage prevention of SAP data Context: the GDPR also introduces the need for organizations to prepare a data breach notification plan in the event that something does actually go wrong. However, it is vital to prevent data leakage! How can you actually prevent that privacy relevant SAP data can be “leaked” and distributed outside your organization? Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access
  • 39. May 10, 2016 Page 38 Is privacy relevant data leaving your SAP system? Privacy relevant data should only be downloaded from SAP when authorized (ensure a adequately configured authorization concept). Misuse of personal data by the download function and/or the XXL/ALV List Viewer is prohibited under the GDPR (considered a data breach/data leakage). Even with appropriate SAP authorizations it is often difficult to control what happens with the data outside the controlled SAP environment – however there are tools to overcome that hurdle.
  • 40. May 10, 2016 Page 39 Data leakage prevention in SAP 39 Not many companies are aware of what sensitive/privacy relevant data is leaving their systems. Often, that sensitive information is sent to unsecure locations such as unprotected mobile devices, and public cloud environments. There are 3rd party tools that can block the download of sensitive data from SAP – not only useful for compliance with regulations, but also to protect your IP, etc.
  • 41. May 10, 2016 Page 40 Controlled access to downloaded SAP data (1) 40 With 3rd party software you can combine SAP authorizations (controlling access to privacy relevant data in SAP) with MS Digital Right Management (controlling access to privacy relevant data outside the SAP environment). With this concept you can protect SAP data even when it is leaving SAP.
  • 42. May 10, 2016 Page 41 Controlled access to downloaded SAP data (2) 41 Using these kind of SAP certified 3rd party tools, you can get a grip on the sensitive / privacy relevant data that is leaving your SAP systems in a controlled and auditable way.
  • 43. May 10, 2016 Page 42 Monitor the access to privacy relevant SAP data Audit SAP data privacy Enforce explicit consent Restrict data access Blocking of SAP data Destroy SAP data Encrypt, Mask, etc. Prevent SAP data leakage Monitor unlawful data access Context: a data breach covers under the GDPR different unauthorized activities. Unauthorized access to & processing of privacy relevant data (not only by hackers also by the employees of the organization) is considered a data breach that must be reported within 72 hours. How can you actually detect that privacy relevant SAP data has been accessed unauthorized? SAP delivers different instruments to monitor the unlawful access of privacy relevant SAP data.
  • 44. May 10, 2016 Page 43 Monitoring databreaches in SAP If data is leaked, companies must inform the Data Protection Authority (DPO) within two working days of them being aware of the breach. All data breaches must be sufficiently documented. So organizations must indicate exactly where in the systems breaches have taken place and what consequences they have. They must also inform the owners of the leaked data. SAP offers a standard tool (as part of NetWeaver) to monitor the unauthorized access to (privacy relevant) data – even if this is “just looking” at privacy relevant data. The name of the tool is RAL (Read Access Logging) and it can monitor the access to data from many different channels.
  • 45. May 10, 2016 Page 44 RAL (Read Access Logging) - 1 With RAL you can define and categorize the logging purpose, domains and object yourself.
  • 46. May 10, 2016 Page 45 RAL (Read Access Logging) - 2 Access to privacy relevant SAP data via different channels (Gui, internet, RFC) can be logged in a flexible way so that you can determine what needs to be logged in detail. RAL can help you significantly in detecting and logging data breaches in SAP.
  • 47. May 10, 2016 Page 46 Closure In this presentation we presented some of the available options in SAP to mitigate data privacy risks Looking for expertise to enforce data privacy in your SAP systems? Don’t hesitate to consult us!
  • 48. May 10, 2016 Page 47 Nico J. W. Kuijper, D&IM Services SAP Archiving, Information Lifecycle Management, ECM & (SAP) Data Privacy Consultancy Email: nico.kuijper@d-im-services.com - Phone: 0031(0)20 615 82 89 DISCLAMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. D&IM Services assumes no responsibility for errors or omissions in this document, except if such damages were caused intentionally or grossly negligent.