Contributors:
Table of Contents
1. BACKGROUND (page 2)
2. GDPR: KEY PRINCIPLES (page 2)
2.1 Enshrining The Rights of Individuals (page 3)
2.2 Protecting Personal Data Against Security Threats (page 4)
2.3 Demonstrating Compliance (page 5)
2.4 Notification of Breaches (page 5)
3. WHERE DO WE START? (page 6)
3.1 Appoint a Data Privacy Officer and Identify Personal Data (page 6)
3.2 Setup Data Retention Management (page 7)
3.3 Securing SAP and Managing Vulnerability (page 7)
4. HOW CAN HCL HELP? (page 8)
4.1 Formal Data Analysis (page 8)
4.2 Archive Development Kit (ADK) (page 8)
4.3 Information Lifecycle Management (ILM) * (page 8)
4.4 Data anonymization as a Service * (page 9)
4.5 SAP Test Data Management System (TDMS) * (page 9)
4.6 UI Logging of SAP GUI for Windows (LOGWIN) (page 9)
4.7 Read Access Logging (page 10)
4.8 Database Encryption * (page 10)
4.9 Custom Code (page 10)
5. SELECTING THE RIGHT TOOLS (page 11)
4/20/2018
SAP GDPR COMPLIANCE – WHITE PAPER
1. BACKGROUND
In May 2016, the European Union (EU) adopted a newly harmonized data protection law called the
General Data Protection Regulation (GDPR).
As of May 25, 2018, GDPR will be directly applicable law in all member states of the EU and the
European Economic Area (EEA). While GDPR does not introduce many substantially new concepts, it
increases the compliance requirements of data controllers and personal data processors.
In summary, GDPR aims to harmonize data protection requirements across Europe. Customers
(“controllers” as defined by Art. 4 (7) of the GDPR) and service providers (“processors” as defined by
Art. 4 (8) of the GDPR) must implement many new legal requirements, which will substantially affect
their businesses.
Controllers and processors each need to verify which obligations under the GDPR apply to them and
how to implement them accordingly.
For organizations preparing to comply with the GDPR, Article 5 outlines the key data privacy principles
to be followed:
The use of any data collected must be specific, explicit and legitimate.
Use of the data should be limited to the purpose for which the data was requested.
Organizations need to reasonably ensure that personal data is accurate and up to date.
2.1 Enshrining The Rights of Individuals
1. The right to be informed about how the data that they provide will be used.
2. The right of access to their personal data and how it is processed.
3. The right to rectification if the data held is inaccurate or incomplete (including instances where
data has been disclosed to third parties).
4. The right to erasure - or ‘the right to be forgotten’ - individuals can request that their personal
data be deleted.
5. The right to restrict processing - where just enough information about an individual is held but
not processed.
6. The right to data portability so individuals can obtain and reuse their personal data for their
own purposes across different services.
7. The right to object to processing, for instance profiling, direct marketing, and
processing for purposes of scientific/historical research and statistics.
GDPR Article 17 - Right to erasure (‘right to be forgotten’) - Individuals have the right to
have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and
only applies in certain circumstances.
1. the personal data is no longer necessary for the purpose which you originally collected or processed
it for;
2. you are relying on consent as your lawful basis for holding the data, and the individual withdraws
their consent;
3. you are relying on legitimate interests as your basis for processing, the individual objects to the
processing of their data, and there is no overriding legitimate interest to continue this processing;
4. you are processing the personal data for direct marketing purposes and the individual objects to
that processing;
5. you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the
1st principle);
6. you must do it to comply with a legal obligation; or
7. you have processed the personal data to offer information society services to a child.
2.2 Protecting Personal Data Against Security Threats
Protecting personal data against security threats is specifically declared as a core requirement of
the GDPR.
GDPR talks about integrating the “necessary safeguards into the processing” (GDPR Article 25(1),
“Data protection by design and by default”), and accounting for risks presented by processing, “in
particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or
access to personal data transmitted, stored or otherwise processed” (GDPR Article 32(2), “Security
of processing”).
Protecting data during transmission is explicitly called out in this context—to avoid possible leakage
and minimize these risks.
GDPR Article 32(1) — “Security of processing” states that an organization must implement
appropriate technical and organizational measures to ensure a level of security appropriate to the risk,
including inter alia as appropriate:
2.3 Demonstrating Compliance
Article 25 of GDPR specifies that companies are expected to demonstrate that they have addressed
“Data Protection by Design and Default”.
This means that organizations will need to invest in technology, processes and training to secure
and manage personal data. This also requires that organizations undergo regular third-party audits
to ensure that controls are enforced and can submit this evidence to the regulator upon request.
2.4 Notification of Breaches
Under Article 33 of the GDPR guidelines, organizations have a responsibility to report data breaches
to the relevant supervisory authorities within 72 hours of the organization becoming aware of them.
If the breach is sufficiently serious, the organization should also notify the public. Failure to report
breaches could result in a significant fine up to 10 million Euros or 2 percent of an organization’s
global turnover.
3. WHERE DO WE START?
For successful implementation of GDPR in SAP systems, there are three essential areas that need to be
covered:
3.1 Appoint a Data Privacy Officer and Identify Personal Data
The General Data Protection Regulation (GDPR) states that personal information constitutes any
information relating to an identifiable person.
This includes a variety of information from names to any information that can identify an individual.
Personal data may show up in any number of documents in the SAP systems and the first step is to
find a competent authority to pinpoint the personal data stored in SAP and document them for
handling.
Hence, as a first step, it is essential for any organization to set up a ‘Data Privacy Office’ and a
designated Data Privacy Officer (DPO).
GDPR is explicit about the tasks that DPOs are required to perform. They include the following:
a) Inform and advise the organization and its employees of their data protection obligations
under the GDPR.
b) Monitor the organization’s compliance with the GDPR and internal data protection policies
and procedures. This will include monitoring the assignment of responsibilities, awareness
training, and training of staff involved in processing operations and related audits.
c) Define and identify ‘personal’ data in the SAP landscape.
d) Advise on the necessity of data protection impact assessments (DPIAs), the manner of their
implementation and their outcomes.
e) Serve as the contact point to the data protection authorities for all data protection issues,
including data breach reporting.
f) Serve as the contact point for individuals (data subjects) on privacy matters, including
subject access requests.
3.2 Setup Data Retention Management
Data minimization is a key GDPR privacy principle. In short, it states that organizations should
collect only the smallest amount of personal data for the shortest period and delete it promptly after
it has served its purpose. Less data held means less data to protect.
Hence a data retention mechanism, based on the organization’s need to retain transactional
data, needs to be set up in SAP systems.
3.3 Securing SAP and Managing Vulnerability
The implementation of GDPR must lead to a redesign of the processes for managing user access to
the components of your SAP landscape and of the governance rules regarding access to personal data.
HCL will provide technical expertise to assess and advise on suitable SAP solutions to achieve GDPR
compliance. However, it would be the responsibility of the Data Protection Officer (DPO) to validate and
confirm that the implemented solution meets GDPR compliance standards.
4. HOW CAN HCL HELP?
GDPR is so vast that there is no single solution on the market that addresses all compliance areas.
Product solutions only address a subset of it, often a small one.
Hence, based on the priorities set by the organization’s Data Privacy Office to cover GDPR compliance
requirements, HCL can leverage various supplementary products delivered by SAP or other SAP-verified
third parties. Some of the products for which HCL can provide expertise or offer to implement are:
4.1 Formal Data Analysis
After personal data identification of the ECC system has been performed by the Data Privacy Office managed
by your organization, HCL provides a service in which we investigate all SAP systems, using the results
of the personal data identification, to find all tables and archival objects to which data retention
rules or pseudonymization need to be applied.
4.4 Data anonymization as a Service *
a) Data as a service, where cloud providers could give access to anonymized user profile data
for advertising purposes, or telecommunication providers give access to anonymized
location data for city planning purposes.
b) Telemetry and IoT, where car fleet managers could share anonymized car usage patterns
with manufacturers, or energy suppliers could provide smart meter analytics based on
anonymized usage data.
c) Healthcare, where hospitals could make anonymized patient data available for researchers
and insurers.
d) Archiving, where insurers could store anonymized historical data to be able to keep it even
after the legal deletion periods.
4.8 Database Encryption *
SAP HANA has comprehensive encryption capabilities for data at rest and in motion.
a) The new column encryption: you specify which columns in a table should be encrypted.
b) Real-time data anonymization lets you gain analytic insights from your data while
protecting the privacy of individuals.
c) Native masking techniques such as dynamic table masking, dynamic view masking etc.
MSSQL provides many data encryption methods that can be applied, such as Transparent Data
Encryption (TDE), Transport Layer Security (TLS), etc.
* Indicates products for which additional licenses may be required and to be procured by your
organization.
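The three controls this paper keeps returning to (purpose-bound retention and erasure from section 3.2, pseudonymization of identifiers from section 4.1/4.4, and role-dependent dynamic masking of the kind section 4.8 attributes to SAP HANA) are easier to reason about when seen side by side on concrete rows. The following is an added illustration written for this page; it is not HCL's, SAP's or any product's code. The table layout, field names, retention periods, roles and the HMAC key are all constructed assumptions, and the rows are plain Python dicts standing in for an SAP customer table.

```python
"""
Added illustration (not HCL or SAP code): retention, pseudonymization and
dynamic masking applied to a constructed customer table.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed retention policy: days a record may be kept after its last
# activity, per processing purpose. Real periods are set by the DPO.
RETENTION_DAYS = {"order_fulfilment": 365 * 2, "marketing": 180}

# Constructed: which fields count as personal data in this table.
PERSONAL_FIELDS = ("name", "email", "phone")

# Constructed sample rows (no real persons).
SAMPLE_ROWS = [
    {"id": 1001, "name": "Anna Rossi", "email": "anna.rossi@example.com",
     "phone": "+39 055 000000", "purpose": "order_fulfilment",
     "last_activity": date(2017, 1, 15)},
    {"id": 1002, "name": "Ben Okafor", "email": "ben@example.org",
     "phone": "+44 20 0000 0000", "purpose": "marketing",
     "last_activity": date(2018, 3, 1)},
    {"id": 1003, "name": "Chloe Martin", "email": "c.martin@example.net",
     "phone": "+33 1 00 00 00 00", "purpose": "marketing",
     "last_activity": date(2017, 6, 30)},
]


def apply_retention(rows, today):
    """Split rows into (kept, expired). A row with an unknown purpose has no
    documented lawful basis for retention, so it is treated as expired
    rather than silently kept."""
    kept, expired = [], []
    for row in rows:
        days = RETENTION_DAYS.get(row["purpose"])
        if days is not None and row["last_activity"] + timedelta(days=days) >= today:
            kept.append(row)
        else:
            expired.append(row)
    return kept, expired


def pseudonymize(rows, key):
    """Replace each personal field with an HMAC-SHA256 token. Equal inputs give
    equal tokens, so joins across tables still work, but without `key` the
    token cannot be reversed or linked to a person. The key must live
    outside the analytics system that receives the output."""
    out = []
    for row in rows:
        p = dict(row)
        for field in PERSONAL_FIELDS:
            digest = hmac.new(key, p[field].encode("utf-8"), hashlib.sha256).hexdigest()
            p[field] = "pseudo:" + digest[:16]
        out.append(p)
    return out


def mask_email(value):
    """'anna.rossi@example.com' -> 'a***@example.com'."""
    local, _, domain = value.partition("@")
    return local[:1] + "***@" + domain


def mask_phone(value):
    """Keep only the last two digits; everything else becomes '*'."""
    digits = [c for c in value if c.isdigit()]
    return "*" * max(len(digits) - 2, 0) + "".join(digits[-2:])


MASKERS = {"name": lambda v: v[:1] + "***", "email": mask_email, "phone": mask_phone}


def view_for_role(rows, role, unmask_roles=("dpo",)):
    """Dynamic masking: the same query returns clear values only to roles that
    hold the (constructed) unmask privilege; everyone else sees masked data."""
    if role in unmask_roles:
        return [dict(r) for r in rows]
    return [{k: (MASKERS[k](v) if k in MASKERS else v) for k, v in r.items()}
            for r in rows]


def demo(today=date(2018, 4, 20), key=b"constructed-demo-key"):
    """Run the three controls in order and return the ids and views produced."""
    kept, expired = apply_retention(SAMPLE_ROWS, today)
    return {
        "kept_ids": [r["id"] for r in kept],
        "expired_ids": [r["id"] for r in expired],
        "pseudonymized": pseudonymize(kept, key),
        "analyst_view": view_for_role(kept, "analyst"),
        "dpo_view": view_for_role(kept, "dpo"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The order matters: retention runs first so that expired rows are erased rather than pseudonymized and kept "just in case", which is exactly the archiving pattern in section 4.4 that requires true anonymization rather than a keyed token. Note that HMAC output is pseudonymous, not anonymous: whoever holds the key can re-identify, so the key needs the same access control as the clear data.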
5. SELECTING THE RIGHT TOOLS
Based on the suggested tools, the Data Privacy Office of your organization can choose which of the
various tools to implement, according to its usage, to satisfy its GDPR compliance needs.
The table below maps the technical components against the solution aspects described, to achieve
compliance with GDPR requirements.
Additional information about the GDPR is available on the official GDPR website of the EU.
Thank You