
Published on April 20, 2018

SAP GDPR COMPLIANCE – WHITE PAPER


Getting your SAP Landscape GDPR Compliant

Author: Prashanth Shankarr N, Technical Architect

Contributors:

1. Shanmuga Sundaram P, Lead Consultant

2. Balasubramaniyan Thiyagarajan, Basis Architect

Reviewer: Arvind Prabhu Shankar S, Project Manager



Table of Contents

1. BACKGROUND (p. 2)
2. GDPR: KEY PRINCIPLES (p. 2)
2.1 Enshrining the Rights of Individuals (p. 3)
2.2 Protecting Personal Data Against Security Threats (p. 4)
2.3 Demonstrating Compliance (p. 5)
2.4 Notification of Breaches (p. 5)
3. WHERE DO WE START? (p. 6)
3.1 Appoint a Data Privacy Officer and Identify Personal Data (p. 6)
3.2 Set up Data Retention Management (p. 7)
3.3 Securing SAP and Managing Vulnerability (p. 7)
4. HOW CAN HCL HELP? (p. 8)
4.1 Formal Data Analysis (p. 8)
4.2 Archive Development Kit (ADK) (p. 8)
4.3 Information Lifecycle Management (ILM) * (p. 8)
4.4 Data Anonymization as a Service * (p. 9)
4.5 SAP Test Data Management System (TDMS) * (p. 9)
4.6 UI Logging of SAP GUI for Windows (LOGWIN) (p. 9)
4.7 Read Access Logging (p. 10)
4.8 Database Encryption * (p. 10)
4.9 Custom Code (p. 10)
5. SELECTING THE RIGHT TOOLS (p. 11)

4/20/2018 1

1. BACKGROUND

In May 2016, the European Union (EU) adopted a newly harmonized data protection law called the
General Data Protection Regulation (GDPR).

As of May 25, 2018, GDPR will be directly applicable law in all member states of the EU and the
European Economic Area (EEA). While GDPR does not introduce many substantially new concepts, it
increases the compliance requirements of data controllers and personal data processors.

In summary, GDPR aims to harmonize data protection requirements across Europe. Customers
(“controllers” as defined by Art. 4 (7) of the GDPR) and service providers (“processors” as defined by
Art. 4 (8) of the GDPR) must implement many new legal requirements, which will substantially affect
their businesses.

Controllers and processors each need to verify which obligations under the GDPR apply to them and
how to implement them accordingly.

2. GDPR: KEY PRINCIPLES

For organizations preparing to comply with the GDPR, Article 5 outlines the key data privacy principles
to be followed:

- Personal data should be processed fairly and transparently by organizations.
- The use of any data collected must be specific, explicit and legitimate.
- Use of the data should be limited to the purpose for which the data was requested.
- Organizations need to reasonably ensure that personal data is accurate and up to date.


2.1 Enshrining the Rights of Individuals

GDPR Articles 15-22 outline the following rights for individuals:

1. The right to be informed about how the data that they provide will be used.
2. The right of access to their personal data and how it is processed.
3. The right to rectification if the data held is inaccurate or incomplete (including instances where
data has been disclosed to third parties).
4. The right to erasure - or ‘the right to be forgotten’ - individuals can request that their personal
data be deleted.
5. The right to restrict processing - where just enough information about an individual is held but
not processed.
6. The right to data portability so individuals can obtain and reuse their personal data for their
own purposes across different services.
7. The right to object to processing in the form of profiling for instance, direct marketing and
processing for purposes of scientific/historical research and statistics.

GDPR Article 17 - Right to erasure (‘right to be forgotten’) - Individuals have the right to
have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and
applies only in the following circumstances:

1. the personal data is no longer necessary for the purpose for which you originally collected or
processed it;
2. you are relying on consent as your lawful basis for holding the data, and the individual withdraws
their consent;
3. you are relying on legitimate interests as your basis for processing, the individual objects to the
processing of their data, and there is no overriding legitimate interest to continue this processing;
4. you are processing the personal data for direct marketing purposes and the individual objects to
that processing;
5. you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the
1st principle);
6. you must do it to comply with a legal obligation; or
7. you have processed the personal data to offer information society services to a child.


2.2 Protecting Personal Data Against Security Threats

Protecting personal data against security threats is specifically declared as a core requirement of
the GDPR.

GDPR talks about integrating the “necessary safeguards into the processing” (GDPR Article 25(1),
“Data protection by design and by default”), and accounting for risks presented by processing, “in
particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or
access to personal data transmitted, stored or otherwise processed” (GDPR Article 32(2), “Security
of processing”).

Protecting data during transmission is explicitly called out in this context—to avoid possible leakage
and minimize these risks.

GDPR Article 32(1) — “Security of processing” states that an organization must implement
appropriate technical and organizational measures to ensure a level of security appropriate to the risk,
including inter alia as appropriate:

1. The pseudonymization and encryption of personal data.
2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing
systems and services.
3. The ability to restore the availability and access to personal data in a timely manner in the event of
a physical or technical incident.
4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and
organizational measures for ensuring the security of the processing.


2.3 Demonstrating Compliance

Article 25 of GDPR specifies that companies are expected to demonstrate that they have addressed
“Data Protection by Design and Default”.

This means that organizations will need to invest in technology, processes and training to secure
and manage personal data. This also requires that organizations undergo regular third-party audits
to ensure that controls are enforced and can submit this evidence to the regulator upon request.

GDPR Article 25 — “Data protection by design and default”: Control exposure to personal data.

1. Control accessibility – who is accessing data and how.
2. Minimize data being processed in terms of amount of data collected, extent of processing,
storage period, and accessibility.
3. Include safeguards for control management integrated into processing.

2.4 Notification of Breaches

Under Article 33 of the GDPR guidelines, organizations have a responsibility to report data breaches
to relevant supervisory authorities within 72 hours of the organization becoming aware of it.

If the breach is sufficiently serious, the organization should also notify the public. Failure to report
breaches could result in a significant fine up to 10 million Euros or 2 percent of an organization’s
global turnover.

GDPR Article 33 — “Notification of a personal data breach to the supervisory authority”:

1. Detect and notify of breach in a timely manner (72 hours).
2. Assess impact on and identification of personal data records concerned.
3. Describe measures to address breach.


3. WHERE DO WE START?

For successful implementation of GDPR in SAP systems, there are three essential areas that need to be
covered:

3.1 Appoint a Data Privacy Officer and Identify Personal Data

The General Data Protection Regulation (GDPR) states that personal information constitutes any
information relating to an identifiable person.

This includes a variety of information from names to any information that can identify an individual.

“'personal data' means any information relating to an identified or identifiable natural
person 'data subject'; an identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person”

- Art. 4 Sec. 1 GDPR

Personal data may show up in any number of documents in the SAP systems and the first step is to
find a competent authority to pinpoint the personal data stored in SAP and document them for
handling.

Hence, it is essential for any organization, as a first step, to set up a ‘Data Privacy Office’ and a
designated Data Privacy Officer (DPO).

GDPR is explicit about the tasks that DPOs are required to perform. They include the following:

a) Inform and advise the organization and its employees of their data protection obligations
under the GDPR.
b) Monitor the organization’s compliance with the GDPR and internal data protection policies
and procedures. This will include monitoring the assignment of responsibilities, awareness
training, and training of staff involved in processing operations and related audits.
c) Define and Identify ‘personal’ data in SAP landscape.


d) Advise on the necessity of data protection impact assessments (DPIAs), the manner of their
implementation and their outcomes, and on the implementation of GDPR compliance tools.
e) Serve as the contact point to the data protection authorities for all data protection issues,
including data breach reporting.
f) Serve as the contact point for individuals (data subjects) on privacy matters, including
subject access requests.

3.2 Set up Data Retention Management

Data minimization is a key GDPR privacy principle. In short, it states that organizations should
collect only the smallest amount of personal data for the shortest period and delete it quickly after
it has served its purpose. Less data held means less data to protect.

Hence a data retention mechanism, based on the organization’s need to retain the transactional
data, needs to be set up in SAP systems.

3.3 Securing SAP and Managing Vulnerability

The implementation of GDPR must lead to a redesign of the processes for managing user access to
the components of your SAP landscape and governance rules regarding access to personal data.

This may include measures such as:

a) Time-sliced data for refresh of non-production environments.
b) Pseudonymization of data in non-production and production environments.
c) Encryption of underlying databases and backup files.
d) Logging and proactive monitoring of user access to personal data.

HCL will provide technical expertise to assess and advise on suitable SAP solutions to achieve GDPR
compliance. However, it is the responsibility of the Data Protection Officer (DPO) to validate and
confirm that the implemented solution meets GDPR compliance standards.


4. HOW CAN HCL HELP?

GDPR is so broad that there is no single solution on the market that addresses all compliance areas.
Product solutions address only a subset of it, often a small one.

Hence based on the priorities set by the organization’s Data Privacy Office to cover GDPR compliance
requirements, HCL can leverage various supplementary products delivered by SAP or other SAP-verified
third parties. Some of the products HCL can provide expertise or offer to implement are:

4.1 Formal Data Analysis


Proving that all types of personal data have been identified is essential to meet GDPR compliance.
In any system of a certain age where no individual can have a 100% overview, it is necessary to
perform a formal data analysis which can identify archival objects, standard tables and custom (Z)
tables where personal data could be stored.

After personal data identification of the ECC system has been performed by the Data Privacy Office
of your organization, HCL provides a service in which we investigate all SAP systems using the results
of that identification to find all tables and archival objects to which data retention rules or
pseudonymization need to be applied.

4.2 Archive Development Kit


The Archive Development Kit (ADK), which is delivered with SAP NetWeaver, is the technical
framework and basis for SAP’s data archiving solution. ADK is SAP’s standard mechanism for simple
data archiving and retention of all SAP standard objects.

4.3 Information Lifecycle Management


ILM* is an enhancement of SAP’s standard ADK that offers the following additional
functionalities:
a) Simplified and flexible setup of residence and retention rules for each ILM-enabled archival
object.
b) Storage of archived data in SAP-certified WORM storage systems.
c) Simplified blocking, masking and deletion of customer data.
d) Legal hold management.
e) E-discovery.
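The residence and retention rules that section 3.2 calls for and that ILM configures are easiest to understand as a small decision function over dates. The following is an added illustration written for this paper, not HCL's or SAP's code: the archiving-object names follow SAP's naming style, but the day counts, the record layout and the action names (keep online, block, destroy, hold) are hypothetical and stand in for whatever the Data Privacy Office decides.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed residence/retention rules per archiving object (hypothetical values).
# residence: days a record must stay in the online database after its business
# purpose ended; retention: days it must be kept (online or archived) before it
# may be destroyed.
RULES = {
    "SD_VBAK":   {"residence_days": 365, "retention_days": 10 * 365},  # sales documents
    "HR_PERSON": {"residence_days": 90,  "retention_days": 3 * 365},   # HR master data
}

TODAY = date(2018, 4, 20)  # evaluation date used by the sample run


@dataclass
class Record:
    object_name: str        # archiving object the record belongs to
    key: str                # document or personnel number
    end_of_purpose: date    # day the business purpose ended (contract closed, etc.)
    legal_hold: bool = False


def lifecycle_dates(record: Record):
    """ISO dates at which residence and retention end for this record."""
    rule = RULES[record.object_name]
    end_residence = record.end_of_purpose + timedelta(days=rule["residence_days"])
    end_retention = record.end_of_purpose + timedelta(days=rule["retention_days"])
    return str(end_residence), str(end_retention)


def decide(record: Record, today: date) -> str:
    """Lifecycle action for one record on the given day.

    keep_online : still inside the residence period, needed for operations
    block       : purpose over and residence expired; archive and block day-to-day
                  access, but keep for the statutory retention period
    destroy     : retention expired, the data must be deleted
    hold        : a legal hold overrides every other rule
    """
    if record.legal_hold:
        return "hold"
    end_residence, end_retention = lifecycle_dates(record)
    if str(today) < end_residence:     # ISO strings compare chronologically
        return "keep_online"
    if str(today) < end_retention:
        return "block"
    return "destroy"


def plan(records, today: date) -> dict:
    """Group record keys by action, the worklist an archiving run would consume."""
    out = {"keep_online": [], "block": [], "destroy": [], "hold": []}
    for r in records:
        out[decide(r, today)].append(r.key)
    return out


# Constructed sample records.
SAMPLE = [
    Record("SD_VBAK", "0000100001", date(2018, 1, 1)),
    Record("HR_PERSON", "00001234", date(2017, 1, 1)),
    Record("SD_VBAK", "0000050001", date(2005, 1, 1)),
    Record("HR_PERSON", "00005678", date(2010, 1, 1), legal_hold=True),
]

if __name__ == "__main__":
    for action, keys in plan(SAMPLE, TODAY).items():
        print(f"{action:12s} {keys}")
```

The point of separating residence from retention is that "blocked" data is still held (so a legal obligation or a legal hold can be honoured) but is no longer reachable by everyday transactions, which is what the data-minimization principle asks for between end of purpose and end of the statutory period.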


4.4 Data anonymization


Data Anonymization* is an SAP HANA web service in the cloud that enables anonymization of data
sets. This service has two advanced anonymization methods: differential privacy and k-anonymity.
Your data is anonymized on the fly by this new web service, with no data being stored at any time
on SAP servers.

Some potential use cases are:

a) Data as a service, where cloud providers could give access to anonymized user profile data
for advertising purposes, or telecommunication providers give access to anonymized
location data for city planning purposes.
b) Telemetry and IoT, where car fleet managers could share anonymized car usage patterns
with manufacturers, or energy suppliers could provide smart meter analytics based on
anonymized usage data.
c) Healthcare, where hospitals could make anonymized patient data available for researchers
and insurers.
d) Archiving, where insurers could store anonymized historical data to be able to keep it even
after the legal deletion periods.
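To make the k-anonymity method named above concrete, here is an added worked example written for this paper; it is not the SAP HANA service and does not use its API. It shows what the guarantee means: after direct identifiers are dropped and the quasi-identifiers (here age and postal code) are generalized, every row shares its quasi-identifier values with at least k-1 other rows, and rows that still stand alone are suppressed. The patient rows are constructed sample data, and the generalization rules (age decades, three-digit postal code prefix) are a hypothetical choice.

```python
from collections import Counter

# Constructed sample rows (hypothetical patients). "name" is a direct identifier,
# "age" and "zip" are quasi-identifiers, "diagnosis" is the sensitive attribute.
ROWS = [
    {"name": "A. Adler",  "age": 34, "zip": "10115", "diagnosis": "flu"},
    {"name": "B. Bauer",  "age": 36, "zip": "10117", "diagnosis": "asthma"},
    {"name": "C. Conrad", "age": 31, "zip": "10119", "diagnosis": "flu"},
    {"name": "D. Dietz",  "age": 52, "zip": "20095", "diagnosis": "flu"},
    {"name": "E. Ebert",  "age": 58, "zip": "20099", "diagnosis": "diabetes"},
    {"name": "F. Frank",  "age": 71, "zip": "30159", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("age", "zip")


def generalize(row):
    """Drop the direct identifier and coarsen the quasi-identifiers."""
    decade = row["age"] // 10 * 10
    return {
        "age": f"{decade}-{decade + 9}",   # 34 -> "30-39"
        "zip": row["zip"][:3] + "**",      # 10115 -> "101**"
        "diagnosis": row["diagnosis"],
    }


def equivalence_classes(rows, quasi=QUASI_IDENTIFIERS):
    """How many rows share each combination of quasi-identifier values."""
    return Counter(tuple(str(r[q]) for q in quasi) for r in rows)


def k_of(rows, quasi=QUASI_IDENTIFIERS):
    """The k a table actually satisfies: the size of its smallest equivalence class."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def k_anonymize(rows, k):
    """Generalize, then suppress rows whose equivalence class is still smaller than k.

    Returns (released_rows, number_of_suppressed_rows).
    """
    coarse = [generalize(r) for r in rows]
    classes = equivalence_classes(coarse)
    kept = [r for r in coarse
            if classes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]
    return kept, len(coarse) - len(kept)


if __name__ == "__main__":
    print("k of raw table:", k_of(ROWS))
    released, suppressed = k_anonymize(ROWS, 2)
    print("k after anonymization:", k_of(released), "suppressed rows:", suppressed)
    for r in released:
        print(r)
```

The raw table has k = 1 (every row is unique on age and postal code), so a single outside record such as a voter list would re-identify it. With k = 2 the three Berlin-area rows and the two Hamburg-area rows form classes of size 3 and 2, while the lone 71-year-old is suppressed. A caveat a Data Privacy Office should keep in mind: k-anonymity says nothing about the sensitive column itself, so if every row in a class carried the same diagnosis, membership in the class alone would disclose it; that is one reason the service pairs k-anonymity with differential privacy.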

4.5 SAP Test Data Management System


TDMS* enables the creation of small, easy-to-maintain non-production environments from extracts of
business data. This minimizes infrastructure and maintenance expenses while complying with GDPR
by scrambling sensitive and/or personal data.

4.6 UI Logging of SAP GUI for Windows (LOGWIN)


LOGWIN allows you to track access to personal data through SAP GUI for Windows and logs the relevant
information for security purposes, so that it can be traced back to who accessed the data, which data
was accessed and when it was accessed.


4.7 Read Access Logging


Read Access Logging allows you to track access to personal data in all SAP screens, Web Dynpro
applications and RFCs. It logs the relevant information for security purposes, so that it can be traced
back to who accessed the data, which data was accessed and when it was accessed.
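Logging "who, which data, when" only pays off if someone evaluates the log, which is the proactive monitoring section 3.3 asks for. The following added example, written for this paper and not part of SAP's Read Access Logging or any HCL deliverable, runs three defender-side questions over constructed log lines: which reads touched fields the Data Privacy Office classified as sensitive, which users read sensitive fields of unusually many data subjects (a bulk-export pattern worth a review), and everything that was read about one data subject, which is the evidence needed to answer an Article 15 access request. The key=value line layout, the field list and the table/field names are hypothetical; real RAL data lives in SAP's own log tables and has a different shape.

```python
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value layout (not real RAL output).
LOG = """\
2018-04-20T09:12:03Z user=JSMITH channel=DYNPRO object=PA0002 field=GBDAT subject=00001234
2018-04-20T09:12:09Z user=JSMITH channel=DYNPRO object=PA0002 field=NACHN subject=00001234
2018-04-20T09:15:41Z user=RFC_BATCH channel=RFC object=PA0009 field=IBAN subject=00005678
2018-04-20T09:15:42Z user=RFC_BATCH channel=RFC object=PA0009 field=IBAN subject=00005679
2018-04-20T09:15:43Z user=RFC_BATCH channel=RFC object=PA0009 field=IBAN subject=00005680
2018-04-20T10:02:17Z user=MMUELLER channel=WEBDYNPRO object=PA0002 field=ORT01 subject=00001234
"""

# Fields the Data Privacy Office classified as sensitive (hypothetical selection).
SENSITIVE_FIELDS = {"GBDAT": "date of birth", "IBAN": "bank account", "PERID": "national ID"}


def parse_line(line):
    """Turn one log line into a dict: timestamp plus the key=value pairs."""
    when, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["when"] = when
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def sensitive_accesses(events):
    """Who read which sensitive field of which data subject, and when."""
    return [(e["when"], e["user"], e["subject"], e["field"], SENSITIVE_FIELDS[e["field"]])
            for e in events if e["field"] in SENSITIVE_FIELDS]


def bulk_readers(events, threshold):
    """Users who read sensitive fields of at least `threshold` distinct data subjects."""
    subjects = defaultdict(set)
    for e in events:
        if e["field"] in SENSITIVE_FIELDS:
            subjects[e["user"]].add(e["subject"])
    return {user: len(s) for user, s in subjects.items() if len(s) >= threshold}


def subject_history(events, subject):
    """Every read of one data subject's records, for a right-of-access answer."""
    return [(e["when"], e["user"], e["object"], e["field"])
            for e in events if e["subject"] == subject]


if __name__ == "__main__":
    events = parse_log(LOG)
    for row in sensitive_accesses(events):
        print("sensitive read:", row)
    print("bulk readers:", bulk_readers(events, threshold=3))
    print("history of 00001234:", subject_history(events, "00001234"))
```

The threshold in `bulk_readers` is deliberately a parameter: a payroll job legitimately reads many IBANs, so the useful check is "more distinct subjects than this user or channel normally touches", which means the baseline should come from the organization's own history rather than a fixed number.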

4.8 Database Encryption


HCL can leverage standard built-in encryption tools of different database vendors such as:
1. SAP HANA*
2. Microsoft SQL
3. Oracle* etc.

SAP HANA has comprehensive encryption capabilities for data at rest and in motion.
a) The new column encryption: you specify which columns in a table should be encrypted.
b) Real-time data anonymization lets you gain analytic insights from your data while
protecting the privacy of individuals.
c) Native masking techniques such as dynamic table masking, dynamic view masking etc.

MSSQL provides several data encryption methods that can be applied, such as Transparent Data
Encryption (TDE) and Transport Layer Security (TLS).

Oracle provides various encryption techniques to address GDPR challenges:


a) Encrypt Data-at-rest Using Transparent Data Encryption.
b) Encrypt Data-in-Transit using Oracle Database Network Encryption and Data Integrity.

4.9 Custom Code


HCL also offers to build customized programs in SAP to cover areas of compliance that do not fall
within the scope of the tools implemented for the requirements.
Custom programs can be developed to cover the following:
1. Pseudonymization of personal data identified in SAP.
2. Map, Search & download Personal data reports into PDF to address ‘Right of Access’.
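Both custom-program use cases above rest on the same building blocks: a field inventory from the formal data analysis, a deterministic pseudonym so that records still join after the personal values are replaced, and a way to collect every record about one data subject. The following is an added illustration written for this paper in Python rather than ABAP, not an HCL deliverable or SAP code. It uses a keyed HMAC so that the pseudonym cannot be reversed without the key, keeps a separate pseudonym-to-value vault on the controller side (this is what makes it pseudonymization rather than anonymization under Article 4), and produces a JSON subject access report instead of the PDF named above. KNA1 and ADR6 are SAP customer-master tables and KUNNR the customer number, but the field selection, the rows and the key are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real system the key lives in a key store that the
# non-production landscape cannot reach; it is never hard-coded.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Fields the formal data analysis marked as personal, per table (hypothetical selection).
PERSONAL_FIELDS = {
    "KNA1": ("NAME1", "STRAS", "TELF1"),
    "ADR6": ("SMTP_ADDR",),
}

# Constructed sample rows; the names are standard placeholder names, not real people.
TABLES = {
    "KNA1": [
        {"KUNNR": "0000100001", "NAME1": "Erika Mustermann", "STRAS": "Musterstr. 1",
         "TELF1": "+49 30 1234", "LAND1": "DE"},
        {"KUNNR": "0000100002", "NAME1": "Max Mustermann", "STRAS": "Beispielweg 7",
         "TELF1": "+49 89 5678", "LAND1": "DE"},
    ],
    "ADR6": [
        {"KUNNR": "0000100001", "SMTP_ADDR": "erika@example.org"},
    ],
}


def pseudonym(field, value, key=SECRET_KEY):
    """Deterministic keyed pseudonym: the same value always maps to the same token
    (so joins and duplicate checks still work), but the token cannot be reversed
    without the key or the vault. The field name is mixed in so that equal values
    in different fields get different tokens."""
    tag = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{field}_{tag[:16]}"


def pseudonymize(tables, vault, key=SECRET_KEY):
    """Return a copy of `tables` with personal fields replaced by pseudonyms.

    `vault` (a dict) receives pseudonym -> original value; it stays with the
    controller and is never shipped with the pseudonymized copy.
    """
    out = {}
    for name, rows in tables.items():
        fields = PERSONAL_FIELDS.get(name, ())
        new_rows = []
        for row in rows:
            new_row = dict(row)                 # copy: the source rows are untouched
            for f in fields:
                token = pseudonym(f, row[f], key)
                vault[token] = row[f]
                new_row[f] = token
            new_rows.append(new_row)
        out[name] = new_rows
    return out


def reidentify(row, vault):
    """Controller-side reversal through the vault; unknown values pass through."""
    return {k: vault.get(v, v) for k, v in row.items()}


def subject_access_report(tables, kunnr):
    """Every row about one customer across all tables, as JSON for an Art. 15 reply."""
    records = {table: [r for r in rows if r.get("KUNNR") == kunnr]
               for table, rows in tables.items()}
    return json.dumps({"data_subject": kunnr, "records": records},
                      indent=2, sort_keys=True)


if __name__ == "__main__":
    vault = {}
    nonprod = pseudonymize(TABLES, vault)
    print(json.dumps(nonprod, indent=2))
    print(subject_access_report(TABLES, "0000100001"))
```

Two design points matter in practice. The pseudonymized copy keeps KUNNR and the non-personal columns untouched, so test scenarios still run against it; and the vault is the sensitive artefact, so it needs the same protection as the production data it can unlock, while the non-production landscape must hold neither the vault nor the key.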

* Indicates products for which additional licenses may be required and to be procured by your
organization.


5. SELECTING THE RIGHT TOOLS

Based on the suggested tools, the Data Privacy Office of your organization can choose which of the
various tools to implement, according to its usage, to satisfy the GDPR compliance needs.

The table below maps the technical components described above against the GDPR requirements they
help address.

Tool / Solution                              Related GDPR Requirement
ILM (or) ADK                                 GDPR Articles 15-22
Formal Data Analysis                         GDPR Article 4 Sec 1
SAP Test Data Management System (TDMS)       GDPR Articles 15-22
LOGWIN 100 (or) RAL                          GDPR Article 33
Database Encryption                          GDPR Article 32
Data Anonymization                           GDPR Article 32

Additional information about the GDPR is available on the official GDPR website of the EU.

Thank You
