
How to accelerate your GDPR readiness with SAP Process Control
Leveraging SAP GRC to prepare for the General Data Protection Regulation (GDPR)
Contents

Section 1: Managing personal data
Section 2: Privacy by Design
Section 3: Data Protection Impact Assessments (DPIAs)
Section 4: GDPR controls, policies & reporting
Summary

Introduction
Getting your SAP environment ready for GDPR

From May 2018, the General Data Protection Regulation (GDPR) will dramatically change the way organisations handle personal data - with huge penalties in store for businesses failing to comply.

Businesses running SAP ERP systems hold a wide range of personal information and must therefore take steps to ensure their SAP environment remains fully secure.

While this represents a significant challenge, the tools that sit within SAP’s Governance, Risk and Compliance (GRC) suite can help you prepare for GDPR and ensure you stay compliant after the deadline has passed.

The SAP Process Control tool in particular will be a key asset in your journey. SAP Process Control effectively acts as an organisation’s controls hub, improving your visibility and control of compliance right across your business.

It will enable you to document controls, test strategies and evaluate effectiveness through constant monitoring – all while providing actionable insights through advanced reporting functionality. But as we’ll explore in this guide, other tools in the SAP GRC arsenal, such as SAP Access Control, can be leveraged further for GDPR compliance.

In this eBook, we’ll look at some of the key considerations your business needs to make ahead of the GDPR deadline - and identify just how SAP Process Control can help speed up your readiness for the new regulations.

Section 1
Managing personal data

Whether it’s contractor bank details, employees’ sick leave history or customer contact information, an organisation’s SAP platform typically plays host to a wide range of sensitive personal data likely to fall under GDPR jurisdiction.

Unfortunately, there isn’t a definitive list of every single piece of data that would be considered sensitive under the new regulations, so your organisation is going to need to first understand what personal information you hold, then take a viewpoint on whether that personal information will need to be treated differently moving forwards.

However, there is a strong possibility that at some point in the past you will have defined processes and procedures for dealing with data privacy. This work shouldn’t be overlooked. The likelihood is, if you were carrying out those processes exactly as you described them initially, you would be a lot closer to compliance than you might think.

Before taking a blank sheet of paper and looking at how you’re going to approach GDPR, you should first revisit your data protection processes and start to implement your original plan, if it’s not in place already. GDPR is effectively nothing new - yes there are bigger penalties in place, but it’s actually just applying a bigger stick to a set of requirements that, broadly speaking, should have been in place for some time.

Managing access to personal data in SAP

To help manage access to personal data, you can define one-sided risks in SAP’s Access Control tool. This will create a control that you can run periodically to check that the people with access to these sensitive data sets are appropriate. This will allow you to create a whitelist of sensitive access relevant from a GDPR perspective. You can then monitor that specific list and perform periodic access reviews on each item.

If you identify that people outside of this whitelist have access to these areas, then you can take remediating actions; either removing access or adding them to the whitelist.

While you might be using your SAP Access Control tool to do a periodic access review every year or every six months, for GDPR-relevant personal data that you hold in your SAP environment, you’ll want to be doing that more frequently – perhaps even once a month.

You can also monitor the effectiveness of that periodic access review process, as well as apply workflow escalation where your GDPR-relevant access is included in a request. So, if you have automated provisioning in place with SAP Access Control, you can route specific requests to a different path, which can be approved by your DPO (Data Protection Officer) if necessary.
Section 2
Privacy by Design

‘Privacy by Design’ is an approach to projects that promotes privacy and data protection compliance from the start and then throughout the whole process. Often data protection is seen as an afterthought and therefore projects are not managed as they should be.

Privacy Impact Assessments (PIAs) are an integral part of taking a Privacy by Design approach. The concept of Privacy by Design calls into question the differences between a PIA and a DPIA (Data Protection Impact Assessment). We’ll cover DPIAs in the next section.

A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data. The PIA is common for Human Resources (HR) departments and holds a lot of relevance in the preparation for GDPR.

In order to adequately assess the impact of any projects or business changes on a particular application, it is important to have them classified from a data privacy perspective. Many companies struggle with this if they do not have a coherent IT asset register, which is up to date and considers the data that the application or asset holds.

A good start for this is to send out a scoping survey of some sort to ask the relevant application owners to provide that assessment. This can then be used as a starting point for assessments and planning what sort of follow up actions may be required.

You’ll have no doubt carried out a PIA if you’ve rolled out SAP HCM or indeed any HR system project. And, if your business is global, you might be familiar with the need to look at the specific data privacy requirements of the countries in which you operate. A similar approach to a broader set of projects - any that affect sensitive data - is required to maintain GDPR compliance.

It’s important to ensure that both business and IT staff understand these requirements and to also apply controls that make sure the PIA process is operating effectively.

Supporting Privacy by Design with SAP GRC

Privacy Impact Assessments can be completed in both SAP Process Control or SAP Risk Management, while the self-assessment functionality within the tools can be used to complete initial scoping questions that will determine whether a DPIA is also required (or not).

You can distribute the PIA and those scoping questions through workflow. You may go one step further and integrate the distribution of those questions with an external project management tool.

The figures below give an example of how this might be handled within a process control solution. It may be based upon a particular policy that is part of your policy library or through a risk assessment as part of a project or through a periodic control that is operated against the known IT asset landscape on a regular basis. Regardless of the source, the functionality exists to be able to send out a questionnaire or assessment survey to get insight from the appropriate members of your business teams.

Fig 1: Example GDPR survey
Fig 2: SAP Process Control central repository

You can also track the completion of your PIA. Once you’ve captured everything within SAP Process Control, you’ll have a view on whether any self-assessments have been completed in their entirety - then you can use the tool to escalate issues and plan remediation activities where required.

Tracking everything in this central repository is going to give you the ability to carry out status reporting, which is also going to evidence your governance process around PIAs.
Section 3
Data Protection Impact Assessments (DPIAs)

A DPIA is a form of PIA in a specific format required by the GDPR. The creation of a new project could initially trigger the need for a PIA, then consequently the need for a DPIA, if the screening questions yield certain results. Essentially, a DPIA is a critical tool when implementing data processing systems to ensure you comply with the General Data Protection Regulation (GDPR).

A DPIA is mandatory when processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’. Failure to conduct a DPIA, to conduct one incorrectly, or to fail to consult the supervisory authority where required could all lead to GDPR penalties.

A DPIA will be required if the PIA determines that some of the data is large-scale or high-risk enough to pose a significant threat of harm to the individual, should a disclosure occur.

Facilitating the DPIA using SAP Process Control

SAP Process Control can support the DPIA governance process, again offering self-assessment functionality similar to a PIA. Additional information can be captured and stored within SAP Process Control where a DPIA is required. Effectively, you can expand an existing PIA with further detail and drive the whole process through workflow.

With SAP Process Control, you can automate many aspects of the process using workflow paths and routes that can be configured to trigger outcomes based upon responses. For example, a DPO can validate when you’re using your central controls repository to collate data and then subsequently for audit and review.

Fig 3: Example ‘Disclosure survey’
Fig 4: Example ‘Data protection impact assessment (DPIA)’
Section 4
GDPR controls, policies & reporting

A key element of GDPR preparation is creating a control framework that helps you demonstrate your ongoing compliance.

With the significant consequences of non-compliance, it’s essential to put a number of controls in place that allow you to understand whether or not you’re meeting your compliance objectives.

Examples may include:

• Exception monitoring of encryption control settings
• Self-assessments for breach detection controls and pseudonymisation
• Sample checking for internal breach registration, breach escalation and notification
• Reporting controls around PIA and DPIA completion
• Third party risk management surveys and self-assessments
• Training completion and user responsibility
• Policy and awareness training distribution
• Surveys to test understanding and adherence
• Controls over the data catalogue
• Exception reporting for legal retention periods
• Subject access request turnaround times
• Controls over data transfers outside the EEA

The management, automation and monitoring of controls is the core competency of SAP Process Control and the tool offers a lot of flexibility in this respect. The controls you define to manage your risk of non-compliance from a GDPR perspective will often be quite specific to your organisation. However, SAP Process Control has been designed with the flexibility required to support the management and operation of controls in complex environments.

Putting a tool such as SAP GRC Process Control at the heart of your GDPR compliance efforts will also pay dividends should your organisation be subjected to a compliance audit. By capturing and storing GDPR-related documentation and controls-related data, you are storing up the information required by the regulator on an ongoing basis. A proactive approach like this is likely to make your first GDPR compliance audit a lot less painful than it could be.

Fig 5: Example ‘Self-assessment’
Fig 6: Example ‘Data Protection Office’
Summary

With so much noise around the General Data Protection Regulation (GDPR) it can be difficult to know where to turn for
guidance. The important thing to remember is that the need for a robust strategy for data protection and controls across your
SAP landscape is nothing new. It’s just that the consequences of managing this badly are becoming much more severe.

However you decide to approach GDPR, the right tools, processes and skill-sets are going to be key. The SAP GRC suite
can help you automate and streamline your approach, yet technology alone will only take you so far. Experience of
designing and implementing security, compliance and data protection strategies in SAP environments is critical. There will
be many self-appointed GDPR experts offering one-size-fits-all solutions to make you compliant. But without a thorough
understanding of the nuances and complexities of your organisation, such attempts would be a wasted investment. Be sure
to tread carefully.

The suggestions outlined in this guide are aimed to provide some key technology-focused insights to help you in your
journey. But this is by no means an exhaustive set of recommendations. We suggest looking at GDPR readiness through the
lens of people and process too. If you’d like to understand how this could be applied to your organisation, please get in touch.

We hope you enjoyed the guide.


About Turnkey
Turnkey Consulting is a specialist GRC and IT security company that combines business consulting with technical implementation to deliver information security solutions in support of SAP
systems. It focuses on the delivery of specialised services in support of SAP solutions in the areas of security, governance, risk and compliance (GRC).

It works with service providers, audit partners and SAP clients directly to provide the security controls and solutions that safeguard and complement a company’s implementation of an SAP
system. Clients include some of the world’s largest blue-chip companies alongside systems integrators and a number of government agencies.

Turnkey’s global offices:
United Kingdom | United States | Australia | Germany | Malaysia

Head Office
Turnkey Consulting Ltd
58 Ayres Street
London
SE1 1EU

T: +44 (0)207 288 2578
E: info@turnkeyconsulting.com
W: www.turnkeyconsulting.com