Workshop dataprivacy in SAP Ing. Nico J.W. Kuijper MSc. CIPP/EU SAP information & data governance/management consultant, (SAP) Data Privacy Consultant Certified by the International Association of Privacy Professionals nico.kuijper@d-im-services.com +31 20 615 82 89 Disclaimer: the author of this presentation does not provide any legal advice regarding data privacy with this presentation. In this presentation personal opinions, practical experiences on the fulfillment of data protection requirements and possible instruments are discussed. This presentation contains some pictures/slides from public available sources and SAP presentations. March 29, 2018
Disclaimer: The information contained in this presentation is for general guidance only and provided on the understanding that the author is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. The author accepts no liability for any actions taken as response hereto. It is the responsibility your organization to adopt measures that deems appropriate to achieve GDPR compliance. vcv March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 1
Questions to the audiance Is your organization currently ready for / compliant with the GDPR? Yes? No? Not sure? How are other companies doing? https://www.gartner.com/newsroom/id/3701117 Who should be responsible for data privacy in your view? Business? IT? Both? On what level should data privacy be addressed in the organization? Strategic level? Tactical level? Operational level? All these levels above? March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 2
Analogy: processing financial transactions Key elements: Fiscal law, etc. Tax officer • Legislation • Legal/fiscal authority • C-Level executive • Internal control function • Governance & policies • Management layer C-level • Record/bookkeeping executives • Operations/execution layer (CFO) • Money flow in/out • External stakeholders Policy Financial Head of Finance Controller Bookkeeping system Processing financial transactions € out € in External stakeholder(s) stakeholder(s) Clerk March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 3
Analogy: processing privacy relevant data DPA GDPR Key elements: (Data Privacy Legislation • Legislation Authority) • Legal authority • C-Level executive • Internal control function • Governance & policies • Management layer C-level • Record/bookkeeping system executives • Operations/execution layer & tools (CIO/CDO) • Dataflow in/out • External stakeholders Policy (e.g. data subjects, external controllers & processors) DPO Data controller (Data privacy Officer) Privacy “bookkeeping” Processing privacy relevant data Data out Data in Stakeholder(s) External like data stakeholder(s) subjects Data processor Article on data privacy bookkeeping: https://executive-people.nl/587119/privacy-boekhouding.html March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 4
The roadmap to GDPR compliance Key questions Idenfity the context of privacy relevant data Where (systems) is privacy relevant data used/stored? How & where is it processed (business process)? For what (lawful) purpose? What are the relevant (legal/fiscal) retention rules? Document outcome in your data register & records and retention scheme Assess & prioritize privacy risks What are the identified privacy risks (PIA)? Gap analysis regarding organizational & technical measures Evaluate risks, measures & prioritize. Develop and execute a privacy program How to mitigate the identified privacy risks? What are our data privacy policies and procedures? How do we govern/evaluate (ongoing) data privacy? Technical measures : What are the appropriate privacy enhancing tools? Implement technical measures based on defined policies Etc. March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 5
Presentation focus area: PET in the context of SAP The presentation has a main focus on privacy enhancing technology available in SAP and will touch also some of the data privacy relevant processes this technology can be used for. We will not focus on governance, relevant data privacy processes, roles and responsibilities, etc. March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 6
Part 1 – GDPR key aspects put into context March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 7
GDPR Article 24(1): the GDPR Key aspects The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/ and here in different languages: Directive 95/46/EC (General Data Protection Regulation) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 8
The nature, scope, context, purpose, risk of processing personal data & appropriate measures Determine risks of Determine risks of Identify the Identify the Identify Identify Identify the Identify the Identify the context: Identify the context: processing the data processing the data context: determine context: determine where where purpose for purpose for determine the determine the and implement and implement the lawful basis the lawful basis privacy privacy processing processing retention and retention and appropriate appropriate for processing for processing relevant relevant personal data personal data deletion periods deletion periods (technical) (technical) data lives data lives (identify (identify (displayed: a few (displayed: a few and triggers and triggers measures measures in your in your relevant relevant examples of a examples of a (some examples) (some examples) SAP SAP business business lawful basis) lawful basis) system system processes ) processes ) SAP ILM RM SAP ILM RM Delete after Delete after Consent Consent Consent Consent withdrawn withdrawn management management consent consent Personal Personal SAP ILM RM SAP ILM RM data data (in SAP) (in SAP) Authorization Authorization Purpose(s) of Purpose(s) of Legal Legal concept concept processing processing obligation obligation Retain Retain personal data personal data based on based on Data masking Data masking legal legal retention retention contract contract times per times per country country Anonymization Anonymization NL x years NL x years DE y years DE y years Data breach Data breach prevention & prevention & detection detection Etc. Etc. March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 9
What is considered privacy relevant data? Identify 10 where privacy relevant data lives in your SAP “ 'personal data' means any information relating to an system identified or identifiable natural person 'data subject'; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person ” Art. 4 Sec. 1 GDPR What does this mean for SAP Business Suite and SAP S/4HANA? Data in SAP Business Suite and SAP S/4HANA is or might become personal data. A Sales Order is linked to the Business Partner (ID). The sales order itself could contain additional personal data – or can reveal personal Personal data (purchases person X). data (in SAP) Combinations of attributes might become personal data – as soon as it is possible to identify the person behind. Example: information combined from ECC, CRM, BW, etc. “Personal data” is defined as “any information relating to an identified or identifiable natural person” March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 10
Recommend
More recommend