GDPR Compliance – Good News for SAP GRC Customers
The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. Compliance is mandatory. The new regulation applies to any organization that offers goods or services to people in the EU, including any organization that monitors, processes, or holds personal data of EU residents.
GDPR in a Nutshell
It is no surprise that many organizations, including most SAP customers, are now taking this regulation very seriously, if not scrambling to put acceptable GDPR compliant processes in place. Penalties for non-compliance are significant. In general, the regulation is intended to provide EU individuals with control and protection of their personal data. The parts of the regulation, at a high level, include provisions for:
- Lawful Processing – Capturing, storing, and processing personal data requires a legal basis (such as a contract, consent, or legitimate interest); the data must be kept accurate and stored only as long as needed.
- Individual Rights – Self-service applications are suggested for handling requests about personal data. These rights apply across all systems, including those of third parties. Individuals should not be charged, and businesses must inform individuals within one month of acquiring their data.
- Accountability – Organizations must be able to show evidence of the actions that support compliance with the regulation. Data protection must be the highest priority. Appointing a Data Protection Officer (DPO) is mandatory for many companies.
- Breach Notification – The supervisory authority must be notified within 72 hours of a breach, and affected individuals must also be informed.
- Demonstration of Compliance – Organizations must be ready to demonstrate the processes, procedures, and capabilities deployed and enforced for complying with the regulation. This includes appropriate and adequate codes of conduct, policies to ensure accountability, and capable supporting processes and systems.
For brevity, the above is a condensed list of GDPR requirements. A GDPR expert should be consulted to fully understand the regulation's requirements and to assess your company's ability to comply with it. The need for appropriate policies and procedures for GDPR compliance is obvious.
The Role of Information Technology for GDPR Compliance
From a data processing standpoint, the requirements can be broken into three types of processes:
- Data management – A large portion of the GDPR requirements involves ensuring that customer and employee data is securely stored, with special attention to maintaining data accuracy and quality, and to using the data consistently across your organization and your processing partners. The data needs to be adequately protected, and archived and/or deleted in accordance with the regulation.
- Access control – Access to customer and employee data needs to be strictly defined, monitored, controlled, and restricted. The same access management is required for the business applications that consume the data, such as CRM and HR systems, as well as for the users of these systems.
- Business systems – Business process and analytical applications must not only comply with controls that restrict access to potentially sensitive personal data, but must also abide by the laws and regulations restricting the methods used for acquiring, storing, processing, and deleting personal data under GDPR. Business processes need to be designed to ensure GDPR compliance, and the company needs to be able to ensure and demonstrate that the defined processes are followed. Exceptions to standard processes must also be defined and monitored.
GDPR compliance will require a high degree of awareness and understanding by the people throughout the organization and the organization’s processing partners. The Information Technology function has a vast role in establishing the processes and process controls that will enable compliance and minimize risk.
Application Support for GDPR
SAP provides applications designed to enable organizations to digitally establish and enforce processes for GDPR compliance.
- Access Governance – Many companies have deployed SAP Governance, Risk, and Compliance (GRC) to restrict access to applications that access, process, and display personal data. GRC is designed to help establish standard enterprise-wide processes in areas of corporate risk and provides the needed audit processes.
- Process Governance – The ability to show or prove compliant processes is an important and mandatory part of the regulation. Just as important is the ability to demonstrate that standard processes are being followed by employees, and exceptions to standard processes are detected and controlled. Process mining and analytics are provided by Celonis PI, while real-time process monitoring is provided by SAP Intelligent Business Operations (IBO). These toolsets can be used in both SAP and non-SAP systems.
- Data Governance – Of utmost importance is the company's ability to properly manage the sensitive personal data collected during the normal course of running its business. Data management also includes processes for ensuring that personal data is accurate and stays accurate. Rules need to be set and enforced for how the data is used and by whom. Personal data needs to be deleted once its intended (legal) purpose is complete. Failure to establish data governance over personal data is a potentially huge risk to all organizations and can result in significant fines. SAP Information Steward and SAP Information Lifecycle Management provide the processes for establishing the highly governed data and information strategy required for GDPR compliance in both SAP and non-SAP systems.
Time is Running Out
The new regulation goes into effect in May 2018. Fortunately, many companies have already established data protection programs and processes that get them part of the way to GDPR compliance. In fact, much of the new regulation could be viewed as simply using the systems and controls that a company should already have in place for general security and risk mitigation purposes. Regardless of whether a company has a solid security foundation in place or needs a major overhaul of its data security, all companies are advised to comply with GDPR well before the May deadline.
Chet Harter is a Digital Business Transformation specialist at SAP with a heavy background in manufacturing and distribution management practice and systems.
Comments:
- President | EVP | Chief Revenue Officer | Board Advisor (7 years ago): Great summary Chet.
- Director @ SAP | Driving Sustainability in Automotive Value Chain (7 years ago): #EU