The Impact of GDPR on SAP: A Guide to GDPR Compliance and SAP

The General Data Protection Regulation (GDPR) was designed from the ground up to deal with the personal data challenges of a modern, digital world. It’s been many years since its introduction, but there is no doubt that it has changed the way many organisations approach personal data.

In this article, we unpack GDPR and its impact on organisations running SAP, and advise how to ensure the organisation remains GDPR compliant.

The introduction of GDPR

Despite being warned for many years, organisations worldwide began to panic when the EU announced that in May 2018, GDPR would come into effect. Many organisations were suddenly asking, “What is GDPR compliance?” Additionally, they needed to know what steps to take to ensure they didn’t violate these new data protection laws.

GDPR is data privacy legislation that came into effect in the European Union (EU) in 2018. The aim of GDPR was to introduce data protection laws that address the privacy challenges individuals experience living in a world which operates on digital services. It did this by introducing a set of rules that limited what organisations could do with personal data if they were operating in EU member states.

The consequences for lack of GDPR compliance

With these new laws came new consequences. If it was found that an organisation was likely to have infringed upon GDPR’s data protection rules, the organisation would receive a warning. If it was confirmed that an organisation failed to comply with GDPR, they could find themselves at risk of:

  • Fines of 10 million Euros or 2% of the firm’s global turnover for minor breaches, whichever is higher.
  • Fines up to 20 million Euros or 4% of the firm’s global turnover for major breaches, whichever is higher.

How GDPR directly affected organisations running SAP

In 2017, James Baird discussed the effects the new GDPR laws would have on organisations that run SAP in his article “The Impact of GDPR for Organizations that Run on SAP” on the SAP Community blog. Baird highlighted that GDPR applies to any organisation that processes the personal data of any European resident. For SAP users, this meant that any information on an SAP system, whether contained in data or documents, that was “stored across multiple environments, systems, locations, and countries” must be properly protected and discarded.

This meant that significant changes would need to be made to ensure SAP data protection was compliant with GDPR. Here are some of the areas that were dramatically affected by this new legislation.

Consent regarding personal data gathering

Prior to GDPR, compliance laws for online data gathering were either vague or non-existent. Many organisations gathered data either under very broad consent terms, behind complicated legal language, or without even seeking consent from an individual. GDPR made it illegal to do this and required organisations to describe in very simple terms what data they were gathering from an individual.

The management of personal data

The protection of personal data became the number one priority for many organisations. This meant that any organisation running SAP needed to take steps to ensure that only authorised SAP access was permitted, and that any personal data stored on a system was encrypted. Access risk management would need to be implemented if SAP users were not already doing so.

Companies needed to meet the “right to be forgotten” mandate

Every organisation that gathered and stored the personal data of an EU citizen needed to have the ability to delete that individual’s personal data from their systems. There were a number of circumstances under which this was applicable, such as the individual withdrawing consent on the use of their data or the data having been unlawfully gathered.

Breach reporting

Prior to GDPR, there were numerous high-profile breaches that companies attempted to quietly cover up, or only announced long after the breach had occurred. GDPR made it a punishable offence to do this and required organisations to report data breaches to a Data Protection Authority (DPA) within 72 hours of them being identified, unless circumstances dictated otherwise. However, companies were still required to communicate with the DPA as soon as possible or risk fines. Information that was required included how the breach occurred, the consequences of the breach, and what measures the organisation was taking moving forward to address the breach of security.

The enormous challenge of ensuring SAP GDPR compliance

Due to the sheer volume of SAP tables and fields, complying with data privacy regulations (such as the GDPR, CCPA, PDPA, POPIA etc.) is an enormous challenge for many organisations. Only once the organisation has identified where personal data resides in their SAP solution can they start to effectively classify and manage it.

Soterion’s GRC software facilitates the creation of a data privacy rule set based on the sensitive fields defined by your organisation. By including data privacy rules in your Soterion rule set, data privacy risk becomes integrated into the Soterion Access Risk Manager and Periodic Review processes – ensuring data privacy by design.

How companies ensured their SAP system was GDPR compliant

Ultimately, it was up to each organisation to figure out the exact steps they would need to take to ensure their SAP systems were compliant. However, there are overarching guidelines that companies could follow to ensure they were GDPR compliant.

The following guidelines still apply to any organisation looking to ensure GDPR compliance today.

Step 1: Perform an audit of your SAP system
The first step is to perform an audit of your SAP system to assess what data you have and categorise it as necessary.

Step 2: Identify personal data stored on your SAP system
Once you have an understanding of the data that is on your system, the second step is to classify the personal data on your system. This step is vital since personal data is the main focus of GDPR, and any failure to correctly identify and secure personal data could result in your organisation failing to comply with GDPR.

Personal data could be information such as a first name, surname, or contact number, or can even include information such as an account name or account number. Any information that is related to an identified or identifiable natural person (a living, breathing human being) is considered personal data under GDPR.

Step 3: Remove all unnecessary personal data and ensure that only required personal data is gathered moving forward
Once all personal data has been identified, it’s necessary to permanently delete any unnecessary personal information on your system. This is to ensure that any data that remains on your system is reflective of the data your organisation needs in order to perform its functions. For example, while you may need a name and an email address to engage with your customers, you might not require their phone number. Deleting this category of existing personal information and ensuring that it’s not collected in the future will remove additional compliance burdens on your organisation.

Step 4: Encrypt necessary personal data
If your organisation has not already done so, it’s important that you encrypt any personal data that you store on your SAP system. This is to ensure that you eliminate any further risk should any unauthorised individuals gain access to the personal data stored on your systems.

Step 5: Develop access, retention and deletion rules
Now that you have correctly identified, sorted, and encrypted the personal data, it is necessary to create and manage access, retention, and deletion rules that are GDPR compliant. These rules can be better understood as follows:

  • Access rules will ensure that only the authorised members of your organisation have access to the personal data. These SAP access rules will need to be customised to fit your organisation’s needs.
  • Retention rules under GDPR state that personal data is only collected, processed, and stored for as long as it is necessary for an organisation. In simpler terms, you can’t retain any personal data that your organisation doesn’t explicitly need to operate.
  • Deletion rules are simply rules that align with the GDPR “Right to be Forgotten” requirement. This means that once data is no longer necessary for an organisation, it must be deleted. In situations where personal information cannot be deleted, authorised access must be revoked.

Step 6: Implement tools to anonymise certain categories of new data as necessary
De-identification of personal data can also allow companies to gather limited datasets without acquiring any unnecessary identifiable information. For example, a company that is studying how a user interacts with their software might be interested in identifying certain patterns of behaviour, but may not require the specific user’s name or email address. By de-identifying information, you again eliminate any unnecessary exposure to GDPR.

Step 7: Monitor and regularly audit systems and users to ensure compliance
Once you have completed the previous steps, you may think that your system is prepared for GDPR. However, a single GDPR compliance check and a one-off update of your SAP access, security, and user rules are not enough to ensure that your SAP system is compliant. You must monitor the system and perform regular audits to ensure personal data is being gathered and stored correctly, that only authorised users have access to the data, and that security tools are logging any and all access to this data.

Ensure SAP compliance with Soterion

It has been more than five years since GDPR was introduced, but many more countries are moving towards enhancing privacy legislation to protect individuals and organisations, or have already introduced their own personal data privacy laws. Knowing the impact GDPR has on data protection, it’s important that your SAP system adheres to these regulations.

Soterion offers SAP Governance, Risk, and Compliance (GRC) solutions to ensure that companies are compliant with data privacy and other regulations. Our SAP security consultants will work with your organisation to ensure that your SAP system follows the laws of any country where it operates.

Contact us to find out more about how Soterion can ensure your organisation’s SAP system is correctly managing its risks.
