
GDPR & SAP: practical data governance & management activities

The GDPR is all about how to govern and manage your privacy-relevant data in SAP systems. Many companies are struggling to adapt and align their (SAP) information governance and practical information management activities with the GDPR legislation.
Read this GDPR presentation, given to the Dutch SAP user group (VNSG), to learn more about some of the practical governance and management activities you can prepare for SAP systems in order to comply with the GDPR.


  1. November 15, 2017. VNSG Focusgroep Data Management. Data governance and data management aspects around data privacy in SAP. Ing. Nico J.W. Kuijper MSc., SAP information & data governance/management, (SAP) Data Privacy Consultant. Email: nico.kuijper@d-im-services.com, phone: +31(0)20 615 82 89. Member of the International Association of Privacy Professionals (IAPP®) and ISACA®. Disclaimer: the author of this presentation does not provide any legal advice regarding data privacy with this presentation. In this presentation personal opinions, practical experiences on the fulfillment of data protection requirements and possible instruments are discussed. This presentation contains some slides from publicly available sources and SAP presentations.
  2. Nico Kuijper | Data governance and management aspects around data privacy in SAP | VNSG Focus group Data Management, page 1.
  3. Why is it needed to protect our (data) privacy? Source: https://youtu.be/F7pYHN9iC9I
  4. Questions to the audience
     - Is your organization currently ready for / compliant with the GDPR? Yes? No? Not sure?
     - Who should be responsible for data privacy in your view? Business? IT? Both?
     - On what level should data privacy be addressed in the organization? Strategic level? Tactical level? Operational level? All of these levels?
     - How are other companies doing? https://www.gartner.com/newsroom/id/3701117
  5. Analogy: processing financial transactions. Diagram labels: € in, € out, bookkeeping system, fiscal law etc., C-level executives (CFO), processing financial transactions, clerk, Financial Controller, stakeholder(s), external stakeholder(s), tax officer, Head of Finance, policy.
     Key elements:
     - Legislation
     - Legal/fiscal authority
     - C-level executive
     - Internal control function
     - Governance & policies
     - Management layer
     - Record/bookkeeping
     - Operations/execution layer
     - Money flow in/out
     - External stakeholders
  6. Analogy: processing privacy-relevant data. Diagram labels: data in, data out, privacy "bookkeeping", GDPR legislation, C-level executives (CIO/CDO), processing privacy-relevant data, data processor, DPO (Data privacy Officer), external stakeholder(s), DPA (Data Privacy Authority), data controller, stakeholder(s) like data subjects, policy. Article on data privacy bookkeeping: https://executive-people.nl/587119/privacy-boekhouding.html
     Key elements:
     - Legislation
     - Legal authority
     - C-level executive
     - Internal control function
     - Governance & policies
     - Management layer
     - Record/bookkeeping
     - Operations/execution layer
     - Data flow in/out
     - External stakeholders (e.g. data subjects, external controllers & processors)
  7. GDPR Article 24(1): accountability. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/
  8. Roadmap to GDPR compliance. Case: data minimization, deletion/masking. Steps: data discovery in SAP; (D)PIA: privacy impact assessments; policy development (case: data deletion); policy implementation (case: data deletion).
     Key questions:
     - Where is the data?
     - How is it processed?
     - Why do I need data governance?
     - How can I use a policy when implementing data management instruments?
  9. Roadmap to GDPR compliance, step 1: data discovery in SAP (key questions as on slide 8). Do you currently know if and where you hold privacy-relevant data in SAP systems?
  10. What is considered privacy-relevant information? "Personal data" is defined as "any information relating to an identified or identifiable natural person": "'personal data' means any information relating to an identified or identifiable natural person 'data subject'; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person" (Art. 4 Sec. 1 GDPR).
     What does this mean for SAP Business Suite and SAP S/4HANA?
     - Data in SAP Business Suite and SAP S/4HANA is or might become personal data. A sales order is linked to the Business Partner (ID). The sales order itself could contain additional personal data, or can reveal personal data (purchases of person X).
     - Combinations of attributes might become personal data as soon as it is possible to identify the person behind them. Example: information combined from ECC, CRM, BW, etc.
  11. First things first: detect the privacy-relevant data living in SAP systems (1).
     - There are tools available in the market to detect if and where privacy-relevant information lives in SAP systems. SAP promotes e.g. Information Steward, Celonis, etc.
     - Tip: a practical, quick-to-use tool could be a (commercially) available report that verifies the data elements in SAP used to store (sensitive) privacy-relevant information. There are multiple variants that can check the existence of privacy-relevant data for different areas / modules.
  12. (Another) useful tool to detect privacy-relevant data in SAP (II). The output of this report can show whether privacy-relevant information is actually used in your system. This information can be used as a starting point to (objectively) assess the actual use of privacy-relevant data in SAP systems. The report also identifies the so-called "data destruction objects".
  13. Next step: populate your data privacy register, and start with data privacy "bookkeeping". An example of a simple data privacy register template is provided by the EDPS. Source: https://edps.europa.eu/data-protection/our-work/publications/other-documents/register-template-0_en
  14. What privacy "bookkeeping" could look like in SAP. There are many different tools to administer, monitor and control different data privacy aspects. SAP promotes SAP GRC, and is thinking about the development of a data protection cockpit. There are also many non-SAP tools on the market, delivered by e.g. Truste, Nymity, etc.
  15. Roadmap to GDPR compliance, step 2: (D)PIA: privacy impact assessments (key questions as on slide 8).
  16. Now we have detected the data, what's next? Conduct a privacy impact assessment. There are many different (D)PIA tools and templates. One example: www.isaca.org/GDPR-DPIA. A (D)PIA can be seen as a kind of risk assessment to identify how privacy-relevant data is handled (by the different business processes) in your organization. Based on the outcome you can define improvements in different areas (like data protection, policies/procedures, etc.).
  17. Roadmap to GDPR compliance, step 3: policy development, case: data deletion (key questions as on slide 8).
  18. Case: data minimization & deletion. Source: IAPP (International Association of Privacy Professionals).
     IT department (execution):
     - We can do (more) housekeeping
     - E.g. delete obsolete logs/emails
     - Use SAP ILM tools to destroy business data
     Data governance & policy development is needed BEFORE you implement & use data management instruments like SAP ILM. Do you have data governance in place?
  19. Complexity of having different purposes, dependencies and laws requires ... information governance.

     | Data | Purpose | Active availability | Blocking period |
     |---|---|---|---|
     | Master data | Dependent on other purposes | With related data | Until last related retention period ends (in this example: pension law) |
     | Payment details | Dependent on other purposes | With related data | Until last retention period for payment details ends (e.g. tax law) |
     | Communication details | Dependent on other purposes | With related data | With master data |
     | Marketing | Marketing | Until consent is revoked or missing renewal after x years | None |
     | Purchase contract for iPhone & maintenance | Processing purchase contract; processing maintenance | Until end of maintenance requirements | Until last related retention period ends (e.g. tax law) |
     | Purchase contract for "The Divine Comedy" | Processing purchase contract | During processing of purchase contract, possibly for reporting purposes | Until last related retention period ends (e.g. tax law) |
     | Contract for works | Processing contract for works | During processing of contract for works, possibly for reporting purposes | Until last related retention period ends (e.g. contract law) |
     | Employment contract | Processing employment relationship | During time of employment and for processing end of employment | Attention: deadlines of pensions, pension offices, … |

  20. Manage data as records: know what (not) to keep.
     - What type of information?
     - How long should it be preserved?
     - Long-term storage (safe/unchangeable)
  21. Roadmap to GDPR compliance, step 3: policy development, case: data deletion (key questions as on slide 8).
  22. Policy-driven erasure or blocking of personal data. Under GDPR Article 17, controllers must erase personal data "without undue delay" if the data is no longer needed (purpose), the data subject objects to processing, or the processing was unlawful. GDPR Article 5: purpose limitation and data minimization: do not collect/keep data without a clear purpose.
  23. SAP ILM RM: applying retention rules in SAP (1)
     - ILM policies are the instruments to translate (differentiated) external legal & fiscal retention and data destruction rules to SAP data and documents.
     - ILM retention rules serve mainly the following purposes:
       - separate the data (e.g. per country) during archiving/deletion processes
       - store the data in different containers (when needed)
       - apply retention rules to the data (how long it MUST be preserved)
       - apply expiration dates (when the data can/must be destroyed)
  24. SAP ILM RM: executing data deletion rules in SAP.
  25. Final (policy-based) data destruction in SAP. Based on the retention rules defined in SAP ILM it is possible to comply with the GDPR requirement to block and destroy privacy-relevant SAP data in a controlled way.
  26. Personal data lifecycle in SAP: block or delete? Phases: processing in accordance with the intended purpose; blocking phase (access only for explicitly authorized persons); deletion. Source: SAP.
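The retention table of slide 19 and the block-or-delete lifecycle of slides 22 to 26 can be expressed as a small policy model. The Python below is an added example, not code from the presentation or from SAP ILM: a data object is actively available while any purpose still runs, is then blocked until the latest related retention period ends, and is due for destruction after that. Purpose names, dates and the 7-year tax retention are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

@dataclass
class RetentionRule:
    legal_basis: str        # law that fixes the period, e.g. "tax law" (slide 19)
    retention_years: int    # keep this long after the purpose ends; 0 = destroy at once

@dataclass
class PersonalDataObject:
    name: str
    purpose_end: dict[str, Optional[date]]  # purpose -> end of active processing (None = still running)
    rules: dict[str, RetentionRule]         # purpose -> retention rule

def add_years(d: date, years: int) -> date:
    # Shift by whole years; 29 Feb is clamped to 28 Feb when the target year is not a leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def expiration_date(obj: PersonalDataObject) -> Optional[date]:
    # End of blocking = the latest related retention period; unknown while any purpose still runs.
    if any(end is None for end in obj.purpose_end.values()):
        return None
    return max(add_years(end, obj.rules[p].retention_years) for p, end in obj.purpose_end.items())

def lifecycle_phase(obj: PersonalDataObject, today: Union[date, str]) -> str:
    # "processing" = active availability, "blocked" = kept for retention only, "destroy" = ILM destruction due.
    today = date.fromisoformat(today) if isinstance(today, str) else today
    if any(end is None or end > today for end in obj.purpose_end.values()):
        return "processing"
    return "blocked" if today < expiration_date(obj) else "destroy"

def may_access(obj: PersonalDataObject, today: Union[date, str], explicitly_authorized: bool) -> bool:
    # Blocked data is readable only by explicitly authorized persons (slide 26); destroyed data by nobody.
    phase = lifecycle_phase(obj, today)
    return phase == "processing" or (phase == "blocked" and explicitly_authorized)
# Constructed sample after slide 19: purchase contract ended in 2017, maintenance runs until 2019;
# tax law fixes the blocking period (the 7-year figure is an assumption, not from the slides).
IPHONE_CONTRACT = PersonalDataObject(
    name="purchase contract for iPhone & maintenance",
    purpose_end={"purchase contract": date(2017, 3, 1), "maintenance": date(2019, 3, 1)},
    rules={"purchase contract": RetentionRule("tax law", 7), "maintenance": RetentionRule("tax law", 7)},
)
# Constructed marketing record: consent revoked on 2018-01-01 and no blocking period -> destroy at once.
MARKETING = PersonalDataObject(name="marketing consent", purpose_end={"marketing": date(2018, 1, 1)},
                               rules={"marketing": RetentionRule("consent", 0)})
```

Running the checks for several dates shows why the slide calls this information governance rather than housekeeping: the destruction date of the contract depends on the last purpose and its law, not on the date the purchase itself ended.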
  27. Roadmap to GDPR compliance: summary. Steps: data discovery in SAP; (D)PIA: privacy impact assessments; policy development (case: data deletion); policy implementation (case: data deletion). Key questions as on slide 8.
  29. Questions? DISCLAIMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. D&IM Service assumes no responsibility for errors or omissions in this document, except if such damages were caused intentionally or grossly negligently. Interested in SAP data privacy support or the SAP data discovery tool? Contact: nico.kuijper@d-im-services.com, +31 (0)20 615 82 89
