Expand +



Be Compliant, Stay Compliant

How Policies, Procedures, Protocol, and People Help You Tackle the GDPR

by James Baird | SAPinsider, Volume 18, Issue 4

November 7, 2017

The General Data Protection Regulation (GDPR) — a new data privacy regulation in Europe — will affect any organization that handles the personal data of EU residents, regardless of whether it is located in the EU. With the regulation going into effect in May 2018, and stiff fines for non-compliance, now is the time to establish a process for adherence. Learn how SAP customers can ensure compliance with the GDPR by focusing on four critical areas: policies, procedures, protocol, and people.

The General Data Protection Regulation (GDPR) is a new privacy regulation in Europe that protects the personal data for any individual based in the European Union (EU), regardless of citizenship or where the data is held. It applies to any organizations located inside or outside the EU if they offer goods or services to — or monitor the behavior of — EU data subjects. The GDPR will be enforced in May 2018 and outlines strict fines for companies found to be out of compliance. Now is the time for SAP customers to establish a process for adhering to the necessary requirements.

To be compliant — and stay compliant — with the GDPR, companies need to be mindful of four critical areas: policies, procedures, protocol, and people (see Figure 1).

1. Policies

Identify a risk team to conduct a risk assessment. Evaluate and determine which data falls under the GDPR, where that data resides, and how it moves through the system. Once the inventory of personal data is complete, establish a policy for handling that data in compliance with the regulation. There should also be a policy around proper security controls to prevent external or internal exposure of personal data. All potential risks should be categorized and relayed to data stewards or owners before a specific policy is put in place.

2. Procedures

Existing procedures for collecting and storing data must be adapted to be fully GDPR compliant. In some cases, this may require an overhaul of existing procedures. In others, retained information may no longer be required, thus eliminating some procedures altogether. Examples of well-established procedures that will need to be reexamined include informing individuals when and why personal data is collected and requesting that individuals give explicit consent to retain personal information.

3. Protocol

Develop a protocol for how you will handle situations in which individuals want to invoke the GDPR. You need to consider areas such as: Who will be responsible for handling inbound requests? What is the procedure for addressing said request? What are the cases where information needs to be kept for legal, business, or other reasons? Each area should be thoroughly considered with the protocol clearly communicated to all key stakeholders.

4. People

Educate your customers, vendors, and employees about the GDPR and relay the steps you are taking to safeguard their personal information. Let them know how much you value their privacy and your role as the custodian of their personal data. Be sure to give them peace of mind that you are taking the regulation seriously and approaching it carefully and swiftly. In the end, they will thank you — and your organization can rest assured that you are in full compliance.

Figure 1 — Policies, procedures, protocol, and people are critical to GDPR compliance

Be Compliant, Stay Compliant

The GDPR will affect SAP customers worldwide, regardless of whether they are located in the EU. With strict fines and regulations, non-compliance could be costly for the unprepared company. By building your approach to the GDPR around these four critical areas, you can ensure that your company is compliant and stays compliant in the future. To learn more, visit

An email has been sent to:


James Baird
James Baird

Senior Data Consultant
Dolphin Enterprise Solutions Corporation

More from SAPinsider


Please log in to post a comment.