Modern business systems are a treasure trove of highly sensitive information, such as the names, contact information, and various financial and health details for an organization’s current and former employees and family members, as well as valuable information about business partners, shareholders, and customers. As the volume and types of data collected continue to increase through smart devices, social media, and other technologies, so too have laws and regulations designed to protect this data from misuse.
One of these regulations is the European General Data Protection Regulation (GDPR) — a regulation intended to strengthen the protection of personal data for individuals within the European Union (EU). The GDPR goes into full effect on May 25th, 2018, replacing the existing data protection directive 95/46/EC with a wider scope and increased penalties for non-compliance. In particular, the GDPR significantly broadens the definition of personal data and it applies to any company — whether that company is physically located within or outside of the EU — that processes data, offers services or goods, or monitors the behavior of people in the EU.
The GDPR will have global implications, changing IT landscapes worldwide. So, what does this mean for those processing data with SAP Business Suite applications? This article shows you how basic technical features and security safeguards included with SAP Business Suite applications help you comply with key areas of the GDPR data protection legislation. In particular, we will look at how SAP Business Suite helps you cover legal grounds for processing personal data, ensure the rights of data subjects (those whose personal data is being processed), and establish key technical and organizational measures (see the sidebar for a note about terminology in this article).
Before diving into the details of the legal grounds specified by the GDPR, however, it is critical to first understand the GDPR’s definition of personal data.
The GDPR Definition of Personal Data — And Why It Matters
With the GDPR, all companies within its defined material and territorial scope that deal with the personal data of EU residents must comply with its requirements.
The GDPR’s definition of personal data is quite broad — “any information relating to an identified or identifiable natural person” is included within its scope.[1] Simply put, an “identifiable person” is identified by attributes such as last name, first name, telephone number, address, age, gender, and profession.
With this definition, a significant amount of data can be considered personal data. While neither the broad definition of personal data nor its scope is in itself business critical, violations are subject to administrative fines of up to 4% of the fined company’s worldwide turnover.
Now that the scope — and implications — of what constitutes personal data in the context of the GDPR is clear, let’s examine the legal grounds defined in the GDPR for processing personal data, and the role SAP features and functionality can play in covering them.
Covering Legal Grounds for Processing Personal Data
According to the GDPR, the processing of personal data is lawful if at least one of the following grounds applies (see Figure 1):
- The data subject has given consent
- A contract requires the processing
- The controller (in most cases, the legal entity responsible) is subject to a legal obligation to do so
- Vital or public interests are involved
- There is a legitimate interest
Here, we take a closer look at each of these conditions, and the ways in which SAP Business Suite applications can help you meet them.
Consent
Consent is an agreement between a data subject and a controller, in which the data subject formally agrees to the processing of personal data — via a signature or by actively clicking on a checkbox, for example. SAP Business Suite supports the documentation of consent with two features: the Marketing Permissions feature in the SAP Customer Relationship Management (SAP CRM) application and the Marketing Permissions feature for customer master data available with SAP NetWeaver 7.40.
Contract
A contract between the data subject and the controller defines the purpose of the processing of personal data — for example, a contract between an advertiser and a media company would require personal data to settle the contract and payment, and the processing would then be limited to that purpose. If the controller wants to process additional personal data or use it for purposes other than the one specified in the contract — for example, if the media company wants to sell that data to other companies — additional, specific consent from the data subject is required.
Most business activities performed using SAP Business Suite applications are based on contracts. SAP Business Suite applications enable you to prove the existence of a contract using transactional or master data — for example, you can view existing sales contracts or payment transactions.
Legal Obligation
The processing of data due to legal obligation — for example, the reporting of salary figures to tax authorities — must be proven by organizational measures, meaning any documentation that describes processes, guidelines, or directives that control people’s behavior. For example, you could document processing activities using SAP governance, risk, and compliance (GRC) solutions and then link to that information from SAP Business Suite.
Vital and Public Interest
The processing of data due to vital interest is not a typical scenario for SAP Business Suite customers. This condition might apply if data processing is required to provide medical care for an unconscious person, for instance, and the GDPR also mentions “epidemics,” “humanitarian emergencies,” and “natural and man-made disasters” as valid grounds.[2] While the SAP for Healthcare industry solutions and the Industrial Hygiene and Safety component of SAP Environment, Health, and Safety Management partially process data based on these grounds, the existence of these grounds must be proven by organizational measures, such as documentation stored in SAP GRC solutions.
The processing of personal data based on public interest applies in cases of relevant national or EU law, such as police checking personal data during an inquiry. Similar to vital interest, public interest is a legal ground that must be documented organizationally.
Legitimate Interest
The processing of personal data based on legitimate interest requires balancing legally protected interests to determine whether the interests of processing the data are more important than the data protection rights of the data subject. By nature, this is something that cannot be solved by automated means and must be covered by organizational measures. Solid reasoning and documentation are particularly important in this case, since the merits of “legitimate interest” can often be challenged.
Ensuring the Rights of Data Subjects
The GDPR defines numerous rights for data subjects that organizations must ensure. While some of these rights can only be ensured by organizational measures, here we’ll highlight some that require a technical measure — a configuration, feature, or solution that controls something technical — or at least technical support, and look at how SAP Business Suite applications can help.[3]
Blocking and Deletion of Personal Data
Based on our experience at SAP, one of the most impactful rights defined by the GDPR is the blocking and deletion of personal data that is no longer required within the purpose defined for the processing. According to the GDPR, personal data must be deleted after the primary purpose of the processing has ended. If the data must be retained to comply with retention periods required by other legislation — such as tax legislation — access to it must be blocked or restricted, and it must be kept only for the duration of the longest legal retention period, after which it must be deleted.
To help with this task, as of SAP NetWeaver 7.40, SAP Business Suite applications provide simplified blocking and deletion functionality that is based on SAP Information Lifecycle Management (SAP ILM). All SAP Business Suite applications include required SAP ILM objects that enable the transfer of data to an archive, which fulfills the blocking requirement. In addition, all SAP Business Suite applications support the “end of purpose” check, also based on SAP ILM, that is triggered from central personal master data sets, such as central business partner, customer, and vendor master data. With this check enabled, all applications registered with a central personal master data set are triggered to check whether they still need that data — if no longer needed, the data is marked as blocked and access is restricted.
Restricting the Processing of Personal Data
Another requirement specified by the GDPR is the ability to restrict the processing of personal data based on a data subject’s request while keeping the data available for the establishment, exercise, or defense of legal claims — for instance, when incorrect data led to a wrong business decision and the matter needs to be clarified legally.
The blocking and deletion functionality included with SAP Business Suite applications can be configured to address this requirement by leaving only data in the system that is relevant to the defined processing purpose and must be processed. SAP ILM also provides a legal hold functionality that can be used to retain relevant data as needed.
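To make the lifecycle described in the last two sections concrete, the following is an added, simplified Python model of an “end of purpose” check, blocking, retention-driven deletion, and legal hold. It is written for this article and is not SAP ILM code or SAP’s algorithm; the application names (`sales`, `finance`), the retention periods, the sample contract and invoice data, and the role name used for restricted access are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Hypothetical model of a central personal master data record whose
# lifecycle is: active -> blocked -> deleted. Not SAP ILM code.


@dataclass
class MasterRecord:
    partner_id: str
    status: str = "active"
    blocked_on: Optional[date] = None
    legal_hold: bool = False  # a legal hold suspends destruction


# Each registered application answers: "do I still need this partner's data?"
EoPCheck = Callable[[str, date], bool]


@dataclass
class Registry:
    checks: Dict[str, EoPCheck] = field(default_factory=dict)
    retention_days: Dict[str, int] = field(default_factory=dict)

    def register(self, app: str, check: EoPCheck, retention_days: int) -> None:
        self.checks[app] = check
        self.retention_days[app] = retention_days

    def still_needed_by(self, partner_id: str, today: date) -> List[str]:
        return [app for app, chk in self.checks.items() if chk(partner_id, today)]

    def longest_retention(self) -> int:
        # Data may only be destroyed after the longest applicable retention period
        return max(self.retention_days.values(), default=0)


def end_of_purpose_check(record: MasterRecord, registry: Registry, today: date) -> str:
    """Block the record only when no registered application still needs it."""
    if record.status == "active" and not registry.still_needed_by(record.partner_id, today):
        record.status = "blocked"
        record.blocked_on = today
    return record.status


def destruction_check(record: MasterRecord, registry: Registry, today: date) -> str:
    """Delete a blocked record once the longest retention period has expired, unless a legal hold applies."""
    if record.status == "blocked" and not record.legal_hold:
        if today >= record.blocked_on + timedelta(days=registry.longest_retention()):
            record.status = "deleted"
    return record.status


def access_allowed(record: MasterRecord, role: str) -> bool:
    """Blocked data is visible only to a role authorised for retained data (constructed role name)."""
    if record.status == "deleted":
        return False
    if record.status == "blocked":
        return role == "data_protection_officer"
    return True


# Constructed sample transactional data: contract end dates and last invoice per partner.
OPEN_CONTRACTS = {"BP-1001": [date(2026, 12, 31)], "BP-1002": []}
LAST_INVOICE = {"BP-1001": date(2017, 6, 30), "BP-1002": date(2012, 3, 15)}


def sales_check(partner_id: str, today: date) -> bool:
    # Sales still needs the data while any contract runs beyond today
    return any(end > today for end in OPEN_CONTRACTS.get(partner_id, []))


def finance_check(partner_id: str, today: date) -> bool:
    # Constructed rule: finance needs the data while the last invoice is younger than 90 days
    last = LAST_INVOICE.get(partner_id)
    return last is not None and (today - last).days < 90


def build_registry() -> Registry:
    reg = Registry()
    reg.register("sales", sales_check, retention_days=3 * 365)
    reg.register("finance", finance_check, retention_days=10 * 365)  # constructed tax-style period
    return reg


def lifecycle_trace(partner_id: str, today_iso: str, legal_hold: bool = False) -> List[str]:
    """Statuses after the end-of-purpose check, one day before retention expiry, and at expiry."""
    reg = build_registry()
    today = date.fromisoformat(today_iso)
    rec = MasterRecord(partner_id, legal_hold=legal_hold)
    trace = [end_of_purpose_check(rec, reg, today)]
    expiry = today + timedelta(days=reg.longest_retention())
    trace.append(destruction_check(rec, reg, expiry - timedelta(days=1)))
    trace.append(destruction_check(rec, reg, expiry))
    return trace


def access_after_check(partner_id: str, today_iso: str, role: str) -> bool:
    """Run the end-of-purpose check, then ask whether the given role may still read the record."""
    reg = build_registry()
    rec = MasterRecord(partner_id)
    end_of_purpose_check(rec, reg, date.fromisoformat(today_iso))
    return access_allowed(rec, role)


if __name__ == "__main__":
    for pid in ("BP-1001", "BP-1002"):
        print(pid, lifecycle_trace(pid, "2018-05-25"))
    print("BP-1002 with legal hold", lifecycle_trace("BP-1002", "2018-05-25", legal_hold=True))
```

The point of the model is the ordering of the checks: blocking happens as soon as every registered application reports that its purpose has ended, destruction happens only after the longest retention period counted from the blocking date, and a legal hold stops destruction without lifting the access restriction. In a real system each registered application would query its own transactional data rather than the constructed tables used here.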
Providing Access to Personal Data in a Readable Format
The GDPR also specifies the right of data subjects to have access to any of their personal data that is undergoing processing. SAP Business Suite enables organizations to provide data subjects with this information through its reporting tools. Currently, SAP is changing from application-specific reporting to a centralized approach, which will allow for centralized reporting on data that is undergoing processing. Regardless of the reporting approach, the decision about which data to report remains with the company using the SAP software, so a detailed, customized, and specific configuration will be required.
In addition, data subjects have the right to obtain any personal data undergoing processing in machine-readable format, which is easily provided by the download functionality available with SAP Business Suite reporting tools.
Establishing Technical and Organizational Measures
In addition to meeting legal requirements for processing personal data and ensuring the specified rights of data subjects, the GDPR requires businesses to establish technical and organizational measures (TOMs) to ensure the protection of personal data. While the GDPR does not list specific required TOMs — it gives only example definitions — it clearly requires that appropriate TOMs be implemented and reviewed on a regular basis (for more on related documentation and controlling requirements, see the sidebar “Documentation and Controlling Become Key”).
So how do you know which TOMs to implement to ensure GDPR compliance? Fortunately, there is existing legislation that can provide guidance — for example, the TOMs specified by Germany’s current Federal Data Protection Act (BDSG)[4] can serve as a useful guideline for establishing basic safeguards for processing personal data (see Figure 2).