The new European Union General Data Protection Regulation (GDPR) will become effective on May 25, 2018. Companies using European personal data, both inside and outside of Europe, are adjusting practices, privacy controls, and parameters in SAP environments to comply with this regulation. New policies are being implemented to protect sensitive personal information that is kept in the customer, client, employee, and candidate master, and that is sometimes transferred to or from service providers.
The consequences of mishandling personal data increase significantly: non-complying organizations face fines of up to 4 percent of global annual turnover or €20 million, whichever is higher. Even though the regulation only takes effect in May 2018, the requirements and practices to protect sensitive data are already defined, and they bring major challenges. The regulation also applies to organizations based outside the European Union if they process personal data of European residents.
(Note: Global annual turnover is the worldwide revenue of the undertaking and is the basis for calculating a fine for a data protection breach. By analogy with similar regulations, turnover is taken as the revenue from ordinary activities, net of turnover taxes and discounts, following the applicable accounting principles for net sales.)
This requirement creates many career opportunities for SAP experts and consultants. Being the first to communicate and to address these compliance risks is a critical factor.
A comprehensive risk analysis about current data collection, transfer, use, and disposal against the new GDPR requirements needs to be performed to prioritize the preparation plans. This article serves as a roadmap to prepare your SAP system to comply with the GDPR.
1. Define In-Scope SAP Data
Personal information is any data relating to an identified or identifiable individual, including names, email addresses, identification numbers, bank details, medical information, and even a photo or an IP address. The GDPR also explicitly adds biometric and genetic data to the special categories of personal data.
A preparation plan starts by identifying all SAP environments, clients, master data tables, and fields containing personal information of European residents, including customer-specific Z tables and Z fields. All SAP systems, such as SAP ERP Central Component (ECC), Business Intelligence (BI), and Customer Relationship Management (CRM), should be included in the preparation project, as should backups, legacy systems, and archives of SAP databases. Digitized documents integrated into SAP that contain private information should also be covered.
The quantity and sensitivity of personal data to protect differ widely between industries and jurisdictions. Sectors such as healthcare, insurance, banking, recruitment, and marketing handle a high volume and wide variety of personal information and must also comply with stricter industry rules. As a general reference, personal information is stored in the global master tables for customers (KNA1, KNBK, KNVK), vendors (LFA1, LFBK), addresses (ADRC, ADR2, ADR3, ADR6), business partners (BP000, BP030), users (USR03), and payment cards (VCNUM). Other master data tables holding employment, date of birth, citizenship, identification number, tax, and credit data should be scoped as well. Some solutions, such as SAP Patient Relationship Management, hold very sensitive information. The ABAP Dictionary where-used list helps here: program RSCRDOMA (Where-Used List for Domain in Tables) lists every table, including customer Z tables, that has a field built on a given domain, so searching on the domains of the name, address, bank, and identification fields finds copies of personal data that a manual inventory would miss.
Personal information on employees is stored in SAP HCM infotypes. Typical examples are personal data including ethnic origin and military status (infotypes 0002 and 0077), severely challenged persons (infotype 0004), addresses (infotype 0006), bank details (infotype 0009), family members and related persons (infotype 0021), internal medical service (infotype 0028 with all its subtypes), and residence status (infotype 0094). Applicant data is usually kept alongside the employee base. Country-specific SAP features may widen the scope of personal information.
During scope planning, validate with the business owners why each piece of personal information is collected, as input for the impact assessment. Confirming the specific and legitimate need for keeping the data with business experts is highly advisable. Understanding the business need for each type of information also helps define the responsible contact and the retention requirements, and shows how data is transferred and interfaced between the SAP system and other systems and organizations. Reducing the amount of personal information kept (data minimization) shrinks both the scope of the preparation and the risk in the SAP system.
2. Audit the Access Rights to Transactions and Authorization Objects
Once it is understood where personal information is stored, it can be protected accordingly. Since the GDPR also covers data processed by organizations outside Europe, the review of access rights needs to be updated, improved, and well documented. User roles and access permissions should be reduced to least privilege.
The access rights audit consists of reviewing transaction codes and authorization objects with their field values. The transaction codes that reach in-scope data and its reports, as assigned to roles and users, should be validated with the business process owners. All unnecessary and unused roles and transactions should be revoked.
As a general reference, the main transaction codes to access master data tables include:
- Create, change and display customers, prospects, and contact persons (XD0*, VD0*, VAP*) and reporting-related lists (S_ALR_87012179, S_ALR_87012180)
- Create, change, and display vendors (XK0*, MK0*) and reporting-related lists (S_ALR_87012086)
- Create, change, and display employee (PA10, PA20, PA30) and applicant (PB10, PB20, PB30) files
- Create and maintain bank master data (FI01, FI02, FI06) and business partners (BP, BUP1)
- Maintain general tables (SE11, SM30, SM31)
- Browse data (SE16) and display a table (SE16N)
After the transactions granted to users and roles are adjusted, the review moves on to the authorization objects and their field values, because a transaction only opens the door and the object check decides what can be read or changed: S_TCODE for starting transactions, S_TABU_DIS and S_TABU_NAM for generic table access from SE16, SE16N, and SM30, and P_ORGIN (field INFTY) for HR master data infotypes. This can be done with SAP GRC solutions and other tools. Reviewing access to objects by roles and users is the most effective approach for this work.
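The following is an added example (not part of the original article) of the offline review described in this section. It evaluates constructed rows shaped like AGR_1251 (role, object, field, LOW, HIGH) and AGR_USERS (user, role) with SAP's authorization value semantics, so that a wildcard or range in a role is resolved to the concrete sensitive transactions it covers. Role names, users, and the approved lists are hypothetical; in a real review the two tables would be exported from the system or the same questions asked through SUIM.

```python
"""Offline access review of SAP role authorizations against GDPR-relevant transactions.

Added example: constructed AGR_1251-style and AGR_USERS-style rows, evaluated with
SAP LOW/HIGH value semantics ('*' = all, trailing '*' = prefix, HIGH = inclusive range).
"""
from collections import defaultdict

# Transactions from the article that reach personal data, expanded to concrete codes
# (the check must know each code it is looking for; XD0* alone would hide XD01 vs XD03).
SENSITIVE_TCODES = ["XD01", "XD02", "XD03", "PA20", "PA30", "SE16", "SE16N", "SM30"]

# Constructed AGR_1251-style rows (hypothetical roles).
ROLE_AUTHS = [
    {"ROLE": "Z_SD_CUST_DISPLAY", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "XD03", "HIGH": ""},
    {"ROLE": "Z_BASIS_ALL", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "*", "HIGH": ""},
    {"ROLE": "Z_BASIS_ALL", "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT", "LOW": "03", "HIGH": ""},
    {"ROLE": "Z_BASIS_ALL", "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "*", "HIGH": ""},
    {"ROLE": "Z_HR_ADMIN", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "PA20", "HIGH": "PA30"},
    {"ROLE": "Z_HR_ADMIN", "OBJECT": "P_ORGIN", "FIELD": "INFTY", "LOW": "0002", "HIGH": ""},
    {"ROLE": "Z_DEV_BROWSE", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "SE1*", "HIGH": ""},
    {"ROLE": "Z_DEV_BROWSE", "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT", "LOW": "03", "HIGH": ""},
    {"ROLE": "Z_DEV_BROWSE", "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "&NC&", "HIGH": ""},
]
# Constructed AGR_USERS-style rows (hypothetical users).
USER_ROLES = [("JDOE", "Z_SD_CUST_DISPLAY"), ("BASIS01", "Z_BASIS_ALL"),
              ("HR01", "Z_HR_ADMIN"), ("DEV01", "Z_DEV_BROWSE")]


def value_matches(low: str, high: str, value: str) -> bool:
    """SAP authorization value semantics for one field entry."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def role_grants(role: str, obj: str, field: str, value: str) -> bool:
    # Simplification: fields are matched per role rather than per authorization
    # instance (AGR_1251-AUTH), so a role holding several authorizations of one
    # object can be over-reported.  For a review, a false positive is the safer error.
    return any(r["ROLE"] == role and r["OBJECT"] == obj and r["FIELD"] == field
               and value_matches(r["LOW"], r["HIGH"], value) for r in ROLE_AUTHS)


def users_who_can(obj: str, field: str, value: str) -> set:
    return {user for user, role in USER_ROLES if role_grants(role, obj, field, value)}


def users_with_unrestricted(obj: str, field: str) -> set:
    """Users whose role grants the full '*' for a field (e.g. every table authorization group)."""
    return {user for user, role in USER_ROLES
            if any(r["ROLE"] == role and r["OBJECT"] == obj and r["FIELD"] == field
                   and r["LOW"] == "*" for r in ROLE_AUTHS)}


def review_tcodes() -> dict:
    """Map each user to the sensitive transactions they can start."""
    findings = defaultdict(set)
    for tcode in SENSITIVE_TCODES:
        for user in users_who_can("S_TCODE", "TCD", tcode):
            findings[user].add(tcode)
    return dict(findings)


def generic_table_display() -> set:
    """Users able to browse any table: a table browser transaction plus S_TABU_DIS
    display activity (03) on every authorization group."""
    browsers = users_who_can("S_TCODE", "TCD", "SE16") | users_who_can("S_TCODE", "TCD", "SE16N")
    full_display = users_who_can("S_TABU_DIS", "ACTVT", "03") & users_with_unrestricted("S_TABU_DIS", "DICBERCLS")
    return browsers & full_display


if __name__ == "__main__":
    for user, tcodes in sorted(review_tcodes().items()):
        print(f"{user:10} {sorted(tcodes)}")
    print("generic table display:", sorted(generic_table_display()))
```

Running the block shows why the transaction list alone is not enough: DEV01 can start SE16 through the prefix entry SE1*, but S_TABU_DIS only grants the non-classified group, whereas BASIS01 combines the unrestricted S_TCODE entry with display on every table group and is the one user who can read any in-scope table. HR01 reaches PA30 through a LOW/HIGH range that never names PA30 explicitly, which is exactly the kind of grant a text search on role contents would miss.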
3. Obtain or Update Consent from SAP Users
European SAP users should receive an explicit notice about the personal data collected and used, and give their explicit consent. This can be implemented with a data privacy pop-up at the SAP log-on screen carrying a specific consent message that offers an opt-in and a way to withdraw consent. The message should be specific to this requirement, clearly written in the local language to explain the use of personal information, and require an action from the user. It should state which personal data is collected, processed, disclosed, and transferred, and how the user's activity is logged. Users should also be informed about their rights, for instance to access and correct their own personal information. Transaction SUIM or report RSUSR002 can be used to filter which users should provide consent, for instance users located in the European Union.
When personal data is transferred from an SAP system to third parties, such as insurance and medical companies, the consent should cover these cases.
4. Monitor How an SAP System Exports and Transfers Personal Data
Complying with the GDPR requires auditing SAP logs to detect risky user behavior. Every download of private information should be strictly justified by a business need, protected, erased when it is no longer needed, and authorized by the compliance function. An export of a report from the SAP List Viewer (ALV) without business justification, for instance, should be treated as a potential data breach to be reported.
The preparation project should plan how, by whom, and how often the SAP security logs will be reviewed for downloaded data with private information. The protection of downloaded sensitive information outside the SAP system is a related issue to address in a readiness plan.
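As an added example of the periodic log review planned above (not code from the article), the block below runs a few detection rules over an export of download activity. The log format is constructed for the example and is not SAP's Security Audit Log layout; the in-scope object list, the approved-request register, and the thresholds are assumptions that a real readiness plan would replace with its own values. The rules flag exports of in-scope tables and reports that have no approved request, are bulk, happen outside business hours, or pile up for one user on one day.

```python
"""Detection pass over an exported download log (added example, constructed format).

Line layout: timestamp|user|tcode|object|rows|target file|approval ticket
Adapt parse_line() to a real export (Security Audit Log entries or a custom download log).
"""
from collections import Counter
from datetime import datetime

# Tables and reports that the scoping step put in scope (assumed list).
IN_SCOPE = {"KNA1", "KNBK", "KNVK", "LFA1", "LFBK", "ADRC", "ADR6", "PA0002", "PA0006",
            "PA0009", "S_ALR_87012179", "S_ALR_87012086"}
# Hypothetical register of downloads the compliance function approved: (user, object, ticket).
APPROVED = {("HR01", "PA0002", "REQ-2018-017")}
ROW_THRESHOLD = 500            # above this, a single export counts as bulk
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time
DAILY_LIMIT = 2                # more in-scope exports per user and day than this is unusual

# Constructed sample log, not real system output.
SAMPLE_LOG = """\
2018-03-12T09:14:02|JDOE|SE16|KNA1|12|C:\\Users\\jdoe\\kna1.xlsx|
2018-03-12T22:41:55|JDOE|SE16N|KNBK|4200|C:\\Users\\jdoe\\bank.xlsx|
2018-03-13T10:03:11|HR01|PA20|PA0002|350|/tmp/pa0002.txt|REQ-2018-017
2018-03-13T10:05:40|HR01|S_ALR_87012179|S_ALR_87012179|900|/tmp/cust.txt|
2018-03-13T11:20:00|DEV01|SE16|T000|3|/tmp/t000.txt|
2018-03-13T14:02:13|JDOE|SE16|KNVK|40|C:\\Users\\jdoe\\kontakte.xlsx|
2018-03-13T14:09:48|JDOE|SE16|ADR6|60|C:\\Users\\jdoe\\mail.xlsx|
2018-03-13T14:15:30|JDOE|SE16|LFA1|25|C:\\Users\\jdoe\\lfa1.xlsx|
"""


def parse_line(line: str) -> dict:
    ts, user, tcode, obj, rows, target, ticket = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "tcode": tcode, "obj": obj,
            "rows": int(rows), "target": target, "ticket": ticket}


def classify(rec: dict) -> list:
    """Reasons why one export of an in-scope object needs review (empty list = fine)."""
    if rec["obj"] not in IN_SCOPE:
        return []
    reasons = []
    if (rec["user"], rec["obj"], rec["ticket"]) not in APPROVED:
        reasons.append("no approved request")
    if rec["rows"] > ROW_THRESHOLD:
        reasons.append("bulk export")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def scan(text: str) -> list:
    """Return (user, object, timestamp, reasons) for every export that needs review."""
    recs = [parse_line(l) for l in text.splitlines() if l.strip()]
    per_day = Counter((r["user"], r["ts"].date()) for r in recs if r["obj"] in IN_SCOPE)
    findings = []
    for r in recs:
        reasons = classify(r)
        if r["obj"] in IN_SCOPE and per_day[(r["user"], r["ts"].date())] > DAILY_LIMIT:
            reasons.append("many in-scope exports that day")
        if reasons:
            findings.append((r["user"], r["obj"], r["ts"].isoformat(), tuple(reasons)))
    return findings


def users_to_review(findings: list) -> Counter:
    """How many flagged exports each user has, to prioritize the follow-up."""
    return Counter(user for user, _, _, _ in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for user, obj, ts, reasons in found:
        print(f"{ts} {user:8} {obj:15} {', '.join(reasons)}")
    print(users_to_review(found))
```

The approved export of PA0002 by HR01 passes every rule and is not reported, while the out-of-scope T000 download is ignored entirely; everything the reviewer sees is therefore an in-scope export that lacks a justification or looks abnormal. The per-day rule catches the three small exports by JDOE on 13 March that, taken one at a time, would each stay below the bulk threshold.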
The GDPR recognizes data transfer mechanisms to recipients outside the European Union, such as standard contractual clauses, binding corporate rules, or adherence to an approved code of conduct. SAP services, including cloud storage, remote access, and global employee databases, need a lawful data transfer mechanism. SAP experts should review business operations to identify the circumstances in which private information is transferred to recipients located outside Europe.
5. Define Action Plans to Anonymize Personal Data
The GDPR names pseudonymization (alongside encryption) as an appropriate technical measure to protect personal data. Pseudonymization replaces the identifying values in a record with substitute codes so that the data can no longer be attributed to a specific person without additional information, which must be kept separately and protected. Unlike anonymization it is reversible: authorized users with access to that separate mapping can still display the original master data. Pseudonymization is generally used by SAP Healthcare solutions to protect the identity of patients.
It is particularly relevant for non-productive environments when granting access to developers, testers, functional analysts, and contract workers. Encryption and data scrambling are also valid action plans. SAP delivers solutions for protecting data in development and testing environments (e.g., SAP TDMS HCM 4.0). Data scrambling overwrites critical data sets in a system copy so that the original personal data is no longer visible to users of the non-productive systems copied from production; unlike pseudonymization, it is not meant to be reversed.
The preparation project should consider how to assure that personal data does not leave the productive environment.
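The block below is an added example (not from the article or from SAP's TDMS product) of the pseudonymization and scrambling just described, applied to a copy of the customer master before it leaves the productive environment. The sample rows are constructed in the shape of KNA1, KNBK, and ADR6 with only a few fields each; the key fields (KUNNR, ADRNR, ADDRNUMBER) are left untouched so that the tables still join, identifying fields are replaced by keyed HMAC tokens that stay consistent across tables, and the re-identification vault is a separate object that stays with the authorized function rather than shipping with the test copy. The key and field list are assumptions for the example.

```python
"""Keyed pseudonymization of a customer master extract (added example, constructed rows)."""
import hashlib
import hmac

# Constructed sample rows in the shape of the SAP tables named in the article.
# KNA1-ADRNR links to ADR6-ADDRNUMBER, KNBK-KUNNR to KNA1-KUNNR.
KNA1 = [
    {"KUNNR": "0000100001", "ADRNR": "0000020001", "NAME1": "Anna Müller", "TELF1": "+49301234567"},
    {"KUNNR": "0000100002", "ADRNR": "0000020002", "NAME1": "Jan de Vries", "TELF1": "+31201234567"},
]
KNBK = [
    {"KUNNR": "0000100001", "BANKN": "DE89370400440532013000"},
    {"KUNNR": "0000100002", "BANKN": "NL91ABNA0417164300"},
]
ADR6 = [
    {"ADDRNUMBER": "0000020001", "SMTP_ADDR": "anna.mueller@example.com"},
    {"ADDRNUMBER": "0000020002", "SMTP_ADDR": "jan.devries@example.com"},
]

# Fields replaced by tokens (assumed list); key fields are left alone so joins survive.
IDENTIFYING = {"NAME1", "TELF1", "BANKN", "SMTP_ADDR"}


class Pseudonymizer:
    """Deterministic, keyed replacement of identifying values.

    The same (field, value) always yields the same token, so a name that appears in two
    tables stays consistent.  With keep_vault=False no mapping is retained and the result
    is irreversible scrambling rather than pseudonymization.
    """

    def __init__(self, key: bytes, keep_vault: bool = True):
        self._key = key
        self.vault = {} if keep_vault else None   # token -> original, kept separately

    def token(self, field: str, value: str) -> str:
        mac = hmac.new(self._key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256).hexdigest()
        if field == "SMTP_ADDR":     # keep a syntactically valid address for interface tests
            tok = f"user-{mac[:16]}@example.invalid"
        elif field == "TELF1":       # keep it numeric and of plausible length
            tok = "+000" + str(int(mac[:12], 16) % 10**9).zfill(9)
        elif field == "BANKN":       # fixed-width placeholder with a non-existent country code
            tok = "XX00" + mac[:18].upper()
        else:
            tok = f"{field}_{mac[:12].upper()}"
        if self.vault is not None:
            self.vault[tok] = value
        return tok

    def reidentify(self, tok: str) -> str:
        """Only the holder of the vault (the authorized function) can do this."""
        if self.vault is None:
            raise LookupError("scrambled copy: original value was not retained")
        return self.vault[tok]

    def pseudonymize_table(self, rows: list) -> list:
        return [{f: (self.token(f, v) if f in IDENTIFYING else v) for f, v in row.items()}
                for row in rows]


def join_intact(kna1: list, knbk: list, adr6: list) -> bool:
    """Referential integrity check: every KNBK and ADR6 row still finds its KNA1 parent."""
    kunnrs = {r["KUNNR"] for r in kna1}
    adrnrs = {r["ADRNR"] for r in kna1}
    return all(r["KUNNR"] in kunnrs for r in knbk) and all(r["ADDRNUMBER"] in adrnrs for r in adr6)


if __name__ == "__main__":
    p = Pseudonymizer(b"replace-with-a-key-held-by-the-authorized-function")
    test_kna1 = p.pseudonymize_table(KNA1)
    test_knbk = p.pseudonymize_table(KNBK)
    test_adr6 = p.pseudonymize_table(ADR6)
    for row in test_kna1 + test_knbk + test_adr6:
        print(row)
    print("joins intact:", join_intact(test_kna1, test_knbk, test_adr6))
    print("authorized re-identification:", p.reidentify(test_kna1[0]["NAME1"]))
```

Two properties matter for the non-productive copy: the tokens are keyed, so a developer who knows the algorithm but not the key cannot rebuild the mapping by hashing guessed names, and the key and vault never travel with the copy. If a tester needs realistic-looking but unrecoverable data, the same class with keep_vault=False produces a scrambled copy with the same join behavior.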
The GDPR introduces privacy by design and privacy by default, so that privacy becomes a cornerstone of software and service development. Contracts with SAP developers should require that the appropriate security strategy is set at the conceptual design stage, and tenders for new developments should account for the impact of these requirements.
6. Define Action Plans to Block and Erase Personal Data
The GDPR requires organizations to erase personal data without undue delay when it is no longer needed, or when an employee, client, or other data subject objects to the processing and exercises the right to be forgotten. In an SAP system, personal data is usually not deleted outright: retention rules for documents and the referential integrity between tables prevent immediate deletion, so the data is first blocked. Blocking prevents further retrieval or processing by ordinary users, and the actual destruction follows once the retention period has expired.
SAP delivers enhancement packages to block master data until an expiration date (e.g., ERP_CVP_ILM_1). Access to blocked data can be granted to admin users for reversals. SAP Information Lifecycle Management (SAP ILM) addresses the process to delete information after business rules are met. SAP experts should plan how to address the blocking and deletion requirements to license the proper business solution and to adjust the data management policy.
7. Ask for Advice and Support
Many organizations are required to appoint a lead for data protection and security. This data protection officer role is expected to set the rules for data privacy and to provide evidence of controls. SAP experts could benefit from this new position to get advice and training about processing data and conducting internal reviews and data privacy risk assessments.
Legal advisors specializing in data privacy can help validate the preparation plan, in particular the scope, the data retention requirements, and cross-border data transfers. SAP experts need their advice when configuring security features and when blocking or deleting personal data. Liaising with functional analysts is also advisable to identify realistic action plans, since they understand user needs and behaviors.
There are many additional stakeholders to properly prepare for the GDPR since it places many responsibilities at the senior executive level. The regulation creates and increases compliance obligations on controllers to document processing activities and to implement policies. Departments responsible for risk management, audit, and compliance will be interested in supporting a preparation project.
The financial and human budget for preparation will vary significantly depending on the seriousness and complexity of the privacy risks. Getting the support from upper management is critical for the success of the preparation efforts.
Experts in SAP systems should lead organizations to prepare changes in policies, people, and control practices to adopt the data protection principles mandated by the GDPR. It affects anyone based in the European Union or handling personal data of European Union residents. Identifying available options in the SAP system to mitigate the related compliance risks should start now. The scale of sanctions and legal requirements means that actual compliance is a must.
For information about GDPR preparedness and about securing data in an SAP environment, read the related SAPinsider articles and Hernan Huwyler's blog on LinkedIn. For additional tips on securing an SAP environment, attend SAPinsider's GRC 2019 conference.