Compliance with the General Data Protection Regulation (GDPR) requires improving SAP data governance in companies collecting, using, and transferring personal data of European Union (EU) residents. These new privacy rules become effective on May 25, 2018, and also apply to companies based outside the EU if they offer products or services in the EU single market.
The review of who has access to what (also called access certification) that is needed to comply with this regulation must follow a control methodology that differs from the one normally used. The access review for GDPR compliance should cover master data of employees, candidates, vendors, contractors, clients, suppliers, and business partners, as well as any other standard or custom table or table field containing personal information (see my previous SAP Experts article, “How to Prepare Your SAP System for the New European Union General Data Protection Regulation” [September 2016]). This article contains tips to adjust and improve the user access review to comply with the GDPR.
Performing the SAP user access review for GDPR compliance has its own particularities. While access to create, change, and delete transactions, critical object authorizations, and segregation of duties is reviewed by frequent, well-defined controls, listing and display access to personal information is generally not reviewed in depth. Over time, SAP system managers have developed strong access controls over the display of sensitive financial information in budgets and business planning. However, access to personal information has received much less attention. The user and database access review should now be aligned with the GDPR project and with the documentation required to demonstrate compliance.
It is important that SAP system managers interview the GDPR sponsors in organizations, such as the compliance officer and the legal department, to clarify their expectations and requirements. Some organizations focused on monitoring personal information or processing sensitive data on a large scale should appoint a data protection officer as the leading privacy sponsor. SAP system managers involved in access security should closely communicate with these GDPR sponsors. This communication with the GDPR sponsors ultimately allows SAP system managers to engage the business line in supporting changes.
During the early stages of a GDPR compliance project, personal information is mapped for SAP-system and non-SAP-system data. This task allows the identification and classification of all personal information processed by an organization to populate an inventory. Also, where data privacy breach risks are high, a privacy impact assessment is done to allow identification of risks and prioritization of control actions.
The privacy impact assessment covers risks of users exporting or downloading tables or reports containing personal information. The assessment covers the unauthorized access to critical tables and the transmission of databases with personal information inside and outside the organization. It also covers current and recommended control practices for key risks.
The resulting inventory of personal data processed in the SAP environments is the starting point for a proper access review for the GDPR. Be sure to ask for the personal information inventory and the impact assessment when performing the SAP access review. SAP system managers should also ask to receive any update or change on these documents.
The inventory of personal data should assign a responsible senior process manager as the data owner. This data owner is accountable for performing and documenting the access review for each respective SAP module. The data owners are not usually part of the SAP or the IT departments; rather, they belong to the business department relevant for each SAP module (for instance, a CFO or an accounting process manager for SAP Financial Accounting [FI] and Controlling [CO]). Be sure to obtain a final validation of the user review from the data owners of all SAP modules within the scope of the GDPR.
SAP roles should be updated to limit access to reports and transactions displaying personal information to those with a legitimate purpose (the principle of least privilege or need to know). User and database roles granting access to view sensitive personal data, such as the employees’ medical history and trade union association, should be limited to only a few intended users and compared against the explicit consents given by such employees. Any right allowing listing and exporting of a large amount of personal information should be properly justified by the data owner who knows about its business requirements. The data owner who is assigned in the personal data inventory should also act as a role custodian for each SAP module as a best practice.
Some categories of users create high privacy risks. The data owners should properly analyze and validate these groups of users. In general, users related to these business functions are exposed to high risks:
- Human resources, including recruiting
- Marketing, billing, and customer management
- Accounts receivable and payable, and treasury
- SAP system administration and development
- Auditing and controlling
- Outsourced functions to external consultants and other vendors
In practice, SAP system managers may identify many cases in which viewing access for roles and users needs to be revoked. If the importance of the GDPR project is not well communicated across an organization, operational areas may start to resist the project. In this case, SAP system managers should ask the GDPR sponsors for support in communicating both the risks of data misuse and the compliance requirements. It is important to document how accesses are revoked during the review by creating user access forms.
Access of third-party vendors such as contractors, consultants, and other non-employees should be matched against the existence of confidentiality and privacy clauses in their contracts. Also, if they need to display or manage personal information in the SAP systems, the roles assigned to them should be the minimum required to perform their contractual obligations. This review should also cover their access to the testing and productive environments and to backups of SAP data. Privileges granted to developers, including object permissions, should also be closely reviewed when their access to the SAP system involves personal information of employees, clients, suppliers, and other third parties.
The access review for displaying, listing, and extracting personal information in SAP systems is a critical control to comply with the GDPR. It requires changing how the user review is performed for all SAP systems. A breach of data privacy is and will remain at the top of the business risks that SAP system managers need to prevent. SAP system managers have a key role in protecting not only personal data but also the reputation of their organizations.