Data Security and Data Privacy – EU-GDPR Fields of Action

Data Security and Data Privacy
Natuvion Webcast Nr. 1 – EU-GDPR Fields of Action
Natuvion GmbH – 07.2017

AGENDA
Natuvion
Webcast Series Data Security and Data Privacy
Data Security and Privacy Policy
Overview of Fields of Action
Overview of Solutions & Services
Contact
2

Since 2014, NATUVION supports customers with our experience and expertise in
digitalization
3
Founded in 2014 as an owner-managed consulting company
specializing in utilities, transformation and security
Office locations: Walldorf, Berlin, München, Vienna(AT),
Philadelphia(US)
Company size: > 55 Employees
Expertise of consultants: > 75 % SAP certified & Ø 12 years Utilities and
SAP
SAP Gold Partner
SAP Recognized Expertise in Utilities
SAP Landscape Transformation
Long-term partner of the largest energy suppliers in Germany
Services / Skills
§ Strategic IT-Management
§ IT Consulting for Utilities Industry
§ SAP Transformation & Data Services
§ SAP Security & Data Privacy / Protection
§ Business Intelligence / Analytics
Natuvion Gruppe
In-depth experience in
implementation of DS-GVO / GDPR
requirements
Strategic partnership with SAP Data
Protection and Privacy
Development Teams
Areas– ILM / IRF / Consent
Close & long-term partnership with
IT / data protection law experts
Complete understanding of the
processes and requirements from a
business, IT and data privacy
perspective
Own certified solutions specifically
for consistent data erasure,
information and anonymization
Designated data protection and
privacy expertise (solutions)
Designated Transformation
expertise
Success Factors
Conception & introduction of
anonymization (IS-U / CRM)
Group-wide roll-out of a system
anonymization (CRM / IS-U /
ERP / HCM)
Selective data deletion (IS-U /
CRM / ERP / BW)
Deletion concept of DS-GVO /
GDPR (SAP System landscape)
IT and process concept
conformity of affected persons
rights according to DS-GVO /
GDPR (Information and
Transparency)
System and data
decommissioning with SAP ILM
Concept and implementation
information (SAP IRF)
Relevant References
Natuvion – Your specialist for the implementation and requirements of the GDPR / DS-GVO

AGENDA
Natuvion
Contact
4

Natuvion Webcasts
Overview of the webcast series „Data Security and Data Privacy"
Data Security and Data Privacy5
1
1 hr.
The webcast series „Data Security and Data Privacy in SAP“ offers an outstanding overview of the actions and
implementation possibilities in accordance to the EU-GDPR / EU-DSGVO.
EU-DSGVO/ GDPR Onboarding
Legal overview and basic structuring of the fields of
action (1 hour)
2
45 min.
Deletion of Existing Historical Data
Consistent deletion of mass data in SAP system
landscapes (30 minutes)
3
45 min.
Simple Locking and Deletion
Overview and experiences with the introduction of
SAP Information Lifecycle Management (30 minutes)
4
45 min.
Anonymization / Pseudonymization
Background, challenges and implementation of a
DSGVO / GDPR compliant anonymization
5
30 min.
Data Reporting / Transparency
DSGVO / GDPR compliant data transfer from
conception to implementation - SAP IRF
6
45 min.
Consent / Approval
DSGVO / GDPR complient approval concept and
introduction – SAP CONSENT
7
45 Min.
Privacy Impact Assessment
Wie können PIAs praktisch umgesetzt und gelebt
werden?

Natuvion Webcasts
Overview of the webcast series „Data Security and Data Privacy"
1
1 hr.
The webcast series „Data Security and Data Privacy in SAP“ offers an outstanding overview of the actions and
implementation possibilities in accordance to the EU-GDPR / EU-DSGVO.
EU-DSGVO/ GDPR Onboarding
Legal overview and basic structuring of the fields of
action (1 hour)
2
45 min.
Deletion of Existing Historical Data
Consistent deletion of mass data in SAP system
landscapes (30 minutes)
3
45 min.
Simple Locking and Deletion
Overview and experiences with the introduction of
SAP Information Lifecycle Management (30 minutes)
4
45 min.
Anonymization / Pseudonymization
Background, challenges and implementation of a
DSGVO / GDPR compliant anonymization
5
30 min.
Data Reporting / Transparency
DSGVO / GDPR compliant data transfer from
conception to implementation - SAP IRF
6
45 min.
Consent / Approval
DSGVO / GDPR compliant approval concept and
introduction – SAP CONSENT
7
45 Min.
Privacy Impact Assessment
How can DPIAs be implemented and managed?

AGENDA
Natuvion
Contact
7

Data protection involves measures for protecting individuals during the processing of their data.
Data protection and privacy laws forbid the dissemination of this information.
In privacy context, it isn't protection of data, but protection from
data.
A basic right to data privacy, derived from the catch-all basic right to
the protection of personality (general right of privacy) in connection
with the guarantee of human dignity.
The German Constitutional Court has coined the phrase "right to
informational self-determination".
What is data protection anyway?
Health
Data*
E-mail
address
Name &
Address IP address
Biometric data*
Camera
records
Access
registration
Iris scan*
Membership of
labour organisation*
Username &
password
Smart meter
data

The Data Protection Act protects persons against unauthorized use or transmission of
their personal data.
9 Data Security and Data Privacy
Responsible parties:
any person or body that collects data for itself, processes such data, uses such data, or commissions others to do so
Data subject:
natural persons protected by the BDSG (for personal data)
Personal data:
any information relating to an identified or identifiable natural person ("data subject"), such as: name, address, e-
mail address, date of birth, bank details
of a natural person – that is, no information about legal persons
There is no personal connection in anonymised data.
Principles of the protection of personal data:

Data Protection Risks and Impact
Consequences and risks in case of non-compliance with GDPR
Data Protection Risks & Impacts
1. Violation of Notification Requirement
Through ignorance when existing data protection breakdowns. Fine risk increases as
more rules are violated.
2. Administrative Fines
Under current BDSG, certain violations can be fined with up to 50 k€, more severe
violations up to 300 k€.
An "incident" can be both an actual data leak, but a justified complaint is already
sufficient with the competent supervisory authority.
3. Imprisonment
Up to 2 years imprisonment for data protection offenses.
4. Damage Claims
In case of a data breach, damage claims from data subjects can easily approach
significant levels and claims could possibly be enforced in the personal assets of the
managing directors by “piercing the corporate veil”.
5. Failure of the Insurance
If the manager has not complied with the statutory provisions, an existing insurance
will refuse to pay.
6. Damaged Reputation
Could result from a data breach affecting customers, suppliers, employees.
7. Communication of Personal Data Breaches
If data is transferred into the wrong hands, the data controller must warn the
affected data subjects immediately in writing. If this would involve disproportionate
effort, there shall instead be public communication.
Probability
Potential Negative Impact
Risk Assessment
It is assumed that fines will rise proportionately
to the increase of the maximum fines in GDPR
compared to current BDSG.
1
2
3
4
5
6
7

Pressure to create data protection conformity persistently increases in the context of the
new Data Protection Act.
§ Fines range from EUR 50.000 to 300.000 per
violation (violations can be cumulated)
§ Deletion of personal data acquired and processed
for a particular purpose must be deleted as soon
as the knowledge of this data is no longer required
for that purpose.
§ Information: The responsible body must provide
the person concerned, on request and free of
charge, with information on all stored data with
reference to persons, recipients and the purpose
of the storage.
• (changed) Fines range up to the higher of 20 M€ or 4% of total
worldwide annual turnover of affected companies.
• (new) Right to data portability (Art. 20 GDPR)
• (neu) Privacy by Design and by Default (Art. 25 GDPR)
• (changed) ‘Right to be forgotten’ (Art. 17 GDPR) far exceeds the
current right to deletion.
• (changed) Obligations regarding transparency and disclosure (Art.
12 – 15 GDPR) extend the current right to disclosure (e.g.
www.selbstauskunft.net ).
• (new) Data Protection Impact Assessment (Art. 35 GDPR)
§ Data Protection by May 2016 (Summary) § Data Protection by May 2018 (Summary)

12
A data protection act for all member states (small local derogations allowed)
All data from organizations that EU citizens can access are affected.
GDPR is based on the current guidelines (1995) but is more focused on
the following areas:
- Transparency for affected individuals
- Rights of the affected individuals
- Ensuring „Privacy-by-Design"
- Ability to demonstrate compliance
The pressure to act and create data protection conformity persistently increases in the
context of the new Basic Data Protection Act (DS-GVO / GDPR).
General Data Protection Regulation
A General Summary
20 Mil. EUR
or 4%
Transparency
about Privacy Poicy
violations
Uniform Rights for EU
Economy
MAY
2018
Portability
Right to be forgotten
Consent
& Children

13
General Data Protection Regulation
Effective and frightening fines (Text Article 83 (1) GDPR)
Concerns both from intent and negligence also from managers, data protection
officers and other persons involved in false decisions regarding data protection
(up to 20 Million EUR)
Fines for businesses up to 20 million EUR or 4% of the global sales last year
à These fines are then considered antitrust penalties
Reversing the burden of proof to the detriment of data processing companies:
Not only to ensure but to provide proof
Significantly increase the need for systematic solutions, which allow for a
comprehensive documentation of measures
Violations will have even more serious monetary consequences for companies.
What does it actually mean?
20 Mil. EUR
or 4%
Transparency
about Privacy Poicy
violations
Uniform Rights for EU
Economy
MAY
2018
Portability
Right to be forgotten
Consent
& Children

AGENDA
Natuvion
Contact
14

Important Steps/ Fields of Action for the Preparation and Implementation of the
EU-GDPR / EU-DS-GVO:
Juridicial/
Organizational
1. Awareness
2. Amount of Data
3. Privacy Statement
4. Rights Concerned
5. List of Procedures
6. Consent
7. Children
8. Data Privacy
Violations
9. PIA
and DPbyD
10. Data
Protection Officer
11. International

Important Steps/ Fields of Action for the Preparation and Implementation of the
EU-GDPR / EU-DS-GVO:
Juridicial/
Organizational
IT Relevant
In Scope
IT Relevant
1. Awareness
2. Amount of Data
4. Rights Concerned
6. Consent
7. Children
8. Data Privacy
Violations
9. PIA
and DPbyD
10. Data
Protection Officer
11. International
1. Awareness
2. Amount of Data
4. Rights Concerned
6. Consent
7. Children
8. Data Privacy
Violations
9. PIA
and DPbyD
11. International
10. Data
Protection Officer

Important Steps/ Fields of Action for the Preparation and Implementation
of the EU-GDPR / EU-DS-GVO:
Bewusstsein
The right to
be informed
The right to object
The right of access
The right to restrict
processing
The right to
rectification
The right to data
portability
The right to erasure
1. Awareness
2. Amount of Data
4. Rights
Concerned
6. Consent
7. Children
8. Data Privacy
Violations
9. PIA
and DPbyD
11. International
10. Data
Protection Officer

The use of personal data in energy management systems leads to four concrete fields of
action (extract).
Uses of personal data in energy management IT systems:
Fields of Action
Comprehensive real data in
project / test and training
systems
Historical data in productive
systems
Extensive database of process
execution
SAP Test, Training and/or project
systems are built on a complete copy of
the production system.
The access to data is possible at any
time fully and partially depending on
the authorization.
After the processing of data, contracts
or service contracts, customer data is
passed on to new service providers.
The historical data remains current and
in the respective production systems.
Processes for acquisition and contract
processing generate data. The use of
this data is legitimate for the respective
purpose.
After the process has been completed,
the data is still available without
restriction
Test and project system only
with anonymous data
Personal data after expiration of legitimation to be deleted
Anonymization training and
testing system
Delete historical data
Lock and implement
continuous data managment
1
Customer requests to provide
information
Requests for information about the
affected persons concerning the
storage and processing of their
personal data.
Information is currently available as a
manual process and information can
only be provided with high effort and
usually not in the legally prescribed
format.
Structured, IT-supported
processing
2 3 Request for information
about personal data
4

The use of personal data in IT processing systems leads to concrete fields of action.
(example)
19
systems
After the processing of data, contracts
or service contracts, customer data is
passed on to new service providers.
The historical data remains current
and in the respective production
systems.
Extensive database of
process execution
Processes for acquisition and contract
processing generate data. The use of
this data is legitimate for the
respective purpose.
After the process has been completed,
the data is still available without
restriction
information
Requests for information about the
affected persons concerning the
storage and processing of their
personal data.
Information must be provided in a
structured, electronic form with the
following specifics; the place, the
reason and the recipient as well as
the duration of the storage / deletion
criteria.
project / test and training
systems
SAP Test, Training and/or project
systems are built on-a complete copy
of the production system.
The access to data is possible at any
time extensively and partially
depending on the authorization.
û (1) To be implemented
6
4
3
1
Company codes in system
with verified legitimation
77.000
4.200.000
ChangeInterested Persons Inactive
1.150.000
400
With
supervision
Critical
Currently
aabout. 120 p.a.
Access – dark figure
Data surveys with legitimation to be
verified
(Current year)
Right of access by the data
subject (§ 15 GDPR)
* Number of inquiries across all service providers currently
can not be determined
* Change = Rejected bills of exchange and storage of data
1 2 3 4
Companies
Real data in secondary system
(Access restricted / restricted access / data
anonymized)
16
4
2
475.000 Customers
Extensive Limited Anonym.

The use of personal data in the IT settlement systems leads to concrete fields of action.
(deletion of the action field)
Historical Data in Productive System
„Be Forgotten“
Art. 5 Abs. (1) e)
Identification of the data subject shall only be possible for as
long as is necessary for the purposes for which it is processed.
Art. 17
The person concerned has the right to require the person
responsible to immediately delete any personal data relating to
him. The responsible person is obliged to immediately delete
personal data
• Fulfillment of purpose
• Revocation of consent
• Opposition to processing
• Unlawful processing (including children)
All relevant data must be deleted from the productive system. A
pure "closure" of the data is not sufficient.
Right to Delete
SAP IS-U/EDM
Production
IS-U
Transfer of data at service provider charge
BuKrs Designation
0400 Business 1
0600 Business 2
0800 Business 3
Production
IT-System
0800 Business 3
Full historical data transfer to
new service providers
20

P
P
A
A
A
A
A
A
P
Archive System
Output Control
A
P
A
Contract-/ Postal Control
CSS
Customer Self Services
ELKO Processing
SAP ERP
(Classic / HR)
ERP
SAP CRM
CRM
SAP
ERP
(Industry)
SAP BW
SAP BO
BW
IS-U
Management of interests &
acquisitions
Data Exchange
Credit Check
Mailgateway
Data Processing in Major IT Systems
(Insurance / Energy / Banking / Telecommunications…)
The use of personal data in the IT settlement systems leads to concrete fields of action.
(data management fields of action)
Process-oriented Deletion of Data
The relevant data must be deleted from the productive system
after completion of the event or after expiry of the deadline.
Standard Process of Contract Management
Prospect management, acquire process & credit check
Contract management of an ongoing business relationship
(billing, receivables management, claims management,...)
Contract end / final settlement
Contract initiation
(initiation cancellation / change of tenant / contract change)
1
2
3
4
A = Archive System
P = Output/Print
21

The use of personal data in the IT settlement systems leads to concrete fields of
action. (anonymization of the field of action)
Comprehensive real data in project, test and training systems
"[..] Software and IT procedures are to be checked with
systematically developed case constellations (test data,
no personal data) according to a test plan, from which
the desired result emerges.
Mass tests can, if necessary, be carried out with
anonymized original data after approval and
specifications of the competent authority.
The approval of the responsible authority for the
anonymization of original data and all test results must
be documented in a revision-proof manner.
Source: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/
Inhalt/_content/m/m02/m02509.html
IT Baseline Protection Catalogs
13. EL on 2013, M 2.509):
22
In SAP test- or project systems, no personal data may be held. All test
procedures must be carried out with anonymous data.
SAP CRM
Production
CRM
SAP
ERP / IS
Production
ERP
SAP CRM
Devel.
CRM
SAP
ERP / IS
Devel.
ERP
SAP CRM
Test
CRM
SAP
ERP / IS
Test
ERP
Project-
system
CRM
Training-
system
CRM
Project-
system
ERP
Training-
system
IS-
UER
P
Sandbox-
system
CRM
Sandbox-
system
ERP
Sample of SAP System Landscape

The use of personal data in the IT settlement systems leads to concrete fields of action
(field of action information and portability).
Right to information of personal data from those affected
23
Extract of the risks / challenges of new transparency obligations starting in 2018
1
2
3
4
X
EU-DSGVO Art. 12 Abs. 3 (Frist) / EU-DSGVO Art. 13/14/15 (Umfang)
Organization or
Competition
Single Person
Energieversorger
Source: Selbstauskunft.net
Example EVU(current)
Ø 41 Tage
Future: information on collected personal data
Average working time (day)
for Information Request § 34 BDSG
KW26 KW13KW03KW46KW36
48
19 19
59
Privacy policy statement must include memory / erased data fine kit for
supervisory authorities, associations, competitors & affected persons
Lack of implementation of a declared status quo
Purpose of breach of conformity: high (personal) risk of liability
Individual / org. requests information / requests data transmission
Within one month, information and / or transmission must be provided
Supervisory authority / court meets ad-hoc order for implementation.
Immediate implementation of data protection conditions and requirements
apply.
In the case of a delay, non-conformity or incorrect answer Public Disputes /
Announcement, Monetary and Sustainable impact and Reputation damage

Next steps have to be planned in phases to target a short-term implementation of higher
data privacy rights of personal data in the respective systems.
High-level Roadmap for Next Steps
Phase I Phase II Phase III Phase IV
Establish general process
Establish general process
Implementation of IT-based
provisioning of information
Deletion of data from general
process
Approach certification
Deletion of historical data
Establish organizational process flow
Classification of data from general
process
Adhoc anonymization
Deletion concept of historical data
Concept how to provide information
Deletion concept of process data
Anonymization
Deletion
Provide
information

AGENDA
Natuvion
Contact
25

Solutions in the Implementation of the GDPR in SAP System Landscapes
(excerpt)
1. Awareness
2. Amount of Data
4. Rights Concerned
6. Consent
7. Children
8. Data Privacy
Violations
9. PIA
and DPbyD
10. Data
Protection Officer
11. International

Solutions in the implementation of the GDPR in SAP system landscapes (excerpt)
Solutions for implementation per field of action
27
Fields of Action
project / test and training systems
systems
Extensive database of process
execution
Test- and project system only with
anonymous data
Anonymization training and
testing system
Delete historical data
Lock and Implement
continuous data managment.
information
Request for information about
personal data
Natuvion DCS
(Data selection and data deletion)
SAP ILM
(Data locking and data deletion)
Natuvion TDA
(Pseudonymization of systems and data)
Natuvion EDA
(Test data generation and duplication)
SAP TDMS
(Pseudonymization of systems and data)
Natuvion DDI
(Data information and search)
SAP IRF
(Data information and search)
SAP LT 2.0
SAP Archiving
SAP ILM Decommissioning
(System replacement)
Personal data after expiration of legitimation to be deleted
Conformal use of approval &
consent
Conformal use of approval &
consent
SAP Consent
(Collection & processing of consent)
Structured, IT-supported processing

Services within the framework of the preparation, planning,
implementation and monitoring of the EU-DGPR
1. Awareness
2. Amount of Data
4. Rights Concerned
6. Consent
7. Children
8. Data Privacy
Violations
9. PIA
and DPbyD
10. Data
Protection Officer
11. International

Services im Rahmen der Vorbereitung, Planung, Umsetzung und
Überwachung der EU-GDPR
During a one-day workshop, experts from Natuvion GmbH and an expert on data protection will examine and analyze
the data protection law situation within your company's SAP system landscape. In addition, we work together with you
to develop a well-founded approach that will help you meet the most stringent legal requirements.

AGENDA
Natuvion
Contact
30

Natuvion GmbH
Altrottstraße 31 | 69190 Walldorf
Fon +49 6227 73-1400
Fax +49 6227 73-1410
www.natuvion.com
We look forward to your questions and concerns!
Patric Dahse
Geschäftsführer
Fon: +49 151 171 357 02
Mail: patric.dahse@natuvion.com
Visit us on our website!
Data Protection & Privacy
www.professional-system-security.com/
Natuvion
www.natuvion.com/
Patric Dahse
Managing Director
Natuvion GmbH
Altrottstr. 31
69190 Walldorf
Germany
T +49 (0) 6227.73 -1400
F +49 (0) 6227.73 -1410
patric.dahse@natuvion.com
Areas of expertise:
§ Data Protection & Privacy
§ SAP Transformation

Data Security and Data Privacy – EU-GDPR Fields of Action

Recommended

Recommended

More Related Content

Similar to Data Security and Data Privacy – EU-GDPR Fields of Action

Similar to Data Security and Data Privacy – EU-GDPR Fields of Action (20)

More from Patric Dahse

More from Patric Dahse (20)

Recently uploaded

Recently uploaded (20)

Data Security and Data Privacy – EU-GDPR Fields of Action