3. Since 2014, NATUVION supports customers with our experience and expertise in digitalization

Founded in 2014 as an owner-managed consulting company specializing in utilities, transformation and security
Office locations: Walldorf, Berlin, München, Vienna (AT), Philadelphia (US)
Company size: > 55 employees
Expertise of consultants: > 75 % SAP certified, on average 12 years of experience in utilities and SAP
SAP Gold Partner
SAP Recognized Expertise in Utilities
SAP Landscape Transformation
Long-term partner of the largest energy suppliers in Germany

Services / Skills
• Strategic IT management
• IT consulting for the utilities industry
• SAP transformation & data services
• SAP security & data privacy / protection
• Business intelligence / analytics

Natuvion Group
• In-depth experience in implementing DS-GVO / GDPR requirements
• Strategic partnership with the SAP Data Protection and Privacy development teams (areas: ILM / IRF / Consent)
• Close, long-term partnership with IT / data protection law experts
• Complete understanding of the processes and requirements from a business, IT and data privacy perspective
• Own certified solutions specifically for consistent data erasure, disclosure (information) and anonymization
• Designated data protection and privacy expertise (solutions)
• Designated transformation expertise

Success Factors / Relevant References
• Conception & introduction of anonymization (IS-U / CRM)
• Group-wide roll-out of a system anonymization (CRM / IS-U / ERP / HCM)
• Selective data deletion (IS-U / CRM / ERP / BW)
• Deletion concept under DS-GVO / GDPR (SAP system landscape)
• IT and process concept for conformity with data subject rights under DS-GVO / GDPR (information and transparency)
• System and data decommissioning with SAP ILM
• Concept and implementation of disclosure (information) with SAP IRF

Natuvion – your specialist for the implementation of the requirements of the GDPR / DS-GVO
Data Security and Data Privacy
5. Natuvion Webcasts
Overview of the webcast series "Data Security and Data Privacy"

The webcast series "Data Security and Data Privacy in SAP" offers an overview of the actions and implementation options under the EU-GDPR / EU-DSGVO.

1. EU-DSGVO / GDPR Onboarding (1 hr.): legal overview and basic structuring of the fields of action
2. Deletion of Existing Historical Data (45 min.; the description says 30 minutes): consistent deletion of mass data in SAP system landscapes
3. Simple Locking and Deletion (45 min.; the description says 30 minutes): overview and experiences with the introduction of SAP Information Lifecycle Management
4. Anonymization / Pseudonymization (45 min.): background, challenges and implementation of a DSGVO / GDPR compliant anonymization
5. Data Reporting / Transparency (30 min.): DSGVO / GDPR compliant data disclosure from conception to implementation - SAP IRF
6. Consent / Approval (45 min.): DSGVO / GDPR compliant consent concept and introduction - SAP CONSENT
7. Privacy Impact Assessment (45 min.): How can PIAs be implemented and lived in practice?
10. Data Protection Risks and Impact
Consequences and risks in case of non-compliance with GDPR

Data Protection Risks & Impacts
1. Violation of Notification Requirement: through ignorance of existing data protection breaches. The fine risk increases with the number of rules violated.
2. Administrative Fines: under the current BDSG, certain violations can be fined with up to 50 k€, more severe violations with up to 300 k€. An "incident" need not be an actual data leak; a justified complaint to the competent supervisory authority is already sufficient.
3. Imprisonment: up to 2 years imprisonment for data protection offenses.
4. Damage Claims: in case of a data breach, damage claims from data subjects can easily reach significant levels, and claims could possibly be enforced against the personal assets of the managing directors by "piercing the corporate veil".
5. Failure of the Insurance: if the manager has not complied with the statutory provisions, an existing insurance will refuse to pay.
6. Damaged Reputation: could result from a data breach affecting customers, suppliers or employees.
7. Communication of Personal Data Breaches: if data gets into the wrong hands, the data controller must notify the affected data subjects immediately in writing. If this would involve disproportionate effort, there shall instead be a public communication.

(Chart: the seven risks plotted by probability against potential negative impact.)
Risk Assessment: it is assumed that fines will rise proportionately to the increase of the maximum fines in the GDPR compared to the current BDSG.
11. Pressure to create data protection conformity persistently increases in the context of the new Data Protection Act.

Data Protection by May 2016 (Summary)
• Fines range from EUR 50.000 to 300.000 per violation (violations can be cumulated).
• Deletion: personal data acquired and processed for a particular purpose must be deleted as soon as the knowledge of this data is no longer required for that purpose.
• Information: the responsible body must provide the person concerned, on request and free of charge, with information on all stored data relating to that person, the recipients and the purpose of the storage.

Data Protection by May 2018 (Summary)
• (changed) Fines range up to the higher of 20 M€ or 4 % of the total worldwide annual turnover of the affected company.
• (new) Right to data portability (Art. 20 GDPR)
• (new) Privacy by design and by default (Art. 25 GDPR)
• (changed) "Right to be forgotten" (Art. 17 GDPR) far exceeds the current right to deletion.
• (changed) Obligations regarding transparency and disclosure (Art. 12 – 15 GDPR) extend the current right to disclosure (e.g. www.selbstauskunft.net).
• (new) Data Protection Impact Assessment (Art. 35 GDPR)
12. General Data Protection Regulation: A General Summary

One data protection regulation for all member states (small national derogations allowed).
All organizations that process personal data of people in the EU are affected.
The GDPR builds on the current Data Protection Directive (1995) but places more focus on the following areas:
- Transparency for affected individuals
- Rights of the affected individuals
- Ensuring "privacy by design"
- Ability to demonstrate compliance

The pressure to act and create data protection conformity persistently increases in the context of the new General Data Protection Regulation (DS-GVO / GDPR).

(Overview graphic, key points: fines of 20 million EUR or 4 %; transparency about privacy policy violations; uniform rights for the EU economy; applies from May 2018; portability; right to be forgotten; consent & children.)
15. Important Steps / Fields of Action for the Preparation and Implementation of the EU-GDPR / EU-DS-GVO:

1. Awareness
2. Amount of Data
3. Privacy Statement
4. Rights Concerned
5. List of Procedures
6. Consent
7. Children
8. Data Privacy Violations
9. PIA and DPbyD
10. Data Protection Officer
11. International

16. The same eleven fields of action are classified as juridical / organizational or as IT relevant; the IT-relevant fields are in scope of this series.

17. Field of action 4, Rights Concerned, covers the data subject rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
18. The use of personal data in energy management systems leads to four concrete fields of action (extract).

Uses of personal data in energy management IT systems, and the resulting fields of action:

1. Comprehensive real data in project / test and training systems
SAP test, training and/or project systems are built on a complete copy of the production system. The data is accessible at any time, fully or partially depending on the authorization.
Field of action: anonymization of training and test systems; test and project systems only with anonymous data.

2. Historical data in productive systems
After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current in the respective production systems.
Field of action: delete historical data; personal data is to be deleted once its legitimation has expired.

3. Extensive database of process execution
Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction.
Field of action: lock (block) the data and implement continuous data management.

4. Customer requests to provide information
Requests for information from affected persons concerning the storage and processing of their personal data. Information is currently produced in a manual process; it can only be provided with high effort and usually not in the legally prescribed format.
Field of action: structured, IT-supported processing of requests for information about personal data.
19. The use of personal data in IT processing systems leads to concrete fields of action (example).

1. Historical data in productive systems
After the processing of data, contracts or service contracts, customer data is passed on to new service providers. The historical data remains current in the respective production systems.
(1) To be implemented

2. Extensive database of process execution
Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction.
(2) To be implemented

3. Customer requests to provide information
Requests for information from affected persons concerning the storage and processing of their personal data. Information must be provided in a structured, electronic form with the following specifics: the place, the reason and the recipient, as well as the duration of the storage / deletion criteria.
(3) To be implemented

4. Comprehensive real data in project / test and training systems
SAP test, training and/or project systems are built on a complete copy of the production system. The data is accessible at any time, extensively or partially depending on the authorization.

(Example figures from the slide's charts: 475.000 customers; company codes in the system with verified legitimation versus data sets whose legitimation is still to be verified (current year); the customer groups "change", "interested persons" and "inactive", one of them marked critical (values shown: 77.000, 4.200.000, 1.150.000, 400); real data in secondary systems, number of companies with extensive, limited or anonymized access (values shown: 16, 4, 2); requests under the right of access by the data subject (Art. 15 GDPR): currently about 120 p.a. handled with supervision, while the number of accesses without supervision (dark figure) and the number of inquiries across all service providers cannot be determined. "Change" here stands for the German "Wechsel", i.e. rejected supplier switches whose data is still stored.)
20. The use of personal data in the IT settlement systems leads to concrete fields of action (field of action: deletion).

Historical Data in Productive Systems: "Be Forgotten"

Art. 5(1)(e) GDPR: identification of the data subject shall only be possible for as long as is necessary for the purposes for which the data is processed.

Art. 17 GDPR: the data subject has the right to require the controller to delete personal data relating to him or her without undue delay, and the controller is obliged to delete the personal data without undue delay where
• the purpose has been fulfilled,
• consent has been revoked,
• the data subject objects to the processing, or
• the processing is unlawful (including data of children).

All relevant data must be deleted from the productive system. Merely blocking the data is not sufficient.

Right to Delete, SAP IS-U/EDM example: the IS-U production system holds several company codes (BuKrs), e.g. 0400 Business 1, 0600 Business 2 and 0800 Business 3. On a change of service provider, the full historical data of one company code (0800 Business 3) is transferred to the new service provider's production IT system, while it also remains in the original production system.
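The deletion triggers above (purpose fulfilled, consent revoked, objection, unlawful processing) and the "lock and implement continuous data management" field of action on slide 18 have to be reconciled in practice: data whose purpose has ended may still be under a statutory retention period, during which it can only be blocked, and only afterwards deleted. The following is an added illustration of that decision logic in generic Python; it is not SAP ILM and not code from Natuvion. The categories, the retention periods in RETENTION_YEARS and the sample data sets are constructed assumptions for the example, not legal advice.

```python
"""Added example: decide per data set whether it is kept, blocked (restricted)
or deleted once the purpose of processing has ended, in the style of an
ILM retention rule set. Generic Python, not SAP ILM; the retention periods
and sample records are constructed assumptions for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed retention periods in years after the purpose ended (illustrative).
# 0 means there is no statutory reason to keep the data beyond its purpose.
RETENTION_YEARS = {"billing": 10, "contract": 6, "marketing": 0}


@dataclass
class DataSet:
    partner: str                      # business partner the data belongs to
    category: str                     # key into RETENTION_YEARS
    purpose_end: Optional[date]       # None while the purpose is still active
    consent_withdrawn: bool = False   # Art. 17(1)(b)
    objection: bool = False           # Art. 17(1)(c)
    unlawful: bool = False            # Art. 17(1)(d)


def add_years(d: date, years: int) -> date:
    """d plus a number of years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(ds: DataSet, today: date) -> str:
    """Return 'keep', 'block' or 'delete' for one data set."""
    if ds.unlawful:
        return "delete"   # no lawful basis, so nothing justifies retention
    if ds.category == "marketing" and (ds.consent_withdrawn or ds.objection):
        return "delete"   # consent-based data goes at once, no retention applies
    if ds.purpose_end is None:
        return "keep"     # purpose still active: the Art. 5(1)(e) clock has not started
    retention_end = add_years(ds.purpose_end, RETENTION_YEARS[ds.category])
    if today < retention_end:
        return "block"    # statutory retention (Art. 17(3)(b)): keep, but restrict processing
    return "delete"       # purpose fulfilled and retention expired: physically delete


def plan(data_sets: List[DataSet], today: date) -> Dict[str, List[str]]:
    """Group data sets by action so a deletion run can process them in bulk."""
    actions: Dict[str, List[str]] = {"keep": [], "block": [], "delete": []}
    for ds in data_sets:
        actions[decide(ds, today)].append(f"{ds.partner}/{ds.category}")
    return actions


# Constructed sample data sets and a fixed reference date.
SAMPLE = [
    DataSet("0010001234", "billing", date(2012, 12, 31)),   # retention runs to 2022
    DataSet("0010001234", "billing", date(2007, 12, 31)),   # retention expired in 2017
    DataSet("0010005678", "contract", None),                # contract still active
    DataSet("0010005678", "marketing", None, consent_withdrawn=True),
    DataSet("0010009999", "marketing", date(2018, 1, 1)),   # purpose ended, no retention
    DataSet("0010009999", "contract", date(2015, 6, 30), unlawful=True),
]
TODAY = date(2018, 5, 25)

if __name__ == "__main__":
    for action, items in plan(SAMPLE, TODAY).items():
        print(action, items)
```

Note that "block" is the only state in which the page's "merely blocking is not sufficient" and the statutory retention obligation coexist: the data is restricted for the retention period and must still reach "delete" automatically when it ends, which is what a continuous data management run has to guarantee.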
22. The use of personal data in the IT settlement systems leads to concrete fields of action (field of action: anonymization).

Comprehensive real data in project, test and training systems

"[..] Software and IT procedures are to be checked with systematically developed case constellations (test data, no personal data) according to a test plan, from which the desired result emerges. Mass tests can, if necessary, be carried out with anonymized original data after approval by and specifications of the competent authority. The approval of the responsible authority for the anonymization of original data and all test results must be documented in an audit-proof manner."
Source: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m02/m02509.html (IT Baseline Protection Catalogs, 13th supplement 2013, M 2.509)

In SAP test or project systems, no personal data may be held. All test procedures must be carried out with anonymous data.

Sample SAP system landscape: for both SAP CRM and SAP ERP / IS-U there is a production system plus development, test, project, training and sandbox systems, i.e. five non-production copies per stack that would each hold real personal data if built from a full production copy.
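Slides 18 and 22 call for test, training and project systems to hold anonymized data only, while the CRM and ERP / IS-U copies of the same landscape still have to agree on who the same business partner is. The following is an added example, not code from Natuvion or SAP: a generic Python routine that scrubs a constructed production extract for two system copies. The record layout, the field names, the name pools and the sample data are assumptions for the example. It derives the synthetic values from a keyed HMAC over the business partner number, so the same partner gets the same replacement in both copies; direct identifiers are replaced, quasi-identifiers (birth date, postcode) are generalized, the partner number is kept as the technical key, and the key is discarded after the run.

```python
"""Added example: scrub a production extract for loading into test / project
systems while keeping records joinable across two system copies.
Generic Python, not SAP code; record layout and sample data are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set

# Constructed sample: business partner 0010001234 appears in both the
# ERP/IS-U extract and the CRM extract, as it would in a real landscape.
ERP_PARTNERS = [
    {"partner": "0010001234", "name": "Erika Mustermann",
     "street": "Hauptstrasse 5", "postcode": "69190", "city": "Walldorf",
     "birthdate": "1975-03-14", "iban": "DE89370400440532013000",
     "email": "erika.mustermann@example.org"},
    {"partner": "0010005678", "name": "Max Beispiel",
     "street": "Ringweg 12", "postcode": "10115", "city": "Berlin",
     "birthdate": "1988-11-02", "iban": "DE02120300000000202051",
     "email": "max.beispiel@example.org"},
]
CRM_CONTACTS = [
    {"partner": "0010001234", "name": "Erika Mustermann",
     "phone": "+49 6227 123456", "email": "erika.mustermann@example.org"},
]

# Assumed replacement pools and the fields treated as direct identifiers.
FIRST_NAMES = ["Anna", "Ben", "Clara", "David", "Eva", "Felix", "Greta", "Hans"]
LAST_NAMES = ["Test", "Muster", "Probe", "Demo", "Schein", "Dummy", "Pseudo", "Platzhalter"]
DIRECT_IDENTIFIERS = ("name", "street", "iban", "email", "phone")


def _tag(key: bytes, partner: str) -> bytes:
    """Keyed tag of the partner number. Every copy scrubbed with the same key
    maps a partner to the same tag, so CRM/ERP joins keep working."""
    return hmac.new(key, partner.encode(), hashlib.sha256).digest()


def _fake_iban(tag: bytes) -> str:
    """Syntactically valid German IBAN (ISO 7064 mod 97-10 check digits) over
    a dummy bank code and a tag-derived account number, so format checks in
    billing test cases still pass."""
    bban = "00000000" + f"{int.from_bytes(tag[:4], 'big') % 10**10:010d}"
    check = 98 - int(bban + "131400") % 97    # "DE" -> 13 14, then "00"
    return f"DE{check:02d}{bban}"


def scrub(record: dict, key: bytes) -> dict:
    """Scrubbed copy of one record: the partner number stays as the technical
    key (it is the primary key in both systems and not identifying by itself),
    everything identifying is replaced or generalized."""
    tag = _tag(key, record["partner"])
    out = dict(record)
    # Direct identifiers: replaced by synthetic values derived from the tag.
    if "name" in out:
        out["name"] = (f"{FIRST_NAMES[tag[0] % len(FIRST_NAMES)]} "
                       f"{LAST_NAMES[tag[1] % len(LAST_NAMES)]}")
    if "email" in out:
        out["email"] = f"partner-{tag[2:6].hex()}@example.invalid"
    if "street" in out:
        out["street"] = f"Teststrasse {tag[6] % 200 + 1}"
    if "iban" in out:
        out["iban"] = _fake_iban(tag)
    if "phone" in out:
        out["phone"] = f"+49 000 {int.from_bytes(tag[7:10], 'big') % 10**6:06d}"
    # Quasi-identifiers: generalized rather than replaced, so tests that depend
    # on age bands or regions still behave realistically.
    if "birthdate" in out:
        out["birthdate"] = out["birthdate"][:4] + "-01-01"
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "xxx"
    return out


def scrub_landscape(systems: Dict[str, List[dict]]) -> Dict[str, List[dict]]:
    """Scrub all system copies with one fresh random key, then let the key go
    out of scope: the synthetic values cannot be predicted from the partner
    number, and two separately scrubbed landscapes share no pseudonyms."""
    key = secrets.token_bytes(32)
    return {name: [scrub(r, key) for r in rows] for name, rows in systems.items()}


def leaked_identifiers(original: List[dict], scrubbed: List[dict]) -> Set[str]:
    """Acceptance check for the run: any direct-identifier value of the source
    that still occurs anywhere in the scrubbed copy is a leak."""
    source = {str(r[f]) for r in original for f in DIRECT_IDENTIFIERS if f in r}
    target = {str(v) for r in scrubbed for v in r.values()}
    return source & target


if __name__ == "__main__":
    copies = scrub_landscape({"erp": ERP_PARTNERS, "crm": CRM_CONTACTS})
    for system, rows in copies.items():
        for row in rows:
            print(system, row)
    assert not leaked_identifiers(ERP_PARTNERS, copies["erp"])
    assert not leaked_identifiers(CRM_CONTACTS, copies["crm"])
```

Two points the page's distinction between anonymization and pseudonymization turns on: if the key or a mapping table were kept so that the original values could be restored, the result would be pseudonymized data, which under the GDPR is still personal data; and the remaining link from the unchanged partner number back to production is exactly the access that production authorizations already control, so the scrubbed copies protect against test users without production access, not against production administrators. The acceptance check at the end is the kind of evidence that M 2.509 expects to be documented together with the approval of the run.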
31. Natuvion GmbH
Altrottstraße 31 | 69190 Walldorf | Germany
Phone +49 6227 73-1400
Fax +49 6227 73-1410
www.natuvion.com

We look forward to your questions and concerns!

Patric Dahse
Managing Director, Natuvion GmbH
Phone: +49 151 171 357 02
Mail: patric.dahse@natuvion.com
Areas of expertise:
• Data Protection & Privacy
• SAP Transformation

Visit us on our website!
Data Protection & Privacy: www.professional-system-security.com/
Natuvion: www.natuvion.com/