GDPR Road-Map and Prioritization for SAP System Landscapes
Doing Business in Europe? The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. What you need to know and do by Friday, May 25, 2018.
4. Natuvion GmbH
Altrottstraße 31 | 69190 Walldorf
Phone +49 6227 73-1400
Fax +49 6227 73-1410
www.natuvion.com
Your Experts Today

Patric Dahse
CEO / Founder (Managing Director), Natuvion GmbH / Natuvion Americas Inc.
19 W. 34th Street, Suite 1018, New York, NY 10001, USA
Phone +49 (0) 6227.73-1400 | +49 151 171 357 02
Fax +49 (0) 6227.73-1410
patric.dahse@natuvion.com
Areas of expertise
§ Data Protection and Privacy
§ SAP Transformation

Benjamin Spies
IT Lawyer, Partner, SKW Schwarz Rechtsanwälte
Wittelsbacherplatz 1, 80333 Munich, Germany
Phone +49 (0) 89.286 40-108
Fax +49 (0) 89.280 94 32
B.Spies@skwschwarz.de
Areas of expertise
§ IT Law
§ Data Security Rights
11. 99 GDPR Articles – e.g., Six Rights of Individuals

Right of Access | Art. 15
• Information
• Copy
Rectification | Art. 16
• Correction
• Completion
Deletion | Art. 17
• Erasure by the controller
• Notification of third parties (right to be forgotten)
Restrictions | Art. 18
• Restriction of processing
• Blocking
Portability | Art. 20
• Extraction
• Direct transmission to a third party
Objections | Art. 21
• General
• Direct marketing

LEGAL | One-month deadline (exception: may be extended by two further months)
LEGAL | Data must be provided free of charge (exception: misuse, i.e., manifestly unfounded or excessive requests)

Anonymization drives efficiency and reduces cost when implementing GDPR requirements (Art. 5).
13. Deletion Article 17 – Customer M&A Example

Historical Data in Productive System – "Be Forgotten"

Art. 5 (1) (e): Identification of the data subject shall be possible only for as long as is necessary for the purposes for which the data are processed.

Art. 17: The data subject has the right to require the controller to erase personal data concerning him or her without undue delay, and the controller is obliged to erase such data without undue delay, where:
• the purpose of the processing has been fulfilled
• consent has been revoked
• the data subject objects to the processing
• the processing was unlawful (including data collected from children)

All relevant data must be deleted from the productive system. A pure "concealment" of the data is not sufficient.

Right to be Forgotten – example landscape:
Production IT system (SAP ERP/CRM/IS*) with company codes (BUKRS):
  0400 Business 1
  0600 Business 2
  0800 Business 3
On a change of service provider, company code 0800 (Business 3) is moved to the new provider's production IT system, with a full transfer of its historical data to the new service provider.
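The distinction the slide draws between concealment and erasure is easy to get wrong in a system landscape, so here is an added illustration in Python. It is not code from this deck, from SAP or from Natuvion, and the table and field names (partner_id, orders, etc.) are constructed, not SAP's. Masking the identifying attributes in the master record leaves the original key in every table, so the subject stays linked to their complete history and is recoverable from any join, log or backup that holds the key. Anonymization instead replaces the key with a keyed one-way surrogate consistently across all referencing tables and drops the identifying attributes; the order history remains usable for purpose-free statistics while the person can no longer be identified (Art. 5 (1) (e)).

```python
"""Concealment vs. anonymization of a data subject across linked tables.

Constructed sample data (not SAP table or field names): a partner master table with
identifying attributes and an order table that references partners by key.
"""
import copy
import hashlib
import secrets

PARTNERS = [
    {"partner_id": "1000001", "name": "Erika Mustermann",
     "email": "erika@example.com", "birth_date": "1970-05-02"},
    {"partner_id": "1000002", "name": "Max Mustermann",
     "email": "max@example.com", "birth_date": "1965-11-23"},
]
ORDERS = [
    {"order_id": "4500001", "partner_id": "1000001", "amount": 120.0},
    {"order_id": "4500002", "partner_id": "1000001", "amount": 80.5},
    {"order_id": "4500003", "partner_id": "1000002", "amount": 300.0},
]
IDENTIFYING_FIELDS = ("name", "email", "birth_date")


def conceal(partners, orders, partner_id):
    """'Concealment': mask identifying attributes in the master record only.

    The original key survives in every table, so the masked row is still linked to
    the subject's complete order history and the identity is trivially recoverable
    from any backup, join or log that holds the key. This is not erasure."""
    partners = copy.deepcopy(partners)
    for p in partners:
        if p["partner_id"] == partner_id:
            for f in IDENTIFYING_FIELDS:
                p[f] = "***"
    return partners, copy.deepcopy(orders)


def anonymize(partners, orders, partner_id):
    """Anonymization: replace the key with a keyed one-way surrogate in every table
    that references it and drop the identifying attributes.

    The hash key is generated per run and never stored, so the mapping from
    surrogate back to the original key cannot be reproduced later, while the
    surrogate stays consistent across tables within this run."""
    run_secret = secrets.token_bytes(32)
    surrogate = "ANON-" + hashlib.blake2b(
        partner_id.encode(), key=run_secret, digest_size=8).hexdigest()
    del run_secret  # nothing else may retain the secret

    new_partners = []
    for p in copy.deepcopy(partners):
        if p["partner_id"] == partner_id:
            p = {"partner_id": surrogate}  # key-only row keeps referential integrity
        new_partners.append(p)
    new_orders = []
    for o in copy.deepcopy(orders):
        if o["partner_id"] == partner_id:
            o["partner_id"] = surrogate
        new_orders.append(o)
    return new_partners, new_orders


def leaks_identity(partners, orders, original):
    """Does any stored value still equal one of the subject's original identifiers
    (key or identifying attribute)? The same check is applied to both approaches."""
    needles = {original["partner_id"], *(original[f] for f in IDENTIFYING_FIELDS)}
    return any(needles & {str(v) for v in row.values()} for row in partners + orders)


def revenue_by_partner(orders):
    """Purpose-free statistic that must still work after anonymization."""
    totals = {}
    for o in orders:
        totals[o["partner_id"]] = totals.get(o["partner_id"], 0.0) + o["amount"]
    return totals


if __name__ == "__main__":
    subject = PARTNERS[0]
    p1, o1 = conceal(PARTNERS, ORDERS, subject["partner_id"])
    print("concealment still leaks identity:", leaks_identity(p1, o1, subject))
    p2, o2 = anonymize(PARTNERS, ORDERS, subject["partner_id"])
    print("anonymization leaks identity:", leaks_identity(p2, o2, subject))
    print("order totals per (surrogate) partner:", revenue_by_partner(o2))
```

The check in leaks_identity is the one to run after any erasure or anonymization job: search every table for the subject's original key and identifying values. A "concealed" landscape fails it; an anonymized one passes while the aggregate per surrogate still adds up.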
14. Deletion Article 17 – Customer Approaches
Technical Procedure | Depending on the project requirements, selective data erasure can be performed in three different variants.
Data Protection and Data Privacy – Cyber Security Week - ASUG / SAP / Natuvion

Variant 1: Big-Bang*
• Typing the data (key definition)
• Deletion of the data with optimized performance (within 40 hours)
• Reorganization of the database
• Possibility of data recovery

Variant 2: Object
• Typing the data (key definition)
• Deletion of the data at low process speed
• Object deletion with low performance
• Possibility of data recovery

Variant 3: Batch
• Step-by-step deletion of data on fixed dates
• Unique data typing
• Table-type-oriented deletion
• Deletion with optimized performance
• Possibility of data recovery

* Big-Bang is the most effective erasure process. Deletion of data is generally possible in less than 40 hours.
17. New! SAP ILM Blocking & Deletion – Information Lifecycle Management Competency Center

Management of Retention Rules: Automated Data Storage and Destruction
• Data storage according to active rules.
• Destruction of the data as soon as the retention time is reached.
• Data destruction directly from the database or from the archive.
"Data Cluster" per Retention Period
• Generation of separate archive files, each carrying the expiration date that follows from the defined retention period.
E-Discovery
• Search for information related to litigation.
Legal Hold
• Prevents early data destruction in legal cases.

• Simplified blocking and deletion of personal data.
• Functionality is based on SAP Information Lifecycle Management.
• With SAP ILM, business partner data can not only be blocked or deleted; transactional data can also be destroyed.

Natuvion can support ASUG members exclusively with predefined templates and blueprints or with implementation support via the Natuvion International ILM Competency Center.
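The retention bullets above describe a decision rule, shown here as an added example in Python. This is illustrative code, not SAP ILM or Natuvion code; the rule names, object types, retention periods and dates are constructed. Records are grouped into clusters by expiration date (retention start plus the rule's retention period, one archive file per cluster), a cluster is destroyed only once the retention time has been reached, and a legal hold on any record in a cluster blocks destruction of that whole cluster until the hold is lifted.

```python
"""Retention-rule evaluation with per-period data clusters and legal hold.

Illustrative Python (not SAP ILM code); rule names, object types and dates are
constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    object_type: str        # constructed object type, e.g. "SALES_ORDER"
    retention_days: int     # how long to keep after the record's retention start


@dataclass(frozen=True)
class Record:
    key: str
    object_type: str
    retention_start: date   # e.g. end of fiscal year or contract (a business decision)
    legal_hold: bool = False


RULES = {
    "SALES_ORDER": RetentionRule("SALES_ORDER", 10 * 365),
    "MARKETING_CONSENT": RetentionRule("MARKETING_CONSENT", 2 * 365),
}
RECORDS = [  # constructed sample records
    Record("4500001", "SALES_ORDER", date(2007, 12, 31)),
    Record("4500002", "SALES_ORDER", date(2007, 12, 31), legal_hold=True),
    Record("4500003", "SALES_ORDER", date(2009, 12, 31)),
    Record("CONS-1", "MARKETING_CONSENT", date(2015, 6, 30)),
    Record("CONS-2", "MARKETING_CONSENT", date(2017, 1, 1)),
]
GDPR_EFFECTIVE = date(2018, 5, 25)


def expiration(record, rules):
    """Expiration date = retention start + the rule's retention period.
    A record whose object type has no rule raises KeyError on purpose: untyped data
    must be classified first, never silently destroyed or silently kept."""
    return record.retention_start + timedelta(days=rules[record.object_type].retention_days)


def build_clusters(records, rules):
    """Group records into 'data clusters' that share an expiration date
    (one archive file per cluster in the ILM picture)."""
    clusters = defaultdict(list)
    for r in records:
        clusters[expiration(r, rules)].append(r)
    return dict(clusters)


def evaluate(records, rules, today):
    """Decide per cluster: retain (retention time not reached), destroy (reached, no
    hold), or blocked (reached, but a legal hold on any member protects the whole
    cluster, because a shared archive file cannot be destroyed in part)."""
    decision = {"destroy": [], "retain": [], "blocked_by_legal_hold": []}
    for exp, members in sorted(build_clusters(records, rules).items()):
        keys = [m.key for m in members]
        if today < exp:
            decision["retain"].extend(keys)
        elif any(m.legal_hold for m in members):
            decision["blocked_by_legal_hold"].extend(keys)
        else:
            decision["destroy"].extend(keys)
    return decision


def release_legal_hold(records, key):
    """Lift the hold on one record (case closed); returns a new list."""
    return [replace(r, legal_hold=False) if r.key == key else r for r in records]


if __name__ == "__main__":
    print(evaluate(RECORDS, RULES, GDPR_EFFECTIVE))
    print(evaluate(release_legal_hold(RECORDS, "4500002"), RULES, GDPR_EFFECTIVE))
```

Two points worth carrying into a real implementation: an object type without a retention rule must stop the run rather than default to "keep" or "destroy", and a legal hold has to be evaluated at the granularity at which data is physically destroyed (the cluster or archive file), not only per record.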
18. Right of Access Article 15 – New! SAP IRF Generic Smart Search

Art. 15 "Right of access by the data subject": The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data plus further details. Solution: "Information Retrieval Framework" – Generic Smart Search.

Extract of the risks / challenges of the new transparency obligations starting in 2018 (GDPR Art. 12 (3) time limits; GDPR Art. 13/14/15 scope)

[Chart: average processing time in days per Art. 15 information request at an energy utility, by calendar week (KW03, KW13, KW26, KW36, KW46); values shown include 48, 19 and 59 days; average 41 days]
Retail customer example (current): average processing time 41 days. GDPR: one month, with more complex reporting requirements.

1. The privacy policy statement must include stored / erased data. Failure to implement a declared status quo gives supervisory authorities, associations, competitors and affected persons a basis for fines and claims; a breach of conformity carries a high (personal) liability risk.
2. An individual, an organization or a competitor requests information or data transmission: within one month, the information and/or the transmission must be provided.
3. A supervisory authority or court issues an ad-hoc order: the data protection conditions and requirements must be implemented immediately.
4. In the case of a delay, non-conformity or an incorrect answer: public disputes / announcements, monetary and lasting impact, and reputational damage.
19. Right of Access Article 15 – New! SAP IRF Generic Smart Search

New in a NetWeaver patch: SAP Information Retrieval Framework – Generic Smart Search. Using SAP IRF together with Natuvion's blueprints and data models, GDPR-protected personal data can be identified quickly across heterogeneous landscapes.

Functionality Overview

Searching for Data
• The search is carried out according to defined entry criteria (partner, customer, order, etc.).
• Data models can be stored in different versions and variants.
• The search can be performed centrally on all connected systems.
• The search jobs are executed asynchronously in the system.

Output of Results
• The executed search jobs persist their results in their own tables (possibly in their own clients).
• These results are deleted after the deadline.
• Result processing can be filtered and/or modified.
• Output of data in an ALV grid (SAP standard).
• Connection of other technologies is possible (SAP Fiori, UI5, HCP).
• Form integration is not standard.

SAP Standard Technology
• Real-time data visibility across fragmented data sources.
• The base technology (SAP BASIS) is included in the license costs of SAP Business Suite.
• Data search for defined data models on all systems in SAP Business Suite.
• Connection of non-SAP systems and web services is possible.

Information Retrieval Framework – Blueprint & Data Models
• Use of the BASIS functionality "Generic Smart Search."
• Use of the ILM objects (table scope / grouping) and derivation of the reading paths.
• Rule-based search and exclusion of values / results.

Natuvion can support ASUG members exclusively either with predefined templates (data models) and blueprints, and/or with implementation support as a co-innovation development partner for IRF.
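To make the "reading paths", "rule-based exclusion" and "asynchronous jobs across connected systems" bullets concrete, here is an added example in Python. It is illustrative only: the real Information Retrieval Framework is ABAP and its data-model format is not reproduced; the system names, table names, field names, sample rows and exclusion rules are constructed. A data model is modelled as a set of reading paths (from a field of one table to the matching field of a dependent table); the search starts from an entry criterion such as a business partner key, follows the paths in every connected system in parallel, drops rows that match an exclusion rule, and persists the hits as a job with an expiry after which they are purged.

```python
"""Generic search over connected systems along a data model's reading paths.

Illustrative Python only: the real Information Retrieval Framework is ABAP and its
data-model format is not reproduced here. Table names, field names, system names
and sample rows are constructed.
"""
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta, timezone

# Data model: for a row found in <source table>, follow <source field> to the rows of
# <target table> whose <target field> has the same value.
READING_PATHS = {
    "BUSINESS_PARTNER": [("PARTNER", "CUSTOMER", "PARTNER"),
                         ("PARTNER", "CONTACT_ADDRESS", "PARTNER")],
    "CUSTOMER": [("CUSTOMER_NO", "SALES_ORDER", "SOLD_TO")],
    "SALES_ORDER": [("ORDER_NO", "DELIVERY", "ORDER_NO")],
}

# Exclusion rules: (table or "*", field, value). A matching row is dropped from the
# results and the path below it is not followed.
EXCLUSION_RULES = [
    ("*", "TEST_DATA", "X"),                       # flagged test records are not a real subject's data
    ("CONTACT_ADDRESS", "ADDR_TYPE", "TEMPLATE"),  # table-specific rule
]

SYSTEMS = {  # constructed content of two connected systems
    "ERP_PRD": {
        "BUSINESS_PARTNER": [{"PARTNER": "1000001", "NAME": "Erika Mustermann"},
                             {"PARTNER": "1000002", "NAME": "Max Mustermann"}],
        "CUSTOMER": [{"PARTNER": "1000001", "CUSTOMER_NO": "C-77"}],
        "SALES_ORDER": [{"ORDER_NO": "4500001", "SOLD_TO": "C-77"},
                        {"ORDER_NO": "4500009", "SOLD_TO": "C-77", "TEST_DATA": "X"},
                        {"ORDER_NO": "4500003", "SOLD_TO": "C-99"}],
        "DELIVERY": [{"DELIV_NO": "8000001", "ORDER_NO": "4500001"},
                     {"DELIV_NO": "8000009", "ORDER_NO": "4500009"}],
    },
    "CRM_PRD": {
        "BUSINESS_PARTNER": [{"PARTNER": "1000001", "NAME": "Erika Mustermann"}],
        "CONTACT_ADDRESS": [{"PARTNER": "1000001", "ADDR_NO": "A-1", "CITY": "Walldorf"}],
    },
}


def excluded(table, row, rules=EXCLUSION_RULES):
    """True if any rule applies to this table (or all tables) and the row matches."""
    return any(t in ("*", table) and row.get(f) == v for t, f, v in rules)


def search_system(system_name, tables, entry_table, entry_field, value, rules=EXCLUSION_RULES):
    """Follow the reading paths from one entry criterion inside one system.
    Returns (system, table, row) hits; the visited set makes cyclic models safe."""
    hits, visited = [], set()
    frontier = [(entry_table, entry_field, value)]
    while frontier:
        table, field, val = frontier.pop()
        for row in tables.get(table, []):
            if row.get(field) != val:
                continue
            ident = (table, tuple(sorted(row.items())))
            if ident in visited or excluded(table, row, rules):
                continue
            visited.add(ident)
            hits.append((system_name, table, row))
            for src_field, tgt_table, tgt_field in READING_PATHS.get(table, []):
                if src_field in row:
                    frontier.append((tgt_table, tgt_field, row[src_field]))
    return hits


def run_search_job(systems, entry_table, entry_field, value, result_ttl_days=30, now=None):
    """Run the search on all connected systems in parallel (the asynchronous jobs on
    the slide) and persist the result with a job id and an expiry, after which
    purge_expired() removes it again."""
    now = now or datetime.now(timezone.utc)
    with ThreadPoolExecutor(max_workers=len(systems)) as pool:
        futures = [pool.submit(search_system, name, tabs, entry_table, entry_field, value)
                   for name, tabs in systems.items()]
        hits = [h for f in futures for h in f.result()]
    return {"job_id": f"{entry_table}:{entry_field}={value}:{now:%Y%m%dT%H%M%S}",
            "created": now, "expires": now + timedelta(days=result_ttl_days), "hits": hits}


def purge_expired(jobs, now):
    """Keep only result sets whose deadline has not yet passed."""
    return [j for j in jobs if j["expires"] > now]


if __name__ == "__main__":
    job = run_search_job(SYSTEMS, "BUSINESS_PARTNER", "PARTNER", "1000001")
    for system, table, row in job["hits"]:
        print(system, table, row)
```

One design choice to be aware of: an exclusion rule here prunes the path beneath the excluded row (a test order's deliveries are not reported either). For an Art. 15 response that is the intended behaviour for test data, but a rule that excludes genuine records would also hide their dependents, so exclusion rules deserve the same review as the data model itself. The persisted result set is itself personal data, which is why it carries an expiry and is purged.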
21. ASUG Offer – Natuvion's Certified "TDA": Typical Phases of Implementation

Phase | Concept (Scope) | Test Position (Test Environment) | Individualization (Tailoring Your Solution) | Golive (Start of Regular Operation)
Effort (PD) | 2 - 3 PD | 5 PD | 10 - 15 PD | 5 PD
Effort (PD) | 2 - 3 PD | 3 PD | 3 - 2 PD | 3 PD
Project Duration: 6 to 10 Weeks (PD = person days)

Activities across the phases:
§ Introduction of data anonymization in the department and recording of additional requirements, if necessary.
§ Survey of relevant process, authorization or UI adjustments.
§ Delivery of transport requests.
§ Carrying out the necessary standard customizing.
§ Creation of rules and variants.
§ Display of additional functions or selection features.
§ Customizing as a coaching approach.
§ Development of customer-specific developments / tables.
§ Adaptation of variants.
§ Test management
§ Test execution
§ Key user training
§ End user training
§ Go-live
§ Stabilization
§ Certification per §9 German Federal Data Protection Act (optional)
24. Question and Answer

Patric Dahse, CEO / Founder, Natuvion GmbH / Natuvion Americas Inc. – patric.dahse@natuvion.com – http://www.natuvion.com/en/north-america
Benjamin Spies, IT Lawyer, Partner, SKW Schwarz Rechtsanwälte – B.Spies@skwschwarz.de