GDPR and SAP - Overview Presentation

Workshop dataprivacy in SAP
Ing. Nico J.W. Kuijper MSc. CIPP/EU

SAP information & data governance/management consultant, (SAP) Data Privacy Consultant
Certified by the International Association of Privacy Professionals
nico.kuijper@d-im-services.com +31 20 615 82 89
Disclaimer: the author of this presentation does not provide any legal advice regarding data privacy with this presentation.
In this presentation personal opinions, practical experiences on the fulfillment of data protection requirements and possible instruments are discussed.
This presentation contains some pictures/slides from public available sources and SAP presentations.
March 29, 2018
Disclaimer: The information contained in this presentation is for general guidance only and provided on the understanding that the
author is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation.
The author accepts no liability for any actions taken as response hereto.
It is the responsibility your organization to adopt measures that deems appropriate to achieve GDPR compliance.
vcv
March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 1
Questions to the audiance
Is your organization currently ready for / compliant with the GDPR?

 Yes?
 No?
 Not sure?
How are other companies doing? https://www.gartner.com/newsroom/id/3701117
Who should be responsible for data privacy in your view?

 Business?
 IT?
 Both?
On what level should data privacy be addressed in the organization?

 Strategic level?
 Tactical level?
 Operational level?
 All these levels above?
Analogy: processing financial transactions
Key elements: Tax officer Fiscal law, etc.

• Legislation
• Legal/fiscal authority
• C-Level executive
• Internal control function
• Governance & policies
• Management layer
C-level
• Record/bookkeeping
• Operations/execution layer executives
• Money flow in/out (CFO)
• External stakeholders
Policy
Head of Finance Financial

Controller
Bookkeeping system
€ in Processing financial transactions € out

External
stakeholder(s)
stakeholder(s)
Clerk
Analogy: processing privacy relevant data
DPA GDPR
Key elements:
(Data Privacy Legislation
• Legislation
Authority)
• Legal authority
• C-Level executive
• Internal control function
• Governance & policies
• Management layer
C-level
• Record/bookkeeping system
• Operations/execution layer & tools executives
• Dataflow in/out (CIO/CDO)
• External stakeholders
(e.g. data subjects, external Policy
controllers & processors)
Data controller DPO

(Data privacy Officer)
Privacy “bookkeeping”
Data in Processing privacy relevant data Data out

Stakeholder(s) External
like data stakeholder(s)
subjects Data processor
Article on data privacy bookkeeping: https://executive-people.nl/587119/privacy-boekhouding.html
The roadmap to GDPR compliance
Key questions
Idenfity the context of privacy relevant data

Where (systems) is privacy relevant data used/stored?
How & where is it processed (business process)?
For what (lawful) purpose?
What are the relevant (legal/fiscal) retention rules?
Document outcome in your data register
& records and retention scheme
Assess & prioritize privacy risks

What are the identified privacy risks (PIA)?
Gap analysis regarding
organizational & technical measures
Evaluate risks, measures & prioritize.
Develop and execute a privacy program

How to mitigate the identified privacy risks?
What are our data privacy policies and procedures?
How do we govern/evaluate (ongoing) data privacy?
Technical measures:
What are the appropriate privacy enhancing tools?
Implement technical measures based on defined policies
Etc.
Presentation focus area: PET in the context of SAP
The presentation has a main focus on privacy enhancing technology available in SAP and will touch
also some of the data privacy relevant processes this technology can be used for.
We will not focus on governance, relevant data privacy processes, roles and responsibilities, etc.
Part 1 – GDPR key aspects put into context
GDPR Article 24(1): the GDPR Key aspects
The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/ and here in different languages:
Directive 95/46/EC (General Data Protection Regulation) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
The nature, scope, context, purpose, risk of
processing personal data & appropriate measures
Determine risks of
Identify Identify the Identify the Identify the context: processing the data
where purpose for context: determine determine the and implement
privacy processing the lawful basis retention and appropriate
relevant personal data for processing deletion periods (technical)
data lives (identify (displayed: a few and triggers measures
in your relevant examples of a (some examples)
SAP business lawful basis)
system processes) SAP ILM RM
Delete after Consent

Consent withdrawn management
consent
Personal SAP ILM RM
data
(in SAP) Authorization
Purpose(s) of Legal
processing concept
obligation Retain
personal data
based on
legal Data masking
contract retention
times per
country Anonymization
NL x years
DE y years
Data breach
prevention &
detection
Etc.
What is considered privacy relevant data? Identify
10
where
privacy
relevant
data lives
in your
SAP
“'personal data' means any information relating to an system
identified or identifiable natural person 'data subject'; an
identifiable person is one who can be identified, directly
or indirectly, in particular by reference to an identifier
such as a name, an identification number, location
data, online identifier or to one or more factors specific
to the physical, physiological, genetic, mental,
economic, cultural or social identity of that person”
Art. 4 Sec. 1 GDPR
What does this mean for SAP Business Suite

and SAP S/4HANA?
 Data in SAP Business Suite and SAP S/4HANA is or might
become personal data.
A Sales Order is linked to the Business Partner (ID). The sales order
itself could contain additional personal data – or can reveal personal Personal
data (purchases person X). data
(in SAP)
 Combinations of attributes might become personal data – as soon as
it is possible to identify the person behind. Example: information
combined from ECC, CRM, BW, etc.
“Personal data” is defined as “any information relating to an identified or identifiable natural person”
First things first (1): Identify
where
Detect the privacy relevant data living in your systems privacy

relevant
data lives
in your
SAP
system
• There are different tools in the market available to detect if and where privacy
relevant information lives in SAP systems. SAP promotes e.g. Information steward,
Celonis, etc.
• Tip: a standard “quick to use” SAP report could be used to identify the tables in
SAP used to potentially store (sensitive) privacy relevant information. Downside: too
limited (does not identify if table records are actually populated with personal data)
Personal
data
(in SAP)
First things first (2): Identify
where
Detect the privacy relevant data living in your systems privacy

relevant
data lives
in your
SAP
system
• Alternative: a 3rd party analysis tool could be used to verify if table records are
actually populated with personal data (e.g. per personnel area), the relevant
authorization checks, available data destruction objects for the identified personal
data, etc.
Personal
data
(in SAP)
Demo?
First things first (3):
Detect the privacy relevant data living in your systems Identify
where
privacy
relevant
data lives
in your
• Usage of privacy relevant documents SAP
system
Not only privacy relevant data can be stored in SAP, documents and (email)
messages, etc. containing privacy relevant data can be stored in SAP or to the to
SAP connected content/archive servers. This needs to be checked as well.
Example: keeping successfully send emails in SAP containing personal data

is a widely spread practice (and potential risk regarding the purpose limitation,
unauthorized disclosure of email content, data minimization, etc.).
Personal
data
(in SAP)
Identify the purpose & processes related to Identify the
purpose for
14
the identified personal data in SAP systems processing
personal
data
(identify
relevant
• Personal data of a particular person can be used for different (lawful) business
processes)
purposes. Example: usage of email address
Purpose(s) of
processing
Attribute Used in Data is Purpose(s) Business process(es)

system stored in
Email ECC KNA1, Different types Send contract, order &
(customer) SOES of business delivery confirmation
transaction (MM/SD), invoices (FI),
communication product defect
notifications, etc.
Email CRM BUT020, Marketing Campaign management
(business SOES
partner)
Email HR PA0105, HR - Employee Many different HR
(employee) SOES communication processes
Determine the
Aligning purposes, retention rules & laws lawful basis

15
for processing
(displayed:
some
examples of a
lawful basis)
Purpose Active availability Retention period
Master data Dependent on other purposes With related data Until last related retention
period ends g in this
example: pension law
Payment details Dependent on other purposes With related data Until last retention period for
payment details ends g
e.g. tax law
Communication details Dependent on other purposes With related data With master data
Marketing Marketing Until consent is revoked or None
missing renewal after x years
Data: purchase Processing purchase contract Until end of maintenance Until last related retention
contract for iPhone & Processing maintenance requirements period ends g e.g. tax law
maintenance
Data: purchase Processing purchase contract During processing of Until last related retention
contract for “The purchase contract, possibly period ends g e.g. tax law
Divine Comedy“ for reporting purposes
Data: contract for Processing contract for works During processing of contract Until last related retention
works for works, possibly for period ends g e.g. contract
reporting purposes law
Data: employment Processing employment During time of employment Attention: deadlines of
contract relationship and for processing end of pensions, pensions
employment offices,…
Know what information (not) to retain
Identify the
context:
determine the
retention
and deletion
periods and
Note: GDPR Article 17 ( right to be forgotten) does not overrule retention rules defined in other legislation ! triggers
- What type of information?

- How long should it be preserved?
Develop
A Records
and
Retention
Schedule!
Next step: populate your data privacy register,
and start with data privacy “book keeping”
• Document the results of your data & process analysis in a “data privacy
register”
Consult
your DPO
or privacy
program
manager
Example of a very simple data privacy register template is provided by the EDPS.
Source: https://edps.europa.eu/data-protection/our-work/publications/other-documents/register-template-0_en
Example of a more extensive data privacy register template is provided by the Belgium DPA .
https://onetrust.com/wp-content/uploads/2017/09/Belgian-DPA-Registry-of-Processing-Activities-Template-20170907-EN.xlsx
Now we identified the context of data, whats next?
Assess & prioritize the risk using a privacy impact assessment
Consult
your DPO
or privacy
program
manager
There are many different (D)PIA tools and templates. One example: www.isaca.org/GDPR-DPIA
A (D)PIA can be seen as a kind of risk assessment to identify how privacy relevant data in handled
(by the different business processes) in your organization. Based on the outcome you can define
improvements in different area’s (like data protection measures, policies/procedures, etc.).
Key questions



Technical measures:
Etc.
Part 2 – Overview of privacy enhancing SAP tools
GDPR Article 24(1): the GDPR Key aspects
The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/
Map the different GDPR articles to “appropiate measures”
(Source picture: SAP SE) Discussion:

Identify some
measures and
Supporting
24 - 28 -
27 44 - 29 (SAP)
50
tools
40 - 37 - 35 -
25 30 33, 34
43 39 36
5, 12-14,
15 17
19 16
18 20 21
32 22
6, 7
5 - 11
GDPR articles
The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
Overview of some privacy enhancing SAP tools
HR process Workbench 3rd party PET software

SAP ILM RM
(Mass deletion process
(Data blocking & deletion)
automation)
)
SAP system security
E-discover & legal hold Data controler rule (Firewall, SSO, encryption,
framework system settings, etc )
) (central retention rules)
Data deletion & blocking ) SAP (system/data) security
SAP (special) Information retrieval

SAP UI Masking
authorizations Framework
(Masking/blocking data
(SOD, restrict access to (report on personal data)
based on user roles)
privacy relevant data)
)
Restrict the access to (personal) data Inform the data subject
SAP Read Access

Logging SAP Enterprise Thread SAP TDMS
(Monitor the access to Detection (encryption/anonymization)
(sensitive) personal data)
Data breach detection / data access logging NON productive systems
Options for consent SAP consent

Privacy
request / management SAP GRC
Cockpit
(standard SAP functions) (future feature)
Consent management, privacy notifications Privacy management software
Requesting explicit consent in SAP
Individuals have rights when it comes to the

collection & processing of personal information.
Consent and choice are two of those rights.
As a result, organizations should describe the
choices available to individuals and should get
implicit or explicit consent with respect to the
collection, use, retention and disclosure of
personal information.
There are different options in SAP to request

explicit consent for the storage and processing
of personal data in for example HCM (e-
recruiting), ECC, SRM, CRM, IS*, etc.
Processing personal data in SAP without explicit

consent is unlawful and should be avoided.
Options for consent

request /
(standard SAP functions)
Policy driven erasure of personal data
Under GDPR Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed
(purpose), the data subject objects to processing, or the processing was unlawful.
GDPR Article 5: purpose limitation and data minimization: do not collect/keep data without a clear purpose
Introduction of SAP ILM
The lifecycle of information (put under corporate control) can be managed with SAP Information
Lifecycle management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of
SAP data and documents in a controlled way using records management & retention policies.
Data destruction objects
For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so
called data destruction objects. Alone in SAP module HCM we find more then 100 data destruction
objects, and the SAP HCM data destruction objects can (in most of the cases) be used without
additional SAP license implications.
SAP ILM RM: applying retention rules in SAP (1)
 ILM Policies are the instruments to translate (differentiated) external legal

& fiscal retention and data destruction rules to SAP data and documents
 ILM retention rules serve mainly the following purposes:
- separate the data (e.g. per country) during archiving/deletion processes
- store the data in different containers (when needed for archiving)
- apply retention rules to the data (how long it MUST be preserved)
- apply expiration dates (when the data can/must be destroyed)
Retention policy: manage the lifecycle of your data
Privacy relevant data should be managed in alignment with other legislation based on retention
rules. Other (overruling) legislation – e.g. tax regulation – might require the preservation of privacy
relevant data, blocking e.g. the destruction of financial data containing privacy relevant data.
With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.
SAP ILM RM: executing data deletion in SAP
Final (policy based) data destruction in SAP
Based on the defined retention rules in SAP ILM it is possible to comply with the
retention and deletion rules to block and destroy privacy relevant SAP data in a controlled way.
Personal Data Lifecycle in SAP: block or delete?
Processing in Blocking phase

accordance with Access only for explicitly Deletion
intended purpose authorized persons
Source: SAP
Masterdata: blocking of business partner
Source Picture:SAP SE.
Blocking privacy relevant data
SAP delivers business functions for the blocking of personal (business partner) data that can’t be
deleted instantly for different reasons (SAP data consistency or data must be preserved longer due
to overruling legal or fiscal legislation, etc.).
Restrict the access to personal & sensitive data
Unauthorized access to & processing of privacy relevant must be prevented using SOD
(segregation of duties) principles and (logical) data minimization – access only the data you need
Authorizations - restrict access to privacy relevant data
Special technical and organizational measures must be taken in order to combat the risk of
unauthorized access to the SAP ERP System. When taken, these measures ensure that
unauthorized viewing and unintentional/intentional manipulation of data is prevented.
Limit access to personal & sensitive data:

• Use a solid, flexible and clear authorization concept
• Define a strict access management policy and process
• Consistent across SAP applications & dbase layer (ECC, S/4HANA, BW, HR, FIORI, CRM,…)
• Restrict access to blocked data elements
• Restrict access to data reports
• Store data extracts at secure locations
• Implement sufficient security parameters to prevent unauthorized access
The Audit Information System (transaction SUIM) and many other tools (like GRC) can be
useful.
Authorizations – Analysis of access to personal data
Source Picture: Soterion
Example of a 3rd party tool

(Soterion) to assess GDPR
related authorization risks
HR: context & time sensitive authorizations
With the authorization object P_DURATION it is possible to block access to personal data
from the past (stored in infotypes) by users. This could be required if data needs to be
available due to legal retention periods for or is still required for other processes, but active
use or processing by users should no longer be possible, because of data privacy rules.
There are many other types of solution like e.g. SAP Dynamic authorizations that can support
in the definition of tailored authorization concepts.
Source Picture: SAP SE.
Security of personal & sensitive data
Protect the access to privacy relevant data in SAP
Source Picture: SAP SE.
UI Masking and logging (I)
Configure on field
level how a field is
displayed.
Define whether data
are shown, or how
they are masked
Register Authorized Users per Field

• In transaction PFCG, assign users
to the UI Masking authorization a
role.
• Users assigned to these roles will
be able to see unmasked values for
the applicable fields
Source Picture – Public slides SAP SE.

Authorizations - UI Masking (II)
Result: data masking

Data is masked in GUI
transaction display for
un-authorized users.
This also affects high-level

“admin” system users (in
dynamic transactions, e.g.
SE11, SE12, SE16, SE16n)
unless explicitly authorized
UI Masking also protects data

during download, export, and
print.

Authorizations - UI Masking (III)
Example of role based masking of particular screen fields.

Authorizations - UI logging – Access log (I)
Authorizations UI logging – Access log (II)

Data breach notifications
“Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed.”
In the event of a personal data breach, data controllers must notify the supervisory authority
“without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Monitoring data breaches in SAP using RAL
If data is leaked, companies must inform the Data Protection Authority (DPA) within 72 hours of
them being aware of the breach. All data breaches must be sufficiently documented.
So organizations must indicate exactly where in the systems breaches have taken place and
what consequences they have. They potentially must also inform the owners of the leaked data.
SAP offers a standard tool (as part of NetWeaver) to monitor the unauthorized access to
(privacy relevant) data – even if this is “just looking” at privacy relevant data. The name of the
tool is RAL (Read Access Logging) and it can monitor the access to data from many different
channels.
Source: SAP SE.
RAL (Read Access Logging) - 1
With RAL you can define and categorize the logging purpose, domains and object yourself.
RAL (Read Access Logging) - 2
Access to privacy relevant SAP data via different channels (Gui, internet, RFC) can be logged in a
flexible way so that you can determine what needs to be logged in detail.
RAL can help you significantly in detecting and logging data breaches in SAP.
Data privacy versus system & data security
Information security = information privacy?
The term information privacy refers to the handling, controlling, sharing and disposal of personal
information while the term information security includes a very wide range of activities both
physical and administrative that protect not only personal information, but any type of information or
information asset that supports a business.
The difference between information privacy and information security supports the statement,
“You can have security without privacy…but you cannot have privacy without security.”
For example, a secure computer with solid access controls may be secure however if access
controls were not assigned correctly privacy may become an issue.
List of possible technical measures
https://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
The German SAP user group (DSAG) provides in a document (maybe not completely updated with
the GDPR but sill useful) regarding the different technical measures you can implement to enhance
the (data) security and privacy based on for example:
- recommendations on system parameters
- known authorization risks
- risks related to interfaces
- logging mechanisms and housekeeping
- measures around the security of the (SAP) network, database, system, etc.
Data protection in non productive SAP systems
Context: the GDPR prohibit the unauthorized access to personal data and encourage the (pseudo)
anonymization of data when possible. How do you give developers, testers and contract workers
access to a non-production system without endangering your data privacy and data security
regulations?
Privacy relevant data in NON productive systems
SAP offers, with SAP TDMS 4.0, the option to scramble privacy relevant data in non productive SAP
systems. (see SAP slide of TDMS 4.0 above).
Alternative 3rd party solutions are delivered by e.g. EPI-USE, Natuvion, etc.
Instruments for complex data privacy operations
Maintaining records and retention rules for different types of information and with differentiated
retention rules per country or organizational entity can be a challenge
SAP Data Controller Rule Framework
The SAP data controller Rule framework can be used to define differentiated business rules on the
retention of SAP data used for the blocking and deletion of SAP data.
This “rule generator” populates SAP ILM with the correct ILM rules.
Mass processing of deletion in HR: process models
The HR process workbench can be used to define (country specific) data destruction processes for
the execution of the (controlled) destruction of data from many different infotypes.
Data subject information requests
SAP Information Retrieval Framework (IRF)
Source: SAP SE.
The Information Retrieval Framework toolset can be used to define and execute the reporting of
personal data in case of a data subject request. There are also alternative 3rd party tools delivered
by e.g. EPI-USE.
Privacy management instruments
How privacy management could look like in SAP
Source: SAP SE.
There are many different tools to administer, monitor document and control different data privacy
aspects. SAP promotes SAP GRC, and is thinking about the development of a data protection
cockpit. There are also many NON SAP tools on the market, delivered by e.g. Truste, Nymity, etc.
Summary of privacy enhancing SAP tools
HR process Workbench 3rd party PET software

SAP ILM RM
(Mass deletion process
(Data blocking & deletion)
automation)
)
SAP system security
E-discover & legal hold Data controler rule (Firewall, SSO, encryption,
framework system settings, etc )
) (central retention rules)
Data deletion & blocking ) SAP (system/data) security
SAP (special) Information retrieval

SAP UI Masking
authorizations Framework
(Masking/blocking data
(SOD, restrict access to (report on personal data)
based on user roles)
privacy relevant data)
)
Restrict the access to (personal) data Inform the data subject
SAP Read Access

Logging SAP Enterprise Thread SAP TDMS
(Monitor the access to Detection (encryption/anonymization)
(sensitive) personal data)
Data breach detection / data access logging NON productive systems
Options for consent SAP consent Data

request / management SAP GRC Protection
(standard SAP functions) (future feature) Cockpit
Consent management, privacy notifications Privacy management software
Key questions



Technical measures:
Etc.
Questions?
DISCLAMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to,
the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The Author assumes no
responsibility for errors or omissions in this document, except if such damages were caused intentionally or grossly negligent.

GDPR and SAP - Overview Presentation

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GDPR and SAP - Overview Presentation

Uploaded by

Copyright:

Available Formats

Workshop dataprivacy in SAP

Ing. Nico J.W. Kuijper MSc. CIPP/EU

Is your organization currently ready for / compliant with the GDPR?

Who should be responsible for data privacy in your view?

On what level should data privacy be addressed in the organization?

Key elements: Tax officer Fiscal law, etc.

Head of Finance Financial

€ in Processing financial transactions € out

Data controller DPO

Data in Processing privacy relevant data Data out

Article on data privacy bookkeeping: https://executive-people.nl/587119/privacy-boekhouding.html

Idenfity the context of privacy relevant data

Assess & prioritize privacy risks

Develop and execute a privacy program

Delete after Consent

What does this mean for SAP Business Suite

Detect the privacy relevant data living in your systems privacy

Detect the privacy relevant data living in your systems privacy

Example: keeping successfully send emails in SAP containing personal data

Attribute Used in Data is Purpose(s) Business process(es)

Aligning purposes, retention rules & laws lawful basis

- What type of information?

Idenfity the context of privacy relevant data

Assess & prioritize privacy risks

Develop and execute a privacy program

(Source picture: SAP SE) Discussion:

HR process Workbench 3rd party PET software

SAP (special) Information retrieval

SAP Read Access

Options for consent SAP consent

Consent management, privacy notifications Privacy management software

Individuals have rights when it comes to the

There are different options in SAP to request

Processing personal data in SAP without explicit

Options for consent

 ILM Policies are the instruments to translate (differentiated) external legal

Processing in Blocking phase

Source Picture:SAP SE.

Limit access to personal & sensitive data:

Source Picture: Soterion

Example of a 3rd party tool

Source Picture: SAP SE.

Source Picture: SAP SE.

Register Authorized Users per Field

Source Picture – Public slides SAP SE.

Result: data masking

This also affects high-level

UI Masking also protects data

Source Picture – Public slides SAP SE.

Example of role based masking of particular screen fields.

Source Picture – Public slides SAP SE.

Source Picture – Public slides SAP SE.

Source: SAP SE.

Source Picture – Public slides SAP SE.

Source: SAP SE.

Source: SAP SE.

HR process Workbench 3rd party PET software

SAP (special) Information retrieval

SAP Read Access

Options for consent SAP consent Data

Consent management, privacy notifications Privacy management software

Idenfity the context of privacy relevant data

Assess & prioritize privacy risks

Develop and execute a privacy program