Disclaimer: the author of this presentation does not provide any legal advice regarding data privacy with this presentation.
In this presentation personal opinions, practical experiences on the fulfilment of data protection requirements and possible instruments are discussed.
This presentation contains some pictures/slides from publicly available sources and SAP presentations.
March 29, 2018
Disclaimer: The information contained in this presentation is for general guidance only and provided on the understanding that the author is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation.
The author accepts no liability for any actions taken in response hereto.
It is the responsibility of your organization to adopt the measures it deems appropriate to achieve GDPR compliance.
March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 1
Questions to the audience
Analogy: processing financial transactions
Bookkeeping system
Analogy: processing privacy relevant data
Key elements:
• Legislation
• Legal authority
• C-level executive
• Internal control function
• Governance & policies
• Management layer
• Record/bookkeeping system
• Operations/execution layer & tools
• Dataflow in/out
• External stakeholders (e.g. data subjects, external controllers & processors)
Diagram labels on the privacy side of the analogy: Data Privacy Legislation (GDPR), Authority (DPA), C-level executives (CIO/CDO), Policy, Privacy “bookkeeping”
The roadmap to GDPR compliance
Key questions
Technical measures:
What are the appropriate privacy enhancing tools?
Implement technical measures based on defined policies
Etc.
Presentation focus area: PET in the context of SAP
The presentation has a main focus on privacy enhancing technology available in SAP and will also touch on some of the data privacy relevant processes this technology can be used for.
We will not focus on governance, relevant data privacy processes, roles and responsibilities, etc.
Part 1 – GDPR key aspects put into context
GDPR Article 24(1): the GDPR Key aspects
The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/ and, in different languages, here:
Directive 95/46/EC (General Data Protection Regulation) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
The nature, scope, context, purpose, risk of
processing personal data & appropriate measures
Process chain shown on the slide:
• Identify where privacy relevant data lives in your SAP system
• Identify the purpose for processing personal data (identify relevant business processes)
• Identify the context: determine the lawful basis for processing (displayed: a few examples of a lawful basis)
• Identify the context: determine the retention and deletion periods and triggers (SAP ILM RM)
• Determine risks of processing the data and implement appropriate (technical) measures (some examples)
Etc.
What is considered privacy relevant data?
Step: Identify where privacy relevant data lives in your SAP system
“'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”
Art. 4 Sec. 1 GDPR
“Personal data” is defined as “any information relating to an identified or identifiable natural person”
First things first (1): Identify where personal data lives (in SAP)
• Tip: a standard “quick to use” SAP report could be used to identify the tables in SAP used to potentially store (sensitive) privacy relevant information. Downside: too limited (does not identify whether table records are actually populated with personal data)
First things first (2): Identify where personal data lives (in SAP)
Demo?
First things first (3): Detect the privacy relevant data living in your systems
Step: Identify where privacy relevant data lives in your SAP system
• Usage of privacy relevant documents
Not only privacy relevant data can be stored in SAP; documents and (email) messages, etc. containing privacy relevant data can be stored in SAP or on the content/archive servers connected to SAP. This needs to be checked as well.
Identify the purpose & processes related to the identified personal data in SAP systems
Step: Identify the purpose for processing personal data (identify relevant processes)
• Personal data of a particular person can be used for different (lawful) business purposes. Example: usage of email address
Purpose(s) of processing
Step: Determine the retention and deletion periods
Data | Purpose of processing | Retained for active processing | Retained (blocked) until
Purchase contract for iPhone & maintenance | Processing purchase contract; processing maintenance requirements | Until end of maintenance period | Until last related retention period ends, e.g. tax law
Purchase contract for “The Divine Comedy” | Processing purchase contract, possibly for reporting purposes | During processing of the purchase contract | Until last related retention period ends, e.g. tax law
Contract for works | Processing contract for works, possibly for reporting purposes | During processing of contract for works | Until last related retention period ends, e.g. contract law
Employment contract | Processing employment relationship and for processing end of employment | During time of employment | Attention: deadlines of pensions, pensions offices, …
Know what information (not) to retain
Step: Identify the context: determine the retention and deletion periods and triggers
Note: GDPR Article 17 (right to be forgotten) does not overrule retention rules defined in other legislation!
Develop a Records and Retention Schedule!
Next step: populate your data privacy register, and start with data privacy “bookkeeping”
• Document the results of your data & process analysis in a “data privacy register”
Consult your DPO or privacy program manager.
An example of a very simple data privacy register template is provided by the EDPS.
Source: https://edps.europa.eu/data-protection/our-work/publications/other-documents/register-template-0_en
An example of a more extensive data privacy register template is provided by the Belgian DPA:
https://onetrust.com/wp-content/uploads/2017/09/Belgian-DPA-Registry-of-Processing-Activities-Template-20170907-EN.xlsx
Now we have identified the context of the data, what's next?
Assess & prioritize the risk using a privacy impact assessment
Consult your DPO or privacy program manager.
There are many different (D)PIA tools and templates. One example: www.isaca.org/GDPR-DPIA
A (D)PIA can be seen as a kind of risk assessment to identify how privacy relevant data is handled (by the different business processes) in your organization. Based on the outcome you can define improvements in different areas (like data protection measures, policies/procedures, etc.).
The roadmap to GDPR compliance
Key questions
Technical measures:
What are the appropriate privacy enhancing tools?
Implement technical measures based on defined policies
Etc.
Part 2 – Overview of privacy enhancing SAP tools
GDPR Article 24(1): the GDPR Key aspects
The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/
Map the different GDPR articles to “appropriate measures”
Diagram: GDPR articles mapped to appropriate measures. Articles referenced on the slide: 5, 6, 7, 5-11, 12-14, 15, 16, 17, 18, 19, 20, 21, 22, 25, 30, 32, 33, 34, 35-36, 37-39, 40-43
The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
Overview of some privacy enhancing SAP tools
Requesting explicit consent in SAP
Policy driven erasure of personal data
Under GDPR Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed (purpose), the data subject objects to processing, or the processing was unlawful.
GDPR Article 5: purpose limitation and data minimization: do not collect/keep data without a clear purpose
Introduction of SAP ILM
The lifecycle of information (put under corporate control) can be managed with SAP Information Lifecycle Management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data and documents in a controlled way using records management & retention policies.
Data destruction objects
For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so-called data destruction objects. In the SAP HCM module alone there are more than 100 data destruction objects, and the SAP HCM data destruction objects can (in most cases) be used without additional SAP license implications.
SAP ILM RM: applying retention rules in SAP (1)
Privacy relevant data should be managed in alignment with other legislation based on retention rules. Other (overruling) legislation, e.g. tax regulation, might require the preservation of privacy relevant data, blocking e.g. the destruction of financial data containing privacy relevant data.
With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.
SAP ILM RM: executing data deletion in SAP
Final (policy based) data destruction in SAP
Based on the retention rules defined in SAP ILM it is possible to comply with the retention and deletion rules, i.e. to block and destroy privacy relevant SAP data in a controlled way.
Personal Data Lifecycle in SAP: block or delete?
Source: SAP
Master data: blocking of business partner
Blocking privacy relevant data
SAP delivers business functions for the blocking of personal (business partner) data that can’t be deleted instantly for different reasons (SAP data consistency, or data must be preserved longer due to overruling legal or fiscal legislation, etc.).
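The "block or delete" decision described in the ILM, retention-rule and blocking slides above reduces to a small amount of logic: a record stays active while its processing purpose lasts, is blocked (no active use, but retained) while an overruling retention period such as tax law still applies, and is destroyed only once the longest applicable period has expired; an Article 17 request ends the purpose but cannot shorten the legal retention. The following Python is an added illustration of that lifecycle, written for this page; it is not SAP ILM code, and the record types, data-subject ids and retention periods are constructed sample values, not legal guidance.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    basis: str   # label of the overruling legislation, e.g. "tax law"
    years: int   # years the record must be kept after its processing purpose ended


@dataclass
class Record:
    record_id: str
    data_subject: str
    purpose: str
    purpose_end: Optional[date]                  # None while the purpose is still active
    rules: list = field(default_factory=list)    # overruling retention rules, may be empty


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                           # 29 Feb carried into a non-leap year
        return d.replace(year=d.year + years, day=28)


def destruction_date(rec: Record) -> Optional[date]:
    """Earliest permitted destruction: end of purpose plus the longest applicable rule."""
    if rec.purpose_end is None:
        return None
    longest = max((r.years for r in rec.rules), default=0)
    return add_years(rec.purpose_end, longest)


def lifecycle_state(rec: Record, today: date) -> str:
    """ACTIVE while the purpose lasts, BLOCKED while a retention rule still applies,
    DESTROY once every applicable retention period has expired."""
    if rec.purpose_end is None or today < rec.purpose_end:
        return "ACTIVE"
    if today < destruction_date(rec):
        return "BLOCKED"
    return "DESTROY"


def handle_erasure_request(rec: Record, today: date) -> str:
    """Art. 17 request: the purpose ends now; the record is destroyed only if no
    overruling retention rule applies, otherwise it is blocked until that rule expires."""
    if rec.purpose_end is None or rec.purpose_end > today:
        rec.purpose_end = today
    return lifecycle_state(rec, today)


def run_destruction(records, today: date) -> dict:
    """One policy-driven run over all records, grouped by the resulting state."""
    groups = {"ACTIVE": [], "BLOCKED": [], "DESTROY": []}
    for rec in records:
        groups[lifecycle_state(rec, today)].append(rec.record_id)
    return groups


# Constructed sample records; the retention periods are illustrative only.
RUN_DATE = date(2018, 3, 29)
SAMPLE_RECORDS = [
    Record("PO-1001", "DS-42", "purchase contract + maintenance", date(2016, 6, 30),
           [RetentionRule("tax law", 10)]),
    Record("PO-1002", "DS-43", "purchase contract", date(2007, 1, 31),
           [RetentionRule("tax law", 10)]),
    Record("HR-0007", "DS-44", "employment relationship", None,
           [RetentionRule("pension deadlines", 30)]),
    Record("MKT-0003", "DS-45", "newsletter", date(2018, 1, 15), []),
]


def erasure_demo() -> tuple:
    """Two Art. 17 requests on fresh records: one is under tax retention, one is not."""
    with_rule = Record("PO-2001", "DS-50", "purchase contract", None, [RetentionRule("tax law", 10)])
    no_rule = Record("MKT-2002", "DS-50", "newsletter", None, [])
    return handle_erasure_request(with_rule, RUN_DATE), handle_erasure_request(no_rule, RUN_DATE)


if __name__ == "__main__":
    print(run_destruction(SAMPLE_RECORDS, RUN_DATE))   # {'ACTIVE': ['HR-0007'], 'BLOCKED': ['PO-1001'], 'DESTROY': ['PO-1002', 'MKT-0003']}
    print(erasure_demo())                              # ('BLOCKED', 'DESTROY')
```

The point to take from the run: a record whose purpose ended years ago can still come back as BLOCKED rather than DESTROY, and an erasure request on a record under tax retention yields a block, not a deletion; both outcomes are what a destruction run has to record so that the data privacy register stays consistent with what the system actually did.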
Restrict the access to personal & sensitive data
Unauthorized access to & processing of privacy relevant data must be prevented using SOD (segregation of duties) principles and (logical) data minimization: access only the data you need.
Authorizations - restrict access to privacy relevant data
Special technical and organizational measures must be taken in order to combat the risk of unauthorized access to the SAP ERP system. When taken, these measures ensure that unauthorized viewing and unintentional/intentional manipulation of data is prevented.
Authorizations – Analysis of access to personal data
With the authorization object P_DURATION it is possible to block users' access to personal data from the past (stored in infotypes). This could be required if data needs to remain available due to legal retention periods or is still required for other processes, but active use or processing by users should no longer be possible because of data privacy rules.
There are many other types of solutions, e.g. SAP Dynamic Authorizations, that can support the definition of tailored authorization concepts.
Security of personal & sensitive data
Protect the access to privacy relevant data in SAP
UI Masking and logging (I)
Configure on field level how a field is displayed.
Define whether data are shown, or how they are masked.
Authorizations UI logging – Access log (II)
Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In the event of a personal data breach, data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Monitoring data breaches in SAP using RAL
If data is leaked, companies must inform the Data Protection Authority (DPA) within 72 hours of becoming aware of the breach. All data breaches must be sufficiently documented.
So organizations must indicate exactly where in the systems breaches have taken place and what consequences they have. They potentially must also inform the owners of the leaked data.
SAP offers a standard tool (as part of NetWeaver) to monitor unauthorized access to (privacy relevant) data, even if this is “just looking” at privacy relevant data. The name of the tool is RAL (Read Access Logging) and it can monitor the access to data from many different channels.
RAL (Read Access Logging) - 1
With RAL you can define and categorize the logging purpose, log domains and objects yourself.
RAL (Read Access Logging) - 2
Access to privacy relevant SAP data via different channels (GUI, internet, RFC) can be logged in a flexible way so that you can determine what needs to be logged in detail.
RAL can help you significantly in detecting and logging data breaches in SAP.
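A read-access log is only useful for the 72-hour breach clock if someone evaluates it. The Python below is an added example, written for this page, of two detections a defender would run over such a log: a sliding-window count of distinct data subjects one user reads from one log domain (bulk "just looking"), and reads of a domain through a channel the policy does not allow for it. It is not RAL's own format or tooling: the pipe-separated layout, the user ids, the "BankDetails" log domain, the channel policy and the log lines are all constructed for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simple pipe-separated layout (not the real RAL export):
# timestamp|user|channel|log_domain|field|data_subject
SAMPLE_LOG = [
    "2018-03-29T09:00:05|PAYROLL1|GUI|BankDetails|IBAN|DS-1001",
    "2018-03-29T09:01:10|PAYROLL1|GUI|BankDetails|IBAN|DS-1002",
    "2018-03-29T15:20:00|PAYROLL1|GUI|BankDetails|IBAN|DS-1003",
] + [
    # SUPPORT7 pulls 25 different employees' bank details over RFC within five minutes
    f"2018-03-29T09:{2 + i // 5:02d}:{(i % 5) * 10:02d}|SUPPORT7|RFC|BankDetails|IBAN|DS-{2001 + i}"
    for i in range(25)
]

# Channels through which a log domain may legitimately be read (constructed policy)
ALLOWED_CHANNELS = {"BankDetails": {"GUI"}}


def parse_log(lines):
    events = []
    for line in lines:
        ts, user, channel, domain, field, subject = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "channel": channel,
                       "domain": domain, "field": field, "subject": subject})
    return sorted(events, key=lambda e: e["ts"])


def bulk_read_alerts(events, window=timedelta(minutes=10), threshold=20):
    """Flag a user who reads >= threshold distinct data subjects of one log domain
    within a sliding window; one alert per (user, domain)."""
    recent = defaultdict(deque)        # (user, domain) -> deque of (ts, subject) inside the window
    distinct = defaultdict(Counter)    # (user, domain) -> subject -> occurrences inside the window
    alerts = {}
    for e in events:
        key = (e["user"], e["domain"])
        q, c = recent[key], distinct[key]
        q.append((e["ts"], e["subject"]))
        c[e["subject"]] += 1
        while q and e["ts"] - q[0][0] > window:       # evict events that left the window
            _, old_subject = q.popleft()
            c[old_subject] -= 1
            if c[old_subject] == 0:
                del c[old_subject]
        if len(c) >= threshold and key not in alerts:
            alerts[key] = {"user": e["user"], "domain": e["domain"], "distinct_subjects": len(c),
                           "first_seen": q[0][0].isoformat(), "last_seen": e["ts"].isoformat()}
    return list(alerts.values())


def channel_alerts(events):
    """Flag reads of a log domain through a channel the policy does not allow."""
    seen = set()
    alerts = []
    for e in events:
        allowed = ALLOWED_CHANNELS.get(e["domain"])
        if allowed is not None and e["channel"] not in allowed:
            key = (e["user"], e["domain"], e["channel"])
            if key not in seen:
                seen.add(key)
                alerts.append({"user": e["user"], "domain": e["domain"], "channel": e["channel"]})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in bulk_read_alerts(evs) + channel_alerts(evs):
        print(alert)
```

The bulk-read alert carries the first and last timestamp of the window that tripped it, which is exactly the "where and when" the breach documentation asks for; the threshold and window are parameters because the right values depend on the normal workload of the role being monitored.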
Data privacy versus system & data security
Information security = information privacy?
The term information privacy refers to the handling, controlling, sharing and disposal of personal information, while the term information security includes a very wide range of activities, both physical and administrative, that protect not only personal information but any type of information or information asset that supports a business.
The difference between information privacy and information security supports the statement, “You can have security without privacy… but you cannot have privacy without security.”
For example, a computer with solid access controls may be secure; however, if those access controls were not assigned correctly, privacy may become an issue.
List of possible technical measures
https://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
The German SAP user group (DSAG) provides a document (maybe not completely updated for the GDPR, but still useful) on the different technical measures you can implement to enhance (data) security and privacy, based on for example:
- recommendations on system parameters
- known authorization risks
- risks related to interfaces
- logging mechanisms and housekeeping
- measures around the security of the (SAP) network, database, system, etc.
Data protection in non-productive SAP systems
Context: the GDPR prohibits unauthorized access to personal data and encourages the (pseudo)anonymization of data when possible. How do you give developers, testers and contract workers access to a non-production system without endangering your data privacy and data security regulations?
Privacy relevant data in non-productive systems
SAP offers, with SAP TDMS 4.0, the option to scramble privacy relevant data in non-productive SAP systems (see SAP slide of TDMS 4.0 above).
Alternative 3rd party solutions are delivered by e.g. EPI-USE, Natuvion, etc.
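Scrambling for a non-production copy has two requirements that pull against each other: the test system must not contain the real values, yet the copied tables must still join on the scrambled values and still pass the format checks test scripts rely on. The Python below is an added example of the usual answer, keyed deterministic pseudonymization with a secret that stays on the production side; it is written for this page and is not TDMS or any vendor's scrambling logic. The column names, the rule set, the key and the customer and contact rows are constructed for the example.

```python
import hashlib
import hmac

# Secret scrambling key: it lives only in the scrambling job on the production side
# and never reaches the non-production system (constructed value for the demo).
DEMO_KEY = b"demo-scrambling-key-not-for-real-use"


def pseudonym_hex(value: str, key: bytes, domain: str, length: int = 10) -> str:
    """Keyed, deterministic pseudonym: the same value always maps to the same output,
    so joins across tables keep working; without the key the mapping can neither be
    reversed nor re-computed from inside the test system. The domain tag keeps a
    name and an e-mail with the same text from sharing a pseudonym."""
    mac = hmac.new(key, f"{domain}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length].upper()


def pseudonym_digits(value: str, key: bytes, domain: str, length: int) -> str:
    mac = hmac.new(key, f"{domain}\x00{value}".encode("utf-8"), hashlib.sha256)
    return str(int(mac.hexdigest(), 16) % (10 ** length)).zfill(length)


def scramble_name(value, key):
    return "PERSON-" + pseudonym_hex(value, key, "name", 8)


def scramble_email(value, key):
    return f"user-{pseudonym_hex(value, key, 'email', 8).lower()}@example.invalid"


def scramble_iban(value, key):
    # keep the country prefix so format checks in test scripts still pass; digits are fake
    return value[:2] + pseudonym_digits(value, key, "iban", len(value) - 2)


def scramble_phone(value, key):
    return "+00 " + pseudonym_digits(value, key, "phone", 9)


SCRAMBLE_RULES = {"name": scramble_name, "email": scramble_email,
                  "iban": scramble_iban, "phone": scramble_phone}


def scramble_table(rows, key=DEMO_KEY, rules=SCRAMBLE_RULES):
    """Return scrambled copies of the rows; columns without a rule are copied unchanged."""
    out = []
    for row in rows:
        new = dict(row)
        for column, fn in rules.items():
            if new.get(column) is not None:
                new[column] = fn(new[column], key)
        out.append(new)
    return out


# Constructed sample data (fake person, fake IBAN); the two tables share the e-mail column
CUSTOMERS = [{"kunnr": "0000100001", "name": "Jane Example", "email": "jane@example.com",
              "iban": "DE00123456780000000000", "phone": "+49 30 0000000"}]
CONTACTS = [{"kunnr": "0000100001", "email": "jane@example.com", "role": "billing"}]


if __name__ == "__main__":
    print(scramble_table(CUSTOMERS))
    print(scramble_table(CONTACTS))
```

Because the pseudonym is an HMAC rather than a plain hash, a test-system user who knows a candidate value cannot confirm it by recomputing the digest, which is the property a pseudonymization must have to count as protection rather than just obfuscation.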
Instruments for complex data privacy operations
Maintaining records and retention rules for different types of information, with differentiated retention rules per country or organizational entity, can be a challenge.
SAP Data Controller Rule Framework
The SAP Data Controller Rule Framework can be used to define differentiated business rules on the retention of SAP data, used for the blocking and deletion of SAP data.
This “rule generator” populates SAP ILM with the correct ILM rules.
Mass processing of deletion in HR: process models
The HR process workbench can be used to define (country specific) data destruction processes for the execution of the (controlled) destruction of data from many different infotypes.
Data subject information requests
SAP Information Retrieval Framework (IRF)
The Information Retrieval Framework toolset can be used to define and execute the reporting of personal data in case of a data subject request. There are also alternative 3rd party tools delivered by e.g. EPI-USE.
Privacy management instruments
What privacy management could look like in SAP
There are many different tools to administer, monitor, document and control different data privacy aspects. SAP promotes SAP GRC, and is thinking about the development of a data protection cockpit. There are also many non-SAP tools on the market, delivered by e.g. Truste, Nymity, etc.
Summary of privacy enhancing SAP tools
The roadmap to GDPR compliance
Key questions
Technical measures:
What are the appropriate privacy enhancing tools?
Implement technical measures based on defined policies
Etc.
Questions?
DISCLAIMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The author assumes no responsibility for errors or omissions in this document, except if such damages were caused intentionally or by gross negligence.