Over this series of 12 articles we have, hopefully, given you a more in-depth understanding of various aspects of the General Data Protection Regulation (GDPR) and how it applies to SAP-centric businesses. Where possible we have highlighted pieces of SAP software that can assist on your journey to compliance. In this, the final article of the series, we look at some of the questions businesses have asked over the preceding months, together with their answers.
Q1. When should we start preparing for the GDPR?
18 months ago!
The GDPR became law 18 months ago. It becomes ‘active’ on 25th May 2018. It was designed like this, as it represents such a fundamental change to how businesses manage citizen data that the European Commission (EC) gave businesses 2 years to become compliant. If you have not started your preparations you should start now, without any further delay. Accept that you will not be compliant by 25th May 2018 and aim to show significant progress towards compliance. Focus on understanding the processing you undertake, how you gain consent and how you can enable the data subjects’ rights of disclosure, access, rectification, blocking, and deletion. SAP Information Steward will enable you to understand your processing and SAP Information Lifecycle Manager will allow you to enact archive access, retention, rectification, blocking and deletion.
Q2. Our data is in the cloud. Is that an issue?
Yes. There are two main issues with clouds and cloud providers, and this applies to services such as SAP SuccessFactors, SAP Concur, AWS, Microsoft OneDrive etc. Firstly, your cloud provider is classed as a Processor under the GDPR. As such, there are provisions within the GDPR that they need to satisfy. Some of those provisions will require amendment of contracts; for example, Processors should be contractually obliged to assist a Controller in meeting its obligations under the GDPR (e.g. breach reporting). Others will require you to reach out to your cloud provider for documentation. For example, Controllers are required to demonstrate that Processors meet the requirements of the GDPR, so you will need to ask your cloud provider for written proof that it meets the requirements that the GDPR places upon it.
The second issue is to do with location. In the past we had the notion that the cloud is the cloud: our data is in the cloud, and where the cloud is physically located doesn’t matter, because our data is available wherever we go. With the GDPR, the location of those cloud servers, and of our data, matters. To transfer an EU citizen’s data outside of the European Economic Area you require a ‘legitimate reason to transfer data overseas.’
One reason could be that you are transferring data to a country that the European Commission has decided has adequate domestic and data protection laws in place; the EC has granted the country a so-called Adequacy Decision. Switzerland has one, so does Canada. Japan is negotiating one now. The UK does not currently need one, as it is part of the European Union, for now.
When the UK exits the European Union (BREXIT) we will leave the European Economic Area, thus becoming a 3rd country in data protection terms. We will not have an adequacy decision and, unless you have put other mechanisms in place, all of your HR data will be locked up in a server in Germany, for instance, and inaccessible to you, because accessing it would require transferring data to a 3rd country (the UK), and that breaches the GDPR. If you are a multinational company and have personal data, as defined by the GDPR, stored in servers outside of the UK, then you need to review the ‘legitimate reason to transfer data overseas’ that you have in place, or find one.
Q3 Subject Access Requests – We only have to send people 1 year’s worth of data?
No, you have to send them everything. The GDPR does not make any reference to a time span with regards to subject access requests. The European Court of Justice has issued opinions which indicate that there is no time limit. When processing a Subject Access Request, you should go as far back historically as it is reasonably feasible for you to go. SAP Information Steward will enable you to see within which systems data is residing and SAP Information Lifecycle Manager will allow you to access it.
Q4 Subject Access Requests (SAR) have to be in writing?
A subject access request can be ‘served’ on a company in any reasonable format. Companies are not permitted to force data subjects to submit SARs via a specific form on a website. Data subjects could handwrite and post a SAR, but they could also email, text, or tweet one. Controllers have at most one month from the date of receipt of a SAR to respond to it. That’s the date of receipt at the company, not the date the SAR reached the person within the company who would actually deal with it.
Companies should ensure that ALL staff are trained, especially staff who are customer facing, be they Help Desk, Social Media, Customer Service staff or others. Subject Access Requests may be written such that they do not contain the term Subject Access Request. They may be branded as Freedom of Information requests, or something different. Under the GDPR, data subjects do not have to use the term Subject Access Request to get access to their data. To simplify this process, use SAP Information Steward to see within which systems data is residing and SAP Information Lifecycle Manager to access it. SAP Process Control will help ensure that any infringements of your timescale policy are flagged up.
Q5 Our staff send personal email through our corporate systems. What do we do if somebody enacts the Right To Be Forgotten (Erasure)?
The right to erasure was developed with web data in mind. For example, if I delete my Facebook account, I am withdrawing my consent for Facebook to process that data. As such I can request that Facebook delete my data and they will need to comply with that request, because they were processing my data based upon consent and I have withdrawn that consent.
Under European law, staff are entitled to use corporate systems for personal use for a small proportion of their time. The thinking is that, as a citizen, you have to manage your life, and given that you are at work for a portion of your time, it is reasonable to expect that you would need to manage your life at some point during your working day.
If a member of staff sent emails from their personal web-based email program using a corporate network during the working day, that would be captured in the logs of a corporate server. If staff sent personal emails from a corporate email account, that would be captured in the email server.
The key to managing both of these situations is policy. Staff need to be informed at the outset that, as a company, you have a duty to archive data such as emails, the legitimate reason why you archive the data, and that data will be archived for X amount of time and then deleted. Any personal emails that they send via corporate systems may well be captured and held in the archive until the archive is deleted.
Ensure that amongst other things the IT acceptable use policy sets out whether staff are permitted to send personal emails from corporate email accounts, or whether corporate accounts are business only. The data retention policy will set out for how long things like corporate emails and web log files will be retained. SAP Process Control can be used to analyse the email archives, identifying and classifying the data within them.
Q6 Does the GDPR apply to B2B companies?
Yes. The GDPR applies to all companies who process European Citizen data. So, the GDPR will apply to B2B companies in the sense of the HR data that they hold. It will also apply to data that they hold about their corporate customers, where that data is an identifiable individual. For example, if you store the contact details of the buying manager of your customer in your CRM system, then those details are covered by the GDPR.
If you engage in B2B marketing, your obligations are unchanged. Your marketing activity is regulated by the E-Privacy Directive and that does not change under the GDPR. Under the GDPR you must have a lawful basis to process employees’ contact details for B2B marketing, and many companies will most likely still use legitimate interest as their reason for processing the data. However, you should build mechanisms within all of your systems such that the data subjects’ rights (Access, Rectification, Erasure etc.) can be enacted. SAP Information Lifecycle Manager can facilitate this.
Over many months we at Proceed have seen companies getting stressed about the wrong things with regards to the GDPR, focusing on the small details or burying their heads in the sand. Hopefully this series and the accompanying podcasts have been useful in outlining your road to compliance and dispelling some of the myths and inaccuracies around the GDPR.
The UK Information Commissioner is on record as saying there is no grace period. Come 25th May 2018 the GDPR becomes active and enforcement of it will begin.
The time for putting your head in the sand has long since passed. Compliance with the GDPR requires work; however, a lot of that work is not complex. There are some tasks that can put companies on a pathway to compliance quickly and easily. The key is not to make the journey alone, and to engage with qualified people who can help you.
If you missed the GDPR series, catch up here at your leisure.
Stephen Lofthouse MSc BSc PGCLTHE FHEA CIPP/E is a Certified Information Privacy Professional and Consultant with Proceed. He is a member of the International Association of Privacy Professionals, and an award-winning SAP mentor.