The supply of and need for data are greater than ever before. This abundance of information, combined with technological advances, means that data laws necessarily have to become more stringent to protect individuals and promote confidence in how data is being used by businesses. Data regulation compliance is an integral part of this. Probably the most prominent of these regulations are GDPR and POPIA. Proceed provides data protection services to help you get your SAP data compliant.
Meeting regulatory requirements with confidence
The risks of non-compliance
Not complying leads to significant fines and compliance risks. The EU, for instance, created two tiers of maximum fines for companies violating the GDPR. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower threshold fine is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.
What is considered privacy relevant information?
There are many elements of personal information. Some examples are name, gender, age, date of birth, marital status, citizenship, veteran status, disabled status, IP address (some jurisdictions), business and personal addresses, phone numbers, emails, internal identification numbers, credit card and bank account numbers, government issued identification numbers (social security, driver's license numbers) etc. It is important to remember that business data elements can be considered personal information as well.
“Personal data” is defined as “any information relating to an identified or identifiable natural person” - are you on top of this?
By using SAP ILM, other SAP best practice tools and our in-house complementary products, we assist with meeting regulations. Proceed is proud of our experienced in-house SAP data and document management experts, who can help your organisation navigate the transition to compliance. We know both the legislation and SAP, not just for GDPR but for all the requirements needed to meet the global plans for data privacy over the next 10 years.
SAP ILM Data Protection Tools
To manage the lifecycle of information (that is, to put it under corporate control), we typically use SAP Information Lifecycle Management (ILM) as part of the data protection service we provide. SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data in a controlled manner, using records management and retention policies.
Data destruction objects
For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers data destruction objects. In the SAP module HCM we find in excess of 100 data destruction objects, and the SAP HCM data destruction objects can, in most cases, be used without additional SAP license implications.
Privacy relevant data should be managed in alignment with other legislation based on retention rules. Other, overruling legislation (e.g. tax regulations) might require the preservation of privacy relevant data, blocking, for example, the destruction of financial data containing privacy relevant data. With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.
Data destruction in SAP
Based on the retention rules defined in SAP ILM, it is possible to comply with legislation that requires privacy relevant SAP data to be destroyed in a controlled way. SAP ILM is the only SAP-approved method of data destruction in SAP.
Data logging involves tracking who has requested data within the SAP system, as well as what SAP data has been requested. This can go a long way to preventing data breaches if users know that their activity is being monitored.
Another way to protect SAP data is through hiding or masking data fields by default, giving only authorised users the ability to access unmasked data. This is an effective way to manage different business requirement scenarios.
Complementary tools and services
In addition to the extensive functionality of SAP ILM, we have also developed internal tools and services to support the delivery of successful compliance projects.
There is often an assumption that SAP ILM has everything you need for HCM data. In fact, SAP ILM only provides deletion objects and there is no functionality to block access to an employee record once they have left the organisation.
Our Proceed Automate tool has been developed to complement SAP ILM and provide a comprehensive compliance project across your SAP HCM personal data.
GDPR Data analyser tool
There are many database tables within an SAP system, and identifying which ones could potentially harbour GDPR relevant data is a time-consuming challenge. Furthermore, mapping the tables back to the business processes and workstreams adds even more complexity.
We developed a tool that analyses the database tables, looking for where GDPR relevant data may be and mapping it back both to its functional source and to a potential ILM object. This helps the business decide on an appropriate strategy for meeting GDPR compliance.