General Data Protection Regulations for SAP Information
SAP system users should be interested in what needs to be done to apply data privacy laws to their SAP systems, in particular how to handle SAP data in accordance with the Global Data Protection Regulations for SAP Information.
The risks of non-compliance
Not complying leads to significant fines and compliance risks. The EU, for instance, created two tiers of maximum fines for companies violating the GDPR. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower fine threshold is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.
What is considered privacy relevant information?
There are many elements of personal information.
Some examples are name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, IP address (some jurisdictions), business and personal addresses, phone numbers, email addresses, internal identification numbers, credit card and bank account numbers, government-issued identification numbers (social security, driver’s license numbers, etc.) and identity verification information, etc.
It is important to remember business data elements can be considered personal information as well.
“Personal data” is defined as “any information relating to an identified or identifiable natural person”.
The supply of and need for data is greater than ever before. This abundance of information, combined with technological advances, means that data laws necessarily have to become more stringent to protect individuals and promote confidence in how data is being used by businesses. Data regulation compliance is an integral part of this. Data management underpins Proceed’s approach to ensuring your SAP data is compliant, using SAP ILM and other SAP best practice tools to assist with meeting these regulations.
Proceed are proud of their experienced in-house SAP data and document management experts, who can help your organisation navigate the transition to compliance along with Data Privacy Experts who know both the legislation and SAP, not just for GDPR but for all the requirements needed to meet the Global plans for data privacy over the next 10 years.
SAP ILM Data Protection Tools
The lifecycle of information (put under corporate control) can be managed with SAP Information Lifecycle Management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data in a controlled manner, using records management & retention policies.
SAP ILM Data Retention is now part of your SAP ERP licence for compliance.
Data destruction objects
For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers data destruction objects. In the SAP module HCM we find in excess of 100 data destruction objects, and the SAP HCM data destruction objects can (in most cases) be used without additional SAP license implications.
Retention policy: manage the lifecycle of your data
Privacy relevant data should be managed in alignment with other legislation based on retention rules. Other (overruling) legislation, e.g. tax regulations, might require the preservation of privacy relevant data, blocking, for example, the destruction of financial data containing privacy relevant data.
With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.
Data destruction in SAP
Based on the defined retention rules in SAP ILM it is possible to comply with legislation rules to destroy privacy relevant SAP data in a controlled way.
Data logging involves tracking who has requested data within the SAP system, as well as what SAP data has been requested. This can go a long way to preventing data breaches if users know that their activity is being monitored.
Another way to protect SAP data is through hiding or masking data fields by default, giving only authorised users the ability to access unmasked data.
Automate from Proceed
There is often an assumption that SAP ILM has everything you need for HCM Data. However, ILM provides Deletion Objects only; there is no functionality to Block Access to an employee once they have left the organisation, yet due to legislation employers still have to keep employee data for many years. Also, deletion through SAP ILM does not delete all of the employee’s data; certain key records are kept. Proceed’s solution, Automate, eliminates these issues, with or without SAP ILM retention manager, simplifying the tasks required to implement a thorough compliance project across your SAP HCM personal data. For more information on this innovative solution from Proceed, download our white paper.
Contact us through the link below, and we will be happy to discuss and give guidance on your Global Data Protection Regulations for SAP Information strategy for your SAP Data & Documents.
Contact us to find out how we can help.