On Thursday, 14 April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR).
The GDPR came into effect on 25 May 2018, and companies should now be accountable for all personal data they collect across their business.
SAP system users should be interested in what needs to be done to apply the new EU data privacy laws to their SAP systems, in particular how to handle SAP data in accordance with the regulations.
The risks of non-compliance with GDPR
Not complying with the GDPR (General Data Protection Regulation) leads to significant fines and compliance risks. The EU created two tiers of maximum fines for companies violating the GDPR. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower threshold fine is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.
What is considered privacy relevant information?
There are many elements of personal information. Some examples are name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, IP address (in some jurisdictions), business and personal addresses, phone numbers, email addresses, internal identification numbers, credit card and bank account numbers, government-issued identification numbers (social security number, driver's licence number, etc.) and identity verification information.
It is important to remember business data elements can be considered personal information as well.
"Personal data" is defined as "any information relating to an identified or identifiable natural person".
The supply of and need for data is greater than ever before. This abundance of information, combined with technological advances, means that data laws necessarily have to become more stringent to protect individuals and promote confidence in how data is being used by businesses. Data regulation compliance is an integral part of this. Data management underpins Proceed's approach to ensuring your SAP data is GDPR compliant, using SAP ILM and other SAP best-practice tools to assist with meeting these regulations.
Proceed's experienced in-house SAP data and document management experts can help your organisation navigate the transition to GDPR compliance, together with data privacy experts who know both the legislation and SAP, not just for GDPR but for all the requirements needed to meet the EU plans for data privacy over the next 10 years.
SAP ILM GDPR Tools
The lifecycle of information that has been put under corporate control can be managed with SAP Information Lifecycle Management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data in a controlled manner, using records management and retention policies.
SAP ILM Data Retention is now part of your SAP ERP licence for GDPR compliance.
Data destruction objects
For the controlled destruction of privacy-relevant SAP data and documents, SAP ILM offers data destruction objects. In the SAP HCM module there are more than 100 data destruction objects, and in most cases the SAP HCM data destruction objects can be used without additional SAP licence implications.
Retention policy: manage the lifecycle of your data
Privacy-relevant data should be managed in alignment with other legislation, based on retention rules. Other, overriding legislation (for example tax regulations) might require the preservation of privacy-relevant data, which blocks, for instance, the destruction of financial data that contains privacy-relevant data.
With SAP ILM this can be harmonised by applying specific policies to specific types of SAP data.
Data destruction in SAP
Based on the retention rules defined in SAP ILM, it is possible to comply with the GDPR requirement to destroy privacy-relevant SAP data in a controlled way.
Data logging involves tracking who has requested data within the SAP system, as well as which SAP data has been requested. This can go a long way towards preventing data breaches if users know that their activity is being monitored.
Another way to protect SAP data is to hide or mask data fields by default, giving only authorised users the ability to access unmasked data.
Automate from Proceed
There is often an assumption that SAP ILM has everything you need for HCM data. However, ILM provides deletion objects only; there is no functionality to block access to an employee's record once they have left the organisation, even though legislation obliges employers to keep employee data for many years. Also, deletion through SAP ILM does not delete all of the employee's data: certain key records are kept. Proceed's solution Automate eliminates these issues, with or without SAP ILM Retention Manager, simplifying the tasks required to implement a thorough compliance project across your SAP HCM personal data. For more information on this innovative solution from Proceed, download our white paper here.
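As an added illustration of the retention, blocking, masking and logging behaviour described above (a constructed example, not Proceed's Automate product and not SAP ILM code): the longest applicable rule decides when destruction is permitted, a leaver's record is blocked and masked until then, and every access is logged. Rule sources, data types, role names and retention periods are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed model: several rule sources (GDPR purpose limitation vs. an
# overriding tax law) can apply to one data type; the longest retention wins,
# so tax law can block destruction of records that contain personal data.

@dataclass(frozen=True)
class RetentionRule:
    source: str      # legislation the rule comes from, e.g. "GDPR", "TaxLaw" (assumed)
    data_type: str   # SAP data category, e.g. "HCM_PERSONNEL" (assumed name)
    years: int       # retain this many years after the employee has left

@dataclass
class Record:
    data_type: str
    subject_left_on: date            # start of the retention clock
    state: str = "active"            # active -> blocked -> destroyed
    audit_log: list = field(default_factory=list)

def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:               # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def effective_retention_end(rules, data_type, start):
    """Longest retention among all rules for this data type (overriding law wins)."""
    years = [r.years for r in rules if r.data_type == data_type]
    if not years:
        raise ValueError(f"no retention rule for {data_type}")
    return _add_years(start, max(years))

def lifecycle_step(rec, rules, today, requester_role):
    """Block access once the subject has left; destroy once retention has expired."""
    end = effective_retention_end(rules, rec.data_type, rec.subject_left_on)
    if rec.state != "destroyed" and today >= end:
        rec.state = "destroyed"
    elif rec.state == "active" and today >= rec.subject_left_on:
        rec.state = "blocked"
    rec.audit_log.append((today, requester_role, rec.state))  # who asked, when, outcome
    return rec.state

def read(rec, requester_role):
    """Masked by default: only the privacy role (assumed name) sees blocked records."""
    if rec.state == "destroyed":
        return None
    if rec.state == "blocked" and requester_role != "DATA_PRIVACY_OFFICER":
        return "****"
    return "<personal data>"
```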
Contact us through the link below, and we will be happy to discuss and give guidance on your GDPR strategy for your SAP Data & Documents.
Contact us to find out how we can help.