
Workshop dataprivacy in SAP

Ing. Nico J.W. Kuijper MSc. CIPP/EU


SAP information & data governance/management consultant, (SAP) Data Privacy Consultant
Certified by the International Association of Privacy Professionals
nico.kuijper@d-im-services.com +31 20 615 82 89

Disclaimer: the author of this presentation does not provide any legal advice regarding data privacy with this presentation.
In this presentation personal opinions, practical experiences on the fulfillment of data protection requirements and possible instruments are discussed.
This presentation contains some pictures/slides from publicly available sources and SAP presentations.
March 29, 2018
Disclaimer: The information contained in this presentation is for general guidance only and provided on the understanding that the
author is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation.
The author accepts no liability for any actions taken as response hereto.
It is the responsibility of your organization to adopt the measures it deems appropriate to achieve GDPR compliance.


March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 1
Questions to the audience

Is your organization currently ready for / compliant with the GDPR?
• Yes?
• No?
• Not sure?
How are other companies doing? https://www.gartner.com/newsroom/id/3701117

Who should be responsible for data privacy in your view?
• Business?
• IT?
• Both?

On what level should data privacy be addressed in the organization?
• Strategic level?
• Tactical level?
• Operational level?
• All these levels above?
Analogy: processing financial transactions

Key elements:
• Legislation
• Legal/fiscal authority
• C-Level executive
• Internal control function
• Governance & policies
• Management layer
• Record/bookkeeping
• Operations/execution layer
• Money flow in/out (CFO)
• External stakeholders

(Labels in the diagram: Fiscal law, etc.; Tax officer; C-level executives; Policy; Head of Finance; Financial Controller; Bookkeeping system; Clerk; "€ in → Processing financial transactions → € out"; External stakeholder(s).)
Analogy: processing privacy relevant data

Key elements:
• Legislation
• Legal authority
• C-Level executive
• Internal control function
• Governance & policies
• Management layer
• Record/bookkeeping system
• Operations/execution layer & tools
• Dataflow in/out (CIO/CDO)
• External stakeholders (e.g. data subjects, external controllers & processors)

(Labels in the diagram: GDPR (legislation); DPA (Data Privacy Authority); C-level executives; Policy; Data controller; DPO (Data Privacy Officer); Privacy "bookkeeping"; Data processor; "Data in → Processing privacy relevant data → Data out"; Stakeholder(s) like data subjects; External stakeholder(s).)

Article on data privacy bookkeeping: https://executive-people.nl/587119/privacy-boekhouding.html

The roadmap to GDPR compliance

Key questions

Identify the context of privacy relevant data
- Where (systems) is privacy relevant data used/stored?
- How & where is it processed (business process)?
- For what (lawful) purpose?
- What are the relevant (legal/fiscal) retention rules?
- Document the outcome in your data register & records and retention scheme

Assess & prioritize privacy risks
- What are the identified privacy risks (PIA)?
- Gap analysis regarding organizational & technical measures
- Evaluate risks, measures & prioritize.

Develop and execute a privacy program
- How to mitigate the identified privacy risks?
- What are our data privacy policies and procedures?
- How do we govern/evaluate (ongoing) data privacy?

Technical measures:
- What are the appropriate privacy enhancing tools?
- Implement technical measures based on defined policies

Etc.
Presentation focus area: PET in the context of SAP

The presentation has a main focus on privacy enhancing technology available in SAP and will also touch on some of the data privacy relevant processes this technology can be used for.
We will not focus on governance, relevant data privacy processes, roles and responsibilities, etc.
Part 1 – GDPR key aspects put into context

GDPR Article 24(1): the GDPR Key aspects

The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/ and here in different languages:
Directive 95/46/EC (General Data Protection Regulation) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

The nature, scope, context, purpose, risk of processing personal data & appropriate measures

Steps shown in the process figure:
1. Identify where privacy relevant data lives in your SAP system
2. Identify the purpose for processing personal data (identify relevant business processes)
3. Identify the context: determine the lawful basis for processing (displayed: a few examples of a lawful basis)
4. Identify the context: determine the retention and deletion periods and triggers
5. Determine the risks of processing the data and implement appropriate (technical) measures (some examples)

Figure labels per step:
- Personal data (in SAP)
- Purpose(s) of processing
- Lawful basis examples: consent (delete after consent is withdrawn); legal obligation (retain personal data based on legal retention times per country: NL x years, DE y years); contract
- Retention and deletion: SAP ILM RM
- Measures: SAP ILM RM, consent management, authorization concept, data masking, anonymization, data breach prevention & detection, etc.

What is considered privacy relevant data?
(Step: Identify where privacy relevant data lives in your SAP system)

“'personal data' means any information relating to an identified or identifiable natural person 'data subject'; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”
Art. 4 Sec. 1 GDPR

What does this mean for SAP Business Suite and SAP S/4HANA?
• Data in SAP Business Suite and SAP S/4HANA is or might become personal data.
  A Sales Order is linked to the Business Partner (ID). The sales order itself could contain additional personal data – or can reveal personal data (purchases of person X).
• Combinations of attributes might become personal data – as soon as it is possible to identify the person behind them. Example: information combined from ECC, CRM, BW, etc.

“Personal data” is defined as “any information relating to an identified or identifiable natural person”
First things first (1): Detect the privacy relevant data living in your systems
(Step: Identify where privacy relevant data lives in your SAP system)

• There are different tools available in the market to detect if and where privacy relevant information lives in SAP systems. SAP promotes e.g. Information Steward, Celonis, etc.

• Tip: a standard “quick to use” SAP report could be used to identify the tables in SAP used to potentially store (sensitive) privacy relevant information. Downside: too limited (does not identify if table records are actually populated with personal data)
First things first (2): Detect the privacy relevant data living in your systems
(Step: Identify where privacy relevant data lives in your SAP system)

• Alternative: a 3rd party analysis tool could be used to verify if table records are actually populated with personal data (e.g. per personnel area), the relevant authorization checks, available data destruction objects for the identified personal data, etc.

Demo?
First things first (3): Detect the privacy relevant data living in your systems
(Step: Identify where privacy relevant data lives in your SAP system)

• Usage of privacy relevant documents
Not only privacy relevant data can be stored in SAP; documents and (email) messages, etc. containing privacy relevant data can be stored in SAP or on the content/archive servers connected to SAP. This needs to be checked as well.

Example: keeping successfully sent emails containing personal data in SAP is a widespread practice (and a potential risk regarding purpose limitation, unauthorized disclosure of email content, data minimization, etc.).
Identify the purpose & processes related to the identified personal data in SAP systems
(Step: Identify the purpose for processing personal data (identify relevant business processes))

• Personal data of a particular person can be used for different (lawful) business purposes. Example: usage of email address

Attribute | Used in system | Data is stored in | Purpose(s) | Business process(es)
Email (customer) | ECC | KNA1, SOES | Different types of business transaction communication | Send contract, order & delivery confirmation (MM/SD), invoices (FI), product defect notifications, etc.
Email (business partner) | CRM | BUT020, SOES | Marketing | Campaign management
Email (employee) | HR | PA0105, SOES | HR - Employee communication | Many different HR processes
Aligning purposes, retention rules & laws
(Step: Determine the lawful basis for processing (displayed: some examples of a lawful basis))

Data | Purpose | Active availability | Retention period
Master data | Dependent on other purposes | With related data | Until last related retention period ends → in this example: pension law
Payment details | Dependent on other purposes | With related data | Until last retention period for payment details ends → e.g. tax law
Communication details | Dependent on other purposes | With related data | With master data
Marketing | Marketing | Until consent is revoked or missing renewal after x years | None
Data: purchase contract for iPhone & maintenance | Processing purchase contract & processing maintenance requirements | Until end of maintenance | Until last related retention period ends → e.g. tax law
Data: purchase contract for “The Divine Comedy” | Processing purchase contract | During processing of purchase contract, possibly for reporting purposes | Until last related retention period ends → e.g. tax law
Data: contract for works | Processing contract for works | During processing of contract for works, possibly for reporting purposes | Until last related retention period ends → e.g. contract law
Data: employment contract | Processing employment relationship | During time of employment and for processing end of employment | Attention: deadlines of pensions, pensions offices, …
Know what information (not) to retain
(Step: Identify the context: determine the retention and deletion periods and triggers)

Note: GDPR Article 17 (right to be forgotten) does not overrule retention rules defined in other legislation!

- What type of information?
- How long should it be preserved?

Develop a Records and Retention Schedule!
Next step: populate your data privacy register, and start with data privacy “bookkeeping”

• Document the results of your data & process analysis in a “data privacy register”

Consult your DPO or privacy program manager.

An example of a very simple data privacy register template is provided by the EDPS.
Source: https://edps.europa.eu/data-protection/our-work/publications/other-documents/register-template-0_en
An example of a more extensive data privacy register template is provided by the Belgian DPA:
https://onetrust.com/wp-content/uploads/2017/09/Belgian-DPA-Registry-of-Processing-Activities-Template-20170907-EN.xlsx
Now that we have identified the context of the data, what's next?
Assess & prioritize the risk using a privacy impact assessment

Consult your DPO or privacy program manager.

There are many different (D)PIA tools and templates. One example: www.isaca.org/GDPR-DPIA
A (D)PIA can be seen as a kind of risk assessment to identify how privacy relevant data is handled (by the different business processes) in your organization. Based on the outcome you can define improvements in different areas (like data protection measures, policies/procedures, etc.).
The roadmap to GDPR compliance (recap of the roadmap slide in Part 1)
Part 2 – Overview of privacy enhancing SAP tools

GDPR Article 24(1): the GDPR Key aspects

The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/

Map the different GDPR articles to “appropriate measures”

(Source picture: SAP SE)
Discussion: identify some measures and supporting (SAP) tools.

(The picture groups the GDPR articles; the article numbers shown are: 24-27; 28-29; 44-50; 40-43; 37-39; 35-36; 25; 30; 33, 34; 5, 12-14; 15; 16; 17; 18; 19; 20; 21; 22; 32; 6, 7; 5-11.)

GDPR articles
The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Overview of some privacy enhancing SAP tools

Data deletion & blocking:
• SAP ILM RM (data blocking & deletion)
• HR process Workbench (mass deletion process automation)
• E-discovery & legal hold
• Data Controller Rule Framework (central retention rules)
• 3rd party PET software

SAP (system/data) security:
• SAP system security (firewall, SSO, encryption, system settings, etc.)

Restrict the access to (personal) data:
• SAP (special) authorizations (SOD, restrict access to privacy relevant data)
• SAP UI Masking (masking/blocking data based on user roles)

Inform the data subject:
• Information Retrieval Framework (report on personal data)

Data breach detection / data access logging:
• SAP Read Access Logging (monitor the access to (sensitive) personal data)
• SAP Enterprise Threat Detection

NON productive systems:
• SAP TDMS (encryption/anonymization)

Consent management, privacy notifications:
• Options for consent request / management (standard SAP functions)
• Privacy management software: SAP GRC Privacy Cockpit (future feature)
Requesting explicit consent in SAP

Individuals have rights when it comes to the collection & processing of personal information. Consent and choice are two of those rights. As a result, organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information.

There are different options in SAP to request explicit consent for the storage and processing of personal data in for example HCM (e-recruiting), ECC, SRM, CRM, IS*, etc.

Processing personal data in SAP without explicit consent is unlawful and should be avoided.

(Tool box: Options for consent request / management (standard SAP functions))
Policy driven erasure of personal data

Under GDPR Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed
(purpose), the data subject objects to processing, or the processing was unlawful.
GDPR Article 5: purpose limitation and data minimization: do not collect/keep data without a clear purpose

Introduction of SAP ILM

The lifecycle of information (put under corporate control) can be managed with SAP Information
Lifecycle management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of
SAP data and documents in a controlled way using records management & retention policies.

Data destruction objects

For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so-called data destruction objects. In the SAP HCM module alone we find more than 100 data destruction objects, and the SAP HCM data destruction objects can (in most cases) be used without additional SAP license implications.
SAP ILM RM: applying retention rules in SAP (1)

• ILM Policies are the instruments to translate (differentiated) external legal & fiscal retention and data destruction rules to SAP data and documents
• ILM retention rules serve mainly the following purposes:
  - separate the data (e.g. per country) during archiving/deletion processes
  - store the data in different containers (when needed for archiving)
  - apply retention rules to the data (how long it MUST be preserved)
  - apply expiration dates (when the data can/must be destroyed)
Retention policy: manage the lifecycle of your data

Privacy relevant data should be managed in alignment with other legislation based on retention
rules. Other (overruling) legislation – e.g. tax regulation – might require the preservation of privacy
relevant data, blocking e.g. the destruction of financial data containing privacy relevant data.
With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.

SAP ILM RM: executing data deletion in SAP

Final (policy based) data destruction in SAP

Based on the defined retention rules in SAP ILM it is possible to comply with the
retention and deletion rules to block and destroy privacy relevant SAP data in a controlled way.
Personal Data Lifecycle in SAP: block or delete?

Processing in accordance with intended purpose → Blocking phase (access only for explicitly authorized persons) → Deletion

Source: SAP
Masterdata: blocking of business partner

Source Picture:SAP SE.

Blocking privacy relevant data

SAP delivers business functions for the blocking of personal (business partner) data that can’t be
deleted instantly for different reasons (SAP data consistency or data must be preserved longer due
to overruling legal or fiscal legislation, etc.).
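To make the block/delete lifecycle from the slides above concrete (the retention table under "Aligning purposes, retention rules & laws", the ILM retention rules with their expiration dates, and the blocking phase in which only explicitly authorized persons may still access the data), here is an added Python example written for this workshop text. It is not SAP ILM code and not the author's. It assumes a constructed rule table keyed by object type and country (the retention years are placeholders, not legal advice), that master data is retained "with related data" and may only be destroyed after the last related document has expired, and that a record in the blocking phase is readable only by explicitly authorized users.

```python
"""Added example (not SAP ILM code): policy-driven block/delete evaluation.

A record is 'active' until its end of purpose, 'blocked' while a legal
retention period still runs (readable only by explicitly authorized users)
and 'deletable' once the last applicable retention period has ended. Master
data is retained 'with related data': it may only be destroyed after the last
related document has expired. Rule table, object types and years are
constructed assumptions, not legal advice.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# (object type, country) -> retention years; None = retain with related data;
# "*" matches any country. Constructed values.
RETENTION_RULES = {
    ("FI_DOCUMENT", "NL"): 7,
    ("FI_DOCUMENT", "DE"): 10,
    ("SALES_ORDER", "NL"): 7,
    ("SALES_ORDER", "DE"): 10,
    ("MARKETING_CONSENT", "*"): 0,    # delete as soon as consent is withdrawn
    ("BUSINESS_PARTNER", "*"): None,  # until the last related retention period ends
}


@dataclass
class Record:
    key: str
    obj_type: str
    country: str
    end_of_purpose: Optional[date]                    # None = still in active use
    related: List[str] = field(default_factory=list)  # records that must expire first


def retention_years(obj_type: str, country: str) -> Optional[int]:
    """Exact country rule first, then the '*' fallback. An unknown type is an
    error, so data without a rule is never silently deleted or silently kept."""
    for k in ((obj_type, country), (obj_type, "*")):
        if k in RETENTION_RULES:
            return RETENTION_RULES[k]
    raise ValueError(f"no retention rule for {obj_type}/{country}")


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def expiry_date(rec: Record, registry: Dict[str, Record]) -> Optional[date]:
    """First date on which rec may be destroyed; None while that is undetermined."""
    if rec.end_of_purpose is None:
        return None
    years = retention_years(rec.obj_type, rec.country)
    own = rec.end_of_purpose if years is None else add_years(rec.end_of_purpose, years)
    dates = [own]
    for key in rec.related:
        dep = expiry_date(registry[key], registry)
        if dep is None:             # a related document is still in use
            return None
        dates.append(dep)
    return max(dates)


def phase(rec: Record, registry: Dict[str, Record], today: date) -> str:
    if rec.end_of_purpose is None or today < rec.end_of_purpose:
        return "active"
    exp = expiry_date(rec, registry)
    if exp is None or today < exp:
        return "blocked"
    return "deletable"


def may_read(rec: Record, registry: Dict[str, Record], today: date,
             explicitly_authorized: bool) -> bool:
    """Active data follows the normal authorization concept; after end of purpose
    only explicitly authorized users (e.g. audit) may still display it."""
    return phase(rec, registry, today) == "active" or explicitly_authorized


def sample_registry() -> Dict[str, Record]:
    """Constructed data: two business partners, their documents, one consent."""
    recs = [
        Record("SO-1", "SALES_ORDER", "NL", date(2019, 12, 31)),
        Record("FI-1", "FI_DOCUMENT", "DE", date(2019, 12, 31)),
        Record("BP-1000", "BUSINESS_PARTNER", "NL", date(2020, 3, 1), ["SO-1", "FI-1"]),
        Record("CONSENT-1", "MARKETING_CONSENT", "NL", date(2021, 6, 15)),
        Record("FI-2", "FI_DOCUMENT", "NL", None),                         # still open
        Record("BP-2000", "BUSINESS_PARTNER", "DE", date(2020, 1, 1), ["FI-2"]),
    ]
    return {r.key: r for r in recs}


# Entry points taking ISO dates, as a scheduled destruction run would use them.
def phases_on(today_iso: str, registry: Optional[Dict[str, Record]] = None) -> Dict[str, str]:
    reg = registry if registry is not None else sample_registry()
    today = date.fromisoformat(today_iso)
    return {k: phase(r, reg, today) for k, r in reg.items()}


def deletion_worklist(today_iso: str, registry: Optional[Dict[str, Record]] = None) -> List[str]:
    """Keys the policy-based destruction run may process on that day."""
    return sorted(k for k, p in phases_on(today_iso, registry).items() if p == "deletable")


def may_read_on(key: str, today_iso: str, explicitly_authorized: bool) -> bool:
    reg = sample_registry()
    return may_read(reg[key], reg, date.fromisoformat(today_iso), explicitly_authorized)
```

With the constructed registry, `deletion_worklist("2027-01-01")` returns only the sales order and the withdrawn consent: the business partner stays blocked until its German FI document (10 years) has expired, and BP-2000 can never reach "deletable" while FI-2 is still open. That dependency on related data is the property the blocking phase exists for.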
Restrict the access to personal & sensitive data

Unauthorized access to & processing of privacy relevant data must be prevented using SOD (segregation of duties) principles and (logical) data minimization – access only the data you need.
Authorizations - restrict access to privacy relevant data

Special technical and organizational measures must be taken in order to combat the risk of
unauthorized access to the SAP ERP System. When taken, these measures ensure that
unauthorized viewing and unintentional/intentional manipulation of data is prevented.

Limit access to personal & sensitive data:


• Use a solid, flexible and clear authorization concept
• Define a strict access management policy and process
• Consistent across SAP applications & the database layer (ECC, S/4HANA, BW, HR, FIORI, CRM,…)
• Restrict access to blocked data elements
• Restrict access to data reports
• Store data extracts at secure locations
• Implement sufficient security parameters to prevent unauthorized access
The Audit Information System (transaction SUIM) and many other tools (like GRC) can be
useful.

Authorizations – Analysis of access to personal data

Source Picture: Soterion

Example of a 3rd party tool (Soterion) to assess GDPR related authorization risks
HR: context & time sensitive authorizations

With the authorization object P_DURATION it is possible to block user access to personal data from the past (stored in infotypes). This can be required if data has to remain available because of legal retention periods or is still needed for other processes, but active use or processing by users should no longer be possible because of data privacy rules.
There are many other types of solution, like e.g. SAP Dynamic Authorizations, that can support the definition of tailored authorization concepts.

Source Picture: SAP SE.

Security of personal & sensitive data

Protect the access to privacy relevant data in SAP

Source Picture: SAP SE.

UI Masking and logging (I)

Configure on field level how a field is displayed: define whether data are shown, or how they are masked.

Register authorized users per field:
• In transaction PFCG, assign users to the UI Masking authorization role.
• Users assigned to these roles will be able to see unmasked values for the applicable fields.

Source Picture – Public slides SAP SE.


Authorizations - UI Masking (II)

Result: data masking

Data is masked in GUI transaction display for unauthorized users.

This also affects high-level “admin” system users (in dynamic transactions, e.g. SE11, SE12, SE16, SE16n) unless explicitly authorized.

UI Masking also protects data during download, export, and print.

Source Picture – Public slides SAP SE.


Authorizations - UI Masking (III)

Example of role based masking of particular screen fields.
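As an added illustration of the role based masking described on the three UI Masking slides (written for this page in Python; it is not SAP UI Masking code and not the author's), the example below applies one masking function on the screen display path, on a generic table browse path (the SE16-style case) and on the CSV export path, so that none of them becomes a way around the mask. The field names (IBAN, BIRTHDATE, SALARY), the mask formats, the unmask roles Z_UNMASK_BANK / Z_UNMASK_HR and the generic admin role Z_ADMIN_ALL (used only to show that it is not exempt) are constructed assumptions.

```python
"""Added example (not SAP UI Masking code): role-based field masking applied on
one shared path for screen display, raw table browsing and CSV export.
Field names, mask formats and role names are constructed assumptions.
"""
import csv
import io
from typing import Dict, Iterable, List

# Which role explicitly authorizes a user to see a field unmasked (constructed).
# Generic admin roles are deliberately absent: only the explicit role counts.
UNMASK_ROLE = {
    "IBAN": "Z_UNMASK_BANK",
    "BIRTHDATE": "Z_UNMASK_HR",
    "SALARY": "Z_UNMASK_HR",
}

# Constructed sample rows (the values are made up).
SAMPLE_ROWS = [
    {"PERNR": "00001234", "IBAN": "NL91ABNA0417164300", "BIRTHDATE": "1980-05-17", "SALARY": "4200"},
    {"PERNR": "00004711", "IBAN": "DE89370400440532013000", "BIRTHDATE": "1975-11-02", "SALARY": "5100"},
]


def _mask(field: str, value: str) -> str:
    """Field-level mask format: how a masked value is rendered."""
    if field == "IBAN":
        return "*" * max(len(value) - 4, 0) + value[-4:]   # keep the last 4 characters
    if field == "BIRTHDATE":
        return "****-**-**"
    return "***"


def mask_record(record: Dict[str, str], user_roles: Iterable[str]) -> Dict[str, str]:
    """Copy of record with every protected field masked unless the user holds
    that field's unmask role. Unprotected fields (e.g. PERNR) pass through."""
    roles = set(user_roles)
    return {
        f: (v if f not in UNMASK_ROLE or UNMASK_ROLE[f] in roles else _mask(f, v))
        for f, v in record.items()
    }


def render_screen(record: Dict[str, str], user_roles: Iterable[str]) -> str:
    """Transaction display: one line per field, masked per role."""
    return "\n".join(f"{f:<10}{v}" for f, v in mask_record(record, user_roles).items())


def browse_table(rows: List[Dict[str, str]], user_roles: Iterable[str]) -> List[Dict[str, str]]:
    """Generic table browser: returns masked rows through the same rule path."""
    return [mask_record(r, user_roles) for r in rows]


def export_csv(rows: List[Dict[str, str]], user_roles: Iterable[str]) -> str:
    """Download/export goes through the same masking as the screen."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    for r in rows:
        writer.writerow(mask_record(r, user_roles))
    return buf.getvalue()
```

The design point is that `mask_record` is the only place a protected value is released, and every output path calls it; an export that read the table directly would be exactly the bypass the slide warns about for download, export and print.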


Authorizations - UI logging – Access log (I)

Source Picture – Public slides SAP SE.

Authorizations UI logging – Access log (II)

Source Picture – Public slides SAP SE.


Data breach notifications

“Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed.”
In the event of a personal data breach, data controllers must notify the supervisory authority
“without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Monitoring data breaches in SAP using RAL

If data is leaked, companies must inform the Data Protection Authority (DPA) within 72 hours of becoming aware of the breach. All data breaches must be sufficiently documented.
So organizations must indicate exactly where in the systems breaches have taken place and what consequences they have. They potentially must also inform the owners of the leaked data.

SAP offers a standard tool (as part of NetWeaver) to monitor the unauthorized access to
(privacy relevant) data – even if this is “just looking” at privacy relevant data. The name of the
tool is RAL (Read Access Logging) and it can monitor the access to data from many different
channels.

Source: SAP SE.

RAL (Read Access Logging) - 1

With RAL you can define and categorize the logging purpose, domains and object yourself.

RAL (Read Access Logging) - 2

Access to privacy relevant SAP data via different channels (GUI, internet, RFC) can be logged in a flexible way, so that you can determine in detail what needs to be logged.
RAL can help you significantly in detecting and logging data breaches in SAP.
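Added example (Python; not SAP's RAL, its configuration or its log format): a constructed read-access log with two detection checks run over it, showing what an analysis of "who read which sensitive field through which channel" looks like once such a log exists. The first check flags a mass-read pattern (one user reading the same sensitive field for many distinct records inside a short window); the second flags a read through a channel on which the field is not expected. Users, timestamps, the pipe-separated format, the expected-channel table and the thresholds are constructed assumptions.

```python
"""Added example (not SAP RAL code or log format): a minimal read-access log
and two detection checks over constructed log lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log: timestamp|user|channel|table|field|record key
SAMPLE_LOG = """\
2018-03-29T08:01:10|JDOE|GUI|PA0009|IBAN|00001234
2018-03-29T08:01:12|JDOE|GUI|PA0009|IBAN|00001235
2018-03-29T08:01:15|JDOE|GUI|PA0009|IBAN|00001236
2018-03-29T08:01:17|JDOE|GUI|PA0009|IBAN|00001237
2018-03-29T08:01:20|JDOE|GUI|PA0009|IBAN|00001238
2018-03-29T08:01:22|JDOE|GUI|PA0009|IBAN|00001239
2018-03-29T08:01:25|JDOE|GUI|PA0009|IBAN|00001240
2018-03-29T08:01:27|JDOE|GUI|PA0009|IBAN|00001241
2018-03-29T08:01:30|JDOE|GUI|PA0009|IBAN|00001242
2018-03-29T08:01:33|JDOE|GUI|PA0009|IBAN|00001243
2018-03-29T08:01:35|JDOE|GUI|PA0009|IBAN|00001244
2018-03-29T08:01:38|JDOE|GUI|PA0009|IBAN|00001245
2018-03-29T09:15:02|MSMITH|GUI|PA0009|IBAN|00004711
2018-03-29T09:15:02|MSMITH|GUI|PA0002|BIRTHDATE|00004711
2018-03-29T22:40:51|RFC_BATCH|RFC|PA0002|BIRTHDATE|00001234
"""

# Channels through which each sensitive field is expected to be read (constructed).
EXPECTED_CHANNELS = {"IBAN": {"GUI"}, "BIRTHDATE": {"GUI", "WEB"}}


def parse_log(text: str) -> List[Dict[str, object]]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, channel, table, field, key = line.split("|")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user, "channel": channel,
                        "table": table, "field": field, "key": key})
    return entries


def detect_bulk_reads(entries, threshold: int = 10,
                      window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, int]]:
    """Flag (user, field, count) when one user reads the same sensitive field for
    more than `threshold` distinct records inside any `window`: a single
    business transaction rarely produces that pattern, a mass export does."""
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["user"], e["field"])].append(e)
    findings = []
    for (user, field), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        worst = 0
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            worst = max(worst, len({e["key"] for e in in_window}))
        if worst > threshold:
            findings.append((user, field, worst))
    return findings


def detect_unexpected_channel(entries) -> List[Tuple[str, str, str]]:
    """Flag reads of a sensitive field through a channel it is not expected on,
    e.g. an RFC read of a field that is only ever displayed in a GUI transaction."""
    return [(e["user"], e["field"], e["channel"]) for e in entries
            if e["field"] in EXPECTED_CHANNELS and e["channel"] not in EXPECTED_CHANNELS[e["field"]]]
```

Both checks only work if reads were logged in the first place, which is the point of the slide: RAL produces the evidence; the organization still has to decide which patterns count as a suspected breach and who reviews the findings within the 72-hour window.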
Data privacy versus system & data security

Information security = information privacy?

The term information privacy refers to the handling, controlling, sharing and disposal of personal
information while the term information security includes a very wide range of activities both
physical and administrative that protect not only personal information, but any type of information or
information asset that supports a business.

The difference between information privacy and information security supports the statement,
“You can have security without privacy… but you cannot have privacy without security.”
For example, a computer with solid access controls may be secure; however, if those access controls were not assigned correctly, privacy may still become an issue.

List of possible technical measures

https://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf

The German SAP user group (DSAG) provides a document (maybe not completely updated for the GDPR, but still useful) on the different technical measures you can implement to enhance (data) security and privacy, covering for example:
- recommendations on system parameters
- known authorization risks
- risks related to interfaces
- logging mechanisms and housekeeping
- measures around the security of the (SAP) network, database, system, etc.

Data protection in non productive SAP systems

Context: the GDPR prohibits unauthorized access to personal data and encourages the
pseudonymization/anonymization of data where possible. How do you give developers, testers and
contract workers access to a non-production system without endangering your data privacy and data
security regulations?
Privacy relevant data in NON productive systems

Source Picture – Public slides SAP SE.

SAP offers, with SAP TDMS 4.0, the option to scramble privacy relevant data in non-productive SAP
systems (see the SAP slide on TDMS 4.0 above).
Alternative 3rd party solutions are delivered by e.g. EPI-USE, Natuvion, etc.
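As an added illustration of what "scrambling" a non-productive copy has to achieve (this is example code, not TDMS or any vendor's product), the block below pseudonymizes constructed HR-like rows with a keyed, deterministic mapping. The key stays in the production landscape; the same employee number is replaced by the same pseudonym in every table, so test data keeps its referential integrity, while names, e-mail addresses and birth dates no longer identify a real person. The table and field names are constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta


def _tag(key, domain, value, length):
    """Keyed, deterministic tag for a value; the domain keeps ids and names in separate spaces."""
    msg = f"{domain}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def pseudo_id(key, value):
    # Same input -> same output across all tables, so foreign keys still match.
    return "P" + _tag(key, "id", value, 7)


def pseudo_name(key, value):
    return "Person-" + _tag(key, "name", value, 6).upper()


def pseudo_email(key, value):
    # .invalid is reserved, so scrambled test data can never reach a real mailbox.
    return f"user{_tag(key, 'email', value, 6)}@example.invalid"


def shift_date(key, value):
    # Shift by a keyed 1..365 day offset: age-dependent test logic still roughly works,
    # but the real birth date is gone.
    days = int(_tag(key, "date", value, 4), 16) % 365 + 1
    return value - timedelta(days=days)


# Which scrambling function applies to which (constructed) field name.
FIELD_RULES = {
    "pernr": pseudo_id,
    "name": pseudo_name,
    "email": pseudo_email,
    "birth_date": shift_date,
}


def scramble_row(row, key):
    out = dict(row)
    for field, fn in FIELD_RULES.items():
        if field in out:
            out[field] = fn(key, out[field])
    return out


def scramble_tables(tables, key):
    """Scramble every row of every table with the same key, preserving cross-table links."""
    return {name: [scramble_row(r, key) for r in rows] for name, rows in tables.items()}


# Constructed sample data: two HR-like tables linked by the employee number.
SAMPLE_TABLES = {
    "PA0002": [{"pernr": "00001001", "name": "Jan Jansen", "birth_date": date(1980, 5, 17)}],
    "PA0105": [{"pernr": "00001001", "email": "jan.jansen@example.com"}],
}

if __name__ == "__main__":
    scrambled = scramble_tables(SAMPLE_TABLES, b"constructed-demo-key")
    for table, rows in scrambled.items():
        print(table, rows)
```

The key is the only secret: with a different key the whole copy comes out differently, which is what you want when refreshing a second non-productive system. Fields that are not personal data (organizational units, cost centers) are passed through unchanged so the copy stays usable for testing.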
Instruments for complex data privacy operations

Maintaining records and retention rules for different types of information, with differentiated
retention rules per country or organizational entity, can be a challenge.
SAP Data Controller Rule Framework

The SAP Data Controller Rule Framework can be used to define differentiated business rules on the
retention of SAP data, which are used for the blocking and deletion of SAP data.
This “rule generator” populates SAP ILM with the corresponding ILM rules.
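To show what a differentiated retention rule set does for the two preceding slides (country- and entity-specific rules that drive blocking and destruction), here is an added example that is not the SAP Data Controller Rule Framework or SAP ILM itself. Each rule carries a residence period (end of business purpose until blocking) and a retention period (blocking until destruction); the most specific matching rule wins, and a record's lifecycle state is derived from the two resulting dates. Rule ids, periods and object types are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    rule_id: str
    object_type: str
    country: str = "*"          # "*" matches any country
    org_unit: str = "*"         # "*" matches any organizational unit
    residence_years: int = 0    # end of purpose -> blocked after this many years
    retention_years: int = 10   # blocked -> destroyed after this many years

    def matches(self, rec):
        return (self.object_type == rec["object_type"]
                and self.country in ("*", rec["country"])
                and self.org_unit in ("*", rec["org_unit"]))

    def specificity(self):
        # More concrete conditions beat the generic fallback.
        return (self.country != "*") + (self.org_unit != "*")


# Constructed rule set: a default, a German rule, a German sales-unit rule, a Dutch rule.
RULES = [
    RetentionRule("R-DEFAULT", "CUSTOMER", residence_years=0, retention_years=7),
    RetentionRule("R-DE", "CUSTOMER", country="DE", residence_years=1, retention_years=10),
    RetentionRule("R-DE-SALES", "CUSTOMER", country="DE", org_unit="SALES",
                  residence_years=2, retention_years=10),
    RetentionRule("R-NL", "CUSTOMER", country="NL", residence_years=0, retention_years=7),
]


def add_years(d, n):
    try:
        return d.replace(year=d.year + n)
    except ValueError:                      # 29 February in a non-leap target year
        return d.replace(year=d.year + n, day=28)


def select_rule(rec, rules=RULES):
    candidates = [r for r in rules if r.matches(rec)]
    if not candidates:
        raise LookupError(f"no retention rule for {rec['object_type']}")
    return max(candidates, key=lambda r: r.specificity())


def retention_dates(rec, rules=RULES):
    """Return (rule id, blocking date, destruction date) for a record."""
    rule = select_rule(rec, rules)
    block = add_years(rec["end_of_business"], rule.residence_years)
    destroy = add_years(block, rule.retention_years)
    return rule.rule_id, block, destroy


def lifecycle_state(rec, today, rules=RULES):
    """'active' until blocking date, 'blocked' until destruction date, then 'destroy'."""
    _, block, destroy = retention_dates(rec, rules)
    if today < block:
        return "active"
    if today < destroy:
        return "blocked"
    return "destroy"


if __name__ == "__main__":
    rec = {"object_type": "CUSTOMER", "country": "DE", "org_unit": "SALES",
           "end_of_business": date(2015, 6, 30)}
    print(retention_dates(rec), lifecycle_state(rec, date(2018, 3, 29)))
```

A "blocked" record is the one that should only remain readable to users with a specific need (tax audit, legal hold), which is where the authorization and masking measures from the other slides pick up; "destroy" is the state the mass destruction run selects on.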
Mass processing of deletion in HR: process models

The HR process workbench can be used to define (country specific) data destruction processes for
the execution of the (controlled) destruction of data from many different infotypes.
Data subject information requests

SAP Information Retrieval Framework (IRF)

Source: SAP SE.

The Information Retrieval Framework toolset can be used to define and execute the reporting of
personal data in case of a data subject request. There are also alternative 3rd party tools delivered
by e.g. EPI-USE.
Privacy management instruments

What privacy management could look like in SAP

Source: SAP SE.

There are many different tools to administer, monitor, document and control different data privacy
aspects. SAP promotes SAP GRC, and is thinking about the development of a data protection
cockpit. There are also many non-SAP tools on the market, delivered by e.g. Truste, Nymity, etc.

Summary of privacy enhancing SAP tools

Data deletion & blocking:
- SAP ILM RM (data blocking & deletion)
- HR process workbench (mass deletion process automation)
- Data controller rule framework (central retention rules)
- E-discovery & legal hold

SAP (system/data) security:
- SAP system security (firewall, SSO, encryption, system settings, etc.)
- 3rd party PET software

Restrict the access to (personal) data:
- SAP (special) authorizations (SOD, restrict access to privacy relevant data)
- SAP UI Masking (masking/blocking data based on user roles)

Inform the data subject:
- SAP Information Retrieval Framework (report on personal data)

Data breach detection / data access logging:
- SAP Read Access Logging (monitor the access to (sensitive) personal data)
- SAP Enterprise Threat Detection

NON productive systems:
- SAP TDMS (encryption/anonymization)

Consent management, privacy notifications:
- Options for consent request / management (standard SAP functions)

Privacy management software:
- SAP GRC
- Data Protection Cockpit (future feature)

The roadmap to GDPR compliance

Key questions

Identify the context of privacy relevant data
- Where (in which systems) is privacy relevant data used/stored?
- How & where is it processed (business process)?
- For what (lawful) purpose?
- What are the relevant (legal/fiscal) retention rules?
- Document the outcome in your data register & records and retention scheme

Assess & prioritize privacy risks
- What are the identified privacy risks (PIA)?
- Gap analysis regarding organizational & technical measures
- Evaluate risks, measures & prioritize.

Develop and execute a privacy program
- How to mitigate the identified privacy risks?
- What are our data privacy policies and procedures?
- How do we govern/evaluate (ongoing) data privacy?
- Technical measures: what are the appropriate privacy enhancing tools? Implement technical measures based on defined policies
- Etc.
Questions?

DISCLAIMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to,
the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The Author assumes no
responsibility for errors or omissions in this document, except if such damages were caused intentionally or by gross negligence.
