
SAP Database and Data Management Portfolio/SAP GRC Solutions

Ready for the GDPR, Ready for the Digital Economy
Fast-Track Your Business for the Digital Economy While Addressing GDPR Requirements
Table of Contents

Ready for the GDPR, Ready for the Digital Economy
  Defining Data Privacy for the Digital Age
  What Does This Mean for Your Business?
  GDPR Challenges and Opportunities
  How Can SAP Help?

Better Data Management Improves Business Outcomes
  Understand Where Personal Data Resides
  Understand How Personal Data Is Processed
  Enhance Data Quality
  Address Data Retention and Deletion Requirements

Better Corporate Governance Improves Business Outcomes
  Streamline Access Control
  Enhance Control Monitoring
  Keep Personal Data Secure
  Collaborate Safely Across Your Business Network
  Assess the Financial Impact of Access Risk

Next Steps



Ready for the GDPR,
Ready for the Digital Economy
Explore How SAP® Solutions and Services Can Help You
Achieve the Best of Both Worlds

The deadline for enforcement of the General Data Protection Regulation (GDPR) is only a matter of months away, and the severe financial penalties for noncompliance have been well publicized. Yet the new regulation also represents a wider opportunity to transform the way you handle data and manage risk and compliance so that your organization is in better shape to compete in the digital economy. On the following pages, discover some of the ways that SAP and our partners can help you accelerate your digital transformation journey and address GDPR requirements along the way.

DEFINING DATA PRIVACY FOR THE DIGITAL AGE
Today’s digital world is driven by data. All our actions, transactions and interactions – whether via social media, smart devices or connected machines – leave a trail of potentially exploitable personal information about our tastes, preferences, and likely future behavior. This data explosion has raised new concerns about data privacy and security, and updated legislation was required to protect individuals from misuse of their data in this modern digital age.

In response, the General Data Protection Regulation will be enforced from May 25, 2018, and has been described as one of the most far-reaching pieces of regulation ever. Although the GDPR was specifically designed to protect the data and fundamental privacy of all EU citizens, its reach is global. It affects every company around the world that stores or processes personal data about EU citizens – irrespective of where the data processing is done. The detailed requirements of the GDPR are well documented elsewhere, but in essence, the regulation has increased focus on two key areas: individual rights and accountability.

WHAT DOES THIS MEAN FOR YOUR BUSINESS?
The GDPR will potentially affect every commercial and public sector organization that processes EU citizen data. At one end of the scale, this could be simply how you handle your internal employee data; at the other end, it could have dramatic and far-reaching effects on how you process and store large volumes of customer data across multiple markets.

Either way, your organization needs to be ready to show compliance in two key areas by the enforcement date and beyond. The first is the ability to deal effectively with individuals’ rights such as data rectification and erasure. The second is the new principle of accountability: demonstrating how compliance is achieved on an ongoing basis through documentary evidence.

GDPR CHALLENGES AND OPPORTUNITIES
This means that the GDPR will have implications across the business and is not only an IT issue. In larger or more complex organizations, it could affect everything from finance, HR, risk and compliance management, and security, to sales, marketing, and customer service. At SAP, we believe this is an opportunity to look at the bigger picture and view regulatory compliance within the wider context of digital transformation and the future direction of your business.

Today’s organizations need to be fit for digital business, today and tomorrow. The requirements of the GDPR can therefore serve as a useful accelerator to harnessing the full value of your data by channelling resources into the right areas. Instead of thinking of the GDPR as an unavoidable cost, consider it as a valuable investment in your digital future.



HOW CAN SAP HELP?
No matter where you are on your GDPR journey, SAP and our
partners can help. We offer a wide range of integrated data
management and governance, risk, and compliance (GRC)
solutions that cover SAP® and non-SAP applications and work
with your existing infrastructure investments to streamline and
automate processes.

We cannot guarantee GDPR compliance, of course, as it is about more than software, and you are responsible for adopting the measures you deem appropriate to achieve compliance. However, we can give you the tools and capabilities you need to accelerate your journey, automate compliance processes, and become a more agile digital business in better shape for long-term success. Browse the following pages to find out more.

€20 million
Potential penalty for noncompliance,
or 4% of annual global revenue,
whichever is greater



Better Data Management
Improves Business Outcomes
Simplify Your Compliance Efforts with End-to-End
Data Management

The successful digital business relies on information excellence. It follows that the more effectively you manage data across the organization, the more straightforward it will be to address your GDPR requirements. SAP offers a range of integrated enterprise information management (EIM) and data management solutions to help you understand, integrate, cleanse, manage, associate, and archive your data (see Figure 1). These solutions help you accelerate and scale your efforts to address GDPR requirements, and provide a strong foundation to address digital business needs such as workforce engagement, supplier collaboration, and improving customer experiences.

UNDERSTAND WHERE PERSONAL DATA RESIDES
The first step in any data management initiative is to understand the current state of your data. SAP Information Steward software combines data profiling, metadata, stewardship, and governance capabilities into a single solution that enables you to understand:
• What systems are collecting personal data
• What formats are being used for personal data
• How personal data is being categorized and tagged
• If personal data is accurate and consistent across sources

UNDERSTAND HOW PERSONAL DATA IS PROCESSED
The GDPR also requires companies to understand how personal data flows through business processes and applications. While most companies have business process models as part of their enterprise architecture, SAP Process Mining software by Celonis tracks how personal data actually flows through processes and applications. With a clear picture of whether processes are running as designed, as well as where and when processing takes place, you can truly understand:
• What business processes are using personal data
• If those processes include third-party entities
• What applications support those processes
• If there are undocumented variant subprocesses

ENHANCE DATA QUALITY
Addressing GDPR requirements for rights to data access, rectification, portability, and erasure is much harder if there are no standards for formats and definitions used across the systems acquiring, processing, and storing personal data. SAP Data Services software provides best-in-class functionality for data integration, quality, and cleansing that helps you:
• Standardize formats to ensure consistency across systems
• Cleanse personal data to ensure accuracy
• Match and consolidate multiple records to simplify data management
• Implement checks during data entry to ensure quality and consistency over time

46%
Higher revenue growth for organizations that recognize information as a strategic key asset
SAP Performance Benchmarking



ADDRESS DATA RETENTION AND DELETION REQUIREMENTS
While the GDPR has specific requirements around deletion of personal data, based on a legal basis for processing and individuals’ rights to erasure, other regulations require a legal hold of data for activities like tax reporting and e-discovery. The SAP Information Lifecycle Management (SAP ILM) component and SAP Extended Enterprise Content Management application by OpenText can help you simplify management of archiving, retention, and destruction of personal data to address the ever-growing, constantly evolving list of country and industry regulations.

The software enables you to:
• Define sophisticated policies and rules for archiving, deletion, and retention that incorporate requirements from multiple regulations
• Delete both personal data and any associated content such as invoices, e-mails, and social media content
• Set up access controls and encryption of archived data
• Reduce the cost and risk of data access and portability requests by automating data collection
• Maintain audit trails and reporting capabilities for documenting deletion of personal data

Figure 1: Solutions for Information Excellence and Compliance from SAP Throughout the Personal Data Lifecycle

Governance, risk, compliance, and security solutions
• SAP® Process Control application: Use assessments and surveys for ownership, status, and data privacy impacts. Manage and monitor policies and controls.
• SAP Access Control application: Control or block user access to sensitive data and business processes. Support compliant user provisioning.

Business systems

Database and data management solutions
• SAP Information Lifecycle Management component: Retention, blocking, and deletion of sensitive data for ABAP®-based SAP systems.
• SAP Data Services and SAP Information Steward software: Tagging, profiling, and accuracy of personal data across landscapes.

Personal data lifecycle stages: Acquisition, Processing, Archiving, Deletion



Better Corporate Governance
Improves Business Outcomes
Simplify Compliance Efforts with End-to-End Governance,
Risk, and Control

The GDPR isn’t just about data management. Nearly half of the articles in the regulation are related to business procedures associated with policies, controls, record keeping, and the accountabilities of different roles and entities. To avoid costly penalties, governance of policies, processes, and people must be clearly defined and documented.

Just as the successful digital business relies on information excellence, it also relies on governance excellence. This requires a robust, consistent, and holistic approach across the enterprise. Based on the “three lines of defense” model, SAP offers a range of governance, risk, and compliance (GRC) solutions that allow different parts of the organization to work together cohesively within an integrated framework. The solutions enable the organization to automate its risk, compliance, and audit management processes and to monitor the enforcement of policies and effectiveness of controls. This can greatly assist in addressing GDPR requirements as part of day-to-day business operations moving forward.

STREAMLINE ACCESS CONTROL
To meet GDPR compliance, you need to know who has access to your data. The SAP Access Control application automates the process of managing and validating user access to applications and data – all with minimal support from IT.
• Automatically detect and remediate access-risk violations across SAP and non-SAP systems
• Embed compliance checks and mandatory risk mitigation into business processes
• Automate reviews of user access, role authorizations, risk violations, and control assignments
• Create a comprehensive audit trail of user and role-based access control activities

ENHANCE CONTROL MONITORING
The GDPR also requires companies to continually monitor compliance and quickly respond to issues. The SAP Process Control application automates the monitoring of controls and policies and provides best-practice workflows for the notification of exceptions. This allows you to identify, prioritize, and remediate any regulatory issues – including GDPR and many other requirements – quickly and effectively.
• Document policies and controls centrally and map them to all relevant requirements of the regulation
• Evaluate control design and operating effectiveness, and raise, track, and remediate issues
• Perform automated, exception-based monitoring across heterogeneous application landscapes
• Improve accountability and decision-making with workflow sign-off and analytics

KEEP PERSONAL DATA SECURE
Secure data storage is a key GDPR requirement. Cyberattacks can come both from inside and outside the organization, and to react quickly and effectively, you need actionable information in real time. The SAP Enterprise Threat Detection application provides real-time security monitoring to help you protect the integrity of your critical business processes and prevent theft or manipulation of business data.
• Gather events from the landscape
• Evaluate attack-detection patterns
• React on critical alerts
• Gain an overview of the threat situation



COLLABORATE SAFELY ACROSS YOUR BUSINESS NETWORK
Data processors and controllers are both responsible for GDPR requirements for personal data, wherever that data may be in your business network. The SAP Dynamic Authorization Management application by NextLabs enables you to quickly and securely share data with partners using dynamic attribute-based access control (ABAC). With this solution you can:
• Classify and segregate data based on metadata, content,
association, or policy
• Establish fine-grained, attribute-based access policies
• Automate access authorization based on policies
• Centralize activity logging and auditing to simplify reporting

ASSESS THE FINANCIAL IMPACT OF ACCESS RISK


Managing user access to applications and data requires a
careful balance – too much access creates risk, and too little
impacts business operations. The SAP Access Violation
Management application by Greenlight enables you to make
informed decisions by automatically measuring access risk
and assessing its financial impact.
• On-premise or cloud deployment
• Monitoring of violation cost and impact
• Decreased manual control efforts
• Centralized monitoring, investigation tracking, and resolution
of violations

50%
Decrease in audit cycle time
with automated and continuous
management of controls
SAP Performance Benchmarking



Next Steps
Ready for the Digital Economy, Ready for the GDPR:
Explore How SAP Solutions and Services Can Help

To thrive in today’s digital economy, organizations need the ability to run live: to sense, respond, learn, adapt, and predict to meet and create customer demand in the moment of opportunity. Data is at the core of this digital transformation, and the GDPR provides a timely catalyst for improvement.

In the previous pages, we have highlighted just some of the solutions available from SAP and our partners to help you get your business fit for the digital economy and fit for the GDPR. If you would like to find out more about the portfolio or discuss any of our data management and GRC solutions in more detail, please get in touch today.



www.sap.com/contactsap

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software
products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational
purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services are those that are set
forth in the express warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of
business outlined in this document or any related presentation, or to develop or release any
functionality mentioned therein. This document, or any related presentation, and SAP SE’s
or its affiliated companies’ strategy and possible future developments, products, and/or
platform directions and functionality are all subject to change and may be changed by SAP
SE or its affiliated companies at any time for any reason without notice. The information in
this document is not a commitment, promise, or legal obligation to deliver any material,
code, or functionality. All forward-looking statements are subject to various risks and
uncertainties that could cause actual results to differ materially from expectations. Readers
are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in
Germany and other countries. All other product and service names mentioned are the
trademarks of their respective companies.

See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
