© 2017 SAP AG. All rights reserved. 1
General Data Protection Regulation
Webinar for SAP Belux Clients, March 23rd 2017
Legal disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
NOTE: Information in this presentation or communication from SAP in no way guarantees you will achieve GDPR compliance. It is your responsibility to adopt measures you deem appropriate to achieve GDPR compliance.
Agenda
What is GDPR?
Mariano Kristensen, Database and Data Management CoE EMEA, SAP [5 min]
How to become compliant?
Neil Patrick, Director GRC & Security CoE (EMEA), SAP [30 min]
Impact on SAP System landscape
Philip Trappeniers, Enterprise Architect SAP BeLux [10 min]
Special focus on SAP Business Suite and SAP S/4HANA
Philip Trappeniers, Enterprise Architect SAP BeLux [10 min]
Q&A and next steps
Mariano Kristensen, Database and Data Management CoE EMEA, SAP [5 min]
The New EU Data Protection Rules
Since May 2016, an EU Regulation and Directive governs the protection of personal data.
The Regulation entered into force on 24 May 2016; it shall apply from 25 May 2018.
The Directive entered into force on 5 May 2016, and EU Member States have to transpose it into their national law by 6 May 2018.
GDPR is one of the most far-reaching pieces of regulation, ever
The following must be made provision for:
• Creation of an independent Data Protection Officer with compliance, cyber and business procedure oversight
• Purpose of data processing + lawful reason for doing it
• Data protection risk impact assessment, prior approval for high risks
• Data protection by design, by default
• Information notices, policy implementation
• Data breach notifications
• Data retention consent requirements, right to erasure
• Data profiling restrictions (especially automated)
• Data portability, machine-readable format
• Data protection audits
Core Business Areas Impacted
1. Locate Personal Data, Purpose, Risk
2. Purpose, Procedures, Breaches & Blocking
3. DPO, Accountability, Sustainable, Comply
• Spans systems (prod, dev, test, DR, BC, archive)
• Direct and indirect identification
• Classification of special personal data
• High risk Impact Assessment, protection by design & by default
• Data breaches & disclosure (72hr)
• Unlawful access, inaccurate, altered
• Procedures, fines, audits, certification
• Consent, right to forget (per process), delete and also archive
• Minimisation, 3rd parties, transparency
Organisations must maintain a written record of the processing activities carried out on behalf of each controller, and notify each controller on becoming aware of a data breach without undue delay.
Mapping GDPR Requirements with various SAP products
Scope: SAP ERP; SAP S/4HANA (CRM; ECC; HCM); non-SAP applications; cloud applications
Abbreviations: IS: Information Steward; ILM: Information Lifecycle Management; AC: Access Control; DAM: Dynamic Authorization Management; IDM: Identity Management; OT: OpenText; SSO: Single Sign On; RAL: Read Access Logging; ETD: Enterprise Threat Detection; PC: Process Control; AM: Audit Management
• Authentication (SSO/IDM)
• Personal Data Information Flow Tracking (Celonis)
• Ability to track how data subject requests are responded to (CRM/Call center -> PC)
• Maintain Data Breach Management (RAL/ETD)
• Authorizations (1)
• Processing activities (PC, Celonis)
• Purpose Repository (PC)
• Privacy Impact Assessment (PC)
• Blocking and Deletion (ILM, OT)
• Data Mgt (IS)
• Audit capabilities for personal data protection (PC)
• Physical Access Control (AC / IDM / DAM) (2)
Governance layer (3): Data Privacy Controls Assessment Cycle (PC); Data Privacy Audit Planning, Preparation and Execution (AM); Reporting & Dashboarding (BI); DPO Governance (PC)
1. Data Tagging, Delete, Retention & Blocked Access (SAP and non-SAP)
• Tagging of personal data
• Deletion of SAP data; document systems & procedures for deletion of non-SAP data
• Archive SAP data; document systems & procedures for non-SAP data for legal purposes + retention periods
• Safe (separate, managed, blocked) storage of archived data
• Paper OCR, unstructured data management, tagging
Personal information is safely deleted/stored after employees have left the company or following a consent request.
Based on Information Lifecycle Management, OpenText, Information Steward and Process Control:
• ILM (Information Lifecycle Management): Tagging SAP data across environments, delete and block
• IS (Information Steward): Tagging non-SAP data across environments
• OT (OpenText): 'Digital Vault', OCR, content tagging, storage, management
• PC (Process Control): Governance & evidence
2. Processing and Storing of Personal Data, Data Privacy Rights: Lawful basis
Based on Process Control, Celonis
Data Privacy includes the following rights of the natural person (data subject):
• Their data can only be processed if one of the lawful grounds can be shown, per process.
• They have the right to request blocking of their data, and deletion of their data; a defence against such a request must be based on lawful grounds.
• The risk associated with processing their data has to be assessed.
• Their data is safeguarded, ensuring that only the defined and currently agreed processing in the required scope will take place (minimising data to as little as possible).
• The data is deleted as soon as all legal retention periods have passed, and the data is blocked during the time in which it is kept on legal grounds.
• They can get all relevant information on their data undergoing processing: where to maintain processes/procedures?
4. Data Breaches: Accidental or malicious
GDPR:
• An "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data"
• Processors must report breaches to controllers
• Controllers must report breaches to the supervisory authority (within 72 hours) and to affected data subjects if at risk
• Also the NIS Directive on security of network and information systems, May 2018 + 6 months: to ensure a high common level of network and information security across the Union. Other breach notifications.
"...take into account state of the art ... appropriate technical measures .."
Breach management, DLP and IAM:
• Link to HR cycles (JML)
• Govern access and manage identities
• Review critical access and relevant transactions
• Monitor security configuration changes
• Monitor logs for anomalies and attacks
• Protect data inside / outside the application
• Consistently apply patches and updates
• Investigate and manage breaches
• Mature from rigid preventive controls to agile detective controls
• Ensure appropriate policies and training
• Maintain control over other parties, partners etc.
Based on Enterprise Threat Detection (RAL for simple cases), Access Control, Dynamic Authorisation Management, Process Control
4. Data Protection Impact Assessment: The DPIA
GDPR requires:
• A formalised process to identify non-compliant risks
• A PIA carried out on any high-risk processing, before it is commenced
• A description of the processing activities and purpose
• An assessment of the need for and proportionality of the processing
• Risks arising and mitigations are documented and dealt with, especially safeguards and security measures to protect personal data and comply with GDPR
Examples: large-scale processing or profiling of any personal data.
The DPO's advice on carrying out a PIA must be sought.
The authority must be consulted before processing is carried out on high unmitigated risk.
Based on Risk Management and Process Control
6. Assist you with demonstrating your GDPR Certification: Document governance requirements
Favourable measures of demonstrating compliance would be operating a regular audit program including, for example:
• Privacy by design
• Privacy impact assessments (and managed consequences)
• Engaging a DPO and giving them adequate resources and independence, and transparency into state of compliance
• Controller selection process, and regular review of service providers (data processors) for data processed
• Manage the use of sub-processors, third parties, vendors
• Evidence of use of e.g. pseudonymisation, encryption (so-called state of the art technologies), access governance, breach management
• Certification of data processing (especially cloud, where individual audits are not feasible)
Based on Process Control and Risk Management
Regulator: "Accountability, good governance, sustainable procedures". When in doubt, get a DPO.
Art 5.2: "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')."
Example Customer GDPR Compliance Approach
[Roadmap figure: timeline of phases]
• 1H-2017, Phase 1: Gap & Tolerance Doc. Where is my data? What is my risk?
• 2H-2017, Phase 2.1: Data & Procedure Management
• 1H-2018, Phase 2.2: Accountability & Governance
• 2H-2018 & Beyond: Ongoing compliance: automation, evidence, repeatable, efficiency, resilience
Manual = "Best Endeavours": once-off compliance, error-prone, exposure to fines.
SAP GDPR Platform & Services*: delivered by Customer, SAP, Partner‡, Legal.
‡ Can be from SAP or our partner community
Customer Compliance Approach Phase 1 (1H2017): Audit and Gap Analysis. Where is my personal data, what is my baseline risk?
Gap analysis, strategic direction, program of work
1. Identify personal data locations
  • stored or processed
  • internally, or by 3rd parties
2. Determine lawful purposes
  • processes touching data
  • consent procedures & policy management
3. Risk assess processes
  • lawful user access to data, cyber security risk
  • retention requirements and management
Supporting solutions: Information Lifecycle Management*, Information Steward, Celonis, Process Control, Risk Management
Customer Compliance Approach Phase 2.1 (2H2017): Set up Business as Usual Program. Implement data & procedures management
Data security, consent and procedure management
4. Tagging for consent, consent management
  • erasure, porting & no-process
  • retention archive & destroy
5. Data security technology for DLP and IAM
  • breach management incl. 3rd parties
  • data minimization, accuracy, unlawful viewing
6. New processes & lawful purpose
  • consent policy, risk assessments, data security
  • 3rd party contracts
Supporting solutions: Information Lifecycle Management*, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL
Customer Compliance Approach Phase 2.2 (1H2018): Embed DPO, Compliance Status. Accountability, governance, repeatable processes
Ready for Regulator
7. DPO engagement
  • DPIA and compliance signoff
  • DPO sanctions certification
8. Governance process evidence
  • accountability
  • transparency policy
9. Regulator communication procedures
  • audit procedures
  • breach notification policy (country, industry)
Supporting solutions: Information Lifecycle Management*, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL, BI Cockpit, Audit Management
Core SAP Solutions for Your GDPR Compliance (requires services (SAP or partner) & Legal to implement)
GDPR is so vast that no single solution in the market can address all of it. Furthermore, there is no single most important area to focus on first. SAP have the unique advantage of best-of-breed solutions which, when used together, provide a comprehensive platform demonstrating GDPR compliance for SAP and non-SAP systems:
• Process Control (PC): The single most important custodian of GDPR compliance, providing ongoing digital evidence to the supervising authority of, for example, breach management, compliant policies & privacy notices and procedures, lawful exclusions, DPIA results (and assessment), controls (with automated monitoring across SAP and non-SAP systems), challenge responses, audit evidence (AM for full audits) and action management, lawful purpose per process, third party and contract management, processor/sub-processor management.
• Information Lifecycle Management (ILM)*, PowerDesigner (PD): ILM is a powerful SAP-only tool for tagging personal data across multiple environments and managing the procedures for deleting and archiving with defensible legal retention requirements. PD covers non-SAP data tagging (not deleting).
• Information Steward: Mature data profiling and metadata management tool providing continuous interrogation of the location of personal data across the estate for SAP and non-SAP systems, as well as assisting in managing personal data accuracy and consistency.
• Celonis: Cutting-edge HANA-powered process mining technology to understand and visualize which processes actually 'touch' personal data, as opposed to the ones you think do, with real-time cross-platform big data surveillance for SAP and non-SAP systems.
• DLP: Read Access Logging (RAL)* or Enterprise Threat Detection (ETD): RAL will monitor, log and categorise read access to personal data for SAP systems. HANA-powered ETD is a big-data real-time security event detection and management tool for application-level access processing and pattern analysis; it provides real-time breach, inappropriate access, investigation and remediation plus dashboarding.
• IAM: AC, DAM, IDM/SSO, HR: Managing lawful user access to personal data is a core requirement of GDPR, whether in active business systems, contracted processors, archives, as part of employee enrolment, or contract management. SAP provides robust best-of-breed solutions.
• Customer Relationship Management (CRM): Customer-facing solution to track and manage consent requests and regulator dialogues.
• BI for Cockpit: Develop a dashboard that provides the single place to go for real-time GDPR compliance status, with drill-through into topic details.
Impact for SAP S/4HANA and SAP Business Suite
How is Personal Data defined?
"'personal data' means any information relating to an identified or identifiable natural person 'data subject'; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person" (Art. 4 Sec. 1 GDPR)
What does this mean for SAP Business Suite and SAP S/4HANA?
• Most data in SAP Business Suite and SAP S/4HANA might become personal data. A Sales Order is linked to the Business Partner (ID). The sales order itself contains additional personal data, so the whole Sales Order is personal data.
• Combinations of attributes might become personal data as soon as it is possible to identify the person behind them.
Legal Requirements: § 20, § 35 BDSG
(2) […] Personal data shall be erased if
1. unlawfully recorded, or […]
3. as soon as knowledge of them is no longer needed to carry out the purpose for which they were recorded […]
(3) Instead of being erased, data shall be blocked where
1. in the case of subsection 2 no. 3, erasure would violate retention periods set by law, statute or contract,
2. there is reason to believe that erasure would be detrimental to legitimate interests of the data subject […]
Example: Personal Data in SAP Business Suite
[Figure: document chain SAP Business Partner -> Contract -> Order -> Delivery -> Invoice -> Payment (dated 01.10.2011 in the example), with the personal data each object carries]
• SAP Business Partner: Name, Address
• Contract: Unique, assignable contract ID
• Order: Sold-to Party
• Delivery: Delivery address
• Invoice: Invoice address
• Payment: Bank account or credit card information
All objects in this particular example include personal data and need to be blocked and erased referring to data privacy acts!
SAP ILM enablement of application objects
SAP has been asked to simplify the blocking and deletion of personal data.
SAP implements in SAP Business Suite and S/4HANA procedures for the simplified blocking and deletion of personal data.
The implementation is an ongoing project. Any statement within this presentation is valid for the named applications and might be subject to change.
The simplified blocking and deletion of personal data is technically based on SAP Information Lifecycle Management (SAP ILM).
The SAP standard product documentation describes how to use the above-mentioned functionalities.
SAP is NOT providing any legal advice.
Overview Scenario and Process Flow: Simplified Blocking & Deletion of Personal Data
[Flow diagram for a Business Partner (BP), rebuilt from the slide labels]
• BP exists.
• Check purpose: the End Of Purpose Check is done by each application (Business Partner Application Logic), with Residence Periods defined as ILM Rules specific to each application.
  – Yes (purpose still applies): the BP stays active.
  – *No: after expiration of the longest residence period of each business interaction, continue.
• Retention Time applies?
  – No: DESTROY BP.
  – Yes: Block BP (Authorized Read Only) and check end of retention period, with Retention Periods defined as ILM Rules specific to each application.
    – Not Reached: the BP stays blocked.
    – **Reached: after expiration of the longest retention period of each business interaction, DESTROY BP.
Enterprise Information Retention Management
• ILM places retention rules on archived SAP data objects, based on policy.
• ILM disallows destruction of any data where there is still content attached; content must be destroyed first, per Extended ECM rules.
• All documents, both SAP and non-SAP, are managed by Extended ECM Records Management.
• Extended ECM provides the ILM-aware and certified archive that stores both data and content securely.
• Permanent audit trail: for data, kept by ILM; for content, kept by Extended ECM.
[Figure: Sales Order and Customer Information flowing into NetWeaver ILM (manages retention of SAP data and attachments) and Extended ECM (manages retention of enterprise content), with Extended ECM as the Unified Archive for Data and Content]
Enterprise Information Retention Management for BW
• Data in the data warehouse has to be kept in sync.
• ILM places retention rules on archived SAP data objects, based on policy.
• ILM sends a message to SAP BW about blocking and deletion of data.
• SAP BW can ask SAP ILM for the Business Partner status.
[Figure: SAP ERP with its DB and the ILM Framework (archived data) exchanging status messages with SAP BW and its DB]
Q&A and Next Steps
SAP is ready to support you in the GDPR journey
Reach out to your SAP representative for a follow up meeting
Contact information:
Dr. Neil Patrick
Director COE GRC & Security (EMEA)
+44 7833 480 248
Philip Trappeniers
Enterprise Architect SAP BeLux
+32 499 56 73 78
Mariano Kristensen
Database and Data Management CoE EMEA
+45 29233380