General Data Protection Regulation

Webinar for SAP Belux Clients, March 23rd 2017

© 2017 SAP AG. All rights reserved.


Legal disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

NOTE: Information in this presentation or communication from SAP in no way guarantees you will achieve GDPR compliance. It is your responsibility to adopt measures you deem appropriate to achieve GDPR compliance.


Agenda

• What is GDPR? (Mariano Kristensen, Database and Data Management CoE EMEA, SAP [5 min])
• How to become compliant? (Neil Patrick, Director GRC & Security CoE (EMEA), SAP [30 min])
• Impact on SAP System landscape (Philip Trappeniers, Enterprise Architect SAP BeLux [10 min])
• Special focus on SAP Business Suite and SAP S/4HANA (Philip Trappeniers, Enterprise Architect SAP BeLux [10 min])
• Q&A and next steps (Mariano Kristensen, Database and Data Management CoE EMEA, SAP [5 min])


The New EU Data Protection Rules

Since May 2016, an EU Regulation and Directive governs the protection of personal data.

The Regulation entered into force on 24 May 2016; it shall apply from 25 May 2018.

The Directive has entered into force on 5 May 2016, and EU Member States have to transpose it into their national law by 6 May 2018.

How you can drive your compliance program


GDPR is one of the most far-reaching pieces of regulation, ever

The following must be made provision for:

• Creation of an independent Data Protection Officer with compliance, cyber, business procedure oversight
• Purpose of data processing + lawful reason for doing it
• Data protection risk impact assessment, prior approval for high risks
• Data protection by design, by default
• Information notices, policy implementation
• Data breach notifications
• Data retention consent requirements, right to erasure
• Data profiling restrictions (especially automated)
• Data portability, machine readable format
• Data protection audits


Core Business Areas Impacted

1. Locate Personal Data, Purpose, Risk
2. Purpose, Procedures, Breaches & Blocking
3. DPO, Accountability, Sustainable, Comply

• Spans systems (prod, dev, test, DR, BC, archive)
• Direct and indirect identification
• Classification of special personal data
• High risk Impact Assessment, protection by design & by default
• Data breaches & disclosure (72hr)
• Unlawful access, inaccurate, altered
• Procedures, fines, audits, certification
• Consent, right to forget (per process), delete and also archive
• Minimisation, 3rd parties, transparency

Organisations must maintain a written record of the processing activities carried out on behalf of each controller, and notify each controller on becoming aware of a data breach without undue delay.


Mapping GDPR Requirements with various SAP products

Systems in scope: SAP ERP; SAP S/4 HANA (CRM; ECC; HCM); Non-SAP Applications; Cloud Applications

Abbreviations: IS: Information Steward; ILM: Information Lifecycle Management; AC: Access Control; DAM: Dynamic Authorization Management; IDM: Identity Management; OT: OpenText; SSO: Single Sign On; RAL: Read Access Logging; ETD: Enterprise Threat Detection; PC: Process Control; AM: Audit Management

• Authentication (SSO/IDM)
• Personal Data Information Flow Tracking (Celonis)
• Ability to track how data subject requests are responded to (CRM/Call center -> PC)
• Maintain Data Breach Management (RAL/ETD)
• Authorizations [1]
• Processing activities (PC, Celonis)
• Purpose Repository (PC)
• Privacy Impact assessment (PC)
• Blocking and Deletion (ILM, OT)
• Data Mgt (IS)
• Audit capabilities for personal data protection (PC)
• Physical Access Control (AC / IDM / DAM) [2]
• Data Privacy Controls Assessment Cycle (PC)
• Data Privacy Audit Planning, Preparation and Execution (AM)
• Reporting & Dashboarding (BI)
• DPO Governance (PC) [3]


1. Data Tagging, Delete, Retention & Blocked Access

SAP and non-SAP

• Tagging of personal data
• Deletion of SAP data, document systems & procedures for deletion of non-SAP data
• Archive SAP data, document systems & procedures for non-SAP data for legal purposes + retention periods
• Safe (separate, managed, blocked) storage of archived data
• Paper OCR, unstructured data management, tagging

Personal information is safely deleted/stored after employees have left the company or following a consent request.

Based on Information Lifecycle Management, OpenText, Information Steward and Process Control

• ILM (Information Lifecycle Management): Tagging SAP data across environments, delete and block
• IS (Information Steward): Tagging non-SAP data across environments
• OT (OpenText): ‘Digital Vault’, OCR, content tagging, storage, management
• PC (Process Control): Governance & evidence


2. Processing and Storing of Personal Data, Data Privacy Rights
Lawful basis

Based on Process Control, Celonis

Data Privacy includes the following rights of the natural person (data subject):

• Their data can only be processed if one of the lawful grounds shown on the slide can be shown. Per process.
• They have the right to request blocking of their data, and deleting of their data. Defence based on lawful grounds.
• The risk associated with processing their data has to be assessed.
• Their data is safeguarded, ensuring that only the defined and currently agreed processing in the required scope will take place (minimising data to as little as possible).
• The data is deleted as soon as all legal retention periods have passed, and the data is blocked during the time in which it is kept for legal grounds.
• They can get all relevant information on their data undergoing processing: where to maintain processes/procedures?


4. Data Breaches
Accidental or malicious

GDPR:

• An “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”
• Processors must report breaches to controllers
• Controllers must report breaches to the supervisory authority (within 72 hours) and affected data subjects if at risk
• Also NIS Directive on security of network and information systems, May 2018 + 6 months: to ensure a high common level of network and information security across the Union. Other breach notifications.

“…take into account state of the art ... appropriate technical measures ..”

Breach / DLP / IAM:

• Link to HR cycles (JML)
• Govern access and manage identities
• Review critical access and relevant transactions
• Monitor security configuration changes
• Monitor logs for anomalies and attacks
• Protect data inside / outside the application
• Consistently apply patches and updates
• Investigate and manage breaches
• Mature from rigid preventive controls to agile detective controls
• Ensure appropriate policies and training
• Maintain control over other parties, partners etc.

Based on Enterprise Threat Detection (RAL for simple cases), Access Control, Dynamic Authorisation Management, Process Control


4. Data Protection Impact Assessment
The DPIA

GDPR requires:

• A formalised process to identify non-compliant risks
• PIA carried out on any high risk processing, before it is commenced
• A description of the processing activities and purpose
• An assessment of the need for and proportionality of the processing
• Risks arising and mitigations are documented and dealt with
• Especially safeguards and security measures to protect personal data and comply with GDPR

Examples: large scale processing or profiling of any personal data.

DPO’s advice on carrying out a PIA must be sought.

Authority must be consulted before processing is carried out on high unmitigated risk.

Based on Risk Management and Process Control


6. Assist you with demonstrating your GDPR Certification
Document governance requirements

Favourable measures of demonstrating compliance would be operating a regular audit program including for example:

• Privacy by design
• Privacy impact assessments (and managed consequences)
• Engaging a DPO and giving them adequate resources and independence, and transparency into state of compliance
• Controller selection process, and regular review of service providers (data processors) for data processed
• Manage the use of sub-processors, third parties, vendors
• Evidence of use of e.g. pseudonymisation, encryption (so called state of the art technologies), access governance, breach management
• Certification of data processing (especially cloud where individual audits are not feasible)

Based on Process Control and Risk Management

Regulator: “Accountability, good governance, sustainable procedures”. When in doubt, get a DPO.

Art 5.2 “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').”


Example GDPR Cockpit you might build


Example Customer GDPR Compliance Approach

Timeline (figure), involving Customer, SAP, Partner‡ and Legal:

• 1H-2017, Phase 1: Gap & Tolerance Doc. Where is my data? What is my risk?
• 2H-2017, Phase 2.1: Data & Procedure Management
• 1H-2018, Phase 2.2: Accountability & Governance
• 2H-2018 & Beyond: Ongoing compliance: automation, evidence, repeatable, efficiency, resilience

SAP GDPR Platform & Services* underpin the phases.

Manual = “Best Endeavours”: once-off compliance, error-prone, exposure to fines.

‡ Can be from SAP or our partner community


Customer Compliance Approach Phase 1 (1H2017)
Audit and Gap Analysis: Where is my personal data, what is my baseline risk?

Gap analysis, strategic direction, program of work

1. Identify personal data locations
• stored or processed
• internally, or by 3rd parties

2. Determine lawful purposes
• processes touching data
• consent procedures & policy management

3. Risk assess processes
• lawful user access to data, cyber security risk
• retention requirements and management

Supporting SAP solutions: Information Lifecycle Management*, Information Steward, Celonis, Process Control, Risk Management


Customer Compliance Approach Phase 2.1 (2H2017)
Set up Business as Usual Program: Implement data & procedures management

Data security, consent and procedure management

4. Tagging for consent, consent management
• erasure, porting & no-process
• retention archive & destroy

5. Data security technology for DLP and IAM
• breach management incl. 3rd parties
• data minimization, accuracy, unlawful viewing

6. New processes & lawful purpose
• consent policy, risk assessments, data security
• 3rd party contracts

Supporting SAP solutions: Information Lifecycle Management*, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL


Customer Compliance Approach Phase 2.2 (1H2018)
Embed DPO, Compliance Status: Accountability, governance, repeatable processes

Ready for Regulator

7. DPO engagement
• DPIA and compliance signoff
• DPO sanctions certification

8. Governance process evidence
• accountability
• transparency policy

9. Regulator communication procedures
• audit procedures
• breach notification policy (country, industry)

Supporting SAP solutions: Information Lifecycle Management*, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL, BI Cockpit, Audit Management


Core SAP Solutions for Your GDPR Compliance
Requires services (SAP or partner) & Legal to Implement

GDPR is so vast that no single solution in the market can address all of it. Furthermore, there is no single most important area to focus on first. SAP has the unique advantage of best-of-breed solutions which, used together, provide a comprehensive platform for demonstrating GDPR compliance for SAP and non-SAP systems:

Process Control (PC): The single most important custodian of GDPR compliance, providing ongoing digital evidence to the supervising authority of, for example, breach management, compliant policies & privacy notices and procedures, lawful exclusions, DPIA results (and assessment), controls (with automated monitoring across SAP and non-SAP systems), challenge responses, audit evidence (AM for full audits) and action management, lawful purpose per process, third party and contract management, processor/sub-processor management.

Information Lifecycle Management (ILM)*, PowerDesigner (PD): ILM is a powerful SAP-only tool for tagging personal data across multiple environments and managing the procedures for deleting and archiving with defensible legal retention requirements. PD covers non-SAP data tagging (not deleting).

Information Steward: Mature data profiling and metadata management tool providing continuous interrogation of the location of personal data across the estate for SAP and non-SAP systems, as well as assisting in managing personal data accuracy and consistency.

Celonis: Cutting-edge HANA-powered process mining technology to understand and visualize which processes actually ‘touch’ personal data, as opposed to the ones you think do, with real-time cross-platform big data surveillance for SAP and non-SAP systems.

DLP: Read Access Logging (RAL)* or Enterprise Threat Detection (ETD): RAL will monitor, log and categorise read access to personal data for SAP systems. HANA-powered ETD is a big-data real-time security event detection and management tool for application-level access processing and pattern analysis; it provides real-time breach, inappropriate access, investigation and remediation plus dashboarding.

IAM: AC, DAM, IDM/SSO, HR: Managing lawful user access to personal data is a core requirement of GDPR, whether in active business systems, contracted processors, archives, as part of employee enrolment, or contract management. SAP provides robust best-of-breed solutions.

Customer Relationship Management (CRM): Customer-facing solution to track and manage consent requests, regulator dialogues.

BI for Cockpit: Develop a dashboard that provides the single place to go for real-time GDPR compliance status, with drill-through into topic details.

Impact on SAP System landscape

Impact for SAP S/4HANA and SAP Business Suite

How is Personal Data defined?

“'personal data' means any information relating to an identified or identifiable natural person 'data subject'; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person” Art. 4 Sec. 1 GDPR

What does this mean for SAP Business Suite and SAP S/4HANA?

• Most data in SAP Business Suite and SAP S/4HANA might become personal data. A Sales Order is linked to the Business Partner (ID). The sales order itself contains additional personal data, so the whole Sales Order is personal data.
• Combinations of attributes might become personal data, as soon as it is possible to identify the person behind them.


Legal Requirements
§ 20, § 35 BDSG

(2) […] Personal data shall be erased if
1. unlawfully recorded, or […]
3. as soon as knowledge of them is no longer needed to carry out the purpose for which they were recorded […]

(3) Instead of being erased, data shall be blocked where
1. in the case of subsection 2 no. 3, erasure would violate retention periods set by law, statute or contract,
2. there is reason to believe that erasure would be detrimental to legitimate interests of the data subject […]


Example
Personal Data in SAP Business Suite

Figure: a document chain SAP Business Partner -> Contract -> Order -> Delivery -> Invoice -> Payment (01.10.2011), with the personal data each object carries: Name and Address (Business Partner); Unique, assignable contract ID (Contract); Sold-to Party (Order); Delivery address (Delivery); Invoice address (Invoice); Bank account or credit card information (Payment).

All Objects in this particular Example include personal data and need to be blocked and erased referring to data privacy acts!

Special focus on SAP Business Suite and SAP S/4HANA

Lifecycle of personal data handled


SAP ILM enablement of application objects

SAP has been asked to simplify the blocking and deletion of personal data.

SAP implements in the SAP Business Suite and S/4HANA procedures for the simplified blocking and deletion of personal data.

The implementation is an ongoing project. Any statement within this presentation is valid for named applications and might be subject to changes.

The simplified blocking and deletion of personal data is technically based on SAP Information Lifecycle Management (SAP ILM).

The SAP standard product documentation describes how to use the above mentioned functionalities.

SAP is NOT providing any legal advice.

Personal data: active business processes

Personal data: Blocking

Personal data: Deletion

Overview Scenario and Process Flow
Simplified Blocking & Deletion of Personal Data

Process flow (figure) for a Business Partner (BP):

• Start: BP exists. Check purpose [End of Purpose check is done by each application]; while a purpose remains, the BP stays in active use. *No purpose: continue.
• Retention time applies? No: DESTROY BP. Yes: Block BP (authorized read only).
• Check end of retention period. Not reached: the BP stays blocked. **Reached: DESTROY BP.

Residence Periods – ILM Rules [Specific to each application]
Retention Periods – ILM Rules [Specific to each application]

*No - After expiration of the longest residence period of each business interaction
**Reached - After expiration of the longest retention period of each business interaction
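The flow above as a small Python model (an added example, not code from the slides or from SAP ILM): each business interaction carries its own end-of-purpose date and application-specific residence and retention periods, and the partner is only blocked once the longest residence period and only destroyed once the longest retention period has expired. It assumes both periods count from the end-of-purpose date and that a 'display blocked data' authorization exists; `bp_status` and `access_allowed` are hypothetical names.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class BPStatus(Enum):
    ACTIVE = "active"      # at least one application still reports a purpose
    BLOCKED = "blocked"    # end of purpose and residence passed; retention still running
    DESTROY = "destroy"    # longest retention period reached: data may be destroyed


@dataclass(frozen=True)
class Interaction:
    """One business interaction (contract, order, payment ...) with the business partner.

    end_of_purpose is None while the owning application's End-of-Purpose check still
    says "in use". residence_days / retention_days stand in for the application-specific
    ILM rules; this example assumes both count from end of purpose."""
    name: str
    end_of_purpose: Optional[date]
    residence_days: int
    retention_days: int


def bp_status(interactions: List[Interaction], today: date) -> Tuple[BPStatus, Optional[date]]:
    """Evaluate the simplified blocking & deletion flow for one business partner.

    Returns the status and the date of the next due state change (None while some
    application still has a purpose), so the change can be scheduled and evidenced."""
    if not interactions:
        raise ValueError("a business partner without interactions cannot be evaluated")
    # "Check purpose": every application must confirm end of purpose before blocking.
    if any(i.end_of_purpose is None for i in interactions):
        return BPStatus.ACTIVE, None
    # "*No": block only after the LONGEST residence period of all interactions expired.
    block_due = max(i.end_of_purpose + timedelta(days=i.residence_days) for i in interactions)
    if today < block_due:
        return BPStatus.ACTIVE, block_due
    # "**Reached": destroy only after the LONGEST retention period of all interactions
    # expired. If no retention applies (all retention_days == 0) this falls through to DESTROY.
    destroy_due = max(i.end_of_purpose + timedelta(days=i.retention_days) for i in interactions)
    if today < destroy_due:
        return BPStatus.BLOCKED, destroy_due
    return BPStatus.DESTROY, destroy_due


def access_allowed(status: BPStatus, operation: str, may_read_blocked: bool) -> bool:
    """Authorization rule per state: blocked data is read-only, and only for users holding
    the (assumed) 'display blocked data' authorization; destroyed data is never accessible."""
    if status is BPStatus.ACTIVE:
        return operation in ("read", "write")
    if status is BPStatus.BLOCKED:
        return operation == "read" and may_read_blocked
    return False


# Constructed sample data: three interactions of one business partner.
SAMPLE = [
    Interaction("contract", date(2011, 10, 1), residence_days=365, retention_days=3650),
    Interaction("order", date(2012, 3, 15), residence_days=90, retention_days=2555),
    Interaction("payment", date(2012, 4, 1), residence_days=30, retention_days=3650),
]

if __name__ == "__main__":
    for day in (date(2012, 6, 1), date(2013, 1, 1), date(2022, 6, 1)):
        print(day, *bp_status(SAMPLE, day))
```

Note that the contract's long residence period keeps the whole partner active until 2012-09-30 even though the order and payment ended earlier, and the payment's retention period keeps it blocked until 2022-03-30.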


Enterprise Information Retention Management

• ILM places retention rules on archived SAP data objects, based on policy
• ILM disallows destruction of any data where there is still content attached: content must be destroyed first, per Extended ECM rules.
• All documents, both SAP and non-SAP, are managed by Extended ECM Records Management
• Extended ECM provides the ILM-aware and certified archive that stores both data and content securely
• Permanent audit trail for data kept by ILM; for content kept by Extended ECM

Figure: a Sales Order with Customer Information; NetWeaver ILM manages retention of SAP data and attachments; Extended ECM manages retention of enterprise content and is the Unified Archive for Data and Content.


Enterprise Information Retention Management for BW

• Data in the data warehouse has to be kept in sync
• ILM places retention rules on archived SAP data objects, based on policy
• ILM sends a message to SAP BW about blocking and deletion of data
• SAP BW can ask SAP ILM for Business Partner status

Figure: SAP ERP (with its DB) and the ILM Framework with archived data (Arch Data), connected to SAP BW (with its DB).


Q&A and Next Steps

SAP is ready to support you in the GDPR journey. Reach out to your SAP representative for a follow up meeting.

Contact information:

Dr. Neil Patrick, Director COE GRC & Security (EMEA), [email protected], +44 7833 480 248
Philip Trappeniers, Enterprise Architect SAP BeLux, [email protected], +32 499 56 73 78
Mariano Kristensen, Database and Data Management CoE EMEA, [email protected], +45 29233380

Thank you