March 29, 2018
Workshop dataprivacy in SAP
Ing. Nico J.W. Kuijper MSc. CIPP/EU
SAP information & data governance/management consultant, (SAP) Data Privacy Consultant
Certified by the International Association of Privacy Professionals
[email protected] +31 20 615 82 89
Disclaimer: the author of this presentation does not provide any legal advice regarding data privacy with this presentation.
In this presentation personal opinions, practical experiences on the fulfillment of data protection requirements and possible instruments are discussed.
This presentation contains some pictures/slides from public available sources and SAP presentations.
March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decommissioning | HANA Data Temperature Management Page 1
Disclaimer: The information contained in this presentation is for general guidance only and provided on the understanding that the
author is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation.
The author accepts no liability for any actions taken as response hereto.
It is the responsibility of your organization to adopt the measures it deems appropriate to achieve GDPR compliance.
Questions to the audience
Is your organization currently ready for / compliant with the GDPR?
Yes?
No?
Not sure?
Who should be responsible for data privacy in your view?
Business?
IT?
Both?
On what level should data privacy be addressed in the organization?
Strategic level?
Tactical level?
Operational level?
All these levels above?
How are other companies doing? https://www.gartner.com/newsroom/id/3701117
Analogy: processing financial transactions
[Diagram: money in / money out flowing through the bookkeeping system; around it the clerk, the financial controller, the head of finance, the C-level executives (CFO), the tax officer and the internal and external stakeholders; framed by fiscal law and policy]
Key elements:
• Legislation
• Legal/fiscal authority
• C-Level executive
• Internal control function
• Governance & policies
• Management layer
• Record/bookkeeping
• Operations/execution layer
• Money flow in/out
• External stakeholders
Analogy: processing privacy relevant data
[Diagram: data in / data out flowing through the privacy “bookkeeping”; around it the data processor, the data controller, the DPO (Data Privacy Officer), the C-level executives (CIO/CDO), the DPA (Data Privacy Authority) and external stakeholders like data subjects; framed by the GDPR legislation and policy]
Article on data privacy bookkeeping: https://executive-people.nl/587119/privacy-boekhouding.html
Key elements:
• Legislation
• Legal authority
• C-Level executive
• Internal control function
• Governance & policies
• Management layer
• Record/bookkeeping system
• Operations/execution layer & tools
• Dataflow in/out
• External stakeholders (e.g. data subjects, external controllers & processors)
The roadmap to GDPR compliance
Key questions
Identify the context of privacy relevant data
- Where (in which systems) is privacy relevant data used/stored?
- How & where is it processed (business process)?
- For what (lawful) purpose?
- What are the relevant (legal/fiscal) retention rules?
- Document the outcome in your data register & records and retention scheme
Assess & prioritize privacy risks
- What are the identified privacy risks (PIA)?
- Gap analysis regarding organizational & technical measures
- Evaluate risks and measures & prioritize.
Develop and execute a privacy program
- How to mitigate the identified privacy risks?
- What are our data privacy policies and procedures?
- How do we govern/evaluate (ongoing) data privacy?
- Technical measures: what are the appropriate privacy enhancing tools? Implement technical measures based on the defined policies
- Etc.
Presentation focus area: PET in the context of SAP
The presentation has a main focus on the privacy enhancing technology available in SAP and will also touch on
some of the data privacy relevant processes this technology can be used for.
We will not focus on governance, relevant data privacy processes, roles and responsibilities, etc.
Part 1 – GDPR key aspects put into context
GDPR Article 24(1): the GDPR key aspects
The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/ and, in the different EU languages, on EUR-Lex:
Regulation (EU) 2016/679 (General Data Protection Regulation, repealing Directive 95/46/EC) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
The nature, scope, context, purpose, risk of processing personal data & appropriate measures
[Diagram: the steps below, from locating personal data in SAP to implementing measures; SAP ILM RM is shown as the tool for retention and deletion]
- Identify where privacy relevant data lives in your SAP system (personal data in SAP)
- Identify the purpose for processing personal data (identify relevant business processes)
- Identify the context: determine the lawful basis for processing (displayed: a few examples of a lawful basis): consent, legal obligation, contract
- Identify the context: determine the retention and deletion periods and triggers, e.g.:
  - consent: delete after withdrawn consent (SAP ILM RM)
  - legal obligation / contract: retain based on legal retention times per country (NL x years, DE y years) (SAP ILM RM)
- Determine the risks of processing the data and implement appropriate (technical) measures (some examples): consent management, authorization concept, data masking, anonymization, data breach prevention & detection, etc.
What is considered privacy relevant data?
“Personal data” is defined as “any information relating to an identified or identifiable natural person”
“'personal data' means any information relating to an
identified or identifiable natural person 'data subject'; an
identifiable person is one who can be identified, directly
or indirectly, in particular by reference to an identifier
such as a name, an identification number, location
data, online identifier or to one or more factors specific
to the physical, physiological, genetic, mental,
economic, cultural or social identity of that person”
Art. 4 Sec. 1 GDPR
What does this mean for SAP Business Suite
and SAP S/4HANA?
Data in SAP Business Suite and SAP S/4HANA is or might
become personal data.
A Sales Order is linked to the Business Partner (ID). The sales order
itself could contain additional personal data – or can reveal personal
data (purchases person X).
Combinations of attributes might become personal data – as soon as
it is possible to identify the person behind. Example: information
combined from ECC, CRM, BW, etc.
First things first (1): Detect the privacy relevant data living in your systems
• There are different tools available in the market to detect if and where privacy
relevant information lives in SAP systems. SAP promotes e.g. Information Steward,
Celonis, etc.
• Tip: a standard “quick to use” SAP report could be used to identify the tables in
SAP that potentially store (sensitive) privacy relevant information. Downside: too
limited (it does not identify whether the table records are actually populated with personal data).
First things first (2): Detect the privacy relevant data living in your systems
• Alternative: a 3rd party analysis tool could be used to verify if table records are
actually populated with personal data (e.g. per personnel area), the relevant
authorization checks, available data destruction objects for the identified personal
data, etc.
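The two approaches just described, a name-based candidate list versus a check of what the rows actually contain, can be put side by side in a few lines. The following script is an added illustration, not code from this presentation, from SAP or from any of the tools named above. The table names follow the slides (KNA1, PA0105), but the fields, rows and values are constructed sample data; the name hints, regular expressions and the mod-97 IBAN check are the author's assumptions about what such a scanner would look for.

```python
"""Locate personal data that is actually populated in table rows.

Added example (not the deck's or SAP's code). A metadata-only report lists
candidate tables by field name but cannot tell whether the rows really hold
personal data; this script does both and reports the difference.
Tables, fields and rows are constructed sample data shaped loosely like the
SAP tables named on the slides; all values are invented.
"""
import re

# --- Constructed sample rows -------------------------------------------------
SAMPLE_TABLES = {
    "KNA1": [   # customer master (constructed)
        {"KUNNR": "0000100001", "NAME1": "Example Trading BV", "TELF1": "+31 20 123 45 67"},
        {"KUNNR": "0000100002", "NAME1": "Sample Retail GmbH", "TELF1": "+49 30 1234567"},
    ],
    "PA0105": [  # HR communication infotype (constructed)
        {"PERNR": "00001234", "SUBTY": "0010", "USRID_LONG": "jan.jansen@example.org"},
        {"PERNR": "00001235", "SUBTY": "0001", "USRID_LONG": "JJANSEN"},  # system user id, not an email
    ],
    "ZPAYOUT": [  # custom table with an IBAN column and a free-text remark (constructed)
        {"ID": "1", "IBAN": "NL91ABNA0417164300", "REMARK": "piet.de.vries@example.org"},  # valid IBAN
        {"ID": "2", "IBAN": "NL00ABNA0417164300", "REMARK": ""},                            # bad checksum
        {"ID": "3", "IBAN": "", "REMARK": ""},
    ],
    "ZLOG": [     # technical log: flagged by name, but never populated
        {"ID": "1", "EMAIL_SENT": ""},
        {"ID": "2", "EMAIL_SENT": ""},
    ],
}

# Field-name fragments a metadata-only report would flag as candidates (assumption).
NAME_HINTS = ("EMAIL", "USRID", "IBAN", "TELF", "NAME1", "GBDAT")

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
# Only international format (+country code) so numeric keys like KUNNR/PERNR do not match.
PHONE_RE = re.compile(r"^\+\d[\d \-]{6,}\d$")
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")


def iban_checksum_ok(s: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the number must leave remainder 1 modulo 97."""
    if not IBAN_RE.match(s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def classify_value(value: str):
    """Kind of personal data a single cell looks like, or None.
    Plain names (NAME1) are not recognised by content; they need the name hint."""
    v = value.strip()
    if not v:
        return None
    if EMAIL_RE.match(v):
        return "email"
    if iban_checksum_ok(v):
        return "iban"
    if PHONE_RE.match(v):
        return "phone"
    return None


def candidate_fields(tables):
    """Metadata-only view: (table, field) pairs whose name suggests personal data."""
    found = set()
    for table, rows in tables.items():
        for field in (rows[0].keys() if rows else []):
            if any(h in field.upper() for h in NAME_HINTS):
                found.add((table, field))
    return found


def populated_findings(tables):
    """Content view: for each (table, field, kind) count rows that really hold such data."""
    findings = {}
    for table, rows in tables.items():
        for row in rows:
            for field, value in row.items():
                kind = classify_value(str(value))
                if kind:
                    findings[(table, field, kind)] = findings.get((table, field, kind), 0) + 1
    return findings


def report(tables):
    """Combine both views. Candidates without content are the 'downside' of the
    quick report; content without a name hint is what only a data scan finds."""
    cands = candidate_fields(tables)
    pop = populated_findings(tables)
    populated_pairs = {(t, f) for (t, f, _) in pop}
    return {
        "populated": pop,
        "candidates_without_content": sorted(cands - populated_pairs),
        "content_without_name_hint": sorted(populated_pairs - cands),
    }


if __name__ == "__main__":
    for section, result in report(SAMPLE_TABLES).items():
        print(section, result)
```

On the constructed data the quick report flags KNA1.NAME1 and ZLOG.EMAIL_SENT although no scanned content confirms them, while the free-text REMARK column in ZPAYOUT holds an email address that no name-based report would list; a real scan would add the structural hints (data elements, domains) for names and dates that content matching alone cannot recognise.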
First things first (3): Detect the privacy relevant data living in your systems
• Usage of privacy relevant documents
Not only privacy relevant data can be stored in SAP: documents and (email) messages, etc.
containing privacy relevant data can be stored in SAP or on the content/archive servers
connected to SAP. This needs to be checked as well.
Example: keeping successfully sent emails containing personal data in SAP
is a widespread practice (and a potential risk regarding purpose limitation,
unauthorized disclosure of email content, data minimization, etc.).
Identify the purpose & processes related to the identified personal data in SAP systems
• Personal data of a particular person can be used for different (lawful) purposes. Example: usage of email address
Attribute | Used in system | Data is stored in | Purpose(s) | Business process(es)
Email address (customer) | ECC | KNA1, SOES | Different types of business transaction communication | Send contract, order & delivery confirmation (MM/SD), invoices (FI), product defect notifications, etc.
Email address (business partner) | CRM | BUT020, SOES | Marketing | Campaign management
Email address (employee) | HR | PA0105, SOES | HR - Employee communication | Many different HR processes
Aligning purposes, retention rules & laws
Data | Purpose | Active availability | Retention period
Master data | Dependent on other purposes | With related data | Until the last related retention period ends -> in this example: pension law
Payment details | Dependent on other purposes | With related data | Until the last retention period for payment details ends -> e.g. tax law
Communication details | Dependent on other purposes | With related data | With master data
Marketing | Marketing | Until consent is revoked or missing renewal after x years | None
Data: purchase contract for iPhone & maintenance | Processing purchase contract; processing maintenance | Until end of maintenance requirements | Until the last related retention period ends -> e.g. tax law
Data: purchase contract for “The Divine Comedy” | Processing purchase contract | During processing of purchase contract, possibly for reporting purposes | Until the last related retention period ends -> e.g. tax law
Data: contract for works | Processing contract for works | During processing of contract for works, possibly for reporting purposes | Until the last related retention period ends -> e.g. contract law
Data: employment contract | Processing employment relationship | During time of employment and for processing end of employment | Attention: deadlines of pensions, pension offices, …
(Determine the lawful basis for processing; displayed: some examples of a lawful basis)
Know what information (not) to retain
- What type of information?
- How long should it be preserved?
Note: GDPR Article 17 (right to be forgotten) does not overrule retention rules defined in other legislation!
Develop a Records and Retention Schedule!
Next step: populate your data privacy register, and start with data privacy “bookkeeping”
Consult your DPO or privacy program manager.
• Document the results of your data & process analysis in a “data privacy register”
An example of a very simple data privacy register template is provided by the EDPS.
Source: https://edps.europa.eu/data-protection/our-work/publications/other-documents/register-template-0_en
An example of a more extensive data privacy register template is provided by the Belgian DPA:
https://onetrust.com/wp-content/uploads/2017/09/Belgian-DPA-Registry-of-Processing-Activities-Template-20170907-EN.xlsx
Now that we have identified the context of the data, what's next? Assess & prioritize the risk using a privacy impact assessment
There are many different (D)PIA tools and templates. One example: www.isaca.org/GDPR-DPIA
A (D)PIA can be seen as a kind of risk assessment to identify how privacy relevant data is handled
(by the different business processes) in your organization. Based on the outcome you can define
improvements in different areas (like data protection measures, policies/procedures, etc.).
Part 2 – Overview of privacy enhancing SAP tools
Map the different GDPR articles to “appropriate measures”
[Figure (source picture: SAP SE): the GDPR articles grouped by the measures they call for, among them 5-11, 6-7, 12-14, 15, 16, 17, 18, 19, 20, 21, 22, 24-27, 28-29, 30, 32, 33-34, 35-36, 37-39, 40-43 and 44-50]
The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
Discussion: identify some measures and supporting (SAP) tools
Overview of some privacy enhancing SAP tools
Data deletion & blocking:
- SAP ILM RM (data blocking & deletion)
- HR Process Workbench (mass deletion process automation)
- Data controller rule framework (central retention rules)
Restrict the access to (personal) data:
- SAP (special) authorizations (SOD, restrict access to privacy relevant data)
- SAP UI Masking (masking/blocking data based on user roles)
Data breach detection / data access logging:
- SAP Read Access Logging (monitor the access to (sensitive) personal data)
- SAP Enterprise Threat Detection
Consent management, privacy notifications:
- Options for consent request (standard SAP functions)
- SAP consent management (future feature)
E-discovery & legal hold
SAP (system/data) security:
- SAP system security (firewall, SSO, encryption, system settings, etc.)
Inform the data subject:
- Information Retrieval Framework (report on personal data)
Non productive systems:
- SAP TDMS (encryption/anonymization)
Privacy management software:
- SAP GRC
- Privacy Cockpit
- 3rd party PET software
Requesting explicit consent in SAP
Individuals have rights when it comes to the collection & processing of personal information. Consent and choice are two of those rights. As a result, organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information.
There are different options in SAP to request explicit consent for the storage and processing of personal data in for example HCM (e-recruiting), ECC, SRM, CRM, IS*, etc.
Processing personal data in SAP without explicit consent is unlawful and should be avoided.
Policy driven erasure of personal data
Under GDPR Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed
(purpose), the data subject objects to processing, or the processing was unlawful.
GDPR Article 5: purpose limitation and data minimization: do not collect/keep data without a clear purpose
Introduction of SAP ILM
The lifecycle of information (put under corporate control) can be managed with SAP Information
Lifecycle Management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of
SAP data and documents in a controlled way using records management & retention policies.
Data destruction objects
For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so-called
data destruction objects. In the SAP module HCM alone there are more than 100 data destruction
objects, and the SAP HCM data destruction objects can (in most cases) be used without
additional SAP license implications.
SAP ILM RM: applying retention rules in SAP (1)
ILM Policies are the instruments to translate (differentiated) external legal
& fiscal retention and data destruction rules to SAP data and documents
ILM retention rules serve mainly the following purposes:
- separate the data (e.g. per country) during archiving/deletion processes
- store the data in different containers (when needed for archiving)
- apply retention rules to the data (how long it MUST be preserved)
- apply expiration dates (when the data can/must be destroyed)
Retention policy: manage the lifecycle of your data
Privacy relevant data should be managed in alignment with other legislation based on retention
rules. Other (overruling) legislation – e.g. tax regulation – might require the preservation of privacy
relevant data, blocking e.g. the destruction of financial data containing privacy relevant data.
With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.
SAP ILM RM: executing data deletion in SAP
Final (policy based) data destruction in SAP
Based on the defined retention rules in SAP ILM it is possible to comply with the
retention and deletion rules to block and destroy privacy relevant SAP data in a controlled way.
Personal Data Lifecycle in SAP: block or delete?
[Diagram (source: SAP): processing in accordance with the intended purpose -> blocking phase (access only for explicitly authorized persons) -> deletion]
Masterdata: blocking of business partner
Source Picture:SAP SE.
Blocking privacy relevant data
SAP delivers business functions for the blocking of personal (business partner) data that can’t be
deleted instantly for different reasons (SAP data consistency or data must be preserved longer due
to overruling legal or fiscal legislation, etc.).
Restrict the access to personal & sensitive data
Unauthorized access to & processing of privacy relevant data must be prevented using SOD
(segregation of duties) principles and (logical) data minimization: access only the data you need.
Authorizations - restrict access to privacy relevant data
Special technical and organizational measures must be taken in order to combat the risk of
unauthorized access to the SAP ERP System. When taken, these measures ensure that
unauthorized viewing and unintentional/intentional manipulation of data is prevented.
Limit access to personal & sensitive data:
• Use a solid, flexible and clear authorization concept
• Define a strict access management policy and process
• Consistent across SAP applications & database layer (ECC, S/4HANA, BW, HR, FIORI, CRM, …)
• Restrict access to blocked data elements
• Restrict access to data reports
• Store data extracts at secure locations
• Implement sufficient security parameters to prevent unauthorized access
The Audit Information System (transaction SUIM) and many other tools (like GRC) can be
useful.
Authorizations – Analysis of access to personal data
Example of a 3rd party tool
(Soterion) to assess GDPR
related authorization risks
Source Picture: Soterion
HR: context & time sensitive authorizations
With the authorization object P_DURATION it is possible to block users' access to personal data
from the past (stored in infotypes). This could be required if the data needs to remain
available due to legal retention periods or is still required for other processes, but active
use or processing by users should no longer be possible because of data privacy rules.
There are many other types of solutions, e.g. SAP dynamic authorizations, that can support
the definition of tailored authorization concepts.
Source Picture: SAP SE.
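The retention rules, the blocking phase and the time-sensitive authorization just described all act on the same record and are easiest to understand as one state machine. The script below is an added illustration written for this page; it is not SAP ILM, not the P_DURATION object and not code from the presentation. It models the rules the slides state: the retention period is the longest applicable legal period per country and data category, counted from the end of the business purpose; a withdrawn consent ends the marketing purpose but does not shorten a legal retention period (Article 17 does not overrule other legislation); blocked records are readable only by explicitly authorized users; and a user may additionally be limited to data from the last N years. The retention years, the object ids, and the fields of `User` and `PersonalRecord` are constructed assumptions, not statutory values or SAP structures.

```python
"""Lifecycle of a personal-data record: ACTIVE -> BLOCKED -> DESTROY, plus an
access check that honours blocking and a time window on past data.

Added example, not code from the deck, from SAP ILM or from P_DURATION.
All rule values, ids and record/user fields are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed retention rules in years after end of purpose, per (country, category).
# Constructed illustration values, not statutory periods.
RETENTION_YEARS = {
    ("NL", "FINANCE"): 7, ("DE", "FINANCE"): 10,
    ("NL", "HR"): 5, ("DE", "HR"): 3,
    ("NL", "MARKETING"): 0, ("DE", "MARKETING"): 0,   # consent-based only: no legal retention
}


@dataclass
class PersonalRecord:
    object_id: str
    country: str
    categories: tuple                      # e.g. ("FINANCE",) or ("MARKETING", "FINANCE")
    record_date: date                      # business date of the data itself
    end_of_purpose: Optional[date] = None  # None while the business purpose is still active


@dataclass
class User:
    name: str
    blocked_data_access: bool = False      # explicit authorization to read blocked records
    max_past_years: Optional[int] = None   # time window on record_date; None = unlimited


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: PersonalRecord) -> Optional[date]:
    """Date after which no applicable rule requires the record any more."""
    if rec.end_of_purpose is None:
        return None
    ends = []
    for cat in rec.categories:
        if (rec.country, cat) not in RETENTION_YEARS:
            raise ValueError(f"no retention rule for {rec.country}/{cat}; refusing to guess")
        ends.append(add_years(rec.end_of_purpose, RETENTION_YEARS[(rec.country, cat)]))
    return max(ends)   # the longest applicable period wins


def lifecycle_state(rec: PersonalRecord, today: date) -> str:
    if rec.end_of_purpose is None or today < rec.end_of_purpose:
        return "ACTIVE"
    if today < retention_end(rec):
        return "BLOCKED"   # kept for legal reasons only; no active processing
    return "DESTROY"


def can_access(rec: PersonalRecord, user: User, today: date) -> bool:
    state = lifecycle_state(rec, today)
    if state == "DESTROY":
        return False   # overdue for destruction: nobody reads it
    if state == "BLOCKED" and not user.blocked_data_access:
        return False
    if user.max_past_years is not None and rec.record_date < add_years(today, -user.max_past_years):
        return False   # outside the user's time window on past data
    return True


def destruction_worklist(records, today: date):
    """Object ids whose last retention period has expired and that can be deleted."""
    return sorted(r.object_id for r in records if lifecycle_state(r, today) == "DESTROY")


# Constructed sample records and a constructed "today".
TODAY = date(2018, 3, 29)
LEAP = date(2020, 2, 29)
RECORDS = [
    PersonalRecord("INV-NL-2010", "NL", ("FINANCE",), date(2010, 1, 15), date(2010, 1, 15)),
    PersonalRecord("INV-DE-2010", "DE", ("FINANCE",), date(2010, 1, 15), date(2010, 1, 15)),
    PersonalRecord("MKT-NL-001", "NL", ("MARKETING",), date(2017, 5, 2), date(2018, 3, 1)),
    PersonalRecord("CUST-NL-007", "NL", ("MARKETING", "FINANCE"), date(2017, 5, 2), date(2018, 3, 1)),
    PersonalRecord("EMP-DE-0815", "DE", ("HR",), date(2005, 6, 1)),   # still employed
]

if __name__ == "__main__":
    clerk = User("clerk", max_past_years=10)
    auditor = User("auditor", blocked_data_access=True)
    for r in RECORDS:
        print(r.object_id, lifecycle_state(r, TODAY),
              "clerk:", can_access(r, clerk, TODAY), "auditor:", can_access(r, auditor, TODAY))
    print("destroy:", destruction_worklist(RECORDS, TODAY))
```

Note the two marketing records: MKT-NL-001 is due for destruction the moment consent is withdrawn because no other rule applies, whereas CUST-NL-007 carries finance data as well and is only blocked until the assumed seven-year period has run; that is the Article 17 point from the retention slide. The clerk with a ten-year window cannot see the 2005 HR record even though it is still active, which is the effect the P_DURATION slide describes.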
Security of personal & sensitive data
Protect the access to privacy relevant data in SAP
Source Picture: SAP SE.
UI Masking and logging (I)
Configure on field level how a field is displayed: define whether data are shown, or how they are masked.
Register authorized users per field:
• In transaction PFCG, assign users to the UI Masking authorization role.
• Users assigned to these roles will be able to see unmasked values for the applicable fields.
Source Picture – Public slides SAP SE.
Authorizations - UI Masking (II)
Result: data masking
Data is masked in the GUI transaction display for unauthorized users. This also affects high-level “admin” system users (in dynamic transactions, e.g. SE11, SE12, SE16, SE16n) unless explicitly authorized.
UI Masking also protects data during download, export, and print.
Source Picture – Public slides SAP SE.
Authorizations - UI Masking (III)
Example of role based masking of particular screen fields.
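The behaviour described on the three UI Masking slides, a per-field display rule, clear values only for the holders of the field's authorization role, no exception for technical users, and the same rule on export, can be shown in a short role-based masking routine. This is an added example written for this page, not SAP UI Masking code and not code from the presentation. The field names, the role names (Z_HR_PAYROLL, Z_FI_PAYMENT, Z_BASIS_ADMIN), the masking modes and the rows are constructed assumptions.

```python
"""Role-based masking of screen fields, applied on display and on export.

Added example, not SAP UI Masking code. Field names, role names, rules
and rows are constructed assumptions.
"""
import csv
import io

# Masking rule per field: how to mask, and which roles may see the clear value.
MASK_RULES = {
    "GBDAT": {"mode": "full", "clear_roles": {"Z_HR_PAYROLL"}},                 # date of birth
    "IBAN": {"mode": "keep_last", "keep": 4, "clear_roles": {"Z_FI_PAYMENT"}},  # last 4 visible
    "NAME": {"mode": "show", "clear_roles": set()},                              # visible to all
    "SALARY": {"mode": "full", "clear_roles": {"Z_HR_PAYROLL"}},
}
MASK_CHAR = "*"
# A field with no rule is treated as sensitive and fully masked (fail closed),
# so a newly added column is not exposed by accident.
DEFAULT_RULE = {"mode": "full", "clear_roles": set()}


def mask_value(value: str, rule: dict) -> str:
    mode = rule["mode"]
    if mode == "show":
        return value
    if mode == "full":
        return MASK_CHAR * len(value)
    if mode == "keep_last":
        keep = rule["keep"]
        if len(value) <= keep:
            return MASK_CHAR * len(value)
        return MASK_CHAR * (len(value) - keep) + value[-keep:]
    raise ValueError(f"unknown mask mode {mode!r}")


def render_field(field: str, value: str, user_roles: set) -> str:
    """Clear value only if the user holds one of the field's clear roles.
    An admin role is not special: unless listed, it is masked like any other."""
    rule = MASK_RULES.get(field, DEFAULT_RULE)
    if rule["clear_roles"] & user_roles:
        return value
    return mask_value(value, rule)


def render_record(record: dict, user_roles: set) -> dict:
    return {f: render_field(f, v, user_roles) for f, v in record.items()}


def export_csv(records, user_roles: set) -> str:
    """The export path runs through the same rule set as the display, so a
    download cannot bypass the screen masking."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(records[0].keys()))
    writer.writeheader()
    for rec in records:
        writer.writerow(render_record(rec, user_roles))
    return buf.getvalue()


# Constructed sample rows (invented values).
ROWS = [
    {"NAME": "A. Jansen", "GBDAT": "1975-04-12", "IBAN": "NL91ABNA0417164300", "SALARY": "4200"},
    {"NAME": "B. de Vries", "GBDAT": "1988-11-30", "IBAN": "DE89370400440532013000", "SALARY": "3900"},
]

if __name__ == "__main__":
    for roles in ({"Z_BASIS_ADMIN"}, {"Z_HR_PAYROLL"}, {"Z_FI_PAYMENT"}):
        print(sorted(roles), render_record(ROWS[0], roles))
    print(export_csv(ROWS, {"Z_FI_PAYMENT"}))
```

Keeping the rule table separate from the rendering code is what lets the same decision be applied on screen, in a list download and in a print preview; the slides make the same point about UI Masking covering download, export and print.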
Authorizations - UI logging – Access log (I)
Source Picture – Public slides SAP SE.
Authorizations UI logging – Access log (II)
Source Picture – Public slides SAP SE.
Data breach notifications
Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed.”
In the event of a personal data breach, data controllers must notify the supervisory authority
“without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Monitoring data breaches in SAP using RAL
If data is leaked, companies must inform the Data Protection Authority (DPA) within 72 hours of
becoming aware of the breach. All data breaches must be sufficiently documented.
So organizations must indicate exactly where in the systems breaches have taken place and
what consequences they have. They potentially must also inform the owners of the leaked data.
SAP offers a standard tool (as part of NetWeaver) to monitor the unauthorized access to
(privacy relevant) data – even if this is “just looking” at privacy relevant data. The name of the
tool is RAL (Read Access Logging) and it can monitor the access to data from many different
channels.
Source: SAP SE.
RAL (Read Access Logging) - 1
With RAL you can define and categorize the logging purposes, domains and objects yourself.
RAL (Read Access Logging) - 2
Access to privacy relevant SAP data via different channels (GUI, internet, RFC) can be logged in a
flexible way, so that you can determine in detail what needs to be logged.
RAL can help you significantly in detecting and logging data breaches in SAP.
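A read access log only helps with the 72-hour duty above if somebody evaluates it, so the following added example shows the kind of detection logic a DPO or security operations team would run over such entries. It is written for this page and is not SAP Read Access Logging code; in particular the line format is a constructed one that merely carries the information RAL conceptually records (time, user, channel, table/field, data subject), not RAL's real log structure. The expected channels per field, the bulk-read threshold and window, the field names and all log lines are constructed assumptions. Two alerts are derived: a user reading a sensitive field of unusually many distinct data subjects within a short window, and a read through a channel the logging purpose does not expect for that field.

```python
"""Detection over read-access log entries: who read which personal data.

Added example, not SAP RAL code and not RAL's log format. Thresholds,
channels, field names and log lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) channel=(?P<channel>\S+) "
    r"obj=(?P<obj>\S+) field=(?P<field>\S+) subj=(?P<subj>\S+)$"
)

# Channels expected to read a logged field (constructed): the payment interface
# legitimately reads IBANs via RFC, birth dates are expected from the GUI only.
EXPECTED_CHANNELS = {
    ("PA0002", "GBDAT"): {"GUI"},
    ("PA0009", "IBAN"): {"GUI", "RFC"},
}
BULK_THRESHOLD = 5                    # distinct data subjects ...
BULK_WINDOW = timedelta(minutes=10)   # ... read within this window


def parse(lines):
    """Parse log lines; malformed lines are skipped (count them in production)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def unexpected_channel_alerts(events):
    alerts = []
    for ev in events:
        expected = EXPECTED_CHANNELS.get((ev["obj"], ev["field"]))
        if expected is not None and ev["channel"] not in expected:
            alerts.append(("UNEXPECTED_CHANNEL", ev["user"], ev["obj"], ev["field"], ev["channel"]))
    return alerts


def bulk_read_alerts(events):
    """Sliding window per (user, obj, field): alert once, when the number of
    distinct data subjects read within BULK_WINDOW first reaches BULK_THRESHOLD."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda x: x["ts"]):
        by_key[(ev["user"], ev["obj"], ev["field"])].append(ev)
    alerts = []
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > BULK_WINDOW:
                start += 1
            subjects = {x["subj"] for x in evs[start:end + 1]}
            if len(subjects) >= BULK_THRESHOLD:
                alerts.append(("BULK_READ", *key, len(subjects)))
                break
    return alerts


def analyse(lines):
    events = parse(lines)
    return unexpected_channel_alerts(events) + bulk_read_alerts(events)


# Constructed log lines: JDOE reads six birth dates in five minutes, KLEE reads
# six over two hours, MSMITH re-reads one record, RFC_BATCH is the payment
# interface, WEBUSER reads a birth date over HTTP, and one line is garbage.
LOG_LINES = """\
2018-03-29T09:00:10Z user=JDOE channel=GUI obj=PA0002 field=GBDAT subj=00001001
2018-03-29T09:01:05Z user=JDOE channel=GUI obj=PA0002 field=GBDAT subj=00001002
2018-03-29T09:01:40Z user=MSMITH channel=GUI obj=PA0002 field=GBDAT subj=00002000
2018-03-29T09:02:12Z user=JDOE channel=GUI obj=PA0002 field=GBDAT subj=00001003
2018-03-29T09:03:30Z user=JDOE channel=GUI obj=PA0002 field=GBDAT subj=00001004
2018-03-29T09:04:01Z user=RFC_BATCH channel=RFC obj=PA0009 field=IBAN subj=00003001
2018-03-29T09:04:02Z user=RFC_BATCH channel=RFC obj=PA0009 field=IBAN subj=00003002
2018-03-29T09:04:45Z user=JDOE channel=GUI obj=PA0002 field=GBDAT subj=00001005
2018-03-29T09:05:20Z user=JDOE channel=GUI obj=PA0002 field=GBDAT subj=00001006
2018-03-29T09:06:00Z user=MSMITH channel=GUI obj=PA0002 field=GBDAT subj=00002000
2018-03-29T09:07:15Z user=WEBUSER channel=HTTP obj=PA0002 field=GBDAT subj=00004001
2018-03-29T10:00:00Z user=KLEE channel=GUI obj=PA0002 field=GBDAT subj=00005001
2018-03-29T10:20:00Z user=KLEE channel=GUI obj=PA0002 field=GBDAT subj=00005002
2018-03-29T10:40:00Z user=KLEE channel=GUI obj=PA0002 field=GBDAT subj=00005003
2018-03-29T11:00:00Z user=KLEE channel=GUI obj=PA0002 field=GBDAT subj=00005004
2018-03-29T11:20:00Z user=KLEE channel=GUI obj=PA0002 field=GBDAT subj=00005005
2018-03-29T11:40:00Z user=KLEE channel=GUI obj=PA0002 field=GBDAT subj=00005006
this line is not a log entry
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(LOG_LINES):
        print(alert)
```

Counting distinct data subjects rather than raw reads is what separates JDOE (six people in five minutes) from MSMITH (one person twice) and from KLEE (six people spread over two hours, which the ten-minute window never sees together); the thresholds belong in the logging purpose definition that the RAL slides say you categorize yourself.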
Data privacy versus system & data security
Information security = information privacy?
The term information privacy refers to the handling, controlling, sharing and disposal of personal
information, while the term information security covers a very wide range of activities, both
physical and administrative, that protect not only personal information but any type of information or
information asset that supports a business.
The difference between information privacy and information security supports the statement
"You can have security without privacy, but you cannot have privacy without security."
For example, a computer with solid access controls may be secure, but if those access
controls are not assigned correctly (the wrong people can read personal data), privacy becomes an issue.
List of possible technical measures
The German SAP user group (DSAG) provides a document (maybe not completely updated for
the GDPR, but still useful) on the different technical measures you can implement to enhance
(data) security and privacy, covering for example:
- recommendations on system parameters
- known authorization risks
- risks related to interfaces
- logging mechanisms and housekeeping
- measures around the security of the (SAP) network, database, system, etc.
https://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
Data protection in non productive SAP systems
Context: the GDPR prohibits unauthorized access to personal data and encourages (pseudo)
anonymization of data where possible. How do you give developers, testers and contract workers
access to a non-production system without endangering your data privacy and data security
obligations?
Privacy relevant data in NON productive systems
SAP offers, with SAP TDMS 4.0, the option to scramble privacy-relevant data in non-productive SAP
systems (see the SAP slide on TDMS 4.0 above).
Alternative 3rd party solutions are delivered by e.g. EPI-USE, Natuvion, etc.
Source picture: public slides SAP SE.
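To make concrete what "scrambling" has to achieve before a copy is handed to developers and testers, here is an added example (not part of this presentation and not TDMS or any vendor's code). It applies a per-field policy to two constructed sample tables: the employee number is replaced by a keyed (HMAC) pseudonym so that the link between the employee record and the payroll record survives, the name is replaced by a deterministic fake name, the bank account is masked, and the birth date is generalized to the year. The table names, field names, sample persons and the secret are all constructed for the example; the secret is the one thing that must stay in the scrambling environment and never be copied to the non-productive system.

```python
import hashlib
import hmac

# Constructed sample data (not real persons).
EMPLOYEES = [
    {"pernr": "00001001", "name": "Anna Jansen", "birthdate": "1980-02-29",
     "iban": "NL91ABNA0417164300", "costcenter": "CC100"},
    {"pernr": "00001002", "name": "Bram de Vries", "birthdate": "1975-11-03",
     "iban": "NL20INGB0001234567", "costcenter": "CC200"},
]
PAYROLL = [
    {"pernr": "00001001", "period": "2018-03", "amount": 3200},
    {"pernr": "00001002", "period": "2018-03", "amount": 2900},
]

# Constructed pool of replacement names (none of the sample names above).
FIRST_NAMES = ["Alex", "Sam", "Robin", "Kim", "Jo", "Max", "Chris", "Lee"]
LAST_NAMES = ["Smit", "Visser", "Meijer", "Bakker", "Mulder", "Bos", "Dekker", "Vos"]

# Field -> strategy. Fields not listed (cost center, period, amount) are kept,
# because test cases need them unchanged.
POLICY = {"pernr": "pseudonym", "name": "fake_name",
          "iban": "mask", "birthdate": "generalize"}


def keyed_digest(secret, value):
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_id(secret, value, length=8):
    """Deterministic keyed pseudonym: same id + same secret -> same pseudonym,
    so references between tables stay intact. Without the secret the mapping
    can be neither reversed nor recomputed from the scrambled copy."""
    digest = keyed_digest(secret, value)
    return str(int(digest[:12], 16) % (10 ** length)).zfill(length)


def fake_name(secret, value):
    """Replacement name chosen by the keyed digest, so one real person always
    maps to the same fake name within one scrambling run."""
    n = int(keyed_digest(secret, value)[:8], 16)
    first = FIRST_NAMES[n % len(FIRST_NAMES)]
    last = LAST_NAMES[(n // len(FIRST_NAMES)) % len(LAST_NAMES)]
    return f"{first} {last}"


def mask_iban(iban, keep_tail=4):
    """Keep country code and last digits only; enough to recognise a test
    record, not enough to identify the account."""
    return iban[:2] + "*" * (len(iban) - 2 - keep_tail) + iban[-keep_tail:]


def generalize_birthdate(d):
    # Year only: sufficient for age-dependent test cases, no longer a full DOB.
    return d[:4] + "-01-01"


def scramble_record(secret, record, policy=POLICY):
    out = dict(record)
    for field, strategy in policy.items():
        if field not in out:
            continue
        value = out[field]
        if strategy == "pseudonym":
            out[field] = pseudonymize_id(secret, value)
        elif strategy == "fake_name":
            out[field] = fake_name(secret, value)
        elif strategy == "mask":
            out[field] = mask_iban(value)
        elif strategy == "generalize":
            out[field] = generalize_birthdate(value)
    return out


def scramble_tables(secret, tables):
    """Scramble every table with the same secret, so that pseudonymized keys
    still join across tables."""
    return {name: [scramble_record(secret, r) for r in rows]
            for name, rows in tables.items()}


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # kept outside the target system
    out = scramble_tables(secret, {"EMPLOYEES": EMPLOYEES, "PAYROLL": PAYROLL})
    for name, rows in out.items():
        print(name, rows)
```

The point of the keyed pseudonym rather than a random one is referential integrity: a payroll result, a time record and the employee master must still belong to the same (fake) person, otherwise the test system is useless. The point of the key being outside the non-productive system is that "pseudonymized" data is still personal data as long as somebody can re-link it, so the key needs the same protection as the production data itself.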
Instruments for complex data privacy operations
Maintaining records and retention rules for different types of information, with differentiated
retention rules per country or organizational entity, can be a challenge.
SAP Data Controller Rule Framework
The SAP Data Controller Rule Framework can be used to define differentiated business rules on the
retention of SAP data, which are then used for the blocking and deletion of that data.
This "rule generator" populates SAP ILM with the corresponding ILM rules.
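The difficult part of such a rule set is not storing the rules but deciding, for one record, which of several overlapping rules applies and what dates follow from it. The following is an added example, not part of this presentation and not the SAP framework's own logic: a constructed rule set for customer data with a company-wide default, a country-specific override, an entity-specific override and a rule for the combination, plus a selection order (most specific rule wins) and the derivation of the blocking and deletion dates from the end-of-purpose date. The rule contents, the object and org-unit names and the precedence convention are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    object_type: str            # kind of record the rule covers
    country: Optional[str]      # None = any country
    org_unit: Optional[str]     # None = any organizational entity
    block_after_years: int      # years after end of purpose until the record is blocked
    delete_after_years: int     # years after end of purpose until it may be destroyed


# Constructed rule set (not SAP-delivered content).
RULES = [
    RetentionRule("CUSTOMER", None, None, 1, 5),        # company-wide default
    RetentionRule("CUSTOMER", "NL", None, 1, 7),        # country-specific override
    RetentionRule("CUSTOMER", None, "ORG_FIN", 2, 10),  # entity-specific override
    RetentionRule("CUSTOMER", "NL", "ORG_FIN", 2, 12),  # both match: most specific
]


def _specificity(rule):
    # Convention assumed for this example: country + org unit beats
    # org unit only, which beats country only, which beats the default.
    return (rule.country is not None) + 2 * (rule.org_unit is not None)


def select_rule(rules, object_type, country, org_unit):
    """Pick the most specific rule applicable to this record; fail loudly
    rather than silently keeping or deleting data when no rule exists."""
    candidates = [r for r in rules
                  if r.object_type == object_type
                  and r.country in (None, country)
                  and r.org_unit in (None, org_unit)]
    if not candidates:
        raise LookupError(f"no retention rule for {object_type}/{country}/{org_unit}")
    return max(candidates, key=_specificity)


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                      # 29 February, target year not leap
        return d.replace(year=d.year + years, day=28)


def lifecycle_dates(rule, end_of_purpose):
    """(block_date, delete_date) derived from the end-of-purpose date."""
    return (add_years(end_of_purpose, rule.block_after_years),
            add_years(end_of_purpose, rule.delete_after_years))


def lifecycle_status(rule, end_of_purpose, today):
    """'active' (still in normal use), 'blocked' (kept for legal retention,
    access restricted) or 'delete' (retention expired, destroy)."""
    block_date, delete_date = lifecycle_dates(rule, end_of_purpose)
    if today < block_date:
        return "active"
    if today < delete_date:
        return "blocked"
    return "delete"


if __name__ == "__main__":
    today = date(2018, 3, 29)
    for country, org, eop in [("NL", "ORG_SALES", date(2016, 6, 30)),
                              ("DE", "ORG_FIN", date(2010, 1, 1)),
                              ("FR", "ORG_SALES", date(2010, 1, 1))]:
        rule = select_rule(RULES, "CUSTOMER", country, org)
        print(country, org, lifecycle_dates(rule, eop),
              lifecycle_status(rule, eop, today))
```

The three states correspond to what blocking and deletion mean in practice: while "active" the data is in normal use, while "blocked" it exists only because a legal or fiscal retention obligation says so and should be readable by a small, named group, and "delete" is the trigger for the destruction run. The LookupError is deliberate: a record for which no rule exists should stop the run, not fall through to "keep forever".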
Mass processing of deletion in HR: process models
The HR process workbench can be used to define (country-specific) data destruction processes for
the controlled destruction of data from many different infotypes.
Data subject information requests
SAP Information Retrieval Framework (IRF)
Source: SAP SE.
The Information Retrieval Framework toolset can be used to define and execute the reporting of
personal data in case of a data subject request. There are also alternative 3rd party tools delivered
by e.g. EPI-USE.
Privacy management instruments
What privacy management could look like in SAP
There are many different tools to administer, monitor, document and control the different data privacy
aspects. SAP promotes SAP GRC and is considering the development of a data protection
cockpit. There are also many NON SAP tools on the market, delivered by e.g. Truste, Nymity, etc.
Source: SAP SE.
Summary of privacy enhancing SAP tools
Data deletion & blocking:
- SAP ILM RM (data blocking & deletion)
- HR process workbench (mass deletion process automation)
- Data controller rule framework (central retention rules)
Restrict the access to (personal) data:
- SAP (special) authorizations (SOD, restrict access to privacy relevant data)
- SAP UI Masking (masking/blocking data based on user roles)
Data breach detection / data access logging:
- SAP Read Access Logging (monitor the access to (sensitive) personal data)
- SAP Enterprise Threat Detection
Consent management, privacy notifications:
- Options for consent request (standard SAP functions)
- SAP consent management (future feature)
E-discovery & legal hold
SAP (system/data) security:
- SAP system security (firewall, SSO, encryption, system settings, etc.)
Inform the data subject:
- Information Retrieval Framework (report on personal data)
NON productive systems:
- SAP TDMS (encryption/anonymization)
Privacy management software:
- SAP GRC
- Data Protection Cockpit
- 3rd party PET software
The roadmap to GDPR compliance
Key questions
Identify the context of privacy relevant data
- Where (systems) is privacy relevant data used/stored?
- How & where is it processed (business process)?
- For what (lawful) purpose?
- What are the relevant (legal/fiscal) retention rules?
- Document the outcome in your data register & records and retention scheme
Assess & prioritize privacy risks
- What are the identified privacy risks (PIA)?
- Gap analysis regarding organizational & technical measures
- Evaluate risks and measures & prioritize
Develop and execute a privacy program
- How to mitigate the identified privacy risks?
- What are our data privacy policies and procedures?
- How do we govern/evaluate (ongoing) data privacy?
- Technical measures: what are the appropriate privacy enhancing tools? Implement technical measures based on the defined policies, etc.
Questions?
DISCLAIMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to
the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The author assumes no
responsibility for errors or omissions in this document, except if such damages were caused intentionally or by gross negligence.