
March 29, 2018

Workshop dataprivacy in SAP

Ing. Nico J.W. Kuijper MSc. CIPP/EU

SAP information & data governance/management consultant, (SAP) Data Privacy Consultant

Certified by the International Association of Privacy Professionals

[email protected] +31 20 615 82 89

Disclaimer: the author of this presentation does not provide any legal advice regarding data privacy with this presentation.

In this presentation personal opinions, practical experiences on the fulfillment of data protection requirements and possible instruments are discussed.

This presentation contains some pictures/slides from public available sources and SAP presentations.

March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decommissioning | HANA Data Temperature Management

Disclaimer: The information contained in this presentation is for general guidance only and provided on the understanding that the author is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. The author accepts no liability for any actions taken as response hereto.

It is the responsibility of your organization to adopt the measures it deems appropriate to achieve GDPR compliance.


Questions to the audience

Is your organization currently ready for / compliant with the GDPR?

Yes?

No?

Not sure?

Who should be responsible for data privacy in your view?

Business?

IT?

Both?

On what level should data privacy be addressed in the organization?

Strategic level?

Tactical level?

Operational level?

All these levels above?

How are other companies doing? https://www.gartner.com/newsroom/id/3701117


Analogy: processing financial transactions

Diagram labels: € in / € out; bookkeeping system; fiscal law, etc.; C-level executives (CFO); processing financial transactions; clerk; financial controller; stakeholder(s); external stakeholder(s); tax officer; head of finance; policy.

Key elements:

• Legislation

• Legal/fiscal authority

• C-Level executive

• Internal control function

• Governance & policies

• Management layer

• Record/bookkeeping

• Operations/execution layer

• Money flow in/out

• External stakeholders


Analogy: processing privacy relevant data

Diagram labels: data in / data out; privacy “bookkeeping”; GDPR; legislation; C-level executives (CIO/CDO); processing privacy relevant data; data processor; DPO (Data Privacy Officer); external stakeholder(s); DPA (Data Privacy Authority); data controller; stakeholder(s) like data subjects.

Article on data privacy bookkeeping: https://executive-people.nl/587119/privacy-boekhouding.html

Policy

Key elements:

• Legislation

• Legal authority

• C-Level executive

• Internal control function

• Governance & policies

• Management layer

• Record/bookkeeping system

• Operations/execution layer & tools

• Dataflow in/out

• External stakeholders (e.g. data subjects, external controllers & processors)


The roadmap to GDPR compliance

Key questions

Identify the context of privacy relevant data
• Where (systems) is privacy relevant data used/stored?
• How & where is it processed (business process)?
• For what (lawful) purpose?
• What are the relevant (legal/fiscal) retention rules?
• Document outcome in your data register & records and retention scheme

Assess & prioritize privacy risks
• What are the identified privacy risks (PIA)?
• Gap analysis regarding organizational & technical measures
• Evaluate risks, measures & prioritize.

Develop and execute a privacy program
• How to mitigate the identified privacy risks?
• What are our data privacy policies and procedures?
• How do we govern/evaluate (ongoing) data privacy?

Technical measures:
• What are the appropriate privacy enhancing tools?
• Implement technical measures based on defined policies
• Etc.


Presentation focus area: PET in the context of SAP

This presentation focuses mainly on the privacy enhancing technology (PET) available in SAP and also touches on some of the data privacy relevant processes this technology can be used for.

We will not focus on governance, relevant data privacy processes, roles and responsibilities, etc.


Part 1 – GDPR key aspects put into context


GDPR Article 24(1): the GDPR Key aspects

The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/ and here in different languages:

Directive 95/46/EC (General Data Protection Regulation) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679


The nature, scope, context, purpose, risk of processing personal data & appropriate measures

Diagram labels:

• Determine risks of processing the data and implement appropriate (technical) measures (some examples)
• Identify the context: determine the retention and deletion periods and triggers
• Identify the context: determine the lawful basis for processing (displayed: a few examples of a lawful basis)
• Identify the purpose for processing personal data (identify relevant business processes)
• Identify where privacy relevant data lives in your SAP system
• Personal data (in SAP)
• Purpose(s) of processing personal data
• Consent
• Delete after withdrawn consent
• SAP ILM RM
• Consent management
• Legal obligation
• Contract
• Retain based on legal retention times per country (NL x years, DE y years)
• SAP ILM RM
• Authorization concept
• Data masking
• Anonymization
• Data breach prevention & detection
• Etc.


What is considered privacy relevant data?

“Personal data” is defined as “any information relating to an identified or identifiable natural person”

“'personal data' means any information relating to an identified or identifiable natural person 'data subject'; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person” (Art. 4 Sec. 1 GDPR)

What does this mean for SAP Business Suite and SAP S/4HANA?

Data in SAP Business Suite and SAP S/4HANA is or might become personal data.

A Sales Order is linked to the Business Partner (ID). The sales order itself could contain additional personal data, or can reveal personal data (purchases of person X).

Combinations of attributes might become personal data as soon as it is possible to identify the person behind them. Example: information combined from ECC, CRM, BW, etc.


First things first (1): Detect the privacy relevant data living in your systems

• There are different tools available in the market to detect if and where privacy relevant information lives in SAP systems. SAP promotes e.g. Information Steward, Celonis, etc.

• Tip: a standard “quick to use” SAP report could be used to identify the tables in SAP used to potentially store (sensitive) privacy relevant information. Downside: too limited (it does not identify whether table records are actually populated with personal data).


First things first (2): Detect the privacy relevant data living in your systems

• Alternative: a 3rd party analysis tool could be used to verify if table records are actually populated with personal data (e.g. per personnel area), the relevant authorization checks, available data destruction objects for the identified personal data, etc.

Demo?


First things first (3): Detect the privacy relevant data living in your systems

• Usage of privacy relevant documents

Not only privacy relevant data can be stored in SAP: documents, (email) messages, etc. containing privacy relevant data can also be stored in SAP or on content/archive servers connected to SAP. This needs to be checked as well.

Example: keeping successfully sent emails containing personal data in SAP is a widespread practice (and a potential risk regarding purpose limitation, unauthorized disclosure of email content, data minimization, etc.).


Identify the purpose & processes related to the identified personal data in SAP systems

Identify the purpose for processing personal data (identify relevant business processes)

Purpose(s) of processing

• Personal data of a particular person can be used for different (lawful) purposes. Example: usage of email address

| Attribute | Used in system | Data is stored in | Purpose(s) | Business process(es) |
|---|---|---|---|---|
| Email (customer) | ECC | KNA1, SOES | Different types of business transaction communication | Send contract, order & delivery confirmation (MM/SD), invoices (FI), product defect notifications, etc. |
| Email (business partner) | CRM | BUT020, SOES | Marketing | Campaign management |
| Email (employee) | HR | PA0105, SOES | HR - Employee communication | Many different HR processes |


Aligning purposes, retention rules & laws

| Data | Purpose | Active availability | Retention period |
|---|---|---|---|
| Master data | Dependent on other purposes | With related data | Until last related retention period ends → in this example: pension law |
| Payment details | Dependent on other purposes | With related data | Until last retention period for payment details ends → e.g. tax law |
| Communication details | Dependent on other purposes | With related data | With master data |
| Marketing | Marketing | Until consent is revoked or missing renewal after x years | None |
| Data: purchase contract for iPhone & maintenance | Processing purchase contract; processing maintenance | Until end of maintenance requirements | Until last related retention period ends → e.g. tax law |
| Data: purchase contract for “The Divine Comedy” | Processing purchase contract | During processing of purchase contract, possibly for reporting purposes | Until last related retention period ends → e.g. tax law |
| Data: contract for works | Processing contract for works | During processing of contract for works, possibly for reporting purposes | Until last related retention period ends → e.g. contract law |
| Data: employment contract | Processing employment relationship | During time of employment and for processing end of employment | Attention: deadlines of pensions, pensions offices,… |

Determine the lawful basis for processing (displayed: some examples of a lawful basis)


Know what information (not) to retain

- What type of information?

- How long should it be preserved?

Note: GDPR Article 17 (right to be forgotten) does not overrule retention rules defined in other legislation!

Identify the context: determine the retention and deletion periods and triggers

Develop a Records and Retention Schedule!


Next step: populate your data privacy register, and start with data privacy “book keeping”

Consult your DPO or privacy program manager

• Document the results of your data & process analysis in a “data privacy register”

An example of a very simple data privacy register template is provided by the EDPS.

Source: https://edps.europa.eu/data-protection/our-work/publications/other-documents/register-template-0_en

An example of a more extensive data privacy register template is provided by the Belgian DPA.

https://onetrust.com/wp-content/uploads/2017/09/Belgian-DPA-Registry-of-Processing-Activities-Template-20170907-EN.xlsx


Now that we have identified the context of the data, what's next? Assess & prioritize the risk using a privacy impact assessment

There are many different (D)PIA tools and templates. One example: www.isaca.org/GDPR-DPIA

A (D)PIA can be seen as a kind of risk assessment to identify how privacy relevant data is handled (by the different business processes) in your organization. Based on the outcome you can define improvements in different areas (like data protection measures, policies/procedures, etc.).

Consult your DPO or privacy program manager


Part 2 – Overview of privacy enhancing SAP tools


Map the different GDPR articles to “appropriate measures”

[Figure: GDPR articles grouped by appropriate measure. Article numbers shown: 5, 5-11, 6, 7, 12-14, 15, 16, 17, 18, 19, 20, 21, 22, 24-27, 25, 28-29, 30, 32, 33, 34, 35-36, 37-39, 40-43, 44-50. Source picture: SAP SE]

The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Discussion: identify some measures and supporting (SAP) tools


Overview of some privacy enhancing SAP tools

Data deletion & blocking
• SAP ILM RM (data blocking & deletion)
• HR process Workbench (mass deletion process automation)
• Data controller rule framework (central retention rules)

Restrict the access to (personal) data
• SAP (special) authorizations (SOD, restrict access to privacy relevant data)
• SAP UI Masking (masking/blocking data based on user roles)

Data breach detection / data access logging
• SAP Read Access Logging (monitor the access to (sensitive) personal data)
• SAP Enterprise Threat Detection

Consent management, privacy notifications
• Options for consent request (standard SAP functions)
• SAP consent management (future feature)

E-discover & legal hold

SAP (system/data) security
• SAP system security (firewall, SSO, encryption, system settings, etc.)

Inform the data subject
• Information retrieval Framework (report on personal data)

NON productive systems
• SAP TDMS (encryption/anonymization)

Privacy management software
• SAP GRC

3rd party PET software
• Privacy Cockpit


Requesting explicit consent in SAP

Individuals have rights when it comes to the collection & processing of personal information. Consent and choice are two of those rights.

As a result, organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information.

There are different options in SAP to request explicit consent for the storage and processing of personal data in for example HCM (e-recruiting), ECC, SRM, CRM, IS*, etc.

Processing personal data in SAP without explicit consent is unlawful and should be avoided.

Options for consent request (standard SAP functions)


Policy driven erasure of personal data

Under GDPR Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed (purpose), the data subject objects to processing, or the processing was unlawful.

GDPR Article 5: purpose limitation and data minimization: do not collect/keep data without a clear purpose.


Introduction of SAP ILM

The lifecycle of information (put under corporate control) can be managed with SAP Information Lifecycle Management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data and documents in a controlled way using records management & retention policies.


Data destruction objects

For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so-called data destruction objects. In the SAP HCM module alone there are more than 100 data destruction objects, and the SAP HCM data destruction objects can (in most cases) be used without additional SAP license implications.


SAP ILM RM: applying retention rules in SAP (1)

ILM Policies are the instruments to translate (differentiated) external legal & fiscal retention and data destruction rules to SAP data and documents.

ILM retention rules serve mainly the following purposes:

- separate the data (e.g. per country) during archiving/deletion processes

- store the data in different containers (when needed for archiving)

- apply retention rules to the data (how long it MUST be preserved)

- apply expiration dates (when the data can/must be destroyed)


Retention policy: manage the lifecycle of your data

Privacy relevant data should be managed in alignment with other legislation based on retention rules. Other (overruling) legislation, e.g. tax regulation, might require the preservation of privacy relevant data, blocking e.g. the destruction of financial data containing privacy relevant data.

With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.


SAP ILM RM: executing data deletion in SAP


Final (policy based) data destruction in SAP

Based on the defined retention rules in SAP ILM it is possible to comply with the retention and deletion rules to block and destroy privacy relevant SAP data in a controlled way.


Personal Data Lifecycle in SAP: block or delete?

Diagram labels: processing in accordance with intended purpose; blocking phase (access only for explicitly authorized persons); deletion.

Source: SAP


Masterdata: blocking of business partner

Source picture: SAP SE.


Blocking privacy relevant data

SAP delivers business functions for the blocking of personal (business partner) data that can’t be deleted instantly for different reasons (SAP data consistency or data must be preserved longer due to overruling legal or fiscal legislation, etc.).


Restrict the access to personal & sensitive data

Unauthorized access to & processing of privacy relevant data must be prevented using SOD (segregation of duties) principles and (logical) data minimization: access only the data you need.


Authorizations - restrict access to privacy relevant data

Special technical and organizational measures must be taken in order to combat the risk of unauthorized access to the SAP ERP System. When taken, these measures ensure that unauthorized viewing and unintentional/intentional manipulation of data is prevented.

Limit access to personal & sensitive data:

• Use a solid, flexible and clear authorization concept

• Define a strict access management policy and process

• Consistent across SAP applications & dbase layer (ECC, S/4HANA, BW, HR, FIORI, CRM,…)

• Restrict access to blocked data elements

• Restrict access to data reports

• Store data extracts at secure locations

• Implement sufficient security parameters to prevent unauthorized access

The Audit Information System (transaction SUIM) and many other tools (like GRC) can be useful.


Authorizations – Analysis of access to personal data

Example of a 3rd party tool (Soterion) to assess GDPR related authorization risks

Source Picture: Soterion


HR: context & time sensitive authorizations

With the authorization object P_DURATION it is possible to block access by users to personal data from the past (stored in infotypes). This could be required if data needs to be available due to legal retention periods or is still required for other processes, but active use or processing by users should no longer be possible because of data privacy rules.

There are many other types of solution, e.g. SAP Dynamic Authorizations, that can support the definition of tailored authorization concepts.

Source Picture: SAP SE.


Security of personal & sensitive data


Protect the access to privacy relevant data in SAP

Source Picture: SAP SE.


UI Masking and logging (I)

Configure on field level how a field is displayed. Define whether data are shown, or how they are masked.

Register Authorized Users per Field

• In transaction PFCG, assign users to a UI Masking authorization role.

• Users assigned to these roles will be able to see unmasked values for the applicable fields.

Source Picture – Public slides SAP SE.


Authorizations - UI Masking (II)

Result: data masking

Data is masked in GUI transaction display for un-authorized users. This also affects high-level “admin” system users (in dynamic transactions, e.g. SE11, SE12, SE16, SE16n) unless explicitly authorized.

UI Masking also protects data during download, export, and print.

Source Picture – Public slides SAP SE.


Authorizations - UI Masking (III)

Example of role based masking of particular screen fields.


Authorizations - UI logging – Access log (I)

Source Picture – Public slides SAP SE.


Authorizations UI logging – Access log (II)

Source Picture – Public slides SAP SE.


Data breach notifications

“Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

In the event of a personal data breach, data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”


Monitoring data breaches in SAP using RAL

If data is leaked, companies must inform the Data Protection Authority (DPA) within 72 hours of becoming aware of the breach. All data breaches must be sufficiently documented.

So organizations must indicate exactly where in the systems breaches have taken place and what consequences they have. They potentially must also inform the owners of the leaked data.

SAP offers a standard tool (as part of NetWeaver) to monitor the unauthorized access to (privacy relevant) data, even if this is “just looking” at privacy relevant data. The name of the tool is RAL (Read Access Logging) and it can monitor the access to data from many different channels.

Source: SAP SE.


RAL (Read Access Logging) - 1

With RAL you can define and categorize the logging purpose, domains and object yourself.


RAL (Read Access Logging) - 2

Access to privacy relevant SAP data via different channels (GUI, internet, RFC) can be logged in a flexible way so that you can determine what needs to be logged in detail.

RAL can help you significantly in detecting and logging data breaches in SAP.


Data privacy versus system & data security


Information security = information privacy?

The term information privacy refers to the handling, controlling, sharing and disposal of personal information, while the term information security includes a very wide range of activities, both physical and administrative, that protect not only personal information, but any type of information or information asset that supports a business.

The difference between information privacy and information security supports the statement, “You can have security without privacy…but you cannot have privacy without security.”

For example, a computer with solid access controls may be secure; however, if access controls were not assigned correctly, privacy may become an issue.


List of possible technical measures

The German SAP user group (DSAG) provides a document (maybe not completely updated for the GDPR but still useful) on the different technical measures you can implement to enhance (data) security and privacy, based on for example:

- recommendations on system parameters

- known authorization risks

- risks related to interfaces

- logging mechanisms and housekeeping

- measures around the security of the (SAP) network, database, system, etc.

https://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf


Data protection in non productive SAP systems

Context: the GDPR prohibits unauthorized access to personal data and encourages the (pseudo)anonymization of data when possible. How do you give developers, testers and contract workers access to a non-production system without endangering your data privacy and data security regulations?


Privacy relevant data in NON productive systems

SAP offers, with SAP TDMS 4.0, the option to scramble privacy relevant data in non productive SAP systems (see SAP slide of TDMS 4.0 above).

Alternative 3rd party solutions are delivered by e.g. EPI-USE, Natuvion, etc.

Source Picture – Public slides SAP SE.


Instruments for complex data privacy operations

Maintaining records and retention rules for different types of information and with differentiated retention rules per country or organizational entity can be a challenge.


SAP Data Controller Rule Framework

The SAP Data Controller Rule Framework can be used to define differentiated business rules on the retention of SAP data used for the blocking and deletion of SAP data.

This “rule generator” populates SAP ILM with the correct ILM rules.
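The block-or-delete decision that such differentiated retention rules drive, as an added example (not code from this presentation or from SAP). The rule fields, object type, country codes and periods are constructed assumptions and do not reflect SAP ILM's own data model:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """Hypothetical rule record; field names are assumptions, not SAP ILM fields."""
    object_type: str         # e.g. "SALES_ORDER" (constructed)
    country: Optional[str]   # None = default rule for every country
    active_years: int        # years after end of purpose before blocking starts
    retention_years: int     # years after end of purpose before destruction is due

    def __post_init__(self):
        if not 0 <= self.active_years <= self.retention_years:
            raise ValueError("blocking must not start after destruction is due")


# Constructed sample rules: a default and a longer country-specific override.
RULES = (
    RetentionRule("SALES_ORDER", None, 2, 7),
    RetentionRule("SALES_ORDER", "DE", 2, 10),
)


def find_rule(rules, object_type, country):
    """Return the most specific rule: exact country first, then the default."""
    default = None
    for rule in rules:
        if rule.object_type != object_type:
            continue
        if rule.country == country:
            return rule
        if rule.country is None:
            default = rule
    return default


def add_years(start, years):
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return start.replace(year=start.year + years)
    except ValueError:
        return start.replace(year=start.year + years, day=28)


def lifecycle_state(rules, object_type, country, end_of_purpose, today):
    """Classify a record as ACTIVE, BLOCKED or DESTROY on the given day."""
    rule = find_rule(rules, object_type, country)
    if rule is None:
        # Fail closed: without a rule nothing is destroyed automatically.
        raise LookupError(f"no retention rule for {object_type}/{country}")
    if today < add_years(end_of_purpose, rule.active_years):
        return "ACTIVE"
    if today < add_years(end_of_purpose, rule.retention_years):
        return "BLOCKED"
    return "DESTROY"


def may_read(state, explicitly_authorized):
    """Blocked data is readable only by explicitly authorized persons."""
    if state == "ACTIVE":
        return True   # regular authorization checks still apply (not modelled)
    if state == "BLOCKED":
        return explicitly_authorized
    return False      # due for destruction: no further access
```

With these sample rules, a sales order whose purpose ended on 2010-03-29 is due for destruction on 2018-03-29 under the default rule but is still in the blocking phase under the "DE" override.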


Mass processing of deletion in HR: process models

The HR process workbench can be used to define (country specific) data destruction processes for the execution of the (controlled) destruction of data from many different infotypes.


Data subject information requests


SAP Information Retrieval Framework (IRF)

Source: SAP SE.

The Information Retrieval Framework toolset can be used to define and execute the reporting of personal data in case of a data subject request. There are also alternative 3rd party tools delivered by e.g. EPI-USE.


Privacy management instruments


What privacy management could look like in SAP

There are many different tools to administer, monitor, document and control different data privacy aspects. SAP promotes SAP GRC, and is thinking about the development of a data protection cockpit. There are also many NON SAP tools on the market, delivered by e.g. Truste, Nymity, etc.

Source: SAP SE.


Summary of privacy enhancing SAP tools

Data deletion & blocking

- SAP ILM RM (Data blocking & deletion)

- HR process Workbench (Mass deletion process automation)

- Data controller rule framework (central retention rules)

Restrict the access to (personal) data

- SAP (special) authorizations (SOD, restrict access to privacy relevant data)

- SAP UI Masking (Masking/blocking data based on user roles)

Data breach detection / data access logging

- SAP Read Access Logging (Monitor the access to (sensitive) personal data)

- SAP Enterprise Threat Detection

Consent management, privacy notifications

- Options for consent request (standard SAP functions)

- SAP consent management (future feature)

E-discover & legal hold

SAP (system/data) security

- SAP system security (Firewall, SSO, encryption, system settings, etc.)

Inform the data subject

- Information retrieval Framework (report on personal data)

NON productive systems

- SAP TDMS (encryption/anonymization)

Privacy management software

- SAP GRC

- Data Protection Cockpit

- 3rd party PET software


The roadmap to GDPR compliance

Key questions

Identify the context of privacy relevant data

Where (systems) is privacy relevant data used/stored?

How & where is it processed (business process)?

For what (lawful) purpose?

What are the relevant (legal/fiscal) retention rules?

Document outcome in your data register & records and retention scheme

Assess & prioritize privacy risks

What are the identified privacy risks (PIA)?

Gap analysis regarding organizational & technical measures

Evaluate risks, measures & prioritize.

Develop and execute a privacy program

How to mitigate the identified privacy risks?

What are our data privacy policies and procedures?

How do we govern/evaluate (ongoing) data privacy?

Technical measures:

What are the appropriate privacy enhancing tools?

Implement technical measures based on defined policies

Etc.


Questions?

DISCLAIMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The Author assumes no responsibility for errors or omissions in this document, except if such damages were caused intentionally or grossly negligent.