GDPR in SAP, 29.05.2017 - hgk.hr
TRANSCRIPT
GDPR in SAP
June, 2017
Igor Gregurec
© 2012 Altima
Agenda
GDPR rules
GDPR compliance approach
Example – SAP solutions for GDPR compliance
Lifecycle of personal data
Fines and trends
The New EU Data Protection Rules
Since May 2016, an EU Regulation and Directive governs the protection of personal data.
The Regulation entered into force on 24 May 2016; it shall apply from 25 May 2018.
The Directive has entered into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
GDPR is one of the most far-reaching pieces of regulation ever
The following must be made provision for:
Creation of an independent Data Protection Officer with compliance, cyber, business procedure oversight
Purpose of data processing + lawful reason for doing it
Data protection risk impact assessment, prior approval for high risks
Data protection by design, by default
Information notices, policy implementation
Data breach notifications
Data retention consent requirements, right to erasure
Data profiling restrictions (especially automated)
Data portability, machine readable format
Data protection audits
1. Data Tagging, Delete, Retention & Blocked Access
• Tagging of personal data
• Deletion of SAP data, document the systems & procedures for deletion of non-SAP data
• Archiving of SAP data, document the systems & procedures for non-SAP data for legal purposes with retention periods
• Safe (separate, managed, blocked) storage of archived data
Personal information is safely deleted/stored after employees have left the company or following a consent request.
Based on Information Lifecycle Management, PowerDesigner and Process Control
• ILM: Tagging SAP data across environments, deletes, secure archives
• PD: Tagging non-SAP data across environments
2. Processing and Storing of Personal Data, Data Privacy Rights - Lawful basis
Based on Process Control
Data Privacy includes the following rights of the natural person (data subject):
• Their data can only be processed if one of the grounds on the left can be shown – per process
• They have the right to request blocking of their data, and deleting of their data
• The risk associated with processing their data has to be assessed
• Their data is safeguarded, ensuring that only the defined and currently agreed processing in the required scope will take place (minimising to as little data as possible)
• The data is deleted as soon as all legal retention periods have passed, and the data is blocked during the time in which it is kept for legal reasons only
• They can get all relevant information on their data undergoing processing
• They have the right to get incorrect data corrected
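The lifecycle described on slides 1 and 2 (tag the record with its lawful purpose, block it when the purpose ends, keep it only for the legal retention period, then delete it, with every read attempt logged) as an added illustration; this is constructed example code, not from the deck or from any SAP product, and the record, roles, dates and 365-day retention period are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Lifecycle states named on the slides: active (lawful processing), blocked (kept
# only for the legal retention period), deleted (retention period has passed).
ACTIVE, BLOCKED, DELETED = "active", "blocked", "deleted"

@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str                       # lawful-purpose tag, ILM-style tagging
    state: str = ACTIVE
    blocked_on: Optional[date] = None
    retention_days: int = 0            # legal retention period (constructed value)
    access_log: list = field(default_factory=list)  # RAL-style read-access log

def block(rec: PersonalRecord, today: str, retention_days: int) -> str:
    """Purpose ended (employee left, consent withdrawn): block, keep for retention only."""
    if rec.state == ACTIVE:
        rec.state = BLOCKED
        rec.blocked_on = date.fromisoformat(today)
        rec.retention_days = retention_days
    return rec.state

def expire(rec: PersonalRecord, today: str) -> str:
    """Delete as soon as the legal retention period has passed; otherwise stay blocked."""
    if rec.state == BLOCKED:
        if date.fromisoformat(today) >= rec.blocked_on + timedelta(days=rec.retention_days):
            rec.state = DELETED
    return rec.state

def read(rec: PersonalRecord, user: str, role: str, today: str) -> bool:
    """Read check with logging: blocked data is visible only to the legal-hold role."""
    allowed = rec.state == ACTIVE or (rec.state == BLOCKED and role == "legal_hold")
    rec.access_log.append((today, user, role, rec.state, "ALLOW" if allowed else "DENY"))
    return allowed

def run_lifecycle() -> dict:
    """Constructed walk-through: hire, leaver, blocked reads, retention expiry, deletion."""
    rec = PersonalRecord("EMP-0001", "payroll")
    r1 = read(rec, "hr_clerk", "hr", "2018-05-25")             # lawful processing
    block(rec, "2018-06-30", retention_days=365)               # employee leaves
    r2 = read(rec, "hr_clerk", "hr", "2018-07-01")             # blocked: denied
    r3 = read(rec, "tax_auditor", "legal_hold", "2018-07-01")  # legal purpose only
    before = expire(rec, "2019-06-29")                         # one day short: still blocked
    final = expire(rec, "2019-06-30")                          # retention passed: deleted
    denied = sum(1 for entry in rec.access_log if entry[-1] == "DENY")
    return {"reads": (r1, r2, r3), "before_expiry": before, "final": final, "denied": denied}
```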
3. Data Breaches - Accidental or malicious
GDPR:
• An “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”
• Processors must report breaches to controllers
• Controllers must report breaches to the supervisory authority (within 72 hours) and affected data subjects if at risk
• Failures can result in punitive fines per sensitive breach
Breach - DLP / IAM:
• Monitor configuration changes
• Consistently apply patches and updates
• Monitor logs for anomalies and attacks
• Review critical access and relevant transactions
• Govern access and manage identities
• Protect data inside / outside the application
• Ensure appropriate policies and training
• Mature from rigid preventive controls to agile detective controls
• Connecting with business partners and to equipment
“…take into account state of the art….cost of implementation....appropriate technical measures..”
4. Data Protection Impact Assessment - The DPIA
GDPR requires:
• A formalised process to identify non-compliant risks
• PIA carried out on any high risk processing, before it is commenced
• A description of the processing activities and purpose
• an assessment of the need for and proportionality of the processing
• risks arising and mitigations are documented and dealt with
• especially safeguards and security measures to protect personal data and comply with GDPR
Examples: large scale processing or profiling of any personal data. DPO’s advice on carrying out a PIA must be sought. Authority must be consulted before processing is carried out on high unmitigated risk.
Based on Risk Management and Process Control
5. Assist you with demonstrating your GDPR Certification - Document governance requirements
Favourable measures of demonstrating compliance would be operating a regular audit program including for example:
• Privacy by design
• Privacy impact assessments (and managed consequences)
• Engaging a DPO and giving them adequate resources and independence,
• Controller selection process, and regular review of service providers (data processors) for data processed
• Manage the use of sub-processors, vendors
• Use of e.g. pseudonymisation, encryption (so called state of the art technologies), access governance
• Certification of data processing (especially cloud where individual audits are not feasible)
Based on Process Control and Risk Management
Regulator: “Accountability, good governance, sustainable procedures”……….. when in doubt, get a DPO
Example GDPR Cockpit you might build
Example - GDPR Compliance Approach
Compliance Approach Phase 1 (1H2017) - Audit and Gap Analysis: Where is my personal data, what is my baseline risk?
Gap analysis, strategic direction, program of work
1. Identify personal data locations
   • stored or processed
   • internally, or by 3rd parties
2. Determine lawful purposes
   • processes touching data
   • consent procedures & policy management
3. Risk assess processes
   • lawful user access to data, cyber security risk
   • retention requirements and management
Supporting tools (column labels on the slide): Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, Risk Management
Compliance Approach Phase 2.1 (2H2017) - Set up Business as Usual Program: Implement data & procedures management
Data security, consent and procedure management
4. Tagging for consent, consent management
   • erasure, porting & no-process
   • retention archive & destroy
5. Data security technology for DLP and IAM
   • breach management incl. 3rd parties
   • data minimization, accuracy, unlawful viewing
6. New processes & lawful purpose
   • consent policy, risk assessments, data security
   • 3rd party contracts
Supporting tools (column labels on the slide): Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL
Compliance Approach Phase 2.2 (1H2018) - Embed DPO, Compliance Status: Accountability, governance, repeatable processes
Ready for Regulator
7. DPO engagement
   • DPIA and compliance signoff
   • DPO sanctions certification
8. Governance process evidence
   • accountability
   • transparency policy
9. Regulator communication procedures
   • audit procedures
   • breach notification policy (country, industry)
Supporting tools (column labels on the slide): Information Lifecycle Management*, PowerDesigner, Information Steward, Celonis, Process Control, AC, DAM, SSO/IDM, Risk Management, CRM links, Enterprise Threat Detection, RAL, BI Cockpit, Audit Management
Core SAP Solutions for GDPR Compliance
GDPR is so vast no single solution in the market can address all of it. Furthermore, there is no single most important area to focus on first. SAP have the unique advantage of best of breed solutions when used together to enable you to demonstrate your GDPR compliance:
Process Control (PC): The single most important custodian of GDPR compliance, providing ongoing digital evidence to the supervising authority of for example breach management, compliant policies & privacy notices and procedures, lawful exclusions, DPIA results (and assessment), controls (with automated monitoring across SAP and non-SAP systems), challenge responses, audit evidence (AM for full audits) and action management, lawful purpose per process, third party and contract management, processor/sub-processor management.
Information Lifecycle Management (ILM)*, PowerDesigner (PD): ILM is a powerful SAP-only tool for tagging personal data across multiple environments and managing the procedures for deleting and archiving with defensible legal retention requirements. PD covers non-SAP data tagging (not deleting).
Information Steward: Mature data profiling and metadata management tool providing contiguous interrogation of the location of personal data across the estate for SAP and non-SAP systems, as well as assisting in managing personal data accuracy and consistency.
Celonis: Cutting edge HANA-powered process mining technology to understand and visualize which processes actually ‘touch’ personal data, as opposed to the ones you think do, with real-time cross-platform big data surveillance for SAP and non-SAP systems.
Read Access Logging (RAL)* or Enterprise Threat Detection (ETD): Data Loss Prevention. RAL will monitor, log and categorise read access to personal data for SAP systems. HANA-powered ETD is a big-data real-time security event detection and management tool for application-level access processing and pattern analysis - provides real time breach, inappropriate access, investigation and remediation plus dashboarding.
AC, DAM, IDM/SSO, HR: Id & Access Management. Managing lawful user access to personal data is a core requirement of GDPR either in active business systems, contracted processors, archives, as part of employee enrolment, or contract management. SAP provides robust best of breed solutions.
Customer Relationship Management (CRM): Customer-facing solution to track and manage consent requests, regulator dialogues.
BI for Cockpit: Develop a dashboard that provides the single place to go for real-time GDPR compliance status, with drill-through into topic details.
Example - Personal Data in SAP Business Suite
Lifecycle of personal data handled
Last but not least
The GDPR carries massive fines -- up to €20 million or 4% of your company's global gross revenue, for a single violation
Say you’re DPO at JetBlue. What happens to your company (and your career), when a DPA determines your team violated the GDPR and levies a fine of $256,000,000? (That’s 4% of 2016 gross revenue.)
Germany Enacts GDPR Implementation Bill
Facebook received a $122 million fine from the European Union’s antitrust regulators, who say the social media giant provided misleading information during its 2014 acquisition of the messenger app WhatsApp
Altima d.o.o.
Horvatova 80A, HR-10010 Zagreb, Hrvatska
T +385 1 6408 000, F +385 1 6408 001
www.altima.hr, [email protected]