The EU General Data Protection Regulation (EU GDPR) takes effect on May 25, 2018, and hardly a day goes by without some news about it – and that’s the way it should be! As a DSAG member survey of SAP users showed just a few weeks ago, only just over half of the companies (53%) have a roadmap, to say nothing of full implementation of the new requirements.
Michael Müllner, Head of Security & Compliance at AKQUINET, helps to make this topic accessible to you by building a bridge from the statutory requirements to operational steps and concrete tips.
Mr. Müllner, take one look at the status of companies with regard to the GDPR and you might get the impression that many people have massively underestimated this issue. Is the situation really that dramatic?
“From an Austrian and a German perspective, companies have a crucial advantage that plays right into their hands: the fact that our previous legal situation has already been relatively strict as compared to the rest of Europe. This means that companies that have kept up to date in the past with the relevant data protection regulations valid at that time have a much easier time closing the gap to the new legal situation than companies that have largely ignored this subject.”
Naturally, data protection is not a topic that affects companies’ SAP areas alone. Why is it still important for SAP decision makers to keep the key aspects of the new regulation on their radar?
“It is not a surprise that data protection affects companies as a whole. However, a great deal of personal data at companies is processed in SAP systems in particular, automatically putting the spotlight on these systems. This is why the SAP Security & Compliance Team at AKQUINET is specifically concentrating on what the regulation means for our customers’ SAP systems and users.”
We could probably spend days talking about the various stops on the way to compliance with the GDPR. Let’s walk things back a bit, though. What is the basic idea behind the new regulation?
“The EU considers the basic idea behind the changes to the law as a way to provide end users with transparency where their personal data is concerned. The idea is to ensure that companies are no longer permitted to save, process or share personal data any way they want.
What this means for us now is the following: everyone has a right to request information on which personal data is available to a respective company, to request that incorrect data is adjusted, or to request that personal data be deleted if there is no longer a purpose or legal basis for the company to keep the data any longer.”
Hardly a day goes by now without a newsletter about the GDPR. Why is this such a hot-button issue right now and nearly impossible to avoid?
“That’s an easy one: penalties! Noncompliance with the statutory requirements brings penalties of up to 4% of a company’s revenues. Such a high penalty has certainly not been seen in this context – not even in Austria or Germany. The authorities have announced that they intend to strictly enforce the regulation. Of course, the leading case will show us what this means in practice.”
How can companies identify whether the information in their systems is considered personal data under the EU GDPR?
“This is actually the first question that customers ask us. There are three crucial components you can use to figure this out:
1) Processing component
Is the data processed fully or partially automatically, or not automatically but saved in a file system? If no, the functional area of application of the GDPR is not affected and the test ends here.
2) Content component
Is there data that refers to a (living) person or that can be connected with a person? Some examples of this typically include names, addresses, birth dates, or sometimes information about religion or other particularly sensitive information. If no, then you have anonymous or anonymized data that is not subject to the GDPR.
3) Identity component
Is the person to whom the data refers identified, or is it likely that one could generally identify the person based on the information? Specifically, could you infer who the specific person is based on the data under the content component? If no, then you again have anonymous or anonymized data that is not subject to the GDPR.
If the answer to all three questions is “YES”, then this is personal data within the meaning of Article 4 (1).
The approach using these three components has been tried and tested to help our customers separate the wheat from the chaff with respect to data stored in their SAP systems.”
Now, the GDPR is naturally not restricted to collection or processing of personal data. It provides clear guidelines about what must happen in the case of lost or stolen data. What is your advice for companies?
“It is only possible to report a data loss or theft from a company to the authorities in good time if the situation has actually been identified. In particular, unauthorized outflows of personal data from a core system must therefore be monitored reliably. This also applies to read-only access to data!
With respect to data leakage prevention, customers using our SAST Suite have two modules that provide ideal support: SAST Download Management and SAST HCM Read Access Monitoring.”
Why is it important to log read-only accesses of HR data, too?
“Privileged users in an SAP system, like administrators, need full access to sensitive data, including sensitive employee data. An appropriate “Emergency User Concept” can therefore provide an audit-proof way to document when data is opened, edited and downloaded. This is often not the case at companies with regard to purely displaying SAP HCM data. The lack of logs means that confidential personal data is not protected here. The module HCM Read Access Monitoring in our SAST Suite eliminates this vulnerability and in turn helps make data loss or forwarding much more difficult.”
The SAP standard also offers a number of features for protecting SAP systems from data theft. Isn’t this protection enough for most companies?
“The SAP standard offers rather modest options, especially when you consider that data protection must be for the company as a whole. This means that personal data in accordance with the GDPR is not the only critical data in SAP systems. That list also includes vendor data, company data like financial data or prices, and of course technical drawings or formulations. And these must also be protected, meaning that companies must be able to prevent undesired access to and especially downloads of this data.
By contrast, SAST Download Management allows companies to detect file downloads that exceed a defined size, that contain certain key words such as “Price List”, the “$” sign or others, and whether data is sent to certain e-mail addresses. And this all takes place in real time. For example, our customers have the option to take immediate action in response. This is because you can immediately identify who is trying to download what and when. Of course, there is no such thing as 100% protection against data theft. Nevertheless, we can greatly limit the likelihood of data leakage and in the worst-case scenario immediately identify the guilty party.”
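As an added illustration (not code from the SAST Suite or AKQUINET), here is a simplified version of the download-monitoring rule described above: a size threshold, content key words and watched recipient addresses, reported as who downloaded what and when. The event records, threshold, key-word list and recipient list are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class DownloadEvent:
    user: str            # SAP user who triggered the download
    timestamp: str       # ISO 8601 time of the download
    filename: str
    size_bytes: int
    content_sample: str  # e.g. column headers / first lines of the exported data
    sent_to: str = ""    # e-mail recipient if the file was mailed out, else empty

# Constructed policy (assumption; a real deployment would tune these values)
POLICY = {
    "max_size_bytes": 5 * 1024 * 1024,        # flag anything above 5 MiB
    "keywords": ("price list", "$"),           # case-insensitive match in the content
    "watched_recipients": ("@example.org",),  # address suffixes or full addresses
}

def evaluate(event, policy=POLICY):
    """Return the names of the rules the event matches (empty list = no alert)."""
    hits = []
    if event.size_bytes > policy["max_size_bytes"]:
        hits.append("size")
    sample = event.content_sample.lower()
    if any(k.lower() in sample for k in policy["keywords"]):
        hits.append("keyword")
    recipient = event.sent_to.lower()
    if recipient and any(recipient.endswith(r) for r in policy["watched_recipients"]):
        hits.append("recipient")
    return hits

def alert_line(event, hits):
    """Who / what / when, suitable for an alert or a SIEM feed."""
    return f"{event.timestamp} user={event.user} file={event.filename} rules={','.join(hits)}"

def monitor(events, policy=POLICY):
    """Evaluate a stream of events and return one alert line per matching event."""
    alerts = []
    for event in events:
        hits = evaluate(event, policy)
        if hits:
            alerts.append(alert_line(event, hits))
    return alerts

# Constructed sample events
SAMPLE_EVENTS = [
    DownloadEvent("JDOE", "2018-05-02T09:14:00", "vendors.xlsx", 120_000, "Vendor;City;Country"),
    DownloadEvent("ASMITH", "2018-05-02T09:20:00", "export.csv", 8_000_000, "Material;Price List 2018;$"),
    DownloadEvent("BLEE", "2018-05-02T10:01:00", "hr.csv", 40_000, "Pernr;Name;Salary", sent_to="x@example.org"),
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_EVENTS):
        print(line)
```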
In articles about the GDPR, you often read about concepts such as “privacy by design” and “privacy by default”. What is this exactly?
“That just means that the technology is designed in a way that makes it easier to protect data, for example via data protection-friendly default settings. Or in other words: Privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal.
This is a statement that shows you just how far-reaching the issue of data protection will be for all business done by a company and that the issue is not exclusively relevant to IT.
My tip is therefore to set up a process to implement all the obligations in good time and to think about both privacy and data protection right from the start when creating and operating data processing systems, while always aiming to follow the principle of minimizing data.”
Is there anything else you’d like to pass on to us before we finish up?
“There is something that is not limited to the SAP area and is relevant for the whole company. That is to maintain a directory containing all processing activities. What do I mean by that?
The responsible persons should maintain a directory that tracks “processing activities under its responsibility”. The purpose is to create a transparent overview of all personal data at a company, for use by both internal and external auditors.
For example, such an index should cover which data is processed using which processing activities and for which purposes. This document will play a central role in upcoming audits, no matter whether you create it in an Excel file or use a database.
A tip from our experience: adding a column that links directly to the relevant application where the data is found has proven useful again and again. This makes it considerably easier for companies to answer incoming questions as to where, across various systems, you can find the data about a specific person.”
What about the nearly 50% of companies that said they do not yet have a mature GDPR roadmap? How can you and your colleague help?
“First, we recommend evaluating the degree of maturity and then developing a company-specific GDPR catalog of actions based on this. This is followed by identifying the necessary actions and, of course, we’re also happy to support you in putting them into operation.”
Thank you for talking with us and providing some really helpful insights.
Head of Security & Compliance Services at AKQUINET (Austria)
Would you like more tips and recommendations on the General Data Protection Regulation? Take advantage of an opportunity to discuss this with us, for example at our GDPR webinar.