The Road to Data Protection and GDPR

June 29, 2017
Written by James Watson

James is responsible for the global line of business for EPI-USE Labs' data privacy and SAP IS-* Solutions, supporting all regions and key accounts running Data Sync Manager (DSM) for these complex requirements. With a functional and business background of over 20 years, James provides the bridge between Development, Basis, Test/Competency Centres and leadership teams to provide guidance and advise on the route to data privacy compliance. His history includes SAP specialisms in non-production data management and anonymisation, Production data removal or redactions, System Landscape Optimisation (SLO) and SAP industry solutions.

I have worked in the UK utilities industry for the last 15 years, and I've spent the last ten years using SAP in this industry. For the last year I have worked with EPI-USE Labs in SAP Data and Landscape Management. This is a highly complex industry where vast amounts of personal data have to be stored in order to service the customer effectively, but with this amount of data also comes a strong focus on Data Protection Compliance. Over the next year, we are going to see a large change in the requirements for compliance as the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. There is a lot of information available on GDPR, and as mentioned I am not a lawyer or process expert in your business, so I’m not going to promise you the golden bullet to compliance.

However, I am going to publish a paper every couple of weeks during the coming months focusing on a different area of GDPR, specific to SAP data management. I will cover:

  • In this article, a brief overview of the Data Protection history in the UK and highlight some of the differences GDPR is bringing;
  • I will then focus on Article 5 and Recital 39 looking at Proportional Data to use case;
  • Article 89 is next, to review Data security and scrambling of sensitive data once it is no more required;
  • I will then discuss the Right of access to data (Article 15);
  • Finally, I'll focus on the Right to erasure (Article 17) – particularly tricky in SAP.

As we at EPI-USE Labs progress with our developments and learning in this area, I will then write subsequent articles detailing what we have found and how we can help.

The Road to Data Protection and GDPR

What is the history behind GDPR?

For the last 19 years, any UK company recording Personal Data of Companies or Customers has had to abide by the principles of the UK Data Protection Act 1998 (created following the 1995 EU Data Protection Directive). I was still attending high school at that time, people were still asking “jeeves” - google only just being founded that year, and the DVD format was released in the UK! Technological advancements have made huge leaps to what we are very used to in our daily lives today in 2017. The UK Data Protection Act 1998 provided requirements for the protection of any personal data relating to living individuals which could identify them and covered any “processing” of the data whether that be computerised or not. However, so much has changed and the volume of data which requires protection has increased exponentially since then - and as such this act is now to be superseded.

Now the European Union has created the General Data Protection Regulation (GDPR) which is live now but needs to be in place and demonstrable by all entities processing secure data by 25 May 2018. Although in legal terms 23 years is not a long time for a law to be in place with the speed at which technology, social media and consumer habits have changed, in this period the Data Protection Directive became out of date.

What is the difference between the Directive and the Regulation?

The difference between the Directive and the Regulation is that the Directive outlined principles for which each EU member state had to define their own laws; by comparison the Regulation is a strict legal act covering all EU countries which is centrally controlled and enforced. The Regulation continues to enforce the principle that a Person / Company (“Data Subject”) can request to view, change or delete their data, but also stipulates that:

  • The Data stored must be proportionate to the Use Case for which it has been declared;
  • GDPR is applicable to an EU citizen not company;
  • Explicit and informed Consent is required for data storage;
  • Maximum fines have increased to 4% of global turnover or €20 million, whichever is greater.

What does this mean to you?

Here are a couple of highlights:

  • Whether your company or data centre is located within the European Union (EU) or not, this regulation is now applicable for any EU citizen within your data set.
  • The regulation covers all data stored in all system types, including manual indexed files.
  • Full copies of all data maintained throughout the environment will not be considered proportional to the use, i.e. you Development, Quality, Training and Preproduction environments will have to be reduced or obfuscated.
  • A tick box confirming consent is no longer sufficient, you must ensure that all customers are informed and provide explicit consent for data storage.
  • You must be able to demonstrate your compliance through auditors by 25 May 2018; there will be strong consequences enforced if not.

Will you be ready?

At EPI-USE Labs, I work as part of the services team that leverages our unique IP for SAP Landscape and data management. Exciting stuff! Over this series of blogs, I intend to highlight where we can assist you in becoming more GDPR compliant. I will share with you what I learn about GDPR as we take this journey together.  If you need any further information, you can subscribe to our "Let's talk Data Security" blog, or contact us on the form below.

Don't know where to start with GDPR and SAP? We do!

 

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling General Data Protection Regulation Data Redact POPI Act POPIA SAP Data Security SAP GDPR Data Archiving Data Sync Manager SAP data privacy and compliance Right to be forgotten Data privacy compliance Data privacy regulations GDPR readiness GDPR deadline Personal data SAP SAP security GRC for SAP SAP systems Access Risk management Access risk controls Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) SAP data privacy and security compliance COVID-19 Data Privacy suite Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data processor versus controller Data retention rules Documentation EPI-USE Labs’ solutions Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act Online shopping Penalties Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: