EN
FR DE EN ES IT
| Contact Us
 
Latest
News
Let's Talk SAP Landscape
Let's Talk HCM
Let's Talk Data Security
Let's talk Cloud and Managed Services
Let's Talk Community Care

Ready for GDPR: Non-Production Data Security

August 09, 2017
James Watson
Written by James Watson

James is responsible for the global line of business for EPI-USE Labs' data privacy and SAP IS-* Solutions, supporting all regions and key accounts running Data Sync Manager (DSM) for these complex requirements. With a functional and business background of over 20 years, James provides the bridge between Development, Basis, Test/Competency Centres and leadership teams to provide guidance and advise on the route to data privacy compliance. His history includes SAP specialisms in non-production data management and anonymisation, Production data removal or redactions, System Landscape Optimisation (SLO) and SAP industry solutions.

My previous post explains how with the use of Data Sync Manager (DSM) and EPI-USE Labs you can ensure that the Data held in your non-production environments is proportional to its use, and therefore more compliant with Article 5 of GDPR. Of course, being proportionate is not the only method required to prove your compliance with GDPR; you can also consider obfuscating sensitive data. EPI-USE Labs is ready to assist here too.

From my research, Article 89 of GDPR deals with data security; this is a far-reaching topic, and rather than moving into network and security again, I’d like to focus on the SAP data and landscape.

Remove or scramble sensitive data?

The simple way to reduce your risk on data security is to remove the sensitive data which is of concern. Of course, simply removing the full data would mean you no longer have production quality data to test against. Instead, I recommend scrambling the sensitive parts of the data model but leaving the integration as is. Data Secure™ is a product that was developed by EPI-USE Labs specifically to mask data in SAP non-production systems.

Data Secure - pre-built Integrity maps

Based on the Objects already defined within Data Sync Manager, Data Secure maintains pre-built Integrity maps which detail the required data integration points to consistently affect sensitive data. These Integrity maps have already been designed for the most commonly transformed and sensitive data areas. Just a few examples include:

  • Employee – personal details, salary, payroll results etc
  • Customer – Names, phone numbers and more
  • Business Partner – Names, phone numbers and so on
  • Vendor – Names, phone numbers etc
  • Addresses – Identifying the country of the address and ensuring a consistent Post/ZIP code is used.

As a customer using Data Secure, you would be able to choose which fields within each Object you wish to scramble and which you don’t, providing you the flexibility to obfuscate only the data needed to meet your requirements.

A bespoke solution

Of course each one of you will have Customisations and extensions applied, which we are not aware of in our “default” model. To address this, we also deliver Data Discovery as part of the solution. This allows the EPI-USE Labs consultant to identify through both Data Dictionary and Data level searches of the DB where a certain Data item is maintained. This can then easily be added to the Integrity map, ensuring all areas of the system are kept consistent.

As well as the “Out of the box” Data Secure solution, our Services team is able to consult with you and define extensions or new Integrity Maps as required. For each map and data item within that map, you have the ability to select one of the following actions to consistently occur:

  1. Clear the field entirely
  2. Apply a fixed value to all entries
  3. Randomise the entry
  4. Provide a mapping table for the conversion
  5. Apply a user exit with custom scrambling code as per your requirement.
System integration

Data Secure also provides an integration to your other SAP instances, via RFC, so you can scramble consistently between systems. As an example, if you have both SRM and ECC in your environment and you wish to scramble the Bank Details for your Vendor, Data Secure will interrogate both ECC and SRM and apply the same scrambled value to each.Find out more about Data Secure

Best practice - and GDPR compliance

Making sure your non-production systems are secure is not only good practice in general, it will become more important than ever with the GDPR coming into effect on 25 May 2018. By leveraging our unique IP, the EPI-USE Labs Services team is able to slice, refresh and scramble your non-productive environment. This allows you to work towards compliance to the non-production SAP data storage requirements of GDPR.


All of the items I’ve discussed so far have been in relation to managing your non-production environment. Of equal concern is addressing the Right to View, Change and Delete which comes into force with GDPR. In the next article, I will begin to describe how EPI-USE Labs can also assist with this.

If you want any further information please contact our GDPR specialist team at gdpr@labs.epiuse.com.

 

Don't know where to start with GDPR and SAP? We do!

 

GDPR Data Security Data Secure data scrambling GDPR readiness GDPR deadline Data Sync Manager

 

Like it? Share it:

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling General Data Protection Regulation Data Redact POPI Act POPIA SAP Data Security SAP GDPR Data Archiving Data Sync Manager SAP data privacy and compliance Right to be forgotten Data privacy compliance Data privacy regulations GDPR readiness GDPR deadline Personal data SAP SAP security GRC for SAP SAP systems Access Risk management Access risk controls Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) SAP data privacy and security compliance COVID-19 Data Privacy suite Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data processor versus controller Data retention rules Documentation EPI-USE Labs’ solutions Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act Online shopping Penalties Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates

Leave a Comment:
Group Elephant part of the groupelephant.com family
beyond corporate purpose ERP

Manage your sap environment

Optimize your SAP Landscape

Maximize your SAP HCM Systems

Simplify your SAP Security & Compliance

Tools & Knowledge Resources

Get Support