GDPR: almost a year to go. What are people aiming for?

May 11, 2017
Written by Paul Hammersley

As Senior Vice-President of the ALM Products at EPI-USE Labs, Paul Hammersley's portfolio includes test data management, landscape optimisation, and archiving. He has been a remarkable technical force in the SAP arena for over 20 years, and has extensive hands-on experience of implementing Data Sync Manager (DSM) and helping clients to manage data across the breadth of their SAP landscapes.

In my last blog, I wrote about the GDPR compliance projects sprouting up at most companies. We seem to have moved past confusion around whether GDPR will apply after Brexit (the Information Commissioners Office (ICO) has been very clear on this). I’ve even seen a surge in GDPR interest from the US, although at this stage I would say that is about where Europe was in 2016, so I would expect the subject to really gain traction there in 2018.

One common theme I’m seeing with customers is pragmatism. Having spent time digesting the information, and doing a high-level analysis of systems and processes, the conclusion seems to be: ‘there is no way we can be 100% compliant on 25 May 2018’.

Instead, companies are classifying systems and processes into three categories:

  • the most critical and important, to be dealt with before May 2018
  • then the less critical, but still in scope, to happen after May 2018.

The third, and I would say also important category, are those systems and processes which are not believed to be affected by GDPR. Having a document that lists them, and lists the reasons why they were considered not to be in scope, might be very beneficial at some point in the future. Think of it as a time capsule that you may never open - but if you do it might be very gratefully received.

I guess this is maybe a good point for the standard disclaimer - I am not legally qualified, and none of the information I am providing should be considered legal advice. What I am able to do is share experiences, viewpoints and the challenges faced by different organisations we’re working with. That seems to be quite beneficial to people at this stage; when faced with something of this scale, it is nice to know others are in the same position.

This is very much true when your position is that you will not be finished by May 2018. I recently spoke at a conference where another speaker was covering the business process management aspect of GDPR. He reinforced the message that 100% compliance on day 1 is simply not feasible for many companies, and shared that most of the compliance projects his consultants are working on have May 2018 as a milestone, but not the end of the project by any means. I should highlight that he also isn’t qualified to give legal advice.

And I guess that’s the big underlying problem with GDPR: at the moment there is still so much uncertainty. Is it legally ok to plan to NOT be completely compliant by May 2018? Organisations haven’t been given that clear guidance yet from their own legal advisors, or by their local DPA (Data Protection Authority; in the UK this is the ICO, but this is different in each European country). So everyone continues on their journeys, looking closely to see what’s happening at other organisations.

Don't know where to start with GDPR and SAP? We do!

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling General Data Protection Regulation Data Redact POPI Act POPIA SAP Data Security SAP GDPR Data Archiving Data Sync Manager SAP data privacy and compliance Right to be forgotten Data privacy compliance Data privacy regulations GDPR readiness GDPR deadline Personal data SAP SAP security GRC for SAP SAP systems Access Risk management Access risk controls Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) SAP data privacy and security compliance COVID-19 Data Privacy suite Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data processor versus controller Data retention rules Documentation EPI-USE Labs’ solutions Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act Online shopping Penalties Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: