The Road to Data Protection and GDPR

I have worked in the UK utilities industry for the last 15 years, and I've spent the last ten years using SAP in this industry. For the last year I have worked with EPI-USE Labs in SAP Data and Landscape Management. This is a highly complex industry where vast amounts of personal data have to be stored in order to service the customer effectively, but with this amount of data also comes a strong focus on Data Protection Compliance. Over the next year, we are going to see a large change in the requirements for compliance as the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. There is a lot of information available on GDPR, and as mentioned I am not a lawyer or process expert in your business, so I’m not going to promise you the golden bullet to compliance.

However, I am going to publish a paper every couple of weeks during the coming months focusing on a different area of GDPR, specific to SAP data management. I will cover:

• In this article, a brief overview of the Data Protection history in the UK and highlight some of the differences GDPR is bringing;
• I will then focus on Article 5 and Recital 39 looking at Proportional Data to use case;
• Article 89 is next, to review Data security and scrambling of sensitive data once it is no more required;
• I will then discuss the Right of access to data (Article 15);
• Finally, I'll focus on the Right to erasure (Article 17) – particularly tricky in SAP.

As we at EPI-USE Labs progress with our developments and learning in this area, I will then write subsequent articles detailing what we have found and how we can help.

What is the history behind GDPR?

For the last 19 years, any UK company recording Personal Data of Companies or Customers has had to abide by the principles of the UK Data Protection Act 1998 (created following the 1995 EU Data Protection Directive). I was still attending high school at that time, people were still asking “jeeves” - google only just being founded that year, and the DVD format was released in the UK! Technological advancements have made huge leaps to what we are very used to in our daily lives today in 2017. The UK Data Protection Act 1998 provided requirements for the protection of any personal data relating to living individuals which could identify them and covered any “processing” of the data whether that be computerised or not. However, so much has changed and the volume of data which requires protection has increased exponentially since then - and as such this act is now to be superseded.

Now the European Union has created the General Data Protection Regulation (GDPR) which is live now but needs to be in place and demonstrable by all entities processing secure data by 25 May 2018. Although in legal terms 23 years is not a long time for a law to be in place with the speed at which technology, social media and consumer habits have changed, in this period the Data Protection Directive became out of date.

What is the difference between the Directive and the Regulation?

The difference between the Directive and the Regulation is that the Directive outlined principles for which each EU member state had to define their own laws; by comparison the Regulation is a strict legal act covering all EU countries which is centrally controlled and enforced. The Regulation continues to enforce the principle that a Person / Company (“Data Subject”) can request to view, change or delete their data, but also stipulates that:

• The Data stored must be proportionate to the Use Case for which it has been declared;
• GDPR is applicable to an EU citizen not company;
• Explicit and informed Consent is required for data storage;
• Maximum fines have increased to 4% of global turnover or €20 million, whichever is greater.

What does this mean to you?

Here are a couple of highlights:

• Whether your company or data centre is located within the European Union (EU) or not, this regulation is now applicable for any EU citizen within your data set.
• The regulation covers all data stored in all system types, including manual indexed files.
• Full copies of all data maintained throughout the environment will not be considered proportional to the use, i.e. you Development, Quality, Training and Preproduction environments will have to be reduced or obfuscated.
• A tick box confirming consent is no longer sufficient, you must ensure that all customers are informed and provide explicit consent for data storage.
• You must be able to demonstrate your compliance through auditors by 25 May 2018; there will be strong consequences enforced if not.

Will you be ready?

At EPI-USE Labs, I work as part of the services team that leverages our unique IP for SAP Landscape and data management. Exciting stuff! Over this series of blogs, I intend to highlight where we can assist you in becoming more GDPR compliant. I will share with you what I learn about GDPR as we take this journey together.  If you need any further information, you can subscribe to our "Let's talk Data Security" blog, or contact us on the form below.