The world wakes up to GDPR: where did it come from?

February 06, 2017
Written by Paul Hammersley

Paul has for many years been a remarkable technical force at EPI-USE Labs. As VP of the ALM Products, his portfolio includes System Landscape Optimization, and his hands-on experience of implementing Data Sync Manager and helping clients to manage data across the breadth of their SAP landscapes is unique. He has specialised knowledge about data security and how GDPR (the General Data Protection Regulation) impacts companies running SAP.

Since the start of the year, the volume has definitely been turned up on GDPR. I was speaking to customers and partners about GDPR throughout 2016, but in many cases the start of the conversation was explaining the basics to them (which was often met with some shock and concern). Having enlightened a customer on this topic, I was expecting immediate requests for data analysis services, product demos etc. In my mind, this was such a wide-ranging compliance requirement, and May 2018 was looming ever nearer. I was starting to fret on my customers’ behalf and couldn’t understand why they weren’t.

Then it dawned on me: this regulation has been in the making for over seven years. The last few years probably started with the expectation of it being finalised, but that never came to pass. So those working exclusively in the data privacy and governance areas were aware of it, and monitoring the situation, but the wider business was unaware. And crucially, no additional budget was allocated for GDPR compliance in the 2016 fiscal year, because no one expected the draft to be agreed for sure. Organisations starting their fiscal year in January this year were for the first time able to plan budgets with a certainty of when this regulation would come into effect.

Of course, that is essentially how big organisations work. Projects may be interesting, important or critical to the business, but the moment you want to allocate someone’s time to them, the question is asked: which budget is this allocated against? And if the answer is ‘there isn’t one’, then the subject is put on the back burner. I remember a few years ago talking to a customer about why they weren’t masking data in test systems, and the response was ‘we know we should be doing more, but right now there isn’t budget for that’. And that, of course, is the difference. With the headline of potential fines of 4% of global turnover or €20 million, it’s much easier to get a slice of the cake when the budget is being planned.

For the companies that now have budget allocated, a team has been put together, or at least earmarked, that combines IT, Compliance, Legal and Audit. And when they start to size up the sheer scope, it’s clear this is a significant undertaking. The project will look different for every company, varying greatly between industries, countries where they trade, company culture, IT systems used, business processes in place and much more.

In effect, the project looks like a big road map with some significant bridges or tunnels missing (or in some cases whole roads!) that would allow all the necessary journeys to take place. The focus is initially on the biggest gaps: How can we access file system data on shared drives? What about paper copies? Can we give the Right to be Forgotten for these data and process types? It’s interesting being in some of these discussions and seeing common themes and approaches.

I’ll continue to share more as these projects evolve.
