Extensive sensitive data about your customers, vendors, and employees is held in your SAP system. When addressing your data privacy, taking the SAP data model into consideration is critical; if you update one field, it will populate the value in different places throughout your system. In our experience, one personally identifiable value can be replicated up to 100 times throughout your system. With this depth of data, you need to change the values consistently throughout the system to comply with data privacy regulations. Also, many long-term SAP business users have developed customized functions, including custom tables storing data and facilitating processing, which expands the target for sensitive data.
Leveraging our decades of domain experience in the SAP data model, we can help you manage your sensitive data consistently between objects and systems.
In addition to the standard data model that SAP delivers, all clients customise their processes and data storage, replicating PII into custom tables, most without maintaining a PII data map. These tables have been built for efficiency, but new privacy laws present a challenge, as nobody knows all the places in which PII has been stored throughout SAP.
Global data privacy regulations include:
Each of these regulations includes the 'right to access' and 'right to deletion / correction'. To comply, you need to understand and map the PII in your IT estate.
We can help you to understand and identify your Personally Identifiable Information (PII), and assess your access risks. Our comprehensive service covers:
As an SAP development partner specializing in SAP data management, we have developed our own proprietary Business Object Definitions detailing the integration between objects and between systems. From this detailed table mapping, we have created a field-level integration map of all standard SAP PII fields.
Using this map, we have designed a Data Discovery program to analyze the Data Dictionary in your SAP system. It performs a wildcard search of sensitive data elements, and builds a list of tables and fields potentially containing PII. The tables are then validated to confirm they are populated.
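A sketch of this kind of discovery pass, as an added example that is not EPI-USE Labs' program: it wildcard-matches data element and field names from a Data Dictionary export against PII patterns, then keeps only fields in populated tables. The rows (shaped like SAP's DD03L field list), the patterns, the row counts and the Z/Y custom-table flag are all constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample shaped like a DD03L export: (TABNAME, FIELDNAME, ROLLNAME).
DD_FIELDS = [
    ("KNA1", "NAME1", "NAME1_GP"),
    ("KNA1", "STCD1", "STCD1"),
    ("KNA1", "KTOKD", "KTOKD"),
    ("PA0002", "GBDAT", "GBDAT"),
    ("PA0002", "NACHN", "PAD_NACHN"),
    ("ZCUST_NOTES", "CONTACT_NAME", "NAME1_GP"),
    ("ZCUST_NOTES", "NOTE_ID", "ZNOTE_ID"),
    ("ZOLD_IMPORT", "BIRTHDATE", "GBDAT"),
]
# Constructed row counts per table (for example from a COUNT(*) per table).
ROW_COUNTS = {"KNA1": 18234, "PA0002": 950, "ZCUST_NOTES": 412, "ZOLD_IMPORT": 0}

# Assumed wildcard patterns for sensitive data elements and field names.
PII_PATTERNS = ["NAME*", "*NACHN*", "GBDAT", "STCD*", "*BIRTH*", "*_NAME"]


def matches_pii(value, patterns=PII_PATTERNS):
    """Return the first wildcard pattern matching value, or None."""
    value = value.upper()
    return next((p for p in patterns if fnmatchcase(value, p)), None)


def discover(fields, row_counts):
    """List populated table fields whose data element or name looks like PII."""
    findings = []
    for table, field, element in fields:
        hit = matches_pii(element) or matches_pii(field)
        if hit is None:
            continue
        rows = row_counts.get(table, 0)
        if rows == 0:  # validation step: skip tables that hold no data
            continue
        findings.append({
            "table": table,
            "field": field,
            "data_element": element,
            "pattern": hit,
            "rows": rows,
            # Customer namespace convention: custom objects start with Z or Y.
            "custom": table.startswith(("Z", "Y")),
        })
    return findings
```

Name-based matching only produces candidates: a custom field with an uninformative name and data element is missed, which is why the output is a list of tables and fields *potentially* containing PII that still needs review.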
Our data privacy specialists will run a workshop with your functional team to define the requirements for all PII data types including:
With an additional two days’ input, we offer an Enhanced Discovery Report with our strategic partner Soterion, considering both your data privacy risk and access risk in the SAP system. Soterion focuses on building business-centric Governance, Risk and Compliance (GRC) solutions for SAP to enhance business accountability of risk.
A file export will be taken from your SAP instance and loaded to a temporary instance of Soterion, hosted in a local data center, to complete an analysis and present the results.
Soterion has a standard access risk rule-set. Whether you already run a GRC solution or not, these pre-built rules will measure your compliance status.
Highlights of the key insights provided as a part of this enhanced service:
"With the EPI-USE Labs’ approach, we can anonymise and redact sensitive data, meaning business transactions may stay in the system without being related to an identifiable individual. Now, when starting projects, we have frameworks for how to do information sensitivity and risk analyses, and from there come the requirements on the IT side, including the sensitivity of data – the complete information security perspective."
Richard Wenell, Head of IT department, JM
"Thanks to Data Secure, we can anonymize all sensitive SAP HCM data, such as employee-related data, in a very short time.
The biggest advantage of Data Disclose is that data integrity is guaranteed; customers’ sensitive data is anonymized but all orders and items sold are still accessible. All test systems stay fully functional, and test orders are still editable."
Malte Podszus, Consultant FI/CO/HR, MAPA GmbH
"We have had very good results on our Access Review Management, which is now performed by our line managers with much less effort. With Soterion, we identified that many people had risk-bearing access that they no longer needed. Now, we have reduced our access risk footprint significantly. Our business users expressed their appreciation of having a tool that was much easier for them to work through, understand, and have visibility over the reviews."
Nick Achteberg, Senior Director Technical Services (SAP), Endeavor
"Scrambling data was a time-consuming manual exercise which didn’t give us enough guarantees that sensitive data was securely scrambled. We wanted to be 100% confident that all sensitive data was masked.
We needed a product that would remove the manual effort, allow us to schedule jobs and enable us to comply with regulations. That product proved to be Data Secure."
Jan Huizinga, Technical consultant, Rabobank