There are a lot of discussions about privacy and data protection these days due to all the data leaks and breaches we can read about in the newspaper. HR data is especially sensitive in this respect and needs to be protected. The SAP HR system offers very good authorization tools (structural authorization, context sensitive authorizations).
But one things astonishes me again and again: When we are implementing a new SAP HR system there are always numerous interfaces existing between the old HR-system(s) and many other systems. And guess what: The funny thing is that at the beginning we are always discussing about the data protection for the HR system but nobody cares how the HR data you transfer to the other system is protected. Do not get me wrong: I do not want to implicate that the data is per se more secure when it is stored on the SAP HR system and I know that HR data is needed in other systems for business purposes – e.g. for production planning. But nobody can release you from your liability as the owner of the HR data. And nobody will care when HR data will get lost from one system outside SAP HR whether you have done everything right. The reputation of the HR department will be damaged.
Therefore I always follow some simple steps in order to ensure an organization-wide protection of the HR data:
- New approach: I know that you are always under pressure to implement a HR solution as quickly as possible and that you will see these points below as an unnecessary burden. But just think of the cost for your company when a headhunter can get HR data out of a partner system and can hire your top employees. Therefore the first step must be that you see this area as part of your responsibilities.
- Create a data map: Before discussing all the technical details for the outbound interfaces from the SAP HR system create a map with all the partner systems and with all the data which is distributed.
- Questions: Discuss for every interface whether the distribution of the data is really necessary and whether it is not possible to exclude some data elements from the distribution.
- Service Level Agreements: Include a security chapter within the service level agreement. There should be a description included in the service level agreement which describes how the HR data is protected within the partner system and who can access this data.
- Approval: Present your findings and results in the project steering committee in order to be sure that all decision makers are aware of these challenges and clearly articulate the challenges if you were not successful with step 3-4 for a partner system.
- Hub concept: It is quite obvious that from a technical point of view you can support this approach by establishing the SAP PI as single point of distribution to the other systems so that you have one place to monitor all the data exchanges.