
The final text of the General EU Data Protection Reform has been published. It brings a number of compliance obligations that strengthen the privacy rights of individuals, for instance the right to object and the right to data portability. It also requires data breaches to be notified within 72 hours. A comprehensive guide is available here. The reform requires organizations to perform Data Protection Impact Assessments (DPIAs) as part of their overall risk management practices:

“In order to enhance compliance with this Regulation in cases where the processing operations are likely to result in a high risk for the rights and freedoms of individuals, the controller should be responsible for the carrying out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of this risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data is in compliance with this Regulation. Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.”

As an example, consider evaluating data retention risks. Keeping data for longer than necessary and failing to apply the data minimization principle can have serious consequences for individuals in the case of a data breach. Organizations can identify such risks with the help of surveys, as discussed in this panel for instance. The graphic below shows a simplified overview of the necessary steps for conducting DPIAs:

[Figure: simplified overview of the steps for conducting a DPIA]

This is only one of the aspects of the new regulation. The new rules will become applicable on May 25, 2018. Fines for non-compliance are up to 4% of annual global turnover.

The GRC Product Management team and Product Security Research are running a Customer Engagement Initiative, which consists of a co-innovation project to help our customers improve their privacy management programs with SAP GRC. There is still room for participation. Candidates do not need to be current GRC customers. Contact Anderson SANTANA DE OLIVEIRA for more information.


2 Comments


  1. P. Huchappa

    Hi Anderson,

    Great blog.

    We had a partner workshop a few days back with SAP regarding GDPR, and the discussion was all about SAP ILM; there was no mention of SAP GRC.

    How different are these tools with respect to GDPR? What is the best approach?

    Regards

    Praveen

    1. Anderson SANTANA DE OLIVEIRA Post author

      ILM is a key component for defining the organisational data retention rules – it is an essential enabler for the EU GDPR, since data controllers can manage what personal data must be kept in SAP systems and what needs to be discarded in order to comply with multiple regulations. GRC, on the other hand, allows one to oversee the company’s privacy management program using multiple features of the suite, such as access controls, process controls and risk management; for instance, in implementing data protection impact assessments, as I explained in this blog: https://blogs.sap.com/2017/03/02/implementing-data-protection-impact-assessments-with-sap-grc-risk-management/


      Thanks for the question. I hope this helps; contact me if you want to know more.
