Anderson SANTANA DE OLIVEIRA

Prepare for the new EU General Data Protection Regulation and co-innovate with SAP GRC


The final text of the General EU Data Protection Reform has been published. It brings a number of compliance obligations that strengthen the privacy rights of individuals, for instance the right to object and the right to data portability. It also requires data breaches to be notified within 72 hours. A comprehensive guide is available here. The reform requires organizations to perform Data Protection Impact Assessments (DPIAs) as part of their overall risk management practices:

“In order to enhance compliance with this Regulation in cases where the processing operations are likely to result in a high risk for the rights and freedoms of individuals, the controller should be responsible for the carrying out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of this risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data is in compliance with this Regulation. Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.”

As an example, consider evaluating data retention risks. Keeping data for longer than necessary and failing to apply the data minimization principle can have serious consequences for the individuals concerned in the case of a data breach. Organizations can identify such risks with the help of surveys, as discussed in this panel for instance. The graphic below shows a simplified overview of the necessary steps for conducting DPIAs:


This is only one of the aspects of the new regulation. The new rules will become applicable on May 25, 2018. Fines for non-compliance are up to 4% of annual global turnover.

The GRC Product Management team and Product Security Research are running a Customer Engagement Initiative, a co-innovation project to help our customers adapt and improve their privacy management programs with SAP GRC. There is still room for participation, and candidates do not need to be current GRC customers. Contact Anderson SANTANA DE OLIVEIRA for more information.

      P. Huchappa

      Hi Anderson,

      Great blog.

      We had a partner workshop a few days back with SAP regarding GDPR, and the discussion was all about SAP ILM; there was no mention of SAP GRC.

      How different are these tools with respect to GDPR? What is the best approach?



      Anderson SANTANA DE OLIVEIRA (Blog Post Author)

      ILM is a key component for defining the organisational data retention rules. It is an essential enabler for the EU GDPR, since data controllers can manage what personal data must be kept in SAP systems and what needs to be discarded in order to comply with multiple regulations. GRC, on the other hand, allows you to oversee the company's privacy management program using multiple features of the suite, such as access controls, process controls and risk management, for instance when implementing data protection impact assessments, as I explained in this blog:


      Thanks for the question. I hope it helps; contact me if you want to know more.

      Jan Matthes

      Hi Praveen,

      As explained by Anderson, there are various ways in which SAP software can support you with GDPR. This could mean ILM for your on-premise landscape, GRC to manage and overview, but also tools within your cloud applications like C4C or SAP Business ByDesign. Here is a blog on what ByDesign offers for GDPR:




      P. Huchappa

      Thanks Jan. Good to see that there are already built-in tools to comply with GDPR in Business ByDesign.