The Impact of GDPR for Organizations that Run on SAP
The General Data Protection Regulation (GDPR) is a new privacy regulation in Europe that protects the personal data of any individual located in the EU, regardless of citizenship or of where the data is held. It will be enforced from 25 May 2018 and sets out strict fines for companies found to be out of compliance. The maximum fine, reserved for the most serious infringements, is “up to 4% of annual global turnover for breaching GDPR or €20 million,” (http://www.eugdpr.org) whichever is higher. That is a significant hit for an organization of any size. Though we are a year away from enforcement, it is critical for organizations to begin preparing to comply now.
Is your organization already compliant, or is it ready to fulfill the GDPR requirements within one year? For organizations running on SAP, it is essential not only to know what data falls under GDPR, but also to understand how to apply the regulation to the information processed and stored in SAP systems. Below, I have outlined four key questions to ask yourself to ensure your organization is fully prepared to be GDPR compliant by May 2018.
- Does GDPR apply to my organization?
GDPR applies to any organization, located inside or outside the EU, that offers goods or services to, or monitors the behavior of, EU data subjects. In other words, even if your organization is outside the EU, if you process the personal data of individuals in the EU, you must adhere to GDPR.
- How will it affect companies who are currently doing business with EU residents?
With GDPR, any global enterprise that collects or processes information about individuals in the EU is legally responsible for protecting that information while it is under its stewardship. Information may be retained only as long as it is needed for the purpose it was collected for and must be purged when it is no longer needed; data subjects can also request erasure of their personal data under the regulation's “right to be forgotten”.
This regulation affects information collected in sales orders, invoices, receipts, delivery slips and many other day-to-day business activities. Types of data that fall under the regulation include:
- Contact information (name, address, phone number, email)
- Credit card information
- Other personal identifiers (gender, national identification or social security number, etc.)
Organizations must have a risk team evaluate exactly how the regulation applies to their business. Conduct an inventory of what personal data is currently collected, where it is stored and how it is used, to determine how GDPR will impact your business.
- What does it mean if I run on SAP systems?
Working out how to apply GDPR to the information stored and processed in SAP systems can be very complex. Information about individuals can be held both as structured data and in documents, spread across multiple environments, systems, locations and countries. Organizations must ensure that this information is protected and properly discarded. This is why the risk evaluation mentioned in question two is critical: how is your organization currently discarding outdated information, does that process align with GDPR, or do you have to make changes?
- How can my organization prepare for May 2018?
Organizations would be wise to implement available audit and compliance solutions that help them comply with GDPR by managing personal data in online SAP systems and archive repositories.
Current SAP-certified solutions provide the capabilities to:
- Identify information on EU residents across SAP environments (ECC, SRM, HR, etc.) and systems (Production, QA, etc.); note that QA, development and test systems often hold copies of production data and are therefore in scope as well
- Protect information according to the regulation through encryption or masking (GDPR Article 32 names pseudonymisation and encryption explicitly as appropriate technical measures)
- Automatically purge data according to retention rules when it is no longer needed
- Maintain a centralized audit log of data protection activities that demonstrates compliance with GDPR