What is data privacy and how does SAP Business ByDesign Cloud ERP manage it?

Many organizations are concerned about how the more than 50 data privacy laws around the globe like

• EU data privacy regulation (GDPR),
• California consumer privacy act (CCPA)
• India Personal Data Protection Bill-2018 (PDPB)
• Chinese cyber security law (CCSL)
• Singapore Personal Data Protection Act 2012 (PDPA)
• Swiss DSG revision planned for May 2022

to name just a few, might impact their day-to-day business especially if they are using cloud business software. The video below gives you an idea on what data privacy means for GDPR and what you need to consider for your business since May 25th 2018 – if you are doing business with EU citizens.

CCPA, PDPB or PDPA regulations have similar intent and obligations as GDPR and will become effective soon (CCPA by January 1st 2020) for companies doing business with citizens of those countries and states.

The free SAP Business ByDesign Administration OpenSAP online course provides in week 4 a full training on data privacy and protection. Here you can register: https://open.sap.com/courses/byd9

Please be aware that the information provided in this blog should not be considered as legal advice or replace legal counsel for your specific needs.

The powerful capabilities which SAP’s Cloud ERP Business ByDesign provides will help you to execute data privacy policies your organization might setup.

Since 19.11 release we recommend to use only the new information lifecycle management work center and it’s configuration and to retire the old data protection and privacy work center.

Here is quick overview on what ByDesign offers to support data privacy and protection:

1. Information lifecycle management work center for data privacy officers: Allows to disclose and delete personal data across business scenarios including custom add-ons by partners (PDI). Support for all natural persons like private accounts, contacts, internal and external employees and for leads without reference to account master data.
2. Data Retention Periods: Configure minimal retention periods for key business documents in order to control deletion.
3. Block usage of data: Manually or automatically block usage of data for new business processes.
4. Logging: Change logs and read access logs for special categories of personal data like religion, bank etc.
5. Marketing permissions: Manage the natural persons consent for marketing communication.
6. Authorization: Grant and revoke access to data only to users which need the data.
7. More information: Most important links on GDPR, Business ByDesign, SAP and it’s data centers, certifications, security measures and privacy by design.

If you need more details on which legal rules apply to the SAP Cloud products and it’s data centers have a look in the Cloud Trust Center and the Data Processing Agreements  which are available in all major languages and audited by external authorities and standard organizations.

SAP is one of the first companies to receive global certification from BSI for BS 10012:2017 standard. This certification confirms that the certified internal processes of SAP are in accordance to GDPR. Here you can read more.

More details on key data security, data privacy and protection certifications of SAP data centers can be found here:

• ISO/IEC 27017 Code of practice for Cloud service information security

• ISO/IEC 27018: ISO 27018 Code of practice for personally DATA protection

• BS 10012 Personal Information Management System

General compliance certificates which are specific to ByDesign or in general for SAP can be found in the SAP compliance finder.

The demo video below gives you an impression on how data privacy works in detail:

In addition to using the information lifecycle for data privacy it is possible to use it also to fuel machine learning with valid data from your Cloud ERP. For instance data scientists and administrators are able to ensure that only current and ready to use data is consumed for machine learning and to rule-out data that should not be used anymore. Here you find a demo:

Here is an example on how to use this for data privacy compliant project expense prediction:

1. Central Data Protection & Privacy Work Center

As you have seen in the demo the data privacy expert can use the business partner view in the information lifecycle work center to easily find employees, service agents (i.e. external employees) or private accounts and block data for usage or trigger the deletion. Additionally he can generate and download detailed reports for master and transaction data which is stored for a natural person in the system as you can see in the screenshots below.

Data disclosure and deletion of personal data coming from custom add-ons is also supported by using the SAP Cloud Application Development Studio (PDI).

2. Configuration of data retention periods

Prerequisite for data privacy management is to define in the business configuration the residence and retention periods for the various business areas and companies. Those configuration settings control that data cannot be deleted within the minimal retention period and allow deletion if retention is over.

To configure the new information lifecycle based data privacy management you need to do the following:

1. Business Configuration: Activate scoping element “Information Lifecycle Management”
2. Business Configuration: Activate the scoping question “Read Access Logging” under Security/System Management (this has been moved to the new ILM work center in 1911)
   
3. Business Configuration: Configure the retention periods for business documents
4. Assign information lifecycle management work center to the administrator or data privacy officer
   
5. Activate the read access for the field groups which are relevant for your company in the information lifecycle management work center (this has been moved to the new ILM work center in 1911)
6. Activate the document lifecycle KPIs for the data privacy officer or other users
7. Here you can find detailed configuration with screenshots

3. Block usage of data for new business

Besides disclosing and deleting natural persons data it is also possible to manually or automatically block it for usage in new business processes:

1. Blocked persons will not appear in master data work centers, value helps & webservices and cannot be used for new business processes anymore.
2. Only the data privacy team will be able to see all master data and also be able to unblock.
3. Existing business documents will remain visible and will still be possible to process.
4. PDI add-ons which use standard business partner queries need to add parameter “ExludeBusinessPurposeCompleted” to hide blocked persons

The screenshots above show you how reports will look like if they contain blocked persons:

1. Blocked persons data will not appear in reports and data sources
2. Reports it will not allow to filter for blocked persons
3. Existing business documents will remain visible without persons data and key figures remain stable
4. Navigation to the natural person will not be possible anymore
5. Blocked data will not be transmitted to via interfaces to BW (so you might think about doing assuming a full upload from time to time).

With our 1902 release we have added capabilities to automatically block business partners for normal business users. So besides the well known capabilities it is now also possible to automatically block data for usage by using a scheduled run.

In the blocking run you can define the recurrence (e.g. daily) and an offset for how long a business partner needs to be in “obsolete” status before getting blocked by the run (e.g. 30 days).

Additionally data privacy experts are able to disallow the deletion of natural persons data e.g. due to a legal hold or other reasons.

4. Read access logging of sensitive data and change logs

Data privacy experts can configure which predefined business partner attributes are to be treated as special category of data and activate read access logging for sensitive data of natural persons.

1. Activate or deactivate predefined field groups for read access logging including change log.
2. Extension fields can be marked as special category either by key user or SAP Cloud Application Studio (PDI). Field group configuration can be extended by PDI.
3. PDI allows to mark partner created BO fields as special.
4. Download daily read access logs by webservice or UI within 14 days. Log is provided as XML files to be archived with external applications.
5. Here you can find more details on read access logging and how to automatically download logs by webservice

Administrators, sales and marketing employees can according to their authorization access change logs:

1. See changes per date and user
2. See changed attribute with old / new value and modification type
3. Export changes

5. Marketing permissions

Sales and marketing employees can mark contacts and private accounts to be excluded, included or checked before executing outbound marketing campaigns:

1. Mark contacts to be included, excluded from marketing campaigns per channel including ability to retrieve and change consent by webservice.
2. Channel independent marketing permissions which can be used to indicate that overall recheck might be needed.
3. Ability to add more marketing channel by configuration e.g. social media, e-mail-newsletter…
4. Ability to extend channels by PDI

6. User Authorization also for external applications

Finally ByDesign does not only control what happens inside the system but also how data is being consumed in external applications with the standard web-services and interfaces.

1. Communication scenarios and arrangements allow to control external access (via the Application and User Management work center).
2. Valid certificates are required to allow access ByDesign Web services.
3. Communication Monitoring for e.g. failed web service calls. Customers still need to assess which integration scenarios are exposed to whom.

7. More information on GDPR and links to documentation

Here you get general overview material on GDPR, the SAP GDPR policies and especially the SAP data center data privacy measures and it’s certifications which are continuously being audited:

• General information on GDPR and SAP
  

• • SAP overview on GDPR
  • GDPR regulation with links to all details in multiple languages
  • GDPR – What are the biggest problems companies have to solve?
  • Four steps to get started with GDPR
  • GDPR: Company stakeholders and obligations
  • SAP Data Protection & Privacy overview
  • SAP Data Processing Agreement in all languages
  • SAP Compliance & Certificates
  • SAP receives data privacy certification BS 10012:2017 from BSI
  • Which other tools does SAP offer for managing data privacy (e.g. GRC, ILM)?
  • BSI M2.509 English: How to conduct data privacy compliant testing?
  • BSI M2.509 German: How to conduct data privacy compliant testing?
• Documentation & enablement for SAP Business ByDesign:
  • Webinar: Lessons learned from Data privacy implementations via PDI (PartnerEdge login required).
  • Documentation: Data Privacy Management in Business ByDesign
  • Documentation: Read access logging for sensitive data
  • Sample code in python for read access log webservice
  • What to consider for custom or partner add-ons (PDI)?
  • Data Privacy & protection in SAP Cloud Application Studio (PDI)
  • Data disclosure & deletion for customer business objects in SAP Cloud Application Studio (PDI)
  • Read access logging with SAP Cloud Application Studio (PDI)
  • What’s new in SAP Cloud Application Studio (PDI) 1711 for data privacy?
  • Blog: How to request a restore point before data deletion and roll back?
  • Q&A Data Retention and Residence Periods
• Examples for potential legal bearings
  • H&M to be fined with 35 mio € for not having consent and retention rules for employee data
  • German Labour Court: EUR 5,000 compensation for insufficient and delayed fulfillment of the right of access under the GDPR
  • GDPR Awareness Coalition: Fines and investigations due to data privacy issues
  • Google hit with £44m GDPR fine over ads
  • GDPR: 5000€ fine for missing data processing agreement
  • Structural GDPR noncompliance of streaming providers
  • First costly warning letters are being sent by lawyers in Germany
  • Fines for sending unwanted emails
  • How to mitigate the risk to receive costly warnings from lawyers due to GDPR in Germany

Disclaimer

The information provided in this blog should not be considered as legal advice or replace legal counsel for your specific needs. Readers are cautioned not to place undue reliance on these statements and they should not be relied upon in making purchasing decisions or for achieving compliancy to legal regulations.