Last week was the UK SAP User Group conference at the ICC in Birmingham. The event itself was very well organised and run, with everybody finding value in some way.
For myself, as a Privacy Professional and SAP Mentor, I found the conference to be valuable. Within the UK and Europe there is a lot of talk about the upcoming General Data Protection Regulation (GDPR). These new regulations, which come into force next year on 25th May, have global reach. In that regard it is understandable that there was much discussion of the GDPR at the user group conference. What I found interesting and slightly concerning was the lack of clear advice, the lack of preparedness on the part of many businesses and the snake oil being peddled by a small minority of companies.
GDPR compliance requires more than just software, but let us deal with the software issue first. SAP produce four software assets that companies will require to become GDPR compliant:
- SAP Access Control
- SAP Information Steward (on top of SAP Data Services)
- SAP Information Lifecycle Manager
- SAP Process Control
Now I will say straight off the bat that there are other companies making similar tools, and there are additional pieces of SAP software that can fill other useful functions; however, the core ‘GDPR Compliance’ package is these four assets.
SAP Access Control controls access to systems and data, can be plugged into HR business processes (thus automating permission assignment and revocation), and is auditable.
SAP Information Steward undertakes data discovery across data landscapes, can manage data quality issues, and its output forms part of your audit.
SAP Information Lifecycle Manager undertakes archiving, secure retention management, secure deletion, and legal holds, and it is auditable.
SAP Process Control manages policy and process, facilitates adding GRC controls into business processes, and it is auditable.
If you do not have the above software and do not wish to purchase it, you should at the bare minimum ensure that your existing IT landscape includes those functionalities.
However, they by themselves are not enough. Compliance with the GDPR requires a wholesale improvement in the data governance processes within a business. In some industries it requires changing business processes to take into account the enhanced requirements for consent, or for timely access, for example. In all cases it requires that businesses adopt a stance of demonstrability. Saying you are compliant isn’t enough; you have to be able to demonstrate compliance, and do so on an ongoing basis. That is why the auditability of software is so important. Can you prove that system access is revoked when a staff member leaves the company? Can you prove that your customer service staff know what to do when a client tweets you a Subject Access Request?
Speaking to businesses at the conference and in my professional practice outside of it, it is troubling that some very large businesses, some high street names even, have not yet started their GDPR compliance projects. Within the world of the Privacy Professional we hear many stories of companies that haven’t ever archived or deleted data, companies that re-use staff ID numbers, companies that fail to appreciate the possible Pandora’s box of HR data in the cloud, multi-national business and BREXIT. In many cases, companies will tell you that they just don’t know where to start.
- START. Sitting at a desk saying ‘I don’t know where to start’ is a decision not to start.
- Look at the Information Commissioner’s website. They have lots of good advice which will get you up to speed with actionable tasks very quickly. https://ico.org.uk
- The majority of your compliance journey is policy, procedure and training related. Review, update and create where necessary.
- Consider engaging a registered Privacy Professional (IAPP or CPP/E). They are qualified to advise you, and understand what you need to accomplish to be compliant. In many cases the GDPR requires companies to hire Data Protection Officers, and you’ll need ones that are appropriately qualified and registered.
- Engage with your trusted SAP consulting company. If you do require additional software assets, they will need to be installed and configured. Typically, even in a ‘perfect environment’, that can take up to 30 days per asset.
- Accept that you will not be compliant by 25th May 2018, but you can be a long way down the road towards compliance.
- Beware of snake oil. Any company that tells you that THEY can make/get you compliant, you should avoid. Any company that tells you that they have a software tool that can get you GDPR compliant, you should avoid. Any person who tells you they are a GDPR expert, you should avoid. GDPR compliance is down to you, the business, and it takes far more than a software tool, or a collection of software tools, to become compliant. Indeed, the fine detail of the GDPR is still being worked out by the WP28 (the collection of EU Information Commissioners for each of the member states).
If there is one piece of free advice I could give in closing it would be this: don’t worry, don’t panic. You eat an elephant one bite at a time. You become GDPR compliant through steady, thought-out steps, not through knee-jerk software purchases or policy changes.
Regard the GDPR as an opportunity. If data is the new oil, then the GDPR is the environmental legislation put in place to ensure the longevity of the resource and the protection of its creators.