As I wrote in an earlier post, the significance of the EU's new General Data Protection Regulation (GDPR) for BI teams can't be overstated. The capability BI teams need to cultivate is rapid response, both to the potential for mishandling of personal data and to the rights and requests of the data subject.
In practical terms, GDPR adoption for BI teams comes down to three activities: data inspection, data protection and data retention.
I wrote about data inspection in an earlier post. Data inspection is the first step in GDPR adoption, because you need to know what personal data you have and where it is before you can protect it and set policies for its retention.
Now let’s look at data protection.
The GDPR puts the rights of the data subject, the "fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data" (Article 1(2)), at the forefront of its regulatory requirements. Protecting personal data means controlling access to and distribution of that data, and knowing how and when to encrypt, restrict access to, anonymize and pseudonymize it.
In a recent webinar, APOS Solution Consultant Alan Golding summarized the data protection capabilities needed by BI teams with the following questions:
- Who has access to personal data reports?
  - View and manage the security model and settings.
  - Minimize the risk of human error through a clear understanding of security.
  - Identify and correct anomalies in security settings.
- How is access being controlled?
  - Maximize protection of SAP BI reports containing personal data.
- Are reports containing personal data being distributed outside the BI system?
  - Understand how and to whom reports are distributed.
  - Examine distribution methodologies for security holes.
  - Establish and maintain distribution governance.
Effective data protection for GDPR compliance requires an audit of access rights by role, user and group. As a best practice, set the bar for access to personal data very high, but consult the business process owners to understand how and when reports containing personal data are actually used. You must not hinder individuals and teams in accomplishing their business objectives, but you must also judge, report by report, whether the business need for the data outweighs the risk of personal data misuse.
Review your audit log regularly, preferably automatically, for unauthorized or risky behaviour by users; the protection of personal data should be a proactive practice, not a post-incident one. The GDPR also has very specific provisions on the transfer of personal data, in particular Chapter V on transfers to third countries and international organisations, so you need to be able to monitor how personal data is exported from and transferred by the BI system.
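The two checks above, an access-rights audit against the groups allowed to open personal-data reports and a scan of the audit log for transfers outside the organisation, can be run automatically. The following is an added example written for this post, not APOS or SAP BusinessObjects code: the line-delimited JSON audit format, the report tags, the group names and the list of internal destinations are all assumptions, and the log lines are constructed.

```python
"""Automated review of a BI audit log for personal-data reports.

Added example (not APOS's or SAP's own tooling). Assumes a hypothetical audit
export with one JSON object per line carrying: ts, user, groups, action
(view | export | schedule), report and destination.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed output of the access-rights audit: reports tagged as holding
# personal data, mapped to the groups allowed to open them.
PERSONAL_DATA_REPORTS = {
    "HR Headcount by Employee": {"HR-Analysts", "HR-Managers"},
    "Customer Churn Detail": {"CRM-Analysts"},
}

# Destinations considered to be inside the organisation (assumed values).
INTERNAL_EMAIL_DOMAINS = {"example.com"}
INTERNAL_SHARE_PREFIXES = ("smb://fs01/bi-exports/",)

# Constructed sample audit log (hypothetical format, not a real SAP BI export).
AUDIT_LOG = """\
{"ts":"2018-05-02T09:01:00Z","user":"alice","groups":["HR-Analysts"],"action":"view","report":"HR Headcount by Employee","destination":null}
{"ts":"2018-05-02T09:05:12Z","user":"bob","groups":["Finance"],"action":"view","report":"HR Headcount by Employee","destination":null}
{"ts":"2018-05-02T10:17:44Z","user":"carol","groups":["CRM-Analysts"],"action":"export","report":"Customer Churn Detail","destination":"mailto:partner@outside-agency.org"}
{"ts":"2018-05-02T10:20:03Z","user":"carol","groups":["CRM-Analysts"],"action":"schedule","report":"Customer Churn Detail","destination":"smb://fs01/bi-exports/churn.xlsx"}
{"ts":"2018-05-02T11:00:00Z","user":"dave","groups":["Finance"],"action":"view","report":"Quarterly Revenue","destination":null}
{"ts":"2018-05-02T11:30:00Z","user":"bob","groups":["Finance"],"action":"export","report":"HR Headcount by Employee","destination":"mailto:bob.personal@gmail.example"}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    rule: str
    detail: str


def is_internal(destination: str) -> bool:
    """True if a delivery destination stays inside the organisation."""
    if destination.startswith("mailto:"):
        domain = destination.split("@", 1)[-1].lower()
        return domain in INTERNAL_EMAIL_DOMAINS
    return destination.startswith(INTERNAL_SHARE_PREFIXES)


def review(log_text: str) -> list[Finding]:
    """Flag access by unauthorised groups and transfers leaving the organisation.

    Only events touching reports tagged as personal data are examined; an
    export or schedule with no recorded destination is treated as external,
    since an unknown destination cannot be shown to be safe.
    """
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        allowed_groups = PERSONAL_DATA_REPORTS.get(ev["report"])
        if allowed_groups is None:
            continue  # not a personal-data report: out of scope
        if not allowed_groups.intersection(ev["groups"]):
            findings.append(Finding(
                ev["ts"], ev["user"], "unauthorized-access",
                f"{ev['action']} of '{ev['report']}' by member of {ev['groups']}"))
        if ev["action"] in ("export", "schedule"):
            dest = ev.get("destination") or ""
            if not is_internal(dest):
                findings.append(Finding(
                    ev["ts"], ev["user"], "external-transfer",
                    f"'{ev['report']}' sent to {dest or '<no destination recorded>'}"))
    return findings


if __name__ == "__main__":
    for f in review(AUDIT_LOG):
        print(f"{f.ts} {f.rule:20} {f.user:8} {f.detail}")
```

On the constructed log this reports four findings: bob viewing and then exporting the HR report from the Finance group (two unauthorized-access findings), carol's e-mail export of churn data to an outside agency and bob's export to a personal mailbox (two external-transfer findings). carol's scheduled delivery to the internal share is not flagged, which is the kind of distinction a reviewer needs so that legitimate distribution is left alone.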
Note: this post is the third in a series of posts on the GDPR, including: