At SAP SuccessFactors, we have the pulse on shifting regulatory frameworks, and are committed to helping our customers comply with current regulations as well as what we anticipate future regulations will be.
SAP customers can be assured that we already log incidents and provide supporting data in case of a confirmed personal data breach. Our strict security policies already reflect requirements introduced in GDPR and have been in place for some time. We will continue to invest in state-of-the-art security measures and constantly improve them to best protect the customer data entrusted to SAP.
SAP is introducing read access logging as part of its rigorous product standards. These product standards, together with our secure software development lifecycle, ensure our software is built according to the principles of privacy by design and privacy by default. SAP SuccessFactors will enable customers to use the Data Protection and Privacy Read Audit feature in Q3 2018 for Employee Central, Employee Central Payroll, Platform, Onboarding, Recruiting Management, Reporting and Workforce Analytics. Other SAP SuccessFactors products generally do not contain data fields with sensitive information and are therefore beyond the scope and purpose of this feature.
In the overall context of appropriate technical and organizational measures required under Art. 32 GDPR, sensitive data requires a high standard of protection. Customers have various means available to ensure a level of security appropriate to the risk. Here are some examples. Note that read access logging via the Read Audit feature is one of many key aspects relevant to these security concepts:
- Data Minimization – Customers need to ensure that personal data and sensitive data are only collected and stored if absolutely required. In many cases, sensitive personal data requires valid consent from the person concerned. As part of overall compliance efforts, customers should review whether sensitive data previously collected is still permitted to be stored and processed under GDPR.
- Role Based Permission (RBP) – Customers can and should implement strict RBP concepts to limit the number of persons who can access sensitive data fields. It is generally advisable to limit access to those who have an absolute need to view such data.
- Data Masking – To further protect sensitive data, customers can mask data to avoid read access by unauthorized personnel. Accordingly, they would not be able to read such data as clear text.
- Read Access – If customers allow identified persons access to sensitive data, they may want to introduce additional protection by configuring read access logging, which provides the ability to determine when sensitive data was read and by whom. This is an additional control mechanism to enforce the “need to know” principle and generally limit access to data except when there is a true business requirement. This is an advanced data protection feature not directly mandated by GDPR. Customers must actively decide if the feature is required and to what extent it should be activated.
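The last three controls above work together: RBP decides who may see a sensitive field in clear text, masking covers everyone else, and read access logging records each clear-text read. As an added illustration (not SAP SuccessFactors code; roles, field names and records are constructed), a minimal employee store that applies exactly that sequence:

```python
"""Layered controls over a sensitive HR field: RBP decides who may see clear
text, everyone else gets a masked value, and every clear-text read is logged.
Added illustration only; roles, field names and records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed RBP table: sensitive field -> roles allowed to read it in clear text.
RBP_CLEAR_TEXT: Dict[str, Set[str]] = {
    "national_id": {"payroll_admin"},
    "disability_status": {"hr_business_partner"},
}


@dataclass(frozen=True)
class ReadAuditEntry:
    timestamp: str   # ISO 8601, UTC
    user: str        # who read the data
    subject: str     # whose record was read
    field_name: str  # which sensitive field was read


class EmployeeStore:
    def __init__(self, records: Dict[str, Dict[str, str]]):
        self.records = records
        self.audit_log: List[ReadAuditEntry] = []

    def read_field(self, user: str, role: str, subject: str, field_name: str,
                   now: Optional[datetime] = None) -> str:
        value = self.records[subject][field_name]
        if field_name not in RBP_CLEAR_TEXT:
            return value  # non-sensitive field: out of scope for read auditing
        if role not in RBP_CLEAR_TEXT[field_name]:
            return "*" * len(value)  # masked: no clear text exposed, no read entry
        # Clear-text read of a sensitive field: record when and by whom.
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append(ReadAuditEntry(ts, user, subject, field_name))
        return value

    def who_read(self, subject: str, field_name: str) -> List[Tuple[str, str]]:
        """The audit question: who read this field of this person, and when?"""
        return [(e.user, e.timestamp) for e in self.audit_log
                if e.subject == subject and e.field_name == field_name]


# Constructed sample record; a recruiter sees a masked value, payroll sees clear text.
SAMPLE = EmployeeStore({"emp-1001": {"name": "A. Example", "national_id": "123456789"}})
SAMPLE.read_field("u.recruiter", "recruiter", "emp-1001", "national_id")    # "*********"
SAMPLE.read_field("u.payroll", "payroll_admin", "emp-1001", "national_id")  # "123456789"
```

Note that a masked read produces no audit entry because no clear text was exposed; a deployment that also wants to see denied attempts would log those separately.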
The SAP SuccessFactors Data Protection and Privacy (DPP) strategy includes many new features in support of GDPR today, while also putting stronger safeguards in place to help prepare for future regulatory changes. Customers should routinely evaluate their usage of all technical features, as well as their organizational processes related to DPP, in the context of their business needs.
Find out more about the technical and organizational measures (TOMs) SAP has in place to protect customer data in SAP’s Cloud Services Data Processing Agreement (DPA).
Learn more about how SAP SuccessFactors can help you prepare for the General Data Protection Regulation here.