When I started researching a book about “Generation Z” and the so-called General Data Protection Regulation, aka EU-DSGVO (Datenschutzverordnung), in the context of social media (e.g. Instagram, Snapchat, Musical.ly) in 2015, there was little public awareness of data privacy and protection. GDPR is a topic which now touches everybody – customers, employees as well as individuals have become very sensitive about this subject.
The EU’s General Data Protection Regulation (GDPR), passed by the EU in May 2016, will be enforced from 25 May 2018. It will have a major impact on all EU organizations, and even on those based outside the EU when they offer goods or services to people located in the European Union, process their personal data or monitor their behavior. The new Regulation will touch most departments of organizations that handle data, as well as service providers who process or monitor data on behalf of an organization (e.g. a Cloud provider that offers data storage). Fines of up to 4% of the annual global turnover or €20m (whichever is higher!) for companies that fail to comply with the Regulation not only raise the question of who will be first, but should also motivate organizations to take data protection more seriously.
Increase trust and protect individuals
At the same time, this Regulation will allow organizations to show customers that they are trustworthy and responsible, and to derive added value from the data they hold. After all, GDPR strengthens our individual rights regarding our informational self-determination, and its concept of personal data covers any data relating to an identified or identifiable natural person. It protects all individuals in the European Union (EU), which could include customers, employees, suppliers as well as end-users.
Some of the most relevant features of the GDPR
- An affirmative action (in the sense of consent) must be given prior to all processing of personal data, and every time the purpose of the data collection changes, the user has to declare his/her consent again. Besides, consent can be withdrawn at any time, and withdrawing it shall be as easy as giving it.
- Every subject has the right of information about him/herself and the right to be forgotten within certain legal boundaries.
- It should be easily possible for a user to switch from one service provider to another, transferring his/her personal data.
- Data protection principles must be assured by technical and organizational measures.
- The appointment of a Data Protection Officer (DPO) to oversee and implement the data protection strategy is mandatory for any organization that processes or stores large amounts of personal data (whether for employees, individuals outside the organization, or both).
- Liability applies to all parties involved in the processing of personal data. In the SAP cloud business, it is the customer (in the role of data controller) as well as SAP processing the data on behalf of customers or partners (in the role of the data processor).
- All companies with business in Europe must comply with the law (lex loci solutionis).
Cloud companies in their role as data processor
As a Cloud company, SAP is subject to strict controls in its role as data processor and therefore has to have an appropriate compliance framework in place. This is also true for partner companies that build applications on the SAP Cloud Platform and use either SAP data centers or other cloud infrastructure to process their customers’ data.
Finally, I would like to share a partner quote from Ingentis, a German-based software company with more than 20 years of experience in the area of HR applications and a successful cloud application, the so-called Ingentis org.manager, offered on the SAP App Center. Wolfgang Schuller, Managing Director and Founder, will share some insights related to the General Data Protection Regulation (GDPR).
SAP Cloud Platform Build Partner Ingentis talking about GDPR
When assessing your GDPR readiness, what are the hot topics you are facing?
Wolfgang Schuller: Data security has been important to us in the past as the services and products we provide are based on the personal data of our customers (i.e. employee data).
The way I look at it, there are three areas we need to focus on:
- In order for customers to be able to use our software according to GDPR, the software has to comply with the respective requirements.
- Contracts and data processing addenda need to be updated according to the GDPR.
- And last, but not least, we handle our own employees’ data with the same care as customer data.
Under the General Data Protection Regulation employee data is an important aspect of personal data. What consequence does this have on providing certain employee data in org charts or simulations?
Wolfgang Schuller: This is a complex topic as our application covers a variety of use cases. Whether it is the visualization of organizational structures or the display of KPIs or simulations to plan a reorganization, our software considers role-based permissions for certain user groups and we will only display the information defined by the customer. It might be an aggregation of vacation days or salary data which is visualized for managers or stakeholders in a company – however, it is the customer’s responsibility to decide which data can be visualized from a legal point of view. But as a software provider it is our responsibility to design a solution that is GDPR compliant in the first place. With SAP SuccessFactors as the HR backend system, we rely on the compliance and tools provided by SAP to fully support the GDPR obligations.
What challenges or opportunities do you see for your customers with the new data regulation being enforced?
Wolfgang Schuller: The time and effort put into this might seem overwhelming at first. But I believe it will pay off in the end: There’s nothing more important than the trust of your employees and customers. By taking data security and the GDPR seriously, companies can strengthen this trust.
Thank you, Wolfgang, for your time and insights.
If you would like to hear how SAP addresses GDPR compliance and what partners using SAP’s cloud infrastructure need to know, please check out my following blog.
# # #
Ulrike Fempel is a book author and a senior business development manager with over 20 years of global experience in IT. Recognized as a significant driver by peers, management as well as partners, she has a passion for sciences. Contact her on Twitter / LinkedIn.