Ulrike Fempel

How SAP assesses GDPR compliance: What SAP Cloud Partners need to know

Are customer data safe? Is data breach or misuse communicated immediately? Can user data be easily blocked or deleted? These are questions that companies must answer in order to comply with the EU’s General Data Protection Regulation (GDPR) requirements.

How does SAP address this topic and what do partners using SAP’s cloud infrastructure need to know?

Data Protection Management System

Data protection and privacy are critical to digital transformation. This is why SAP focused on the GDPR requirements long before the legislation was introduced. Since 2010, SAP has had a centrally managed data protection management system (DPMS) in place, certified against BS 10012. This DPMS allows SAP to manage data protection requirements in a structured way and to provide business units with specific guidelines, data protection training and regular controls (through numerous audits). In 2012, SAP implemented a Data Protection and Privacy Policy, which is the basis for the current DPMS.

GDPR: A Corporate Goal

Data protection and data privacy have been defined as a corporate requirement at SAP, with a holistic approach to help minimize the risks and costs of compliance. To get ready for GDPR compliance, a cross-board project has been implemented and executed, led by SAP Data Protection & Privacy (DPP). The team includes IT architects, developers, and consultants, plus legal experts, business stakeholders, and executive sponsors.

According to Thomas Saueressig, CIO of SAP, this GDPR project requires a focus on people, process, and technology. In a recently published article he said that “from a people perspective, communicating to a large global workforce is a key component”. As an SAP employee myself, I can confirm that education on data protection has been a strong effort and there were repeated offers for training, while management ensured that the training was taken seriously. In my opinion many colleagues have a candid interest in this topic; they want to know more and make sure that it is not just a compliance issue.

SAP Cloud Trust Center: Valuable source of information for SAP Cloud Partners

Working closely with partners who build applications on the SAP Cloud Platform, I understand that they have a very particular interest in understanding SAP’s efforts in data protection, especially for any cloud-processed data. The questions that come up from a very heterogeneous partner ecosystem are manifold: Where can I check out the data processing agreements in different languages? How can I verify the general terms and conditions concerning a certain cloud service, including usage rights, customer data, warranties, confidentiality, and limitation of liability provisions? What does a sample order form for subscription to SAP’s cloud services look like?

I highly recommend the “SAP Cloud Trust Center” webpage, which provides answers to the questions above and gives the latest information on aspects of security, data privacy, and compliance in the cloud, along with current compliance certificates. Moreover, you will find detailed information about various certifications against ISO/BS standards as well as in-depth answers to the question “How SAP is implementing the requirements of the GDPR to best support its customers” – see the hyperlink to the whitepaper.

Recap of measures taken by SAP

For partners, it is important to understand that SAP shows commitment to comply with the legislation in its role as a controller as well as a processor. In addition, SAP is committed, with its products and services, to supporting its customers in implementing the GDPR requirements, delivering functionality that helps customers comply with the law.

Let me end with a brief summary of the most important measures taken by SAP in order to assess GDPR compliance:

  • Having in place a designated DPO (Data Protection Officer) with a team of skilled experts.
  • Assuring data protection with the implementation of a Data Protection Management System (DPMS) in all board areas and controlling 115 locations, mandatory for all units of SAP.
  • Increasing transparency by using records of processing activities supported by a so-called Procedure Enrolment Tool (PET).
  • Providing state-of-the-art data security measures.
  • Enhancing its software products to foster its customers’ compliance.
  • Privacy by design through so-called data protection compliance evaluation in software development.
  • Educating all employees about GDPR elements.


Read more about GDPR readiness, including an SAP Cloud Platform Build Partner’s point of view, in my previous blog.

If you would like to share your view on GDPR, or to provide insights on how you are fine-tuning your own approach to achieve compliance, feel encouraged to comment on the blog.

# # #

Ulrike Fempel is a book author and a senior business development manager with over 20 years of global experience in IT. Recognized as a significant driver by peers, management and partners alike, she has a passion for the sciences. Contact her on Twitter / LinkedIn.


# # #
