Legal Disclaimer

SAP does not provide legal advice. The following information is only about technical features which might help a customer to become compliant with data protection regulations.

When an organization fails to protect personal data? 

• British Airways faced a record $230 million fine after a website failure compromised the personal details of roughly 500,000 customers (Under GDPR Law)


• Marriott to be fined nearly £100m over GDPR breach (Under GDPR Law)


• The Federal Trade Commission has approved a fine of roughly $5 billion against Facebook for mishandling users’ personal information (Under GDPR Law)

Following blog illustrates SAP Intelligent Delivery Group (IDG) proactive measures to protect our customers from huge fines imposed by new global data privacy and protection regulations.

What is GDPR?

The General Data Protection Regulation (GDPR) is mainly introduced to simplify and standardize data protection within the European Union. Main objective is to unify and improve EU citizens’ data protection. GDPR regulation very significantly increases the obligations and responsibilities for how personal data is collected, used and protected. Responding to the GDPR requirements means organizations must treat personal data in accordance with the regulation and, where applicable, with the appropriate consent from individuals throughout the life of that data—from acquisition to processing and retention, all the way through archiving and deletion.

No single product can address all the requirements of GDPR, and this is not simply an IT issue. This is an opportunity to think holistically about “digital transformation” – to set up the kind of future-friendly business processes that incorporate sound Data Protection and Privacy practices AND accommodate for new business models.

Data privacy and protection regulations vary globally and continue to evolve, following are some of the regulations that impact cloud vendors and customers.

Data privacy and protection Challenges:

• Requires the time and expertise to identify what you have, what you don’t and what you need to do.


• Need to adapt policies, processes, and systems to address specific requirements around privacy by design, consent, storage, access, usage, retention and deletion.


• Must accurately assess and plan for sustaining ongoing compliance with GDPR.


• Cannot disrupt day-to-day business, especially revenue-generating activities

Data privacy and protection Opportunities:

• Reduce risks and address compliance, while building the foundation to cost-effectively address future regulations and requirements.


• Increase accountability and clarity of roles within your organization by improving the depth and breadth of policies and procedures.


• Protect your brand and increase trust with customers, employees, and business partners by demonstrating your commitment to protecting their data and privacy.


• Establish data best practices to build better engagements with your customers and prospects.

SAP Data Privacy and Protection Service as the Starting point

The SAP Data Privacy and Protection (DPP) Technical check service gives the customer 360-degree overview of the requirements of the Data Privacy and Protection aspects and an idea of their current situation concerning various global data privacy regulations. In addition, this service proposes practical steps for achieving compliance with a customer specific road-map as an outcome.

SAP Data Privacy and Protection Questionnaire:

SAP DPP Questionnaire powered by SAP Cloud Platform is provided to determine state-of-practice use of data-privacy aspects in the current customer SAP landscape. Proper consent and disclosures are maintained during our customer questionnaire process. Online Questionnaire is diligently categorized into various sections based on the DPP requirements. It is necessary to implement the “SAP Note 2611875 – ABAP Program for SAP DPP Technical Check” for analyzing the customer system with corresponding counterpart of spot checks regarding the regulatory and compliance requirements.

The questionnaire raises questions out of the following below categories, that are specific to DPP requirements. The questionnaire comes with predefined questions and answers, that can be chosen by the customer. There is a possibility to add some comment to the predefined answers. The following categories are part of the questionnaire:

• Information to be provided


• Information Access


• Correction


• Erasure: Blocking and Deletion


• Physical Access Control/ Access Control


• Authentication


• Authorization


• Restriction of Processing


• Change and Disclosure control


• Job Control


• Availability control


• Data Separation


• General Questions

Technical System Analysis:

• Technical parameters


• Organizational structures


• Access Control (authorizations)


• Authentication (Passwords / SSO)


• Change and Disclosure control


• Archiving


• Restriction of Processing (RFC-interfaces, ODATA-Services, ICM-Services)


• Data stocks of typical personal data such as employee data, vendor data, business partner data, etc. (no data is downloaded, only the absolute numbers are determined!)

The customer specific information from the SAP DPP questionnaire and the technical system analysis done on the ECC or S/4HANA system are consolidated by experienced DPP evangelists. As a result, customer specific DPP roadmap is created based on the Procedure Model (step-by-step implementation approach). To provide the best possible support on the journey to data privacy and protection aspects, SAP DBS Services and SAP security product recommendations are being considered in the customer results presentation.

Re-scoping of the service has been done to cover data privacy in general (to cover regulations such as GDPR, China Cybersecurity Law, Russian Localization Law, CCSL, California Law, etc.) as SAP DPP Technical Check Service.

Key SAP Contacts:

• Andreas Oesterle


• Kiran Kola