
Brief Introduction to Data Protection and Privacy in S/4 HANA

This article is a summary, largely copied from the current Security Guide. It has been reviewed and adapted by the S/4HANA DPP Product Owner, Volker Lehnert.

Data protection is associated with numerous legal requirements and privacy concerns.
In addition to compliance with general data protection acts, it is necessary to consider compliance with industry-specific legislation in different countries. This blog briefly describes the features S/4HANA explicitly provides to support compliance with the relevant data protection requirements. Other features, such as authentication or authorizations, are not covered here. Customers will still need to invest effort, for example in adapting the authorization concept, to achieve compliance. Please refer to the official S/4HANA Security Guide for detailed information on the prerequisites and features.

1) Consent Management:

Any personal data collected or processed must be linked to a specific, pre-defined purpose, such as the fulfillment of a contract or a legal obligation. If there is no other legal basis for the lawful processing of personal data, or in some cases if the data is to be sent to a third party, you must obtain consent from the data subject to use their personal data. This consent can be stored in the SAP system as consent records.
Consent Management enables you to search for and display stored consent records as well as to import consent records as copies from either a file on your device or via the Consent Repository service available on the SAP Cloud Platform.

2) Read Access Logging:

Some legal requirements mandate that read access to personal data be logged. The Read Access Logging (RAL) component can be used to monitor and log read access to such data and to provide information such as which business users accessed personal data (for example, fields related to bank account data) and when they did so.

3) Information Retrieval:

Data subjects have the right to obtain information about their personal data undergoing processing, including the reason (purpose) for the processing.
The SAP NetWeaver component Information Retrieval Framework can be used to carry out a cross-application search for personal data of a specified data subject. The data is retrieved from the system and displayed in a structured, easy-to-read list, subdivided according to the purposes for which the data was initially collected and processed.

4) Deletion of Personal Data:

Personal data in a system can be blocked as soon as the business activities for which this data is needed are completed and the residence time for the data has elapsed. After this time, only users who are assigned additional authorizations can access the data.
When the retention period has expired, personal data can be destroyed completely so that it can no longer be retrieved. Residence and retention periods are defined in the customer system.
For this purpose, SAP provides SAP Information Lifecycle Management (ILM), which helps you set up a compliant information lifecycle management process in an efficient and flexible manner.
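As an added illustration (this is not SAP code and not the ILM API), the following Python models the blocking and destruction logic described above. The object types, residence and retention periods, and the name of the additional authorization are hypothetical placeholders; in a real system they come from the customer's ILM rules and authorization concept. The example shows the two edge cases a practitioner cares about: blocked data is only readable with the extra authorization, and destruction is refused while the retention period is still running.

```python
"""Illustrative lifecycle evaluation for personal data: active -> blocked -> destroyable.

Added example, not SAP ILM code. Residence and retention periods are counted
from the end of the business activity, as the article describes.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class State(Enum):
    ACTIVE = "active"            # business still open, or residence time not yet elapsed
    BLOCKED = "blocked"          # residence time elapsed: readable only with extra authorization
    DESTROYABLE = "destroyable"  # retention period elapsed: data may be destroyed irreversibly


@dataclass(frozen=True)
class Rule:
    """Customer-defined periods in days (hypothetical values, not SAP defaults)."""
    residence_days: int
    retention_days: int

    def __post_init__(self) -> None:
        # Blocking must happen before destruction becomes possible.
        if not 0 <= self.residence_days <= self.retention_days:
            raise ValueError("residence time must not exceed retention period")


@dataclass
class Record:
    subject_id: str
    object_type: str
    end_of_business: Optional[date]   # None while the business activity is still open
    personal_data: Optional[dict]     # None once the data has been destroyed


# Hypothetical customer configuration, keyed by object type.
RULES = {
    "BusinessPartner": Rule(residence_days=365, retention_days=10 * 365),
    "SalesOrder": Rule(residence_days=180, retention_days=7 * 365),
}

# Hypothetical name of the additional authorization needed to read blocked data.
BLOCKED_DATA_ROLE = "DISPLAY_BLOCKED_DATA"


def evaluate(record: Record, today: date) -> State:
    """Derive the lifecycle state from the rule for the record's object type."""
    if record.end_of_business is None:
        return State.ACTIVE          # business not finished: residence time has not started
    rule = RULES[record.object_type]
    if today > record.end_of_business + timedelta(days=rule.retention_days):
        return State.DESTROYABLE
    if today > record.end_of_business + timedelta(days=rule.residence_days):
        return State.BLOCKED
    return State.ACTIVE


def read(record: Record, roles: set, today: date) -> dict:
    """Return the personal data, enforcing the blocked-data authorization."""
    if record.personal_data is None:
        raise LookupError(f"{record.object_type} {record.subject_id} has been destroyed")
    if evaluate(record, today) is State.BLOCKED and BLOCKED_DATA_ROLE not in roles:
        raise PermissionError(f"{record.object_type} {record.subject_id} is blocked")
    return record.personal_data


def destroy(record: Record, today: date) -> Record:
    """Return a copy with personal data removed; refuse while retention still runs."""
    if evaluate(record, today) is not State.DESTROYABLE:
        raise RuntimeError("retention period has not elapsed; destruction refused")
    return replace(record, personal_data=None)


if __name__ == "__main__":
    # Constructed sample: a business partner whose contract ended in mid-2022.
    today = date(2024, 1, 1)
    partner = Record("BP-1001", "BusinessPartner", date(2022, 6, 30), {"iban": "DE00 0000"})
    print(evaluate(partner, today))                     # State.BLOCKED
    print(read(partner, {BLOCKED_DATA_ROLE}, today))    # readable with the extra role only
```

The same evaluation would, in practice, be driven by ILM rules per object type and by the system's authorization checks; the point of the model is the ordering of the checks (retention before residence) and the refusal paths.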

5) Change Log:

The creation and change of personal data must be documented: for review purposes or because of legal regulations, it may be necessary to track the changes made to this data. When these changes are logged, you should be able to check which user made which change, the date and time, the previous value and the current value, depending on the configuration. Errors can also be analyzed in this way.

For more information about topics related to data protection, see the Data Protection section in the relevant application-specific security guides.

Please contact Volker Lehnert or Peter Dejon for any queries related to the topic.

4 Comments
  • Hi Manasi,

    many thanks for the info.

    In addition to those 5 points, what is your proposed solution for the anonymization of productive system copies (in QA, Dev, etc.) in support of:

    • Legal requirements (GDPR, HIPAA etc.)
    • Protection of customer’s own IP?

    Regards, Alan

  • We currently do not have any solution.

    Please do not use the term anonymization at all. This is likely niche reachable.

    KR

    Volker Lehnert
    (Datenschutzbeauftragter DSB-TÜV)
    Senior Director Data Protection S/4HANA

     

  • “niche reachable” is a typo; “not reachable” was meant. Thank you for pointing it out.

    The term aligned with the DPO to be used is “de-personalization”. The argument for customers is quite simple: whether data is in fact anonymized (re-identification is not possible) or pseudonymized (as defined in Art. 4 No. 5 GDPR) can only be judged in the concrete scenario.

    KR