Materializing data privacy in SAP .. how?


Page 1: Materializing data privacy in SAP .. how?

May 10, 2016

Implementing data privacy measures in SAP

Nico J.W. Kuijper, D&IM Services

SAP Archiving, Information Lifecycle Management, ECM & (SAP) Data Privacy Consultant

Email: [email protected] - Phone: +31(0)20 615 82 89

Member of the International Association of Privacy Professionals


Subject and scope of this presentation

This presentation is about data privacy seen in the context of SAP data.

A data privacy project covers many different legal, organizational and technical aspects; in this presentation we focus only on (some of the) SAP instruments and practices for enforcing data privacy regulations (like the new EU GDPR) in SAP systems.


Why is this topic relevant for companies using SAP?

On Thursday, 14 April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR). The regulation was published in the Official Journal on 4 May 2016, entered into force 20 days later and applies from 25 May 2018, so companies have roughly 24 months to become GDPR compliant.

When you are using SAP systems you might be interested in what needs to be done to apply the new EU data privacy law to your SAP systems, in particular how to handle your SAP data according to the new law.

Official EU publication of the EU GDPR (Regulation (EU) 2016/679, OJ L 119): http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC

The legislative history starts with the Commission's 2012 proposal, which you can read here (note that this is the proposal text, not the adopted regulation): http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52012PC0011


The risks of non-compliance with the EU GDPR

Not complying with the EU GDPR (General Data Protection Regulation) leads to significant fines and compliance risks. Article 83 of the GDPR creates two tiers of maximum administrative fines for undertakings violating the Regulation. The higher tier is four percent of the undertaking's total worldwide annual turnover of the preceding financial year or 20 million euros, whichever is higher. The lower tier is two percent of the worldwide annual turnover or 10 million euros, whichever is higher.

The adopted text is the Official Journal publication linked on the previous slide; the text behind the following link is the 2012 Commission proposal from which the Regulation was negotiated: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52012PC0011


What is considered privacy relevant information?

There are many elements of personal information. Some examples are name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, IP address (in some jurisdictions), business and personal addresses, phone numbers and email addresses, internal identification numbers, credit card and bank account numbers, government-issued identification numbers (social security and driver's license numbers, etc.) and identity verification information.

It is important to remember that business data elements can be personal information as well: the contact person on a vendor master record, the employee number on a purchase order or the IBAN on a payment run all relate to an identifiable natural person.

"Personal data" is defined in Article 4(1) of the GDPR as "any information relating to an identified or identifiable natural person".


The General Data Protection Regulation in short

The highlights of the EU GDPR (shown in the slide graphic, which is not reproduced here) require an update of your privacy program. On the next slides we focus on translating some of the GDPR articles to the SAP context.


The identification of personal data in SAP

The GDPR requires the designation of a data protection officer (DPO) for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data (Article 37), and the execution of data protection impact assessments (DPIAs, Article 35) where processing is likely to result in a high risk. One of the DPO's tasks is monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff and conducting internal audits. DPIAs (called Data Privacy Impact Assessments in these slides) are used to identify potential privacy issues, evaluate whether the benefits of a project outweigh its risks, implement privacy by design and conduct internal auditing for compliance with legal, regulatory, industry and organizational standards.

Do you know how to identify, monitor and audit the use of personal data in SAP?


Explicit consent for processing personal data in SAP

The GDPR requires a lawful basis for every processing of personal data (Article 6); consent is one of those bases, and for special categories of personal data (Article 9) explicit consent is one of the few grounds available.

How do you request or trigger explicit consent for personal data (to be) processed in SAP?


Erasure or blocking of personal data (right to be forgotten)

Under GDPR Article 17, controllers must erase personal data "without undue delay" when, among other grounds, the data is no longer needed for the purpose it was collected for, the data subject withdraws consent or objects to the processing, or the processing was unlawful.

Do you know how to erase or block personal data in SAP in a consistent way?


The transfer of personal data out of the EU

The GDPR makes clear (Article 48) that a judgment or administrative decision of a third country requiring the transfer of personal data is only recognised or enforceable when it is based on an international agreement, such as a mutual legal assistance treaty; transfers outside the EU in general need an adequacy decision or appropriate safeguards (Chapter V). The Regulation also imposes hefty monetary fines for transfers made in violation of these rules.

Do you know how to restrict the (unlawful) transfer of personal data stored in SAP systems?


Protect personal data in non-productive systems

The GDPR encourages pseudonymization, defined in Article 4(5) as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information". Data encryption, pseudonymization and anonymization are means of protecting the rights of individuals while still allowing controllers to benefit from the data's utility; in the SAP context, e.g. the use of copied production data in test and quality assurance systems. Note that pseudonymized data is still personal data under the GDPR (Recital 26), because the additional information allows re-identification; only properly anonymized data falls outside the Regulation.

Do you know how to pseudonymize, anonymize or encrypt personal data in non-productive SAP systems?


Data breach notification within 72 hours

Under the GDPR (Article 4(12)), a "personal data breach" is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

In the event of a personal data breach, data controllers must notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it" (Article 33), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Every breach, notified or not, must be documented, and when the breach is likely to result in a high risk the affected data subjects must be informed as well (Article 34).

Do you know how to prevent and/or detect a data breach in SAP, or control the download of privacy relevant data from SAP systems?


Information security = information privacy?

The term information privacy refers to the handling, controlling, sharing and disposal of personal information, while the term information security covers a much wider range of activities, both physical and administrative, that protect not only personal information but any type of information or information asset that supports a business.

The difference between information privacy and information security supports the statement: "You can have security without privacy, but you cannot have privacy without security."

For example, a system may be well hardened with solid access controls and still cause a privacy problem if those access controls are assigned too broadly, so that staff without a business need can read personal data.

In these slides we focus mainly on the protection of privacy relevant SAP information.


Mitigating the violation of data privacy laws in SAP

Organizations handling privacy relevant data in the context of SAP systems might need some practical guidance on how to mitigate the risk of violating data privacy regulations. In this section we show some practical examples of how to mitigate that risk in SAP environments.


Some examples of data privacy measures in SAP

Data privacy topic | Applicable SAP system, functionality or data | Supporting SAP functionality | Supporting 3rd party functionality

1. Data privacy impact assessment on SAP data | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | AIS (Audit Information System), special reports, GRC, etc. | -

2. Activate explicit consent for processing of personal data | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | Standard SAP | -

3. Restrict / limit access to privacy relevant data | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | Standard SAP (authorization concept) | -

4. Blocking of privacy relevant data (if it can't be deleted) | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | Standard SAP | -

5. Destruction of privacy relevant SAP data | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | SAP ILM Retention Management (part of standard SAP) | -

6. Data encryption, masking, anonymization, etc. | Privacy relevant data in all non-productive SAP systems | SAP TDMS 4.0 | EPI-USE, Dolphin, etc.

7. Data protection & prevention of data leakage (outside SAP) | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | SAP authorizations, AIS (Audit Information System) | External DLP solution providers like Secude, etc.

8. Monitor unlawful access to privacy relevant or sensitive data in SAP | SAP ECC (HCM, SD, FI, etc.), BW, CRM, SRM, IS-*, etc. | Read Access Logging (RAL), SAP Enterprise Threat Detection, etc. | Different external solution providers

Overview graphic of the measures covered in the following slides: Audit SAP data privacy, Enforce explicit consent, Restrict data access, Blocking of SAP data, Destroy SAP data, Encrypt/Mask etc., Prevent SAP data leakage, Monitor unlawful data access.


Conducting data privacy impact assessments in SAP


Context: under the EU GDPR, organizations handling privacy relevant (personal) data are obliged to execute DPIAs (Data Privacy Impact Assessments, in GDPR terms data protection impact assessments) whenever the processing is likely to result in a high risk for the data subjects (Article 35). Organizations need to evaluate the personal data they have and categorize it, so that it is clear where personal and sensitive data resides and where other, less critical data sits in the company.

What are some of the instruments that can support you in conducting a DPIA on SAP data?


Some Data Privacy Impact Assessment questions

In a DPIA different types of questions might be raised, such as:

• What data is collected, from which source(s) and why?

• Where and how is the recorded data stored (in SAP)?

• Who (roles/individuals) has access (display, update, etc.) to the data?

• What is the data used for, and how does it pass between systems and to data consumers?

• How long should the data be retained?

• Who is responsible for the data at both an operational and a strategic level?

It is not always easy to answer some of these questions when you are using a system with a data model and functional breadth like SAP's. Where is privacy relevant data actually stored in SAP?


DPIA’s in SAP – Identify privacy relevant data (I)

There are reports available in SAP to identify where in the SAP data model privacy relevant information could be stored (including your custom developments).

Categorizing the data so that it becomes clear where the personal and sensitive data resides in SAP is an important step in your Data Privacy Impact Assessment.


DPIA’s in SAP – Identify privacy relevant data (II)

Another useful step is to verify whether you actually store privacy relevant data in SAP, not just where it could be stored; this should be assessed at least once a year, because custom fields and new interfaces appear between assessments. Audit Information System (AIS) reports can support you in this task.


DPIA’s in SAP – Identify privacy relevant data (III)

Once it is clear where privacy relevant data is stored in SAP, you want to know who has access to it and which actions the users/roles can execute (this can be done using e.g. GRC and other tools). It is also relevant to check who can read privacy relevant data directly at table level with a table browser such as SE16, SE16N or the QuickViewer (SQVI), which are often used as a backdoor to data that the application transactions would not show. Table access is governed by the authorization objects S_TABU_DIS (table authorization group, field DICBERCLS) and S_TABU_NAM (table name); these are frequently granted far too broadly (e.g. DICBERCLS = *), and the user information system (transaction SUIM, report RSUSR002) shows which users hold them for the authorization groups of the HR and business partner tables.


Supporting data privacy assessments in SAP

Once organizations understand just what personal data they have, they should ensure that regular risk assessments are completed, to understand the degree of threat the company is exposed to when processing privacy relevant data in SAP.

There are many tools and reports available in SAP that can support you in conducting your Data Privacy Impact Assessment in a structured way; we have only scratched the surface of the possibilities.

Knowing (and measuring) your risks is key for a solid data privacy program.


Explicit consent for processing of personal data


Context: consent is one of the lawful bases the GDPR allows for processing personal data (Article 6), and explicit consent is the usual ground for processing special categories of data (Article 9). Employee and customer data in SAP is often processed on another basis (performance of a contract, a legal obligation), but wherever consent is the basis it must be obtained and demonstrable.

There are different options available in SAP to capture and enforce explicit consent for the processing of privacy relevant data.


Data privacy – requesting explicit consent in SAP

Individuals have rights when it comes to the collection and processing of personal information; consent and choice are two of those rights. Organizations should therefore describe the choices available to individuals and, where consent is the lawful basis, obtain consent that is freely given, specific, informed and unambiguous (Article 4(11)) for the collection, use, retention and disclosure of personal information. Under the GDPR silence, pre-ticked boxes or inactivity do not constitute consent (Recital 32), so relying on implicit consent is no longer an option.

There are different options in SAP to request explicit consent for the storage and processing of personal data, for example in HCM (employee data and e-recruiting), ECC, SRM, CRM, IS-*, etc.

Processing personal data in SAP without a lawful basis is unlawful and must be avoided; where consent is that basis, the consent must be recorded so that it can be demonstrated (Article 7(1)), and processing must stop when it is withdrawn.


Blocking of personal data in SAP


Context: the GDPR gives data subjects the right to have their personal data erased. However, personal data sometimes cannot be erased immediately, due to data consistency rules in SAP or other (overriding) legislation such as tax or commercial law. In those cases privacy relevant (master) data must be blocked for further access and/or processing in SAP, which corresponds to the GDPR's restriction of processing (Article 18): the data is kept, is no longer used in business operations, and can only be displayed by a small group of users with a dedicated authorization.


Blocking privacy relevant data

SAP delivers business functions for blocking personal (business partner) data that can't be deleted immediately for various reasons (SAP data consistency, or data that must be preserved longer under overriding legal or fiscal legislation, etc.). Blocked data is excluded from normal business processing and remains visible only to users who hold the special display authorization for blocked data.


Right to be forgotten and erasure of personal SAP data

Context: the GDPR gives data subjects the right to have their personal data erased, provided that certain conditions are met. SAP offers more than 100 so-called data destruction objects for the rule-based and compliant erasure of privacy relevant SAP data (for e.g. ECC 6, CRM, SRM, IS-*, etc.). This is delivered by the SAP functionality called SAP ILM (Information Lifecycle Management).



Placing information under corporate control

Definition of a ‘RECORD’ (the slide graphic lists the legislation involved: SOX, GAAP, EU GDPR, Basel II/III, HIPAA, etc.)

Corporate information that is subject to legislation must be managed as a "record" using records management principles, in order to manage, preserve and destroy the information according to defined rules.


Introduction of SAP ILM

The lifecycle of information (put under corporate control) can be managed with SAP Information Lifecycle Management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data and documents in a controlled way using records management and retention policies.


Data destruction objects

For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so-called data destruction objects. In the SAP HCM module alone there are more than 100 data destruction objects, and the SAP HCM data destruction objects can (in most cases) be used without additional SAP license implications.


Retention policy: manage the lifecycle of your data

Privacy relevant data should be managed in alignment with other legislation, based on retention rules. Other (overriding) legislation, e.g. tax regulation, might require the preservation of privacy relevant data and thereby prevent the destruction of financial data that contains privacy relevant data.

With SAP ILM this can be harmonized: a retention policy per type of SAP data defines when retention starts (e.g. the end of the fiscal year of the last posting), how long the data must be kept and when it may be destroyed, and data is only destroyed once every applicable rule has expired.


Data destruction in SAP

Based on the retention rules defined in SAP ILM it is possible to comply with the GDPR requirement to destroy privacy relevant SAP data in a controlled way.
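The block-or-destroy decision that the blocking slides and the retention policy slide describe, as an added worked example in Python; it is not SAP ILM code and uses no SAP API. It models a minimal ILM-style rule set: each rule carries a minimum retention period and whether retention starts at the end of the fiscal year of the last activity (calendar year assumed), a record may only be destroyed once every applicable rule has expired, and until then an erasure request results in blocking rather than destruction. The object types, rule names and retention periods are constructed examples, not legal advice for any jurisdiction.

```python
from dataclasses import dataclass
from datetime import date
from typing import Sequence


@dataclass(frozen=True)
class RetentionRule:
    """One retention requirement, e.g. from tax law or the end of the
    business purpose. Names and periods are constructed examples."""
    name: str
    min_years: int
    # ILM-style "start of retention": end of the (calendar) fiscal year of
    # the last activity, or the activity date itself.
    from_fiscal_year_end: bool = True


@dataclass(frozen=True)
class SapRecord:
    object_type: str            # hypothetical destruction object name
    partner_id: str             # the data subject (business partner, employee)
    last_activity: date
    rules: Sequence[RetentionRule]


@dataclass(frozen=True)
class Decision:
    object_type: str
    action: str                 # "destroy", "block" or "keep"
    retention_end: date         # first date on which destruction is allowed


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_end(record: SapRecord) -> date:
    """Destruction is allowed only when every applicable rule has expired,
    so the latest expiry wins (the tax rule outlives the GDPR purpose)."""
    ends = []
    for rule in record.rules:
        start = record.last_activity
        if rule.from_fiscal_year_end:
            start = date(start.year, 12, 31)
        ends.append(_add_years(start, rule.min_years))
    return max(ends)


def decide(record: SapRecord, today: date, erasure_requested: bool) -> Decision:
    """Erasure request (Art. 17) versus overriding retention duty: data that
    must still be kept is blocked (restriction of processing, Art. 18)."""
    end = retention_end(record)
    if end <= today:
        return Decision(record.object_type, "destroy", end)
    if erasure_requested:
        return Decision(record.object_type, "block", end)
    return Decision(record.object_type, "keep", end)


# Constructed rules and records for one fictional business partner.
TAX_7Y = RetentionRule("tax_law_financial_docs", min_years=7)
END_OF_PURPOSE = RetentionRule("end_of_business_purpose", min_years=0,
                               from_fiscal_year_end=False)

PARTNER_RECORDS = [
    SapRecord("FI_DOCUMNT", "BP1001", date(2015, 3, 10), (TAX_7Y, END_OF_PURPOSE)),
    SapRecord("HCM_APPLICANT", "BP1001", date(2016, 1, 15), (END_OF_PURPOSE,)),
]


def erasure_plan(records: Sequence[SapRecord], today: date) -> dict:
    """Action per object type for an erasure request received on `today`."""
    return {d.object_type: d.action
            for d in (decide(r, today, erasure_requested=True) for r in records)}


def demo() -> dict:
    """Erasure plans for the constructed partner on two dates."""
    return {d.isoformat(): erasure_plan(PARTNER_RECORDS, d)
            for d in (date(2016, 5, 10), date(2023, 1, 1))}


if __name__ == "__main__":
    for day, plan in demo().items():
        print(day, plan)
```

On the presentation date the applicant data is destroyed immediately (its purpose ended in January 2016) while the financial document is blocked until the end of 2022; the same request processed in 2023 destroys both. The real ILM rules are considerably richer (condition fields per company code and country, legal-hold flags), but the ordering of the checks is what matters: retention first, erasure second.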


Data protection in non productive SAP systems


Context: the GDPR prohibits unauthorized access to personal data and encourages (pseudo)anonymization of data where possible.

How do you give developers, testers and contract workers access to a non-production system without violating your data privacy and data security obligations? Encryption or (pseudo)anonymization might be the answer.


Data protection in context and some terminology

Even if great care is taken to set up authorizations, design roles and separate duties in the production environment, these controls are usually not carried over to non-production systems: a system copy contains the full production data, while developers and testers typically hold broad authorizations (table browsing, debugging with replace) that would never be granted in production.

How do you give developers, testers and contract workers access to a non-production system without endangering data privacy and data security? Data encryption or (pseudo)anonymization might be the answer.

Terminology explained

We speak of anonymity if the identity of a person is not known or if a person does not wish to make his or her identity known. Pseudonymization and anonymization are both techniques by which the identity of a person can no longer be traced from the data itself.

Pseudonymization is a procedure in which identifying data is replaced, using a particular (keyed) algorithm, by a pseudonym. The algorithm always calculates the same pseudonym for the same person, so information about that person, also from various sources, can still be combined; whoever holds the key or mapping table can reverse the process.

This is what distinguishes pseudonymization from anonymization: with anonymization, linking information to a person, from various sources, is no longer possible. (Source: wikipedia.org)
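The distinction between pseudonymization and anonymization explained above, as an added Python example (not code from the presentation, and not what SAP TDMS or any vendor tool does internally). It pseudonymizes the direct identifiers of two constructed tables, one from an HCM-like and one from a CRM-like system, with a keyed HMAC so that the same person receives the same pseudonym in both systems and the rows stay linkable; it shows that an unkeyed hash of a low-entropy field is reversed by simple enumeration and therefore is not a pseudonym; and it anonymizes the rows by dropping the direct identifiers and coarsening the birth year. All persons, numbers and field names are fictional.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample rows from two SAP-like systems (fictional persons).
HCM_ROWS: List[Dict] = [
    {"pernr": "00001234", "name": "A. Jansen", "birth_year": 1978, "city": "Amsterdam"},
    {"pernr": "00005678", "name": "B. de Vries", "birth_year": 1985, "city": "Utrecht"},
]
CRM_ROWS: List[Dict] = [
    {"partner": "BP1001", "name": "A. Jansen", "city": "Amsterdam"},
    {"partner": "BP1002", "name": "C. Bakker", "city": "Rotterdam"},
]
DIRECT_IDENTIFIERS = ("pernr", "partner", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated for readability).
    The key is the 'additional information' of GDPR Art. 4(5): whoever holds
    it can re-identify, so it must be stored apart from the pseudonymized data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(rows: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace every direct identifier; quasi-identifiers stay untouched."""
    return [{k: (pseudonym(str(v), key) if k in DIRECT_IDENTIFIERS else v)
             for k, v in row.items()} for row in rows]


def linkable_names(rows_a: Iterable[Dict], rows_b: Iterable[Dict]) -> set:
    """Name pseudonyms present in both tables. With the same key the person
    can still be followed across systems, which is exactly the property
    that separates pseudonymization from anonymization."""
    return {r["name"] for r in rows_a} & {r["name"] for r in rows_b}


def anonymize(rows: Iterable[Dict]) -> List[Dict]:
    """Irreversible: drop direct identifiers and coarsen the quasi-identifier
    birth_year to a decade, so rows can no longer be tied to one person."""
    out = []
    for row in rows:
        anon = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        if "birth_year" in anon:
            anon["birth_decade"] = (anon.pop("birth_year") // 10) * 10
        out.append(anon)
    return out


def unkeyed_hash(value: str) -> str:
    """The tempting but wrong approach: SHA-256 without a secret."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def recover_unkeyed_hash(digest: str, candidates: Iterable) -> Optional[object]:
    """Why an unkeyed hash is no pseudonym for a low-entropy field: an
    attacker hashes every possible value and compares."""
    for cand in candidates:
        if unkeyed_hash(str(cand)) == digest:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # would live in a separate key store
    hcm, crm = pseudonymize(HCM_ROWS, key), pseudonymize(CRM_ROWS, key)
    print("linkable across systems (same key):", linkable_names(hcm, crm))
    print("different key per system:",
          linkable_names(hcm, pseudonymize(CRM_ROWS, secrets.token_bytes(32))))
    print("anonymized HCM rows:", anonymize(HCM_ROWS))
    print("unkeyed hash of a birth year reversed to:",
          recover_unkeyed_hash(unkeyed_hash("1978"), range(1900, 2017)))
```

Using a different key per target system is the simplest way to keep test data in a CRM copy unlinkable to test data in an HCM copy while each system stays internally consistent. The enumeration attack in `recover_unkeyed_hash` applies equally to personnel numbers and IBANs, whose formats are public, which is why the key rather than the hash function carries the protection.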


SAP TDMS 4.0: scramble privacy relevant data

SAP offers, with SAP TDMS 4.0 (Test Data Migration Server), the option to scramble privacy relevant data when it is transferred to non-productive SAP systems (the TDMS slide is a graphic that is not reproduced here). Scrambling rules must be applied consistently to every table that carries the same value; otherwise the test system loses referential integrity between, for example, HR master data and the documents that reference it.


3rd party solutions for SAP data encryption

Other (SAP certified 3rd party) vendors deliver data encryption and (pseudo)anonymization tools for SAP data as well. Note: encryption does not make a breach disappear. A breach (especially theft) of encrypted data must still be assessed and documented, and notified to the supervisory authority unless it is unlikely to result in a risk to the data subjects; the GDPR (Article 34(3)(a)) only exempts the controller from informing the data subjects themselves when the data was protected by measures such as encryption that render it unintelligible to unauthorized persons. Data security remains of vital importance in all cases.


Data theft & data leakage prevention of SAP data

Context: the GDPR also introduces the need for organizations to prepare a data breach notification plan in case something actually goes wrong. However, it is vital to prevent data leakage in the first place!

How can you actually prevent that privacy relevant SAP data is "leaked" and distributed outside your organization?



Is privacy relevant data leaving your SAP system?

Privacy relevant data should only be downloaded from SAP when authorized (ensure an adequately configured authorization concept: in SAP GUI the download of lists and ALV output is controlled by authorization object S_GUI with activity 61, which is often granted to everybody). Misuse of personal data via the download function and/or the XXL/ALV List Viewer export is unlawful processing under the GDPR and, once the data leaves the controlled environment, a data breach.

Even with appropriate SAP authorizations it is often difficult to control what happens with the data outside the controlled SAP environment; however, there are tools to overcome that hurdle.


Data leakage prevention in SAP

Not many companies are aware of what sensitive/privacy relevant data is leaving their systems. Often that sensitive information is sent to insecure locations such as unprotected mobile devices and public cloud environments. There are 3rd party tools that can block the download of sensitive data from SAP, useful not only for compliance with regulations but also to protect your intellectual property, etc.


Controlled access to downloaded SAP data (1)

With 3rd party software you can combine SAP authorizations (controlling access to privacy relevant data in SAP) with Microsoft Rights Management (controlling access to privacy relevant data outside the SAP environment): the downloaded file is encrypted and carries a usage policy, so only the users allowed by that policy can open it. With this concept you can protect SAP data even when it leaves SAP.


Controlled access to downloaded SAP data (2)

Using these kinds of SAP certified 3rd party tools, you can get a grip on the sensitive / privacy relevant data that is leaving your SAP systems, in a controlled and auditable way.


Monitor the access to privacy relevant SAP data


Context: under the GDPR a data breach covers different unauthorized activities. Unauthorized access to and processing of privacy relevant data (not only by hackers but also by the organization's own employees) is a data breach that must be documented and, unless it is unlikely to result in a risk to the data subjects, reported to the supervisory authority within 72 hours.

How can you actually detect that privacy relevant SAP data has been accessed without authorization? SAP delivers different instruments to monitor unlawful access to privacy relevant SAP data.


Monitoring databreaches in SAP

If data is leaked, companies must notify the supervisory authority (the national Data Protection Authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33). All data breaches must be sufficiently documented, so organizations must be able to indicate exactly where in their systems the breach took place and what its consequences are. When the breach is likely to result in a high risk, they must also inform the affected data subjects (Article 34).

SAP offers a standard tool (part of SAP NetWeaver AS ABAP, from release 7.40) to log read access to (privacy relevant) data, even if the access is "just looking" at the data. The tool is RAL (Read Access Logging, transaction SRALMANAGER) and it can log access to data from many different channels.


RAL (Read Access Logging) - 1

With RAL you define the logging purposes, log domains and the logged objects (channels and fields) yourself, which also lets you categorize and filter the log afterwards.


RAL (Read Access Logging) - 2

Access to privacy relevant SAP data via different channels (SAP GUI dynpro, Web Dynpro, web services, RFC) can be logged in a flexible way, so that you determine in detail what needs to be logged. RAL can help you significantly in detecting and documenting data breaches in SAP. Two practical caveats: RAL only records what you have configured, field by field, so a field missing from the configuration is simply not logged; and the log itself contains personal data (who looked at whom), so it needs its own access restrictions, a retention period and a process to actually review it.
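A detection pass over read-access log entries, as an added Python example that is not part of the presentation and does not read SAP's own RAL tables: the log lines below are constructed in a simplified, hypothetical semicolon-separated layout (timestamp; user; channel; transaction; log domain; data subject) that stands in for whatever your RAL export or SIEM feed delivers. It flags a user who reads a sensitive log domain for an unusually high number of distinct data subjects within a sliding time window, the pattern behind a bulk export or an employee browsing colleagues' bank details one by one. Threshold and window length are assumptions to tune per domain and user population.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines in a hypothetical export layout:
# timestamp;user;channel;transaction;log_domain;data_subject
SAMPLE_LOG = """\
2016-05-10T08:01:12;JSMITH;DYNPRO;PA20;BANK_ACCOUNT;00001234
2016-05-10T08:01:40;JSMITH;DYNPRO;PA20;BANK_ACCOUNT;00001235
2016-05-10T08:02:05;JSMITH;DYNPRO;PA20;BANK_ACCOUNT;00001236
2016-05-10T08:02:31;JSMITH;DYNPRO;PA20;BANK_ACCOUNT;00001236
2016-05-10T08:03:02;JSMITH;DYNPRO;PA20;BANK_ACCOUNT;00001237
2016-05-10T08:03:44;JSMITH;DYNPRO;PA20;BANK_ACCOUNT;00001238
2016-05-10T08:04:10;JSMITH;DYNPRO;PA20;BANK_ACCOUNT;00001239
2016-05-10T08:15:00;MBROWN;DYNPRO;PA20;BANK_ACCOUNT;00001234
2016-05-10T09:30:00;MBROWN;DYNPRO;PA30;BANK_ACCOUNT;00001250
2016-05-10T09:30:00;JSMITH;DYNPRO;PA20;BANK_ACCOUNT;00001300
2016-05-10T11:00:00;RFC_PAYROLL;RFC;;BANK_ACCOUNT;00001234
2016-05-10T11:00:01;RFC_PAYROLL;RFC;;BANK_ACCOUNT;00001235
"""


@dataclass(frozen=True)
class ReadEvent:
    ts: datetime
    user: str
    channel: str
    tcode: str
    domain: str
    subject: str


@dataclass(frozen=True)
class Alert:
    user: str
    domain: str
    distinct_subjects: int
    window_start: datetime
    window_end: datetime


def parse_log(text: str) -> List[ReadEvent]:
    """Parse the constructed export layout; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, channel, tcode, domain, subject = line.split(";")
        events.append(ReadEvent(datetime.fromisoformat(ts), user, channel,
                                tcode, domain, subject))
    return events


def bulk_read_alerts(events: List[ReadEvent],
                     window: timedelta = timedelta(minutes=10),
                     threshold: int = 5) -> List[Alert]:
    """Per (user, log domain): the largest number of distinct data subjects
    read inside any sliding window; one alert when it reaches the threshold.
    Repeated reads of the same subject count once, so a clerk re-checking
    one employee does not trigger, while browsing many employees does."""
    by_key: Dict[Tuple[str, str], List[ReadEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_key[(ev.user, ev.domain)].append(ev)

    alerts = []
    for (user, domain), evs in by_key.items():
        counts: Counter = Counter()          # subjects inside the window
        start = 0
        best = (0, evs[0].ts, evs[0].ts)
        for ev in evs:
            counts[ev.subject] += 1
            while ev.ts - evs[start].ts > window:   # slide the window forward
                old = evs[start].subject
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) > best[0]:
                best = (len(counts), evs[start].ts, ev.ts)
        if best[0] >= threshold:
            alerts.append(Alert(user, domain, best[0], best[1], best[2]))
    return alerts


if __name__ == "__main__":
    for alert in bulk_read_alerts(parse_log(SAMPLE_LOG)):
        print(f"{alert.user} read {alert.distinct_subjects} distinct subjects "
              f"in {alert.domain} between {alert.window_start.time()} and "
              f"{alert.window_end.time()}")
```

In the sample, JSMITH displays the bank details of six different employees within three minutes and is flagged; MBROWN's two reads an hour apart and the payroll RFC user's two reads are not. The RFC user would deserve a separate rule (a technical user should never show up on a dialog channel), and the threshold for an HR clerk who legitimately processes dozens of records per hour must be set higher than for a line manager.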


Closure

In this presentation we presented some of the available options in SAP to mitigate data privacy risks. Looking for expertise to enforce data privacy in your SAP systems? Don't hesitate to consult us!


Nico J. W. Kuijper, D&IM Services

SAP Archiving, Information Lifecycle Management, ECM & (SAP) Data Privacy Consultancy

Email: [email protected] - Phone: 0031(0)20 615 82 89

DISCLAIMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. D&IM Services assumes no responsibility for errors or omissions in this document, except if such damages were caused intentionally or by gross negligence.