The global and independent platform for the SAP community.

Fit for the EU General Data Protection Regulation?

The new EU data protection regulations are due to come into force in spring 2018. Companies of all sizes that store and process data now have just one and a half years to implement the data security requirements and the extensive accountability obligations.
Volker Kyra, Secude
June 30, 2016
The-current-keyword
avatar
This text has been automatically translated from German to English.

Otherwise, they face massive fines of up to 20 million euros or four percent of their annual revenue in the event of violations. What should companies that use SAP watch out for in the future and how can they prepare?

What does this mean for companies? Which data systems are particularly affected? What steps must be implemented by 2018 to comply with the new requirements?

The tier system of the new General Data Protection Regulation already provides for penalties of up to two percent of annual global turnover if processing operations are not properly documented (Article 28).

In the event of a data breach, companies are required to notify the authorities within 72 hours (Article 31).

According to the definition in the new legislation, it is also a data breach if an employee has insight into data that he or she does not need for his or her job.

In addition, companies must ensure that employees can recognize when they are violating laws with data processing or processing data without authorization.

The first and most important step for all companies is to check in which systems they hold the data affected by the legislation. The second step should be to check whether the company can reliably track and prove what is done with this data when it leaves the system, for example.

As IT environments become increasingly complex, it is a major challenge for companies to track what data is held in which systems and through which channels it may be shared.

Personal data is particularly common in ERP systems. Within this regulated IT environment, it is relatively easy to implement the specifications for the new data protection guidelines if they have authorization structures and audit logs.

So is one covered with it?

Unfortunately, no - because as soon as this data has been exported from the system, the SAP correction structures no longer take effect and it is also impossible to trace what subsequently happens to the data.

In most companies, however, these data exports take place on a daily basis without employees being aware of the possible consequences. This is particularly true for industries such as energy (electricity, oil and gas), transport (air, rail, water and road), infrastructure sectors such as drinking water supply, banking and financial market infrastructures, trading centers, healthcare providers and digital infrastructures.

It is therefore necessary to introduce audit or logging solutions that record who views, exports and passes on data.

It is also advisable to integrate a GRC solution so that notifications are sent to those responsible in the event of rule violations.

Ideally, however, data sets should be classified as they are created. Sensitive data affected by legislation can then be provided with appropriate rules for its entire life cycle.

For example, they can be released only for internal use or for certain people, or the download of specific data can be blocked completely.

In addition, employees are thus sensitized to the topic and made aware of possible violations. The introduction of a rights management system (RMS) helps to prevent a breach of data security (Article 31) and to prove or restrict the use of data even outside the ERP system.

The new legislation also stipulates that most companies must designate a data protection officer (Article 35). Now is the ideal time for those responsible to review the internal situation, initiate appropriate measures for probing and securing data, and thoroughly examine solution offers.

avatar
Volker Kyra, Secude

Volker Kyra is Managing Director, VP Sales & Marketing EMEA at Secude.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.