Fit for the EU General Data Protection Regulation?
Companies that have not adapted their processes by then face fines of up to 20 million euros or four percent of annual global turnover, whichever is higher, in the event of violations. What should companies that use SAP watch out for, and how can they prepare?
What does this mean for companies? Which data systems are particularly affected? What steps must be implemented by May 2018 to comply with the new requirements?
The tiered penalty system of the new General Data Protection Regulation already provides for fines of up to 10 million euros or two percent of annual global turnover if processing operations are not properly documented (Article 28 of the draft; Article 30, records of processing activities, in the adopted text).
In the event of a personal data breach, companies must notify the supervisory authority within 72 hours of becoming aware of it (Article 31 of the draft; Article 33 in the adopted text).
Under the regulation's definition, unauthorized access also counts as a data breach: an employee looking at personal data that he or she does not need for his or her job is already such an access.
In addition, companies must ensure that employees are able to recognize when a processing operation violates the law or when they are processing data they are not authorized to process.
The first and most important step for every company is to establish in which systems it holds data covered by the regulation. The second step is to check whether the company can reliably track, and later prove, what happens to this data, for example once it leaves the system.
As IT environments become increasingly complex, it is a major challenge for companies to track what data is held in which systems and through which channels it may be shared.
Personal data is especially common in ERP systems. Within this controlled environment it is comparatively easy to implement the new data protection requirements, because such systems have authorization structures and audit logs.
Is that enough?
Unfortunately not: as soon as the data has been exported from the system, the SAP authorization structures no longer apply, and it is also impossible to trace what subsequently happens to the data.
In most companies, however, such exports take place every day without employees being aware of the possible consequences. This applies in particular to industries such as energy (electricity, oil and gas), transport (air, rail, water and road), infrastructure sectors such as drinking water supply, banking and financial market infrastructures, trading venues, healthcare providers and digital infrastructures.
It is therefore necessary to introduce audit or logging solutions that record who views, exports and passes on data.
It is also advisable to integrate a GRC solution so that notifications are sent to those responsible in the event of rule violations.
Ideally, however, data sets should be classified as they are created. Sensitive data affected by legislation can then be provided with appropriate rules for its entire life cycle.
For example, they can be released only for internal use or for certain people, or the download of specific data can be blocked completely.
In addition, employees are thereby sensitized to the topic and made aware of possible violations. Introducing a rights management system (RMS) helps to prevent the kind of personal data breach that would trigger the notification duty (Article 31 of the draft; Article 33 in the adopted text) and makes it possible to prove, or restrict, how data is used even outside the ERP system.
The new legislation also requires many companies to designate a data protection officer (Article 35 of the draft; Article 37 in the adopted text), in particular public bodies and companies whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. Now is the ideal time for those responsible to review the internal situation, initiate appropriate measures for locating and securing data, and thoroughly examine the solutions on offer.
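The measures described above (classify a record when it is created, attach a policy for its life cycle, log every view and export, block downloads of the most sensitive class, and surface violations for those responsible) can be combined into a single enforcement point. The following Python sketch is an added example written for this page; it is not SAP code, not an RMS or GRC product, and the roles, field names, record contents and the `AccessGate` class are all constructed assumptions for illustration.

```python
"""Added example: a classification gate with an audit trail.

A record is classified at creation, a policy is attached for its whole life
cycle, every view/export attempt is logged, and denied attempts are collected
as the events a GRC tool would forward to the data protection officer.
All roles, field names and records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Classification(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"   # internal use only
    PERSONAL = "personal"   # personal data covered by the regulation


@dataclass(frozen=True)
class Policy:
    allowed_roles: frozenset            # roles that may view the record
    export_allowed: bool                # may the record leave the system at all
    export_roles: frozenset = frozenset()   # roles that may export it ("*" = any)


# Assumed policies: personal data is visible to HR only and can never be exported.
POLICIES = {
    Classification.PUBLIC: Policy(frozenset({"*"}), True, frozenset({"*"})),
    Classification.INTERNAL: Policy(frozenset({"hr", "finance", "it"}), True,
                                    frozenset({"hr", "finance"})),
    Classification.PERSONAL: Policy(frozenset({"hr"}), False),
}

# Assumed list of fields whose presence marks a record as personal data.
PERSONAL_FIELDS = {"name", "date_of_birth", "iban", "address", "email"}


def classify(data: dict) -> Classification:
    """Classify at creation: any personal field makes the whole record PERSONAL."""
    if PERSONAL_FIELDS & set(data):
        return Classification.PERSONAL
    if data.get("internal", False):
        return Classification.INTERNAL
    return Classification.PUBLIC


@dataclass
class Record:
    record_id: str
    data: dict
    classification: Classification = field(init=False)

    def __post_init__(self) -> None:
        self.classification = classify(self.data)   # fixed at creation


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    action: str
    record_id: str
    classification: str
    allowed: bool


class AccessGate:
    """Single enforcement point: decides, and records, every view and export."""

    def __init__(self) -> None:
        self.log: list[AuditEvent] = []

    def _decide(self, user: str, role: str, action: str, rec: Record, allowed: bool) -> bool:
        self.log.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user, role,
                                   action, rec.record_id, rec.classification.value, allowed))
        return allowed

    def view(self, user: str, role: str, rec: Record) -> bool:
        pol = POLICIES[rec.classification]
        allowed = "*" in pol.allowed_roles or role in pol.allowed_roles
        return self._decide(user, role, "view", rec, allowed)

    def export(self, user: str, role: str, rec: Record) -> bool:
        pol = POLICIES[rec.classification]
        allowed = pol.export_allowed and ("*" in pol.export_roles or role in pol.export_roles)
        return self._decide(user, role, "export", rec, allowed)

    def violations(self) -> list[AuditEvent]:
        """Denied attempts: what a GRC tool would notify those responsible about."""
        return [e for e in self.log if not e.allowed]


def run_demo() -> tuple[AccessGate, dict[str, Record]]:
    """Constructed scenario: three records, six access attempts, three violations."""
    recs = {
        "emp": Record("EMP-0001", {"name": "J. Doe", "iban": "DE00 0000 0000 0000 0000 00"}),
        "memo": Record("MEMO-17", {"internal": True, "subject": "Q3 planning"}),
        "press": Record("PR-2", {"subject": "Product launch"}),
    }
    gate = AccessGate()
    gate.view("alice", "hr", recs["emp"])       # allowed: HR needs it
    gate.view("bob", "sales", recs["emp"])      # denied: not needed for the job
    gate.export("alice", "hr", recs["emp"])     # denied: personal data never leaves
    gate.export("carol", "it", recs["memo"])    # denied: IT may view, not export
    gate.export("alice", "hr", recs["memo"])    # allowed
    gate.export("bob", "sales", recs["press"])  # allowed: public
    return gate, recs


if __name__ == "__main__":
    gate, _ = run_demo()
    for e in gate.violations():
        print(f"{e.timestamp} {e.user}({e.role}) {e.action} {e.record_id} [{e.classification}] DENIED")
```

The design point is that the decision and the log entry are produced by the same call, so there is no way to export a record without leaving a trace, and the `violations()` list is exactly the feed a GRC notification would consume. A real deployment would persist the log in an append-only store and attach the classification to the exported file itself (the RMS role), which this sketch does not do.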