Making SAP systems ready for Europe

The EU General Data Protection Regulation (GDPR), which governs the protection of individuals with regard to the processing of personal data and the free movement of such data, entered into force last year. The regulation is applicable as of May 25, 2018. Until then, companies have time to prepare and implement it.
Gerhard Krauss, SNP
April 27, 2017
This text has been automatically translated from German to English.

The General Data Protection Regulation, which was brought into being by the European Union, raises the question of what it actually means, particularly in comparison with the German Federal Data Protection Act (BDSG).

Many of the regulations set out in the GDPR are based on the BDSG. Major extensions of the regulation lie in the areas of consumer protection, the "right to be forgotten," accountability obligations and data portability.

Companies must take action here

While the regulations for data portability or accountability mean adjustments in the companies' internal processes, consumer protection or the right to erasure require changes directly in data protection. Here, companies must ensure that the rights of those whose data is stored are safeguarded.

The major challenge for companies is to implement the individual requirements from the data protection regulation to the extent necessary. Above all, they must take action at an early stage in order to be able to implement the new rules within the specified time.

First, companies need to get a detailed overview of the processes currently used internally that involve personal data.

These processes are the starting point for all subsequent measures within the scope of the GDPR and thus one of the essential factors for a successful implementation of the new regulations.

The relevant processes are based on a large amount of data that is necessary for data processing or is generated in the process. Every company should examine this data in detail and evaluate the extent to which it can be minimized or whether this data is necessary at all.

Furthermore, data quality is an extremely important factor. The higher the quality of the data concerned and the more closely it corresponds to a defined data profile, the easier it is to define measures with which the requirements of the GDPR can be reasonably implemented.

In preparation for the implementation of the EU General Data Protection Regulation, the data protection departments of each company must draw up concepts on how to maintain information security in their own data processing.

These concepts define how personal data is handled in the company's own IT landscape and describe guidelines and processes that address data protection, accountability obligations, data portability, and the implementation of data subjects' right to erasure.

Maintaining information security is especially urgent in non-production application systems. Test systems are usually provided with production-related data for good reason. If "real" data is to be worked with in test systems, it is imperative that measures be taken to ensure the protection of all personal data.

This applies in particular to application systems that are also accessed by external processors who work or live outside the EU. Anonymization or pseudonymization of personal data is suitable for this purpose.

The nuts and bolts - the analysis

An essential prerequisite for anonymizing data is to identify those processes that process or use personal data.

There are tools that support these analyses, such as SNP System Scan and SNP Business Process Analysis.

While the SNP System Scan provides an overall view of your SAP system, focusing particularly on the scope of organizational structures or the use of modules, the SNP Business Process Analysis (BPA) is used to analyze and visualize business processes and workflows.

BPA is a standard solution. It is used to analyze and illustrate workflows from SAP, EBS, JD Edwards or PeopleSoft ERP systems, among others, based on master and transaction data. SNP BPA contains an extractor that automatically collects the necessary data from the SAP system and provides the extracted information for further analysis or data creation.

Such evaluations are also relevant in the course of anonymization projects. They help to understand which process variants are used in the application systems and how anonymization affects them.

Communication between systems is just as important as the design of business processes. Interfaces ensure the exchange of information within the company's own system landscape and with external communication partners.

When anonymizing, one must not make the mistake of considering an application system in isolation. It must be clearly analyzed which systems communicate with each other and which data is exchanged between these systems.

For example, if data is anonymized only in one ERP system and data from another system is returned in a non-anonymized form via an interface, the anonymization of certain data may become ineffective.

The SNP Interface Scanner (IFS) provides extensive support for analysis by checking and documenting interfaces with little effort. The results show which interface types are used between which systems and how often they are in use.

By means of various forms of presentation (table, Visio graphic, etc.), a wide variety of evaluations can be provided and illustrated. After completion of the analysis and concept phase, the agreed processes must be implemented.

In the concept phase, it is determined which data will be anonymized and how. This requires a tool that configures such settings easily and reusably and that is capable of anonymizing mass data in a consistent form with low processing time.

With SNP Data Provisioning & Masking (SNP DPM), these requirements can be fully implemented. This product is a standard software for the provision of realistic and secure test data.

The software helps to decisively shorten development and change processes, enables more cost-effective testing and training scenarios, and at the same time protects sensitive customer and product data from internal and external misuse.

SNP DPM provides a central control component with which migration scenarios and anonymization and pseudonymization rules are configured. The scenarios are applied during subsequent data migrations or data anonymization runs as the logic for masking the data.

The central storage of these sets of rules has the advantage that they are permanently available and reusable. In addition, the same rules can be applied to different application systems.

SNP DPM provides anonymization rules that can mask contact data such as business partners, customers, suppliers, and employees, as well as transactional data such as financial or logistics data.

The rules use substitution mechanisms, random mixing mechanisms, encryption mechanisms, or initialization mechanisms, among many others.
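
The following Python sketch is an added example, not SNP DPM code or configuration. It applies one central rule set (keyed substitution and initialization, two of the mechanisms named above) to two constructed systems and checks for the failure described earlier, where data masked in one system comes back unmasked from another. The records, field names, key and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: two systems that exchange customer records over an interface.
ERP = [{"cust_id": "C1001", "name": "Anna Schmidt", "iban": "DE00 0000 0000 0000 0001"},
       {"cust_id": "C1002", "name": "Jonas Weber", "iban": "DE00 0000 0000 0000 0002"}]
CRM = [{"cust_id": "C1001", "name": "Anna Schmidt", "phone": "+49 30 0000001"},
       {"cust_id": "C1002", "name": "Jonas Weber", "phone": "+49 89 0000002"}]

def substitute(value, key):
    """Substitution rule: keyed and deterministic, so one input gets one pseudonym in every system."""
    return "P-" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]

def initialize(_value, _key):
    """Initialization rule: reset the field to an empty value."""
    return ""

# Central rule set (field -> rule), defined once and reused for every system.
RULES = {"name": substitute, "iban": initialize, "phone": initialize}

def mask(records, key, rules=RULES):
    """Return masked copies; fields without a rule (here cust_id) pass through unchanged."""
    return [{f: rules[f](v, key) if f in rules else v for f, v in rec.items()}
            for rec in records]

def residual_leaks(originals, landscape, rules=RULES):
    """List (system, cust_id, field) where a ruled field still holds its original value."""
    leaks = []
    for system, records in landscape.items():
        for before, after in zip(originals[system], records):
            for field in rules:
                if before.get(field) and after.get(field) == before[field]:
                    leaks.append((system, before["cust_id"], field))
    return leaks

def names_consistent(landscape):
    """True if every cust_id carries the same name value in all systems."""
    names = {}
    for records in landscape.values():
        for rec in records:
            names.setdefault(rec["cust_id"], set()).add(rec["name"])
    return all(len(v) == 1 for v in names.values())

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: in practice a managed secret, not a literal
    partial = {"ERP": mask(ERP, key), "CRM": CRM}          # only one system masked
    full = {"ERP": mask(ERP, key), "CRM": mask(CRM, key)}  # same rules applied everywhere
    for landscape in (partial, full):
        print(residual_leaks({"ERP": ERP, "CRM": CRM}, landscape), names_consistent(landscape))
```

Because the substitution is keyed and deterministic, the masked ERP and CRM records still agree on each customer's pseudonym, while the partially masked landscape both leaks original values and breaks consistency between the systems.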

SNP DPM provides even more functionalities. Among other things, you can use data extraction with defined selection criteria or extractions using predefined business objects. These predefined business objects map both master data objects, e.g. customers, and business processes, e.g. a sales order.

They thus contain the relevant tables, taking into account the necessary dependencies between them, in order to consistently provide the dependent data for the selected documents.

Time is running out

A year goes by quickly and before you know it, it will be May 25, 2018. Start now with the preparatory activities needed to implement the EU General Data Protection Regulation.

The more thoroughly the implementation of the key points of the regulation is prepared, the fewer problems will arise when it comes to actual implementation, and the lower the risk of high penalties for non-compliance.

Gerhard Krauss, SNP

After 19 years as a manager in consulting at SNP, Gerhard Krauss has now been Managing Director there for over a year.

