Workshop dataprivacy in SAP (PowerPoint presentation)


SLIDE 1

March 29, 2018

Workshop dataprivacy in SAP

  • Ing. Nico J.W. Kuijper MSc. CIPP/EU

SAP information & data governance/management consultant, (SAP) Data Privacy Consultant Certified by the International Association of Privacy Professionals nico.kuijper@d-im-services.com +31 20 615 82 89

Disclaimer: the author of this presentation does not provide any legal advice regarding data privacy with this presentation. In this presentation personal opinions, practical experiences with the fulfillment of data protection requirements and possible instruments are discussed. This presentation contains some pictures/slides from publicly available sources and SAP presentations.

SLIDE 2

March 29, 2018 D&IM Services – SAP Information & Data governance | Data Privacy | Archiving | ILM | DVM | System Decomisioning | HANA Data Temperature Management Page 1

Disclaimer: The information contained in this presentation is for general guidance only and is provided on the understanding that the author is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. The author accepts no liability for any actions taken in response hereto. It is the responsibility of your organization to adopt the measures it deems appropriate to achieve GDPR compliance.

SLIDE 3

Questions to the audience

Is your organization currently ready for / compliant with the GDPR?

  • Yes?
  • No?
  • Not sure?

Who should be responsible for data privacy in your view?

  • Business?
  • IT?
  • Both?

On what level should data privacy be addressed in the organization?

  • Strategic level?
  • Tactical level?
  • Operational level?
  • All the levels above?

How are other companies doing? https://www.gartner.com/newsroom/id/3701117

SLIDE 4

Analogy: processing financial transactions

Diagram (processing financial transactions): money flows in (€ in) and out (€ out) of the bookkeeping system; fiscal law etc. sets the rules, C-level executives (CFO) set the policy; roles shown: clerk, financial controller, head of finance, internal stakeholder(s), external stakeholder(s), tax officer.

Key elements:

  • Legislation
  • Legal/fiscal authority
  • C-Level executive
  • Internal control function
  • Governance & policies
  • Management layer
  • Record/bookkeeping
  • Operations/execution layer
  • Money flow in/out
  • External stakeholders

SLIDE 5

Analogy: processing privacy relevant data

Diagram (processing privacy relevant data): data flows in and out of the privacy “bookkeeping”; GDPR legislation sets the rules, C-level executives (CIO/CDO) set the policy; roles shown: data controller, data processor, DPO (Data Privacy Officer), DPA (Data Privacy Authority), stakeholder(s) like data subjects, external stakeholder(s).

Article on data privacy bookkeeping: https://executive-people.nl/587119/privacy-boekhouding.html

Key elements:

  • Legislation
  • Legal authority
  • C-Level executive
  • Internal control function
  • Governance & policies
  • Management layer
  • Record/bookkeeping system
  • Operations/execution layer & tools
  • Dataflow in/out
  • External stakeholders

(e.g. data subjects, external controllers & processors)

SLIDE 6

The roadmap to GDPR compliance

Key questions

Identify the context of privacy relevant data

  • Where (systems) is privacy relevant data used/stored?
  • How & where is it processed (business process)?
  • For what (lawful) purpose?
  • What are the relevant (legal/fiscal) retention rules?
  • Document the outcome in your data register & records and retention scheme

Assess & prioritize privacy risks

  • What are the identified privacy risks (PIA)?
  • Gap analysis regarding organizational & technical measures
  • Evaluate risks, measures & prioritize.

Develop and execute a privacy program

  • How to mitigate the identified privacy risks?
  • What are our data privacy policies and procedures?
  • How do we govern/evaluate (ongoing) data privacy?
  • Technical measures: what are the appropriate privacy enhancing tools?
  • Implement technical measures based on defined policies
  • Etc.

SLIDE 7

Presentation focus area: PET in the context of SAP

The presentation has a main focus on privacy enhancing technology available in SAP and will touch also some of the data privacy relevant processes this technology can be used for. We will not focus on governance, relevant data privacy processes, roles and responsibilities, etc.

SLIDE 8

Part 1 – GDPR key aspects put into context

SLIDE 9

GDPR Article 24(1): the GDPR Key aspects

The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/ and here in different languages: Directive 95/46/EC (General Data Protection Regulation) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

SLIDE 10

The nature, scope, context, purpose, risk of processing personal data & appropriate measures

Figure: the steps of the context analysis with example measures per step.

  • Identify where privacy relevant data lives in your SAP system: personal data (in SAP)
  • Identify the purpose for processing personal data (identify relevant business processes): purpose(s) of processing personal data
  • Identify the context: determine the lawful basis for processing (displayed: a few examples of a lawful basis): consent, legal obligation, contract
  • Identify the context: determine the retention and deletion periods and triggers: delete after withdrawn consent (SAP ILM RM, consent management); retain based on legal retention times per country, e.g. NL x years, DE y years (SAP ILM RM)
  • Determine risks of processing the data and implement appropriate (technical) measures (some examples): authorization concept, data masking, anonymization, data breach prevention & detection, etc.

SLIDE 11

What is considered privacy relevant data?

“Personal data” is defined as “any information relating to an identified or identifiable natural person”:

“'personal data' means any information relating to an identified or identifiable natural person 'data subject'; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”

  • Art. 4 Sec. 1 GDPR

What does this mean for SAP Business Suite and SAP S/4HANA?

  • Data in SAP Business Suite and SAP S/4HANA is or might become personal data. A sales order is linked to the business partner (ID). The sales order itself could contain additional personal data – or can reveal personal data (purchases of person X).
  • Combinations of attributes might become personal data – as soon as it is possible to identify the person behind them. Example: information combined from ECC, CRM, BW, etc.

Identify where privacy relevant data lives in your SAP system Personal data (in SAP)

SLIDE 12

First things first (1): Detect the privacy relevant data living in your systems

  • There are different tools in the market available to detect if and where privacy relevant information lives in SAP systems. SAP promotes e.g. Information Steward, Celonis, etc.
  • Tip: a standard “quick to use” SAP report could be used to identify the tables in SAP used to potentially store (sensitive) privacy relevant information. Downside: too limited (it does not identify whether table records are actually populated with personal data).

SLIDE 13

First things first (2): Detect the privacy relevant data living in your systems

  • Alternative: a 3rd party analysis tool could be used to verify if table records are actually populated with personal data (e.g. per personnel area), the relevant authorization checks, available data destruction objects for the identified personal data, etc.

Demo?

SLIDE 14

First things first (3): Detect the privacy relevant data living in your systems

  • Usage of privacy relevant documents

Not only privacy relevant data can be stored in SAP: documents, (email) messages, etc. containing privacy relevant data can be stored in SAP or on the content/archive servers connected to SAP. This needs to be checked as well. Example: keeping successfully sent emails containing personal data in SAP is a widespread practice (and a potential risk regarding purpose limitation, unauthorized disclosure of email content, data minimization, etc.).

SLIDE 15

Identify the purpose & processes related to the identified personal data in SAP systems

Identify the purpose for processing personal data (identify relevant business processes) Purpose(s) of processing

  • Personal data of a particular person can be used for different (lawful) purposes. Example: usage of email address

| Attribute | Used in system | Data is stored in | Purpose(s) | Business process(es) |
|---|---|---|---|---|
| Email (customer) | ECC | KNA1, SOES | Different types of business transaction communication | Send contract, order & delivery confirmation (MM/SD), invoices (FI), product defect notifications, etc. |
| Email (business partner) | CRM | BUT020, SOES | Marketing | Campaign management |
| Email (employee) | HR | PA0105, SOES | HR - Employee communication | Many different HR processes |

SLIDE 16

Aligning purposes, retention rules & laws

| Data | Purpose | Active availability | Retention period |
|---|---|---|---|
| Master data | Dependent on other purposes | With related data | Until last related retention period ends → in this example: pension law |
| Payment details | Dependent on other purposes | With related data | Until last retention period for payment details ends → e.g. tax law |
| Communication details | Dependent on other purposes | With related data | With master data |
| Marketing | Marketing | Until consent is revoked or missing renewal after x years | None |
| Purchase contract for iPhone & maintenance | Processing purchase contract; processing maintenance | Until end of maintenance requirements | Until last related retention period ends → e.g. tax law |
| Purchase contract for “The Divine Comedy“ | Processing purchase contract | During processing of purchase contract, possibly for reporting purposes | Until last related retention period ends → e.g. tax law |
| Contract for works | Processing contract for works | During processing of contract for works, possibly for reporting purposes | Until last related retention period ends → e.g. contract law |
| Employment contract | Processing employment relationship | During time of employment and for processing end of employment | Attention: deadlines of pensions, pension offices, … |

Determine the lawful basis for processing (displayed: some examples of a lawful basis)

SLIDE 17

Know what information (not) to retain

  • What type of information?
  • How long should it be preserved?

Note: GDPR Article 17 (right to be forgotten) does not overrule retention rules defined in other legislation!

Identify the context: determine the retention and deletion periods and triggers

Develop A Records and Retention Schedule!

SLIDE 18

Next step: populate your data privacy register, and start with data privacy “book keeping”

Consult your DPO or privacy program manager

  • Document the results of your data & process analysis in a “data privacy register”

An example of a very simple data privacy register template is provided by the EDPS. Source: https://edps.europa.eu/data-protection/our-work/publications/other-documents/register-template-0_en

An example of a more extensive data privacy register template is provided by the Belgian DPA: https://onetrust.com/wp-content/uploads/2017/09/Belgian-DPA-Registry-of-Processing-Activities-Template-20170907-EN.xlsx

SLIDE 19

Now that we have identified the context of the data, what's next? Assess & prioritize the risk using a privacy impact assessment

There are many different (D)PIA tools and templates. One example: www.isaca.org/GDPR-DPIA A (D)PIA can be seen as a kind of risk assessment to identify how privacy relevant data is handled (by the different business processes) in your organization. Based on the outcome you can define improvements in different areas (like data protection measures, policies/procedures, etc.).

Consult your DPO or privacy program manager

SLIDE 20

The roadmap to GDPR compliance

Key questions

Identify the context of privacy relevant data

  • Where (systems) is privacy relevant data used/stored?
  • How & where is it processed (business process)?
  • For what (lawful) purpose?
  • What are the relevant (legal/fiscal) retention rules?
  • Document the outcome in your data register & records and retention scheme

Assess & prioritize privacy risks

  • What are the identified privacy risks (PIA)?
  • Gap analysis regarding organizational & technical measures
  • Evaluate risks, measures & prioritize.

Develop and execute a privacy program

  • How to mitigate the identified privacy risks?
  • What are our data privacy policies and procedures?
  • How do we govern/evaluate (ongoing) data privacy?
  • Technical measures: what are the appropriate privacy enhancing tools?
  • Implement technical measures based on defined policies
  • Etc.

SLIDE 21

Part 2 – Overview of privacy enhancing SAP tools

SLIDE 22

GDPR Article 24(1): the GDPR Key aspects

The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: https://gdpr-info.eu/

SLIDE 23

Map the different GDPR articles to “appropriate measures”

Figure (source picture: SAP SE): GDPR articles mapped to measures. Article groups shown: 24-27; 28-29; 44-50; 30; 17; 16; 5, 12-14, 19; 15; 5-11; 18; 20; 21; 22; 6, 7; 35-36; 33, 34; 40-43; 32; 37-39; 25.

The GDPR contains 99 articles. You can read the full legislative text of the EU GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Discussion: identify some measures and supporting (SAP) tools

SLIDE 24

Overview of some privacy enhancing SAP tools

Data deletion & blocking:

  • SAP ILM RM (data blocking & deletion)
  • HR Process Workbench (mass deletion process automation)
  • Data controller rule framework (central retention rules)

Restrict the access to (personal) data:

  • SAP (special) authorizations (SOD, restrict access to privacy relevant data)
  • SAP UI Masking (masking/blocking data based on user roles)

Data breach detection / data access logging:

  • SAP Read Access Logging (monitor the access to (sensitive) personal data)
  • SAP Enterprise Threat Detection

Consent management, privacy notifications:

  • Options for consent request (standard SAP functions)
  • SAP consent management (future feature)

E-discovery & legal hold

SAP (system/data) security:

  • SAP system security (firewall, SSO, encryption, system settings, etc.)

Inform the data subject:

  • Information Retrieval Framework (report on personal data)

Non-productive systems:

  • SAP TDMS (encryption/anonymization)

Also shown: SAP GRC, privacy management software, Privacy Cockpit, 3rd party PET software

SLIDE 25

Requesting explicit consent in SAP

Individuals have rights when it comes to the collection & processing of personal information. Consent and choice are two of those rights. As a result, organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. There are different options in SAP to request explicit consent for the storage and processing of personal data in for example HCM (e-recruiting), ECC, SRM, CRM, IS*, etc. Processing personal data in SAP without explicit consent is unlawful and should be avoided.

Options for consent request / (standard SAP functions)

SLIDE 26

Policy driven erasure of personal data

Under GDPR Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed (purpose), the data subject objects to processing, or the processing was unlawful. GDPR Article 5: purpose limitation and data minimization: do not collect/keep data without a clear purpose

SLIDE 27

Introduction of SAP ILM

The lifecycle of information (put under corporate control) can be managed with SAP Information Lifecycle management (ILM). SAP ILM is currently the only SAP tool to manage the lifecycle of SAP data and documents in a controlled way using records management & retention policies.

SLIDE 28

Data destruction objects

For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so-called data destruction objects. In the SAP HCM module alone there are more than 100 data destruction objects, and the SAP HCM data destruction objects can (in most cases) be used without additional SAP license implications.

SLIDE 29

SAP ILM RM: applying retention rules in SAP (1)

  • ILM policies are the instruments to translate (differentiated) external legal & fiscal retention and data destruction rules to SAP data and documents
  • ILM retention rules serve mainly the following purposes:
    • separate the data (e.g. per country) during archiving/deletion processes
    • store the data in different containers (when needed for archiving)
    • apply retention rules to the data (how long it MUST be preserved)
    • apply expiration dates (when the data can/must be destroyed)

SLIDE 30

Retention policy: manage the lifecycle of your data

Privacy relevant data should be managed in alignment with other legislation based on retention rules. Other (overruling) legislation – e.g. tax regulation – might require the preservation of privacy relevant data, blocking e.g. the destruction of financial data containing privacy relevant data. With SAP ILM we can harmonize this and apply specific policies for specific types of SAP data.

SLIDE 31

SAP ILM RM: executing data deletion in SAP

SLIDE 32

Final (policy based) data destruction in SAP

Based on the retention rules defined in SAP ILM, privacy relevant SAP data can be blocked and destroyed in a controlled way, in compliance with the retention and deletion rules.

SLIDE 33

Personal Data Lifecycle in SAP: block or delete?

Figure (source: SAP): personal data lifecycle: processing in accordance with the intended purpose → blocking phase (access only for explicitly authorized persons) → deletion.
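The lifecycle on this slide, together with the retention logic of slides 16, 29 and 30 (active availability as long as a purpose needs the data, retention until the last related legal retention period ends, a blocking phase readable only by explicitly authorized users, then destruction separated per country), as an added Python example. It is not SAP ILM code; the role name, the retention years and the sample records are constructed placeholders, not legal retention periods.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Added example, not SAP code: a minimal model of the lifecycle the slides
# describe (processing -> blocking -> destruction) driven by purposes and
# retention rules. Role name, retention years and sample records are
# constructed placeholders.

BLOCKED_DATA_ROLE = "Z_BLOCKED_DATA_READER"   # hypothetical authorization role


@dataclass
class Purpose:
    name: str
    legal_basis: str            # e.g. "contract", "consent", "legal obligation"
    ended_on: Optional[date]    # None while the purpose is still active
    retention_years: int        # legal retention after the purpose has ended


@dataclass
class Record:
    key: str
    country: str                # deletion runs are separated per country
    purposes: List[Purpose]


def expiration_date(rec: Record) -> Optional[date]:
    """Earliest date the record may be destroyed: None while any purpose is
    still active, otherwise the latest end of all related retention periods.
    A record without any purpose has no reason to exist and expires at once."""
    if not rec.purposes:
        return date.min
    ends = []
    for p in rec.purposes:
        if p.ended_on is None:
            return None
        end = p.ended_on   # sample dates avoid 29 Feb, so year arithmetic is safe
        ends.append(date(end.year + p.retention_years, end.month, end.day))
    return max(ends)


def lifecycle_phase(rec: Record, today: date) -> str:
    """'processing' (active availability), 'blocked' (kept for legal
    retention only) or 'destroy' (retention over, deletion is due)."""
    exp = expiration_date(rec)
    if exp is None:
        return "processing"
    return "blocked" if today < exp else "destroy"


def may_access(rec: Record, today: date, user_roles: List[str]) -> bool:
    """Blocked data is readable only by explicitly authorized users."""
    phase = lifecycle_phase(rec, today)
    if phase == "processing":
        return True
    return phase == "blocked" and BLOCKED_DATA_ROLE in user_roles


def destruction_worklist(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Record keys due for destruction, grouped per country."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        if lifecycle_phase(rec, today) == "destroy":
            out.setdefault(rec.country, []).append(rec.key)
    return out


def sample_contracts() -> List[Record]:
    """Constructed records mirroring the slide's examples."""
    return [
        Record("CONTRACT-IPHONE", "NL", [
            Purpose("purchase contract", "contract", date(2017, 6, 30), 7),
            Purpose("maintenance", "contract", None, 0),           # still running
        ]),
        Record("CONTRACT-BOOK", "NL", [
            Purpose("purchase contract", "contract", date(2010, 1, 15), 7),
        ]),
        Record("MARKETING-EMAIL", "DE", [
            Purpose("marketing", "consent", date(2018, 2, 1), 0),  # consent withdrawn
        ]),
        Record("CONTRACT-WORKS", "DE", [
            Purpose("contract for works", "contract", date(2016, 9, 1), 10),
        ]),
    ]


def report(iso_day: str, user_roles: List[str]) -> Dict[str, Dict[str, object]]:
    """Phase, expiration and readability of every sample record for one user."""
    today = date.fromisoformat(iso_day)
    out: Dict[str, Dict[str, object]] = {}
    for rec in sample_contracts():
        exp = expiration_date(rec)
        out[rec.key] = {"phase": lifecycle_phase(rec, today),
                        "expires": exp.isoformat() if exp else None,
                        "readable": may_access(rec, today, user_roles)}
    return out


def worklist_on(iso_day: str) -> Dict[str, List[str]]:
    return destruction_worklist(sample_contracts(), date.fromisoformat(iso_day))


if __name__ == "__main__":
    for key, info in report("2018-03-29", []).items():
        print(key, info)
    print(worklist_on("2018-03-29"))
```

Run stand-alone, the block prints each sample record's phase on 29 March 2018 and the per-country destruction worklist: the marketing record whose consent was withdrawn expires immediately (no overruling retention), the contract for works is only blocked because its placeholder ten-year retention has not yet ended, and the iPhone contract stays in processing as long as the maintenance purpose is open.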

SLIDE 34

Masterdata: blocking of business partner

Source picture: SAP SE.

SLIDE 35

Blocking privacy relevant data

SAP delivers business functions for the blocking of personal (business partner) data that can’t be deleted instantly for different reasons (SAP data consistency or data must be preserved longer due to overruling legal or fiscal legislation, etc.).

SLIDE 36

Restrict the access to personal & sensitive data

Unauthorized access to & processing of privacy relevant data must be prevented using SOD (segregation of duties) principles and (logical) data minimization: access only the data you need.

SLIDE 37

Authorizations - restrict access to privacy relevant data

Special technical and organizational measures must be taken in order to combat the risk of unauthorized access to the SAP ERP System. When taken, these measures ensure that unauthorized viewing and unintentional/intentional manipulation of data is prevented. Limit access to personal & sensitive data:

  • Use a solid, flexible and clear authorization concept
  • Define a strict access management policy and process
  • Consistent across SAP applications & database layer (ECC, S/4HANA, BW, HR, FIORI, CRM,…)
  • Restrict access to blocked data elements
  • Restrict access to data reports
  • Store data extracts at secure locations
  • Implement sufficient security parameters to prevent unauthorized access

The Audit Information System (transaction SUIM) and many other tools (like GRC) can be useful.

SLIDE 38

Authorizations – Analysis of access to personal data

Example of a 3rd party tool (Soterion) to assess GDPR related authorization risks

Source Picture: Soterion

SLIDE 39

HR: context & time sensitive authorizations

With the authorization object P_DURATION it is possible to block users' access to personal data from the past (stored in infotypes). This could be required if data needs to remain available due to legal retention periods or is still required for other processes, but active use or processing by users should no longer be possible because of data privacy rules. There are many other types of solution, like e.g. SAP dynamic authorizations, that can support the definition of tailored authorization concepts.

Source Picture: SAP SE.

SLIDE 40

Security of personal & sensitive data

SLIDE 41

Protect the access to privacy relevant data in SAP

Source Picture: SAP SE.

SLIDE 42

UI Masking and logging (I)

Configure on field level how a field is displayed: define whether data are shown, or how they are masked. Register authorized users per field:

  • In transaction PFCG, assign users to the UI Masking authorization role.
  • Users assigned to these roles will be able to see unmasked values for the applicable fields.

Source Picture – Public slides SAP SE.

SLIDE 43

Authorizations - UI Masking (II)

Result: data masking. Data is masked in GUI transaction display for unauthorized users. This also affects high-level “admin” system users (in dynamic transactions, e.g. SE11, SE12, SE16, SE16n) unless explicitly authorized. UI Masking also protects data during download, export, and print.

Source Picture – Public slides SAP SE.

SLIDE 44

Authorizations - UI Masking (III)

Example of role based masking of particular screen fields.
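Role-based field masking as described on the three UI Masking slides, as an added Python example (not SAP's UI Masking product): a per-field configuration says how a value is masked and which role lifts the mask, the same rendering is applied to screen display and to export, and a broad technical role does not unmask anything unless it is the field's explicit unmask role. The field names, role names and HR records are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example, not SAP's UI Masking product. Field names, role names and
# the sample records below are constructed placeholders.


@dataclass(frozen=True)
class FieldRule:
    mask_style: str     # "full", "last4" or "hide"
    unmask_role: str    # role (assigned to users via PFCG) that sees clear text


# Fields without a rule are shown to everyone.
MASKING_CONFIG: Dict[str, FieldRule] = {
    "PA0002-GBDAT": FieldRule("full", "Z_UNMASK_BIRTHDATE"),   # date of birth
    "PA0009-BANKN": FieldRule("last4", "Z_UNMASK_BANK"),       # bank account number
    "PA0004-SBGRU": FieldRule("hide", "Z_UNMASK_HEALTH"),      # disability group
}


def mask_value(value: str, style: str) -> str:
    """Render one value according to its masking style."""
    if style == "full":
        return "*" * len(value)
    if style == "last4":
        return "*" * max(len(value) - 4, 0) + value[-4:]
    if style == "hide":
        return ""
    raise ValueError(f"unknown mask style {style!r}")


def render_record(record: Dict[str, str], user_roles: List[str]) -> Dict[str, str]:
    """Apply the configuration to one record for one user.

    Only the field's explicit unmask role lifts the mask. An administrative
    or developer role is deliberately not consulted, which is what keeps the
    data masked for users with broad technical access (table browsers etc.).
    """
    shown: Dict[str, str] = {}
    for field_name, value in record.items():
        rule = MASKING_CONFIG.get(field_name)
        if rule is None or rule.unmask_role in user_roles:
            shown[field_name] = value
        else:
            shown[field_name] = mask_value(value, rule.mask_style)
    return shown


def export_csv(records: List[Dict[str, str]], user_roles: List[str]) -> str:
    """Downloads go through the same masking, so an export never carries
    clear text the same user could not see on screen."""
    if not records:
        return ""
    columns = list(records[0].keys())
    lines = [";".join(columns)]
    for record in records:
        shown = render_record(record, user_roles)
        lines.append(";".join(shown.get(col, "") for col in columns))
    return "\n".join(lines)


def sample_hr_records() -> List[Dict[str, str]]:
    """Constructed HR records; all values are fictitious."""
    return [
        {"PERNR": "00001234", "PA0002-NAME": "A. Jansen",
         "PA0002-GBDAT": "1980-02-14", "PA0009-BANKN": "NL00BANK0123456789",
         "PA0004-SBGRU": "G2"},
        {"PERNR": "00001235", "PA0002-NAME": "B. de Vries",
         "PA0002-GBDAT": "1975-11-30", "PA0009-BANKN": "NL00BANK0987654321",
         "PA0004-SBGRU": ""},
    ]


if __name__ == "__main__":
    print(render_record(sample_hr_records()[0], ["Z_ADMIN"]))              # masked
    print(render_record(sample_hr_records()[0], ["Z_ADMIN", "Z_UNMASK_BANK"]))
    print(export_csv(sample_hr_records(), ["Z_HR_CLERK"]))
```

The `hide` style is what a field looks like to a user who should not even learn that a value exists; `last4` keeps enough of a bank account for a clerk to confirm a payment run without exposing the full number. The point of the export path is that masking sits in the rendering layer, not in the screen, so download, export and print cannot be used to bypass it.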

SLIDE 45

Authorizations - UI logging – Access log (I)

Source Picture – Public slides SAP SE.

SLIDE 46

Authorizations UI logging – Access log (II)

Source Picture – Public slides SAP SE.

SLIDE 47

Data breach notifications

“Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In the event of a personal data breach, data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”

SLIDE 48

Monitoring data breaches in SAP using RAL

If data is leaked, companies must inform the Data Protection Authority (DPA) within 72 hours of becoming aware of the breach. All data breaches must be sufficiently documented, so organizations must be able to indicate exactly where in their systems breaches have taken place and what consequences they have. They potentially must also inform the owners of the leaked data. SAP offers a standard tool (as part of NetWeaver) to monitor unauthorized access to (privacy relevant) data – even if this is “just looking” at privacy relevant data. The name of the tool is RAL (Read Access Logging) and it can monitor the access to data from many different channels.

Source: SAP SE.

SLIDE 49


RAL (Read Access Logging) - 1

With RAL you can define and categorize the logging purposes, log domains and logged objects yourself.

SLIDE 50


RAL (Read Access Logging) - 2

Access to privacy relevant SAP data via different channels (GUI, internet, RFC) can be logged in a flexible way, so that you can determine in detail what needs to be logged. RAL can help you significantly in detecting and logging data breaches in SAP.
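As an added example that is not SAP code and not from these slides: a small analyzer over constructed read-access log entries modelled on the concepts the RAL slides name (logging purpose, log domain, access channel). It flags reads of a privacy-relevant domain that have no allowed purpose or are done in bulk, and computes the 72-hour notification deadline from the breach-notification slide. The field layout, the user-to-purpose mapping and the entries are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log entries modelled on the concepts the RAL slides name
# (logging purpose, log domain, access channel). The field layout is an
# assumption for this example, not the real RAL log structure.
SAMPLE_LOG = [
    {"ts": "2018-03-26T08:02:10", "user": "HRCLERK1", "channel": "GUI",
     "purpose": "HR_PAYROLL", "domain": "BANK_DETAILS", "records": 3},
    {"ts": "2018-03-26T08:05:42", "user": "DEV_TMP", "channel": "RFC",
     "purpose": "HR_PAYROLL", "domain": "BANK_DETAILS", "records": 1200},
    {"ts": "2018-03-26T08:06:01", "user": "DEV_TMP", "channel": "RFC",
     "purpose": "HR_PAYROLL", "domain": "HEALTH_DATA", "records": 950},
    {"ts": "2018-03-26T09:30:00", "user": "WEBUSER", "channel": "WEB",
     "purpose": "SELF_SERVICE", "domain": "ADDRESS", "records": 1},
]

# Logging purposes each user may legitimately read under (assumption: in a
# real system this is derived from the user's roles and authorizations).
ALLOWED_PURPOSES = {
    "HRCLERK1": {"HR_PAYROLL"},
    "WEBUSER": {"SELF_SERVICE"},
    "DEV_TMP": set(),  # no business purpose for reading personal data
}

PRIVACY_DOMAINS = {"BANK_DETAILS", "HEALTH_DATA", "ADDRESS"}
BULK_THRESHOLD = 100  # records read in one access; tune per domain


def find_suspicious_reads(entries, allowed=ALLOWED_PURPOSES):
    """Map (user, domain) -> total records read, for reads of a privacy
    relevant domain that lack an allowed purpose or are done in bulk.
    These are the candidate breach indicators to investigate and document."""
    hits = defaultdict(int)
    for e in entries:
        if e["domain"] not in PRIVACY_DOMAINS:
            continue
        no_purpose = e["purpose"] not in allowed.get(e["user"], set())
        bulk = e["records"] >= BULK_THRESHOLD
        if no_purpose or bulk:
            hits[(e["user"], e["domain"])] += e["records"]
    return dict(hits)


def notification_deadline(aware_at):
    """GDPR: notify the supervisory authority not later than 72 hours after
    becoming aware of the breach. ISO-8601 timestamp in, ISO-8601 out."""
    return (datetime.fromisoformat(aware_at) + timedelta(hours=72)).isoformat()
```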

SLIDE 51


Data privacy versus system & data security

SLIDE 52


Information security = information privacy?

The term information privacy refers to the handling, controlling, sharing and disposal of personal information, while the term information security covers a very wide range of physical and administrative activities that protect not only personal information but any type of information or information asset that supports a business. The difference between information privacy and information security supports the statement “You can have security without privacy… but you cannot have privacy without security.” For example, a computer with solid access controls may be secure, but if those access controls are not assigned correctly, privacy may still become an issue.

SLIDE 53


List of possible technical measures

The German SAP user group (DSAG) provides a guide (perhaps not completely updated for the GDPR, but still useful) on the different technical measures you can implement to enhance (data) security and privacy, covering for example:

  • recommendations on system parameters
  • known authorization risks
  • risks related to interfaces
  • logging mechanisms and housekeeping
  • measures around the security of the (SAP) network, database, system, etc.

https://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf

SLIDE 54


Data protection in non productive SAP systems

Context: the GDPR prohibits unauthorized access to personal data and encourages the pseudonymization or anonymization of data where possible. How do you give developers, testers and contract workers access to a non-production system without endangering your data privacy and data security regulations?

SLIDE 55


Privacy relevant data in NON productive systems

SAP offers, with SAP TDMS 4.0, the option to scramble privacy relevant data in non productive SAP systems (see the SAP slide on TDMS 4.0 above).

Alternative 3rd party solutions are delivered by e.g. EPI-USE, Natuvion, etc.

Source Picture – Public slides SAP SE.
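As an added example that is not TDMS or any vendor's code: one way to scramble a system copy for developers and testers. Direct identifiers are replaced by keyed, deterministic pseudonyms so the same person maps to the same value in every table (joins and referential integrity keep working), an IBAN keeps its country code and length so format checks in test code still pass, and the key stays in production. The record layout, the choice of privacy-relevant fields and the sample records are constructed assumptions.

```python
import hashlib
import hmac

# Constructed record layout; which fields count as privacy relevant is an
# assumption for this example.
DIRECT_IDENTIFIERS = ("first_name", "last_name", "email")
# The key never leaves production; a fresh key per refresh limits linkage.
SCRAMBLE_KEY = b"constructed-example-key-rotate-per-refresh"


def pseudonym(value, field, key=SCRAMBLE_KEY, length=10):
    """Keyed, deterministic pseudonym: the same input gives the same output
    in every table of the copy, and it is not reversible without the key."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return field[:2].upper() + mac[:length]


def scramble_iban(iban, key=SCRAMBLE_KEY):
    """Keep country code and length; the remaining characters become
    key-derived digits, so the value is unrelated to the real account."""
    hexmac = hmac.new(key, iban.encode(), hashlib.sha256).hexdigest()
    body = "".join(str(int(c, 16) % 10) for c in hexmac)
    return iban[:2] + body[: len(iban) - 2]


def scramble_record(rec, key=SCRAMBLE_KEY):
    out = dict(rec)
    for f in DIRECT_IDENTIFIERS:
        if out.get(f):
            out[f] = pseudonym(out[f], f, key)
    if out.get("iban"):
        out["iban"] = scramble_iban(out["iban"], key)
    return out  # technical keys such as 'pernr' stay intact for joins


def scramble_tables(tables, key=SCRAMBLE_KEY):
    """Scramble every table of a system copy with the same key."""
    return {name: [scramble_record(r, key) for r in rows]
            for name, rows in tables.items()}


# Constructed sample: two tables referring to the same employee.
SAMPLE_TABLES = {
    "employees": [{"pernr": "00001234", "first_name": "Anna", "last_name": "Jansen",
                   "email": "anna.jansen@example.com", "iban": "NL91ABNA0417164300"}],
    "payroll": [{"pernr": "00001234", "last_name": "Jansen",
                 "iban": "NL91ABNA0417164300", "amount": 3500}],
}
```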

SLIDE 56


Instruments for complex data privacy operations

Maintaining records and retention rules for different types of information, with differentiated retention rules per country or organizational entity, can be a challenge.

SLIDE 57


SAP Data Controller Rule Framework

The SAP Data Controller Rule Framework can be used to define differentiated business rules on the retention of SAP data, which are used for the blocking and deletion of that data. This “rule generator” populates SAP ILM with the corresponding ILM rules.
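As an added example that is neither the Rule Framework nor ILM code: a small rule evaluator showing the kind of differentiated retention logic the two slides above describe. Rules are keyed by country and organizational unit, the most specific rule wins, and from an end-of-purpose date it derives the date from which a record is blocked (privileged access only) and the date from which it may be destroyed. The rule values and the lifecycle model are constructed assumptions, not legal retention periods.

```python
from datetime import date

# Constructed rules: (country, org_unit) -> (residence_years, retention_years),
# both counted from the end of the business purpose. During the residence
# period the data stays accessible; afterwards it is blocked (restricted to
# privileged users) until the retention period ends and it is destroyed.
# The values are illustrative assumptions, not legal retention periods.
RULES = {
    ("DE", "*"): (1, 10),
    ("NL", "*"): (1, 7),
    ("NL", "HR"): (2, 7),  # unit-specific rule overrides the country default
}


def select_rule(country, org_unit, rules=RULES):
    """Most specific rule wins: exact (country, unit), then (country, '*')."""
    for key in ((country, org_unit), (country, "*")):
        if key in rules:
            return rules[key]
    raise KeyError(f"no retention rule for {country}/{org_unit}")


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap year
        return d.replace(year=d.year + years, day=28)


def lifecycle_dates(end_of_purpose, country, org_unit, rules=RULES):
    """end_of_purpose as 'YYYY-MM-DD'; returns (block_from, destroy_from) as
    ISO date strings, the two dates an ILM rule would be generated for."""
    residence, retention = select_rule(country, org_unit, rules)
    eop = date.fromisoformat(end_of_purpose)
    return (add_years(eop, residence).isoformat(),
            add_years(eop, retention).isoformat())


def record_state(today, end_of_purpose, country, org_unit, rules=RULES):
    """'active' (readable), 'blocked' (privileged access only) or 'destroy'
    (retention expired, to be deleted by the next ILM run). ISO date strings
    compare chronologically, so plain string comparison is enough."""
    block_from, destroy_from = lifecycle_dates(end_of_purpose, country,
                                               org_unit, rules)
    if today >= destroy_from:
        return "destroy"
    if today >= block_from:
        return "blocked"
    return "active"
```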

SLIDE 58


Mass processing of deletion in HR: process models

The HR process workbench can be used to define (country-specific) data destruction processes for the execution of the (controlled) destruction of data from many different infotypes.

SLIDE 59


Data subject information requests

SLIDE 60


SAP Information Retrieval Framework (IRF)

Source: SAP SE.

The Information Retrieval Framework toolset can be used to define and execute the reporting of personal data in case of a data subject request. There are also alternative 3rd party tools delivered by e.g. EPI-USE.

SLIDE 61


Privacy management instruments

SLIDE 62


How privacy management could look like in SAP

There are many different tools to administer, monitor, document and control different data privacy aspects. SAP promotes SAP GRC and is thinking about the development of a data protection cockpit. There are also many non-SAP tools on the market, delivered by e.g. TRUSTe, Nymity, etc.

Source: SAP SE.

SLIDE 63


Summary of privacy enhancing SAP tools

  • Data deletion & blocking: SAP ILM RM (data blocking & deletion); HR process workbench (mass deletion process automation); Data Controller Rule Framework (central retention rules)
  • Restrict the access to (personal) data: SAP (special) authorizations (SOD, restrict access to privacy relevant data); SAP UI Masking (masking/blocking data based on user roles)
  • Data breach detection / data access logging: SAP Read Access Logging (monitor the access to (sensitive) personal data); SAP Enterprise Threat Detection
  • Consent management, privacy notifications: options for consent requests (standard SAP functions); SAP consent management (future feature)
  • E-discovery & legal hold
  • SAP (system/data) security: SAP system security (firewall, SSO, encryption, system settings, etc.)
  • Inform the data subject: Information Retrieval Framework (report on personal data)
  • Non productive systems: SAP TDMS (encryption/anonymization)
  • Privacy management software: SAP GRC; Data Protection Cockpit; 3rd party PET software

SLIDE 64


The roadmap to GDPR compliance

Key questions

  • Identify the context of privacy relevant data: Where (systems) is privacy relevant data used/stored? How & where is it processed (business process)? For what (lawful) purpose? What are the relevant (legal/fiscal) retention rules? Document the outcome in your data register & records and retention scheme.
  • Assess & prioritize privacy risks: What are the identified privacy risks (PIA)? Gap analysis regarding organizational & technical measures. Evaluate risks and measures & prioritize.
  • Develop and execute a privacy program: How to mitigate the identified privacy risks? What are our data privacy policies and procedures? How do we govern/evaluate (ongoing) data privacy? Technical measures: what are the appropriate privacy enhancing tools? Implement technical measures based on the defined policies. Etc.

SLIDE 65


Questions?

DISCLAIMER. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The author assumes no responsibility for errors or omissions in this document, except if such damages were caused intentionally or by gross negligence.