1. When will the new GDPR come into force and what will change under the Regulation?
The General Data Protection Regulation (GDPR) was published by the EU on 27 April 2016; there is then a two-year transition before it becomes EU law on 25 May 2018. It is a Regulation and not a Directive, and therefore does not need national laws to be enacted before it can be enforced. GDPR replaces the 1995 EU Data Protection Directive.
The Regulation runs to over 200 pages, but some of the key areas that will change include the following:
- Data Breach Notification – a breach of personal data should be notified to a supervisory authority within 48 hours.
- Right to Data Portability – this enables an individual to obtain their personal information from an organisation in a machine-readable format. One benefit is that the individual can then re-use that information to their own advantage with another service provider.
- ‘Right to be Forgotten’ – this enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- Accountability – organisations will need to be able to prove to regulators, to individuals and potentially to shareholders and the media that they did the right thing, often years after a decision was taken. Many organisations will need to appoint a Data Protection Officer (DPO) to advise on and monitor compliance with GDPR.
2. How will this affect SAP customers on SAP Business Suite and SAP S/4HANA?
Organisations need to understand where personal data is stored across their entire IT landscape, including back-end systems such as SAP ERP and S/4HANA. A field-by-field analysis needs to be done to understand whether a field could be used to identify an individual, even indirectly. This applies not only to ‘Production’ systems: Development, Test and Training systems must also be examined.
Example areas include:
- Sales Order / Purchase Order processing – e.g. bank details, email addresses
- Employee data
- Plant Maintenance Orders with Employee certification
- BW – personal data held in data warehouses
- Unstructured data such as invoices containing personal data held in Document Management systems or Enterprise Content Management systems.
3. What core business areas will be impacted?
All business processes which touch personal data. Examples include:
- Sales Order / Purchase Order processing, E-commerce
- HR - Employee / Manager self-service, employee reviews, employee records, sickness records
- Time and Expenses, bank details, invoices/receipts with personal data – names, addresses, credit card details
- Employee Certification – Plant Maintenance / HR
- BW, Data Warehouses for reporting requirements.
4. Which areas need investment for SAP customers?
SAP customers need to urgently review their processes for managing personal data, both Master Data and the associated Transaction Data. Unstructured data storage is also impacted, as it could contain personal data. A review is required of Information Lifecycle Management processes, i.e. how data is archived, blocked and deleted.
5. How can you review compliance with the Regulation, and what could be the consequences of non-compliance?
To review compliance, organisations must address the following:
- Review data processed by the organisation and by any supplier that processes data on its behalf, covering both Data Controller and Data Processor activities. If in doubt, assume data is personal, as the GDPR definitions are extremely wide.
- Consider securely wiping all personal data, or anonymising it where it needs to be collected and stored by the organisation. Pseudonymised data is the next best approach where identification of individuals is required; this reduces the harm caused to individuals in the event of a data breach.
- Review ‘Consent’ processing. Consent will need to be separated from all other T&Cs and will not be valid unless freely given, specific, informed and unambiguous. The data controller will need to ensure that the additional rights of individuals around data portability, the right to be forgotten and the right to withdraw consent are addressed.
- Transfer of data ‘cross border’ needs very careful consideration. It will be allowed across all EU member states and a few third countries, but not currently with the US.
- Data Breach notification – implement the infrastructure needed to enable prompt, compliant notification to individuals and to ‘Supervisory Authorities’ EU-wide.
- Some organisations will need to appoint a Data Protection Officer (DPO) to advise on and monitor compliance with GDPR.
- Fines for non-compliance are now levied on the ‘Undertaking’ rather than on a Data Controller or Processor. Group companies are part of the same ‘Undertaking’, so fines are based upon group revenues, which can be significant for large multinational companies. The fines for non-compliance are split into two categories:
  - 20M Euros or, for an ‘Undertaking’, 4% of worldwide revenue. This is the maximum fine that can be imposed, for the most serious infringements, e.g. insufficient customer consent to process data or contravening the core Privacy by Design concepts.
  - 10M Euros or, for an ‘Undertaking’, 2% of worldwide revenue. This applies to not having records in order, not informing the supervisory authority and the individual about a breach, or not conducting an impact assessment.
6. Are there any SAP solutions that can help you comply with GDPR?
SAP provide an array of solutions that can help you comply with GDPR. AgilityWorks offer a range of services to support you on your journey towards GDPR compliance, starting with a complimentary workshop. For more information about how SAP technology can help you comply with GDPR, please contact us.
7. What are the recommendations for technical approaches and business policies to start implementing now?
The following approach should be executed to achieve compliance:
- Audit and Gap Analysis – where is the data, is it lawfully processed, and what are the risks?
- Implement data and procedure management – ‘tagging’ personal data and managing its lifecycle, and securing the data within the organisation and at any third parties. Ensure policies are in place around breach notification, consent, security and risk assessment.
8. How does Brexit affect the GDPR?
Brexit does not affect GDPR implementation for the United Kingdom, as the negotiated exit from the EU will not take place until after GDPR has been implemented, which means all of the current 28 member states must comply. Post Brexit, any UK based ‘Undertaking’ which uses the data of individuals in EU member states for providing Goods or Services, or for Monitoring Internet usage, will need to comply with the Regulation.
9. What if we are not an EU based company, does this still affect us?
Yes, GDPR does affect non-EU based companies if they use EU based individuals’ data for the provision of Goods or Services, or for Monitoring Internet usage.
10. What rights do individuals and companies have?
The rights under GDPR include the following:
- Right to Data Portability – the right to receive data from, and transmit data to, a Data Controller, giving the data subject control of their personal data.
- Right to be Forgotten – the right to have personal data erased or removed if there is no compelling reason for its continued processing.
- Right to Restrict Processing – the right to block or suppress processing of personal data. If the personal data in question has been disclosed to third parties, they must be informed about the restriction on processing, unless this is impossible or involves disproportionate effort.
- Right to be Informed – this right is to ensure that organisations are clear about how they use personal data. It is typically satisfied through a privacy notice, written in clear language, stating how personal data is used, with clear positive ‘opt ins’ for the different types of data usage. A separate positive opt in for Direct Marketing is also required.
- Right of Access – the right of individuals to access their personal data so that they are aware of, and can verify, the lawfulness of the processing.
- Right to Object – the right to object to the use of personal information in certain circumstances. There must be a way for data subjects to object online where personal data is processed for the purposes of Direct Marketing or Research. The right also applies to processing based on legitimate interests or on the performance of a task in the public interest/exercise of official authority (including profiling).
- Rights in relation to Automated Decision Making or Profiling – this right safeguards against potentially damaging decisions taken without human intervention.
11. What happens when personal data is breached under GDPR?
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
GDPR will introduce an EU-wide obligation on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.
The ‘Data Controller’ must notify the breach to the ‘supervisory authority’ “without undue delay” and, where feasible, not later than 72 hours after having become aware of it.
When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller is also required to notify the affected individuals “without undue delay”.
Data Processors are required to notify the controller without undue delay after having become aware of the breach.
Data Controllers based in multiple Member States are required to work with their ‘Lead Supervisory Authority’. For ‘cross border’ data breaches, the lead authority will therefore need to be alerted along with the authorities in each affected State, and these authorities will then be expected to work together.
A data breach notification should include the following information, where possible:
- The categories and approximate number of individuals concerned, and the categories and approximate number of personal data records concerned;
- The name and contact details of the Data Protection Officer (if your organisation has one) or of another contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach, and a description of the measures taken, or proposed to be taken, to deal with the breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
For more information please download our latest GDPR webinar: