General Data Protection Regulation (GDPR)
OVERVIEW
In December 2015, following three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the final draft of the EU General Data Protection Regulation (GDPR – EU Regulation 2016/679). The aim of the General Data Protection Regulation is to reinforce data protection rights of individuals, facilitate the free flow of personal data in the digital single market and reduce administrative burden.
The GDPR shall replace the 1995 General Data Protection Directive and apply directly in each of the 28 EU member states.
The final text was formally adopted by the European Parliament and Council in April 2016.
The Regulation applies to all data controllers and processors established in the EU and to organizations that target EU citizens. It will take effect in May 2018 after a 2-year transition period.
IMPACTS & CHALLENGES
A mandatory Data Protection Officer (DPO) will be required for companies that, on a large scale and as part of their core activities, regularly and systematically monitor data subjects or process large amounts of sensitive personal data.
Increased transparency to individuals about processing activities. Unambiguous and affirmative action by data subjects when relying on consent:
• Consumer consent to process data must be freely given and for specific purposes;
• Customers must be informed of their right to withdraw their consent;
• Consent must be ‘explicit’ in the case of sensitive personal data.
The “right to be forgotten” for individuals who no longer want their data processed, if there are no legitimate grounds for the data controller to retain the information.
A right to data portability: where individuals have provided personal data to a service provider, they can require the provider to transfer the data to another provider, provided this is technically feasible.
Privacy by design as a default in setup and management of systems and organizational processes. Privacy settings at high level by default.
Organizations must undertake Privacy Impact Assessments (PIA) when conducting risky or large-scale processing of personal data.
IMPACTS & CHALLENGES
Accountability in the form of demonstrable compliance with the Regulation:
• Establishing a culture of monitoring, reviewing and assessing data processing procedures;
• Minimizing data processing and retention of data;
• Building in safeguards to data processing activities;
• Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory authority on request.
Data Processors processing on behalf of data controllers must also fully comply with the requirements of the Regulation.
SANCTIONS & RISKS
Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000.
Possibility to file class action lawsuits against data controllers/processors for breaches of the Regulation.
Reversal of burden of proof in lawsuits against data controllers/processors.
Right to compensation for individuals for damages resulting from violations of the Regulation by a controller or processor.
Organizations must notify the supervisory authority of data breaches ‘without undue delay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals. If there is a high risk to individuals, those individuals must be informed as well.
PRIVACY RELEVANT INFORMATION
There are many elements of personal information. Some examples are name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, IP address (some jurisdictions), business and personal (addresses, phone numbers, email addresses), internal identification numbers, credit card and bank account numbers, government-issued identification numbers (social security, driver's license numbers, etc.) and identity verification information, etc.
It is important to remember business data elements can be considered personal information as well.
• Birth Date
• Addresses
• Credit Card Number
• IP Addresses
• Phone Numbers
• Email Addresses
• Bank Account Numbers
• Social Media Handle
HOW CAN WE HELP?
• Audit SAP data privacy
• Enforce explicit consent
• Restrict data access
• Blocking of SAP data
• Destroy SAP data
• Encrypt, Mask., Anon., etc
• Prevent SAP data leakage
• Monitor unlawful access
| Data privacy topic | Applicable to SAP system, functionality or data | SAP functionality / 3rd party functionality |
|---|---|---|
| Data privacy impact assessment on SAP data | SAP ECC, BW, CRM, SRM, IS-*, etc. | AIS, GRC (PC) |
| Activate explicit consent for processing of personal data | SAP ECC, BW, CRM, SRM, IS-*, etc. | GRC (PC) |
| Restrict / limit access to privacy relevant data | SAP ECC, BW, CRM, SRM, IS-*, etc. | GRC (AC), IDM, DAM, SSO |
| Blocking of privacy relevant data (if can’t be deleted) | SAP ECC, BW, CRM, SRM, IS-*, etc. | SAP ILM |
| Destruction of privacy relevant SAP data | SAP ECC, BW, CRM, SRM, IS-*, etc. | SAP ILM, OT |
| Data encryption, masking, anonymizations, etc. | SAP ECC, BW, CRM, SRM, IS-*, etc. | SAP TDMS; EPI-USE, Dolphin, Camouflage, etc |
| Data protection & prevention of data leakage (outside SAP) | SAP ECC, BW, CRM, SRM, IS-*, etc. | SAP Authorizations, AIS; SECUDE, etc |
| Monitor unlawful access to privacy relevant or sensitive data in SAP | SAP ECC, BW, CRM, SRM, IS-*, etc. | RAL (Read Access Logging), SAP Enterprise Threat Detection (ETD); Celonis, Information Steward, etc |
HOW CAN WE HELP?
• Data Redact will mask or change the value of the data that needs to be forgotten on the productive environment.
• Data Retain allows you to define policies for the data that cannot be deleted, because of fiscal requirements.
• Client Sync lets you select and copy just the relevant subsets of data, reducing disk space needed for the target, saving costs and reducing the transactions of sensitive data.
• Data Secure is a data protection solution that masks SAP data to safeguard sensitive information, before it ever leaves the source system. Reduces the exposure of the data that is needed only for testing purposes.
• Data Disclose is a unique product that finds, retrieves and presents a data subject’s footprint across the full SAP landscape, as well as non-SAP systems, if integrated with the latest APIs.
Products: Data Disclose, Data Secure, Data Redact & Data Retain, Client Sync
HOW CAN WE HELP?
DATA DISCLOSE
App that enables you to search all SAP systems used by an organization to find where personal data is stored (productive and non-productive systems).
Quickly find and view the data subject’s footprint.
Connect as many non-SAP systems as you wish.
View and customize the output.
Flexible company-branded PDF output to disclose to the individual what information your company has in the landscape.
HOW CAN WE HELP?
MASKING WITH DATA SECURE
Mask all sensitive data in non-production systems to comply with statutory requirements and industry standards
Data Secure introduces the concept of Integrity Maps capturing field level metadata
Sensitive fields can be discovered from existing Integrity Map configuration
APIs for 3rd party integration
Data masked consistently across system types
HOW CAN WE HELP?
COPYING WITH CLIENT SYNC
Copy subsets of client data
• Application data: Master data; Transactional data (time-sliced); HCM data only
• User master data
• Customizing data: client-dependent; client-independent; HCM customizing data only
Produce fully functional client with reduced footprint
Consistent client on Time and Enterprise slice
HOW CAN WE HELP?
Your sensitive data needs protection outside of SAP. How do you protect your SAP data today?
Data?
● Customer
● Finance
● HR
● Material
● Production
● Product design
● Pricing
Scenarios?
● Security & compliance regulations
● SAP access from locations all over the world
● Exchange of product & IP related digital files
● IP in business processes
Tools?
● SAP GRC, SAP ETD, SAP Digital Boardroom
● Microsoft Azure Information Protection / RMS
HOW CAN WE HELP?
SAP user authorization either allows all data exports or blocks them all for a user.
However, a fundamental blocking of SAP data exports by SAP authorization shuts down many business processes.
SAP users can export, print or email all data which they are allowed to access.
HOW CAN WE HELP?
PROTECT
BLOCK
MONITOR
• Access control for sensitive documents out of SAP
• Ensuring the SAP sensitivity level outside SAP
• Blocking of unauthorized exports out of SAP
• Copy & Paste prevention
• Audit of all exports & RFCs.
• Alerting of unauthorized exports (File, Print, Mail)
• SAP GRC & SIEM integration
Automated classification in all modules
- File | Print | Mail | BO/BEx
- HDSI® (RFC & IDOC)
- File | Print | Mail | BO/BEx
- File | Mail | BO/BEx
with Data Stream Intelligence (HDSI®)
Full control of your SAP data exports / downloads & transparency in data streams between systems
HOW CAN WE HELP?
Integration in SAP and linkage to Microsoft Azure Information Protection (AIP / RMS) for document encryption
[Architecture diagram; labels:]
• Customer IT infrastructure
• SAP Function Modules
• Add-on in certified namespace for MONITOR & BLOCK
• Interception of download / export function call & blocking in case of missing user privilege
• Resumption of download / export function call
• Classification & PROTECT Server (for PROTECT only)
• Transfer of data and specific attributes
• Request, Transfer, Encryption-Key
• File with classification labels (metadata), optional encrypted
TOINOVATE PROFILE
Started in January 2005, ToInovate has established itself in the Portuguese market as a supplier of excellent consultants to the main consulting companies in the SAP world.
The ToInovate brand has become, to our customers, a symbol of dedication, perseverance and excellence in results. Naturally, 2007 consolidated ToInovate as a brand in the market for SAP consulting services. Strategic partnerships were developed, including obtaining the status of SAP Channel Partner.
In 2008, ToInovate became the first Portuguese consulting company to obtain the status of SAP Business Objects Partner, after the acquisition of Business Objects by SAP. Also in 2008, ToInovate became SAP Service Partner.
The concern to continue our policy of providing services that exceed expectations and generate added value to our customers is the driver for the organization's sustained growth.
Today, ToInovate has a large team of consultants providing services on an installed base of customers from different business areas.