General Data Protection Regulation (GDPR)

Uploaded by truongquynh, posted 06-Mar-2018

TRANSCRIPT

OVERVIEW

In December 2015, following three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the final draft of the EU General Data Protection Regulation (GDPR – EU Regulation 2016/679). The aim of the General Data Protection Regulation is to reinforce the data protection rights of individuals, facilitate the free flow of personal data in the digital single market and reduce administrative burden.

The GDPR shall replace the 1995 General Data Protection Directive and apply directly in each of the 28 EU member states.

The final text was formally adopted by the European Parliament and Council in April 2016.

It applies to all data controllers and processors established in the EU and to organizations that target EU citizens, and will take effect in May 2018 after a 2-year transition period.

IMPACTS & CHALLENGES

A mandatory Data Protection Officer (DPO) will be required for companies that, on a large scale and as part of their core activities, regularly and systematically monitor data subjects or process large amounts of sensitive personal data.

Increased transparency to individuals about processing activities. Unambiguous and affirmative action by data subjects when relying on consent:

• Consumer consent to process data must be freely given and for specific purposes;
• Customers must be informed of their right to withdraw their consent;
• Consent must be ‘explicit’ in the case of sensitive personal data.

The “right to be forgotten” for individuals who no longer want their data processed, if there are no legitimate grounds for the data controller to retain the information.

A right to data portability: where individuals have provided personal data to a service provider, they can require the provider to transfer the data to another provider, provided this is technically feasible.

Privacy by design as a default in the setup and management of systems and organizational processes. Privacy settings at a high level by default.

Organizations must undertake Privacy Impact Assessments (PIA) when conducting risky or large-scale processing of personal data.

Accountability in the form of demonstrable compliance with the Regulation:

• Establishing a culture of monitoring, reviewing and assessing data processing procedures;
• Minimizing data processing and retention of data;
• Building in safeguards to data processing activities;
• Documenting data processing policies, procedures and operations, which must be made available to the data protection supervisory authority on request.

Data processors processing on behalf of data controllers must also fully comply with the requirements of the Regulation.

SANCTIONS & RISKS

Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000.

Possibility to file class action lawsuits against data controllers/processors for breaches of the Regulation.

Reversal of the burden of proof in lawsuits against data controllers/processors.

Right to compensation for individuals for damages resulting from violations of the Regulation by a controller or processor.

Organizations must notify the supervisory authority of data breaches ‘without undue delay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals. If there is a high risk to individuals, those individuals must be informed as well.

PRIVACY RELEVANT INFORMATION

There are many elements of personal information. Some examples are name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, IP address (in some jurisdictions), business and personal contact details (addresses, phone numbers, email addresses), internal identification numbers, credit card and bank account numbers, government-issued identification numbers (social security, driver's license numbers, etc.) and identity verification information.

It is important to remember that business data elements can be considered personal information as well.

Examples highlighted on the slide: birth date, addresses, credit card number, IP addresses, phone numbers, email addresses, bank account numbers, social media handle.

HOW CAN WE HELP?

Service areas (tabs shown on each of the following slides): Audit SAP data privacy | Enforce explicit consent | Restrict data access | Blocking of SAP data | Destroy SAP data | Encrypt, mask, anonymize, etc. | Prevent SAP data leakage | Monitor unlawful access

Data privacy topic | Applicable to SAP system, functionality or data | SAP functionality | 3rd party functionality
Data privacy impact assessment on SAP data | SAP ECC, BW, CRM, SRM, IS-*, etc. | AIS, GRC (PC) | (none listed)
Activate explicit consent for processing of personal data | SAP ECC, BW, CRM, SRM, IS-*, etc. | GRC (PC) | (none listed)
Restrict / limit access to privacy relevant data | SAP ECC, BW, CRM, SRM, IS-*, etc. | GRC (AC), IDM, DAM, SSO | (none listed)
Blocking of privacy relevant data (if it can’t be deleted) | SAP ECC, BW, CRM, SRM, IS-*, etc. | SAP ILM | (none listed)
Destruction of privacy relevant SAP data | SAP ECC, BW, CRM, SRM, IS-*, etc. | SAP ILM, OT | (none listed)
Data encryption, masking, anonymization, etc. | SAP ECC, BW, CRM, SRM, IS-*, etc. | SAP TDMS | EPI-USE, Dolphin, Camouflage, etc.
Data protection & prevention of data leakage (outside SAP) | SAP ECC, BW, CRM, SRM, IS-*, etc. | SAP Authorizations, AIS | SECUDE, etc.
Monitor unlawful access to privacy relevant or sensitive data in SAP | SAP ECC, BW, CRM, SRM, IS-*, etc. | RAL (Read Access Logging), SAP Enterprise Threat Detection (ETD) | Celonis, Information Steward, etc.


• Data Redact will mask or change the value of the data that needs to be forgotten on the productive environment. Data Retain allows you to define policies for the data that cannot be deleted because of fiscal requirements.

• Client Sync lets you select and copy just the relevant subsets of data, reducing the disk space needed for the target, saving costs and reducing the transactions of sensitive data.

• Data Secure is a data protection solution that masks SAP data to safeguard sensitive information before it ever leaves the source system. It reduces the exposure of data that is needed only for testing purposes.

• Data Disclose is a unique product that finds, retrieves and presents a data subject’s footprint across the full SAP landscape, as well as non-SAP systems, if integrated with the latest APIs.

Products shown: Data Disclose, Data Secure, Data Redact & Data Retain, Client Sync.


DATA DISCLOSE

An app that enables you to search all SAP systems used by an organization to find where personal data is stored (productive and non-productive systems).

• Quickly find and view the data subject’s footprint.
• Connect as many non-SAP systems as you wish.
• View and customize the output.
• Flexible company-branded PDF output to disclose to the individual what information your company has in the landscape.


MASKING WITH DATA SECURE

• Mask all sensitive data in non-production systems to comply with statutory requirements and industry standards
• Data Secure introduces the concept of Integrity Maps capturing field-level metadata
• Sensitive fields can be discovered from existing Integrity Map configuration
• APIs for 3rd party integration
• Data masked consistently across system types
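The slide's two key ideas, a field-level map that marks which fields are sensitive and masking that stays consistent across systems, can be shown with a small keyed-pseudonymization routine. This is an added illustration, not Data Secure's code or its Integrity Map format; the table/field names follow SAP conventions but the map, the rules and the key are constructed for the example.

```python
import hmac
import hashlib

# Constructed field-level integrity map (illustrative, not the product's format):
# (table, field) -> masking rule. Table/field names follow SAP naming conventions.
INTEGRITY_MAP = {
    ("KNA1", "NAME1"): "pseudonym",      # ECC customer master: name
    ("KNA1", "STRAS"): "redact",         # ECC customer master: street
    ("ADR6", "SMTP_ADDR"): "email",      # central address management: e-mail
    ("BUT000", "NAME1"): "pseudonym",    # CRM business partner: name
}

# Placeholder key for the example only. In practice the masking key lives in a
# secrets store and is never shipped to the non-production target with the data.
MASK_KEY = b"placeholder-masking-key-for-example-only"

def _tag(value: str, n: int = 10) -> str:
    """Keyed, deterministic tag: equal inputs give equal tags in every system,
    but the original cannot be recovered without the key (truncated HMAC-SHA256)."""
    return hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:n]

def mask_value(rule: str, value: str) -> str:
    """Apply one masking rule to one value."""
    if rule == "pseudonym":
        return "PERSON_" + _tag(value).upper()
    if rule == "email":
        local, _, domain = value.partition("@")
        return f"user-{_tag(local, 8)}@{domain}"  # domain kept so mail routing tests still work
    if rule == "redact":
        return "***REDACTED***"
    raise ValueError(f"unknown masking rule: {rule}")

def sensitive_fields(table: str) -> list:
    """Discover the sensitive fields of a table from the integrity map configuration."""
    return sorted(f for (t, f) in INTEGRITY_MAP if t == table)

def mask_record(table: str, record: dict) -> dict:
    """Mask one row; fields without a rule (keys, material numbers, ...) pass through."""
    return {f: mask_value(INTEGRITY_MAP[(table, f)], v) if (table, f) in INTEGRITY_MAP else v
            for f, v in record.items()}

def masked_consistently(ecc_row: dict, crm_row: dict) -> bool:
    """Referential check: the same person masked in ECC (KNA1) and CRM (BUT000)
    must end up with the same pseudonym, or cross-system test scenarios break."""
    return mask_record("KNA1", ecc_row)["NAME1"] == mask_record("BUT000", crm_row)["NAME1"]
```

Because the tag is keyed, two non-production systems masked with the same key still join on the pseudonym, while a tester holding only the masked copies cannot reverse it.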


COPYING WITH CLIENT SYNC

Copy subsets of client data:

• Application data: master data, transactional data (time-sliced), HCM data only
• User master data
• Customizing data: client-dependent, client-independent, HCM customizing data only

Produce a fully functional client with a reduced footprint. Consistent client on Time and Enterprise slice.


Your sensitive data needs protection outside of SAP. How do you protect your SAP data today?

Data?
● Customer
● Finance
● HR
● Material
● Production
● Product design
● Pricing

Scenarios?
● Security & compliance regulations
● SAP access from locations all over the world
● Exchange of product & IP related digital files
● IP in business processes

Tools?
● SAP GRC, SAP ETD, SAP Digital Boardroom
● Microsoft Azure Information Protection / RMS


SAP user authorization either allows all data exports or blocks them all for a user. However, a fundamental blocking of SAP data exports by SAP authorization shuts down many business processes. SAP users can export, print or email all data which they are allowed to access.


Full control of your SAP data exports / downloads & transparency in data streams between systems, with Data Stream Intelligence (HDSI®). Automated classification in all modules.

PROTECT
• Access control for sensitive documents out of SAP
• Ensuring the SAP sensitivity level outside SAP

BLOCK
• Blocking of unauthorized exports out of SAP
• Copy & Paste prevention

MONITOR
• Audit of all exports & RFCs.
• Alerting of unauthorized exports (File, Print, Mail)
• SAP GRC & SIEM integration

Export channels listed on the slide: File | Print | Mail | BO/BEx, and RFC & IDOC via HDSI®.


Integration in SAP and linkage to Microsoft Azure Information Protection (AIP / RMS) for document encryption. Flow shown on the slide:

• SAP function modules: an add-on in a certified namespace (for MONITOR & BLOCK) intercepts the download / export function call and blocks it in case of missing user privilege.
• Classification & PROTECT (for PROTECT only): transfer of the data and specific attributes to a server in the customer IT infrastructure; request and transfer of the encryption key.
• Result: a file with classification labels (metadata), optionally encrypted.
• Resumption of the download / export function call.
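The PROTECT / BLOCK / MONITOR split and the intercept-classify-resume flow above can be modelled as a single decision point: classify the export by its most sensitive field, compare against the user's per-channel export ceiling, block or resume with labels, and emit an audit event for GRC/SIEM. This is an added example, not the add-on's or any vendor's code; the field-to-label rules, the privilege structure and the encryption rule are assumptions made for the example.

```python
import json
import time

# Constructed classification rules: the most sensitive field in an export sets its label.
FIELD_LABELS = {"NAME1": "Confidential", "SMTP_ADDR": "Confidential", "BANKN": "Highly Confidential"}
RANK = {"Internal": 0, "Confidential": 1, "Highly Confidential": 2}
CHANNELS = ("File", "Print", "Mail", "BO/BEx")   # export channels named on the slides

def classify(fields):
    """Label an export by its most sensitive field (fields without a rule are Internal)."""
    return max((FIELD_LABELS.get(f, "Internal") for f in fields), key=RANK.__getitem__)

def gate_export(user, channel, fields, privileges, audit_log):
    """Decision taken where the download / export function call is intercepted.
    privileges: {user: {channel: highest label the user may export}} (assumed shape;
    a user with no entry may still export Internal data, so normal work continues).
    Returns the action and, on ALLOW, the metadata attached before the call resumes."""
    if channel not in CHANNELS:
        raise ValueError(f"unsupported export channel: {channel}")
    label = classify(fields)
    ceiling = privileges.get(user, {}).get(channel, "Internal")
    allowed = RANK[ceiling] >= RANK[label]
    # MONITOR: every export attempt, allowed or not, becomes an audit event.
    event = {"ts": time.time(), "user": user, "channel": channel, "label": label,
             "fields": sorted(fields), "action": "ALLOW" if allowed else "BLOCK"}
    audit_log.append(json.dumps(event))
    if not allowed:
        return {"action": "BLOCK", "label": label}          # BLOCK: call never resumes
    # PROTECT: resume with classification labels; encryption via AIP/RMS is assumed to
    # apply only to file-type outputs, so a Print export is labelled but never encrypted.
    encrypt = RANK[label] >= RANK["Confidential"] and channel in ("File", "Mail")
    return {"action": "ALLOW", "label": label,
            "metadata": {"classification": label, "encrypt": encrypt}}
```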

TOINOVATE PROFILE

Started in January 2005, ToInovate has established itself in the Portuguese market as a supplier of excellent consultants to the main consulting companies in the SAP world.

The ToInovate brand has become, to our customers, a symbol of dedication, perseverance and excellence in results. Naturally, 2007 consolidated ToInovate as a brand in the market for SAP consulting services. Strategic partnerships were developed, including obtaining the status of SAP Channel Partner.

In 2008, ToInovate became the first Portuguese consulting company to obtain the status of SAP Business Objects Partner, after the acquisition of Business Objects by SAP. Also in 2008, ToInovate became an SAP Service Partner.

The concern to continue our policy of providing services that exceed expectations and generate added value for our customers is the driver for the organization's sustained growth.

Today, ToInovate has a large team of consultants providing services on an installed base of customers from different business areas.