SAP White Paper
GDPR
The Basics of GDPR
How the right HCM solutions can support your compliance journey
© 2017 SAP SE or an SAP affiliate company. All rights reserved.
Table of Contents
Introduction and Objectives
Scope
Impact
Features of SAP SuccessFactors Solutions
In May 2016, the European Union (EU) adopted a newly harmonized data protection law called the General Data Protection Regulation (GDPR). As of May 25, 2018, the GDPR will be in force throughout all EU member states and in the European Economic Area. Any organization that collects or processes personal data of an individual within the Union is subject to this regulation, regardless of the organization’s location.
While the GDPR does not introduce many substantially new concepts, it substantially increases the compliance requirements of data controllers and processors regarding their handling of personal data.
Introduction and Objectives
As a company, SAP is committed to ensuring compliance with the GDPR by May 25, 2018. We have been consistent in our approach to data protection as part of our general product standards, and we are now extending this approach to reflect new requirements of the GDPR.
As you, our customers, prepare for compliance, we have summarized the changes introduced by the GDPR, the implications of these changes, and how SAP® product features can help you implement GDPR requirements.
The information contained in this document is for general guidance only and is provided on the understanding that SAP is not herein engaged in rendering legal advice. The responsibility to adopt appropriate measures to achieve GDPR compliance rests with your organization as controller in terms of the GDPR, and SAP accepts no liability for any actions taken in response to this document. As such, it should not be used as a substitute for legal or professional consultation.
OBJECTIVES
The GDPR aims to harmonize data protection requirements across Europe into one single EU data protection regulation. It addresses corporate bodies governed by public and private law in their capacity of either controller or processor. The new law aims to protect the rights and freedoms of natural persons, to enhance data subjects’ confidence in organizations that hold or process their personal data, and to strengthen the EU’s internal market. To this end, the GDPR provides a uniform set of rules to govern the processing of personal data across the EU. The degree of EU-wide harmonization achievable by the GDPR is, however, restricted to the extent that the regulation contains opening clauses that allow EU member states to set out country-specific laws and requirements for specific data processing activities. These opening clauses, therefore, may result in additional rules and obligations for data controllers and processors.
Scope
MATERIAL SCOPE
The GDPR has a broad material scope covering the processing of personal data by automated means or in other structured form, including data intended to form part of a filing system. The GDPR states that the regulation does not apply where natural persons process personal data exclusively during a purely personal, private, or household activity.
TERRITORIAL SCOPE
Likewise, the GDPR has a broad territorial scope and applies to any activities of a data controller or processor in the EU that comprise the processing of an individual’s personal data. Central to this is whether the controller or processor is located in the EU. The GDPR also applies to controllers or processors located outside the EU where the processing serves to offer goods or services to data subjects in the EU or to monitor the behavior of data subjects in the EU.
Impact
The GDPR introduces several new legal requirements that may substantially affect a controller’s or processor’s business. Therefore, each controller or processor must verify which GDPR obligations apply to them and must also ascertain how to implement the requirements accordingly.
GENERAL PRINCIPLES
In accordance with its general processing principles, the GDPR requires the processing of personal data to be lawful, proportionate, transparent, adequate, accurate, secure, confidential, limited in time and to designated purposes, and conducted in a responsible and accountable manner. This last point means applying appropriate security—including technical and organizational measures—to ensure integrity and confidentiality.
PERSONAL DATA
The GDPR explicitly defines what it means by the term personal data: any data that identifies or can be used to identify an individual. The term clearly includes metadata or other associated data such as IP addresses, cookies, or other identifiers that may trace back to an individual. The GDPR has broadened the known catalog of special categories of personal data to include genetic data, biometric data if used to uniquely identify a natural person, and data related to criminal convictions and offenses.
LAWFUL GROUNDS FOR PROCESSING
Processing personal data will be lawful only if one of the criteria for permission, as set forth in the GDPR, is met. In the absence of direct legal allowance, organizations need consent from individuals whose data is to be processed. This consent must cover all purposes for which the organizations (intending to process the data) collect and process the data and must allow for the individual’s right to withdraw consent at any time. This means that blanket consent or global consent is not valid for the processing of personal data.
The GDPR specifies what are considered lawful grounds for the processing of personal data. These are shown in Figure 1 and described below. These are good practices to follow regardless of whether an organization is subject to the GDPR. Regulations concerning data privacy and protection are ever evolving, and it is in your organization’s best interest to establish and maintain strict data privacy and protection policies. In the end, each organization must make its own interpretation of what it considers legal grounds for processing personal data. Chapter 2, Article 6, of the GDPR describes the lawfulness of processing as follows:
Processing shall be lawful only if and to the extent that at least one of the following applies:
• The data subject has given consent to the processing of his or her personal data for one or more specific purposes
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• Processing is necessary for compliance with a legal obligation to which the controller is subject
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Figure 1: Lawful grounds for processing personal data – consent, contract, legal obligation, protection of vital interests, public interest, legitimate interest.
ACCOUNTABILITY
The GDPR aims to improve accountability of those processing personal data and increase transparency of the data being processed. Despite its similarity in substance and structure to the current data protection legislation, the GDPR will take a much tougher line in helping enforcement. Penalties for noncompliance are remarkably high, including administrative fines of up to €20 million or 4% of an enterprise’s global annual revenue, with potential damage claims and other legal liability risks designed to incentivize companies to enhance internal structures and processes to comply with the regulation.
DATA PROTECTION BY DESIGN AND BY DEFAULT
Under the terms of the GDPR, organizations must deliberately build in privacy, and both systems and processes have to adopt privacy by default. Organizations are obligated to ensure that the processing of personal data is for a specific purpose, and the organizations must demonstrate that data protection is at the heart of their IT framework and solution design.
TECHNICAL AND ORGANIZATIONAL SECURITY
Organizations are also obligated to implement all necessary technical and organizational measures to ensure a level of security appropriate to the risk of the processing for the data subjects. It is therefore necessary that the organization analyzes its internal IT asset landscape to identify and map data flows. This will help to ascertain the appropriateness of the security framework.
DATA SUBJECT RIGHTS
Organizations should be guided by the concept that the individual should know and always be able to identify what personal data is processed, by whom, for what purposes, and over what period of time. Thus, data controllers will need to actively provide certain general and specific information; this is in accordance with the GDPR’s revised concepts of data portability and the individual’s rights to access, refuse or object, or be forgotten. Organizations involved in processing personal data will therefore require robust internal processes with designated roles.
DATA GOVERNANCE
With an onus to clearly show customers, data subjects, and regulators that they are GDPR compliant, organizations must implement a host of systemic measures to reduce the risk of violation. Complexity grows when organizations need to keep track of every purpose for which personal data is being processed and when they need to ensure that all individuals have given their consent for each data processing use case. These measures must be built into existing IT infrastructures. Depending on the outcome of a data protection risk assessment, organizations should take measures to help maintain compliance. Such measures include the appointment of a dedicated data protection officer (DPO), the execution of privacy impact assessments (PIAs), and the adoption of regular audit procedures.
DATA RETENTION VERSUS DATA DELETION
Business systems, such as human capital management (HCM) systems, contain combinations of a multitude of records on both employees and other individuals, such as job applicants and contractors. A company’s HCM system may, for example, store data related to job applications, payroll records, training history, compensation history, retirement plans, health information, and so on. Over time, a company’s HCM system will accumulate a considerable number of records, many of which contain personal information related to individuals.
The GDPR requires organizations to remove any personal data from their systems once this data is no longer needed for the course of business. You must do this, for example, when an employee leaves the company (including any transfer of employment to an affiliated company). In other
cases, an employee may simply revoke their consent to a special data processing activity. At the same time, personal data obtained may still be lawfully processed on other legal grounds or be an integral part of records that are subject to retention times of 5, 10, or even 30 years. In such cases, the company needs to determine how best to store that data so it is not unnecessarily accessed but can still be retrieved by authorized parties.
DATA PROTECTION AS A PART OF LEGAL COMPLIANCE
Data protection requirements are only one subset of the compliance requirements faced by a company. Data protection requirements need to be aligned with other applicable requirements, including tax legislation or industry-specific laws. Retention requirements are the best example. If more specific legislation defines that certain records, including personal information, need to be kept for 30 years, deletion of this data is not allowed. Organizations need to analyze their business processes with regard to all applicable legislation, and establish the appropriate technical and organizational measures to achieve and maintain compliance.
ROLE OF SAP PRODUCTS
As mentioned previously, we at SAP have been consistent in our approach to data protection as part of our general product standards. We are extending this approach as related to the new requirements of the GDPR as well as improving existing standards.
Therefore, our company is committed to achieving GDPR compliance by May 25, 2018. In tandem, we are committed to developing and further improving our products to help you, our customers, meet GDPR requirements to the best of your ability. Development measures include the ongoing enhancement of already existing product features as well as the implementation of new requirements.
If configured properly, SAP software products can help your controllers comply with certain GDPR obligations. This is because SAP products (as a digital platform and from a solutions perspective) are designed to help ensure the consistency and accuracy of data across systems. SAP solutions provide layers of assurance, appropriate technical and organizational measures – such as pseudonymization and encryption – and a management system of standards and best practices. All these strategies help protect the fundamental rights and freedoms of natural persons as stated under the GDPR.
Features of SAP® SuccessFactors® Solutions
We will now look more specifically at how features of SAP SuccessFactors solutions can support your organization’s journey toward GDPR compliance. We will examine this functionality by looking at the lifecycle of personal data.
We can view the lifecycle of data—including personal data—as comprising three phases: the “active” phase, during which the data is processed for its intended purpose; the “retention” or “blocked” phase, during which the data should not be actively processed but can be displayed for specific reasons; and the “end-of-use” phase at the end of the data’s applicable retention period. (See Figure 2.) SAP SuccessFactors solutions provide robust data protection features for all three phases.
Each organization needs to define for itself what it classifies as personal or “sensitive” data (such as special categories of personal data). Therefore, we plan to offer configuration options for SAP SuccessFactors solutions to mark data elements as personal or sensitive. Classifying data elements as personal or sensitive will facilitate blocking, deleting, and reporting on personal or sensitive data.
Figure 2: Personal data lifecycle – Active (data processed for its intended purpose); Retention (data displayed or processed for specific purposes only); End of Use (data purged).
ACTIVE DATA PHASE
During the phase when you actively need personal data in an HCM system, your company typically uses it for processes such as time tracking, payroll, and performance management.
READ LOGGING AND REPORTING
SAP SuccessFactors solutions log every read access to sensitive data, regardless of the channel used to read the data (for example, user interface, API, exports, or reporting). SAP plans to create a report for this information. The goal is to allow authorized users to run a report that shows the personal data that was read for a specific data subject or personal data that was read by a specific user.
CHANGE LOGGING AND REPORTING
Any changes made to personal data (including corrections) are automatically tracked in SAP SuccessFactors solutions. The SAP SuccessFactors Employee Central solution, for example, captures all changes made to personal data by default. You can define yourself whether or not to track changes to metadata framework (MDF)-based objects. The software tracks all changes regardless of the channel used to make the change (user interface, API, or imports).
SAP plans to create a “change log report” that will display all changes made to personal data in the format “before value” and “after value.” We plan for the software to provide additional information depending on the functional subarea to explain the context of a change. The goal is to allow authorized users to run a report that shows changes to sensitive data for a specific data subject or changes to sensitive data by a specific user.
PERMISSIONS
SAP SuccessFactors solutions offer a comprehensive permission control, called role-based permissions (RBPs), to help keep personal data secure. With RBPs, you can set up a very fine-grained authorization concept following the “need to know” principle, including the ability to define separate permissions for displaying, changing, and deleting data. You should regularly confirm that the rationale for granting each permission still applies.
The main elements of RBPs are permission roles and permission groups.
• Permission role: controls the access rights that an employee or group of employees has to the application or employee data. RBPs allow you to grant a role to a specific employee, a manager, a group, or all employees in the company.
• Permission group: used to define groups of employees who share specific attributes. You can use various attributes to select the group members – for example, a user’s department, country, or job code. Groups can be static or dynamic.
• How are roles and groups related? While roles define what is allowed, the groups define who is allowed to do it (granted users) and for whom (target users).
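The read logging, change logging and RBP concepts described on this page fit together in a small model. The following Python is an added illustrative example, not SAP code and not the SuccessFactors RBP implementation: the employee records, field names, roles, groups and the assumption that a read on a "sensitive" field is logged whatever the channel are all constructed here. A permission role lists which fields may be viewed, changed or deleted (the "what"); a permission group is a predicate over employee attributes (the "who"); an assignment binds a role to a granted group and a target group.

```python
# Added illustrative example (not SAP code): role-based permissions with
# granted/target groups, plus read and change logging on sensitive fields.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# Constructed sample master data (no real persons).
EMPLOYEES: Dict[str, dict] = {
    "e100": {"name": "Employee One", "dept": "HR", "country": "DE",
             "status": "active", "salary": 52000, "iban": "DE00TEST0001"},
    "e200": {"name": "Employee Two", "dept": "Sales", "country": "FR",
             "status": "active", "salary": 61000, "iban": "FR00TEST0002"},
    "e300": {"name": "Employee Three", "dept": "HR", "country": "DE",
             "status": "inactive", "salary": 48000, "iban": "DE00TEST0003"},
}
# Assumed classification: every read of these fields is logged, on any channel.
SENSITIVE_FIELDS = {"salary", "iban"}
AUDIT_LOG: List[Tuple] = []


@dataclass(frozen=True)
class PermissionRole:
    """WHAT is allowed: separate field sets for viewing, changing, deleting."""
    name: str
    view: FrozenSet[str]
    change: FrozenSet[str] = frozenset()
    delete: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class PermissionGroup:
    """WHO: a dynamic group selected by employee attributes."""
    name: str
    predicate: Callable[[dict], bool]

    def members(self) -> Set[str]:
        return {eid for eid, rec in EMPLOYEES.items() if self.predicate(rec)}


@dataclass(frozen=True)
class RoleAssignment:
    """A role granted to one group (granted users) over another (target users)."""
    role: PermissionRole
    granted: PermissionGroup
    target: PermissionGroup


def build_assignments() -> List[RoleAssignment]:
    hr_de_staff = PermissionGroup(
        "HR staff, Germany",
        lambda r: r["dept"] == "HR" and r["country"] == "DE" and r["status"] == "active")
    employees_de = PermissionGroup("Employees, Germany", lambda r: r["country"] == "DE")
    everyone = PermissionGroup("All employees", lambda r: True)
    hr_admin = PermissionRole("HR admin", view=frozenset({"name", "dept", "salary", "iban"}),
                              change=frozenset({"salary", "iban"}), delete=frozenset({"iban"}))
    directory = PermissionRole("Directory", view=frozenset({"name", "dept"}))
    return [
        RoleAssignment(hr_admin, granted=hr_de_staff, target=employees_de),
        RoleAssignment(directory, granted=everyone, target=everyone),
    ]


def is_allowed(actor: str, action: str, subject: str, field: str,
               assignments: List[RoleAssignment]) -> bool:
    """Need-to-know check: some assignment must grant `action` on `field` to a
    group containing the actor, for a target group containing the subject."""
    for a in assignments:
        if (actor in a.granted.members() and subject in a.target.members()
                and field in getattr(a.role, action)):
            return True
    return False


def read_field(actor, subject, field, assignments, channel="ui"):
    if not is_allowed(actor, "view", subject, field, assignments):
        AUDIT_LOG.append(("DENIED", actor, subject, field, channel))
        raise PermissionError(f"{actor} may not view {field} of {subject}")
    if field in SENSITIVE_FIELDS:  # read logging is independent of the channel
        AUDIT_LOG.append(("READ", actor, subject, field, channel))
    return EMPLOYEES[subject][field]


def change_field(actor, subject, field, new_value, assignments, channel="ui"):
    if not is_allowed(actor, "change", subject, field, assignments):
        AUDIT_LOG.append(("DENIED", actor, subject, field, channel))
        raise PermissionError(f"{actor} may not change {field} of {subject}")
    old = EMPLOYEES[subject][field]
    EMPLOYEES[subject][field] = new_value
    AUDIT_LOG.append(("CHANGE", actor, subject, field, old, new_value, channel))
    return old, new_value


def change_log(subject: str) -> List[Tuple]:
    """Before/after report of all changes for one data subject."""
    return [e for e in AUDIT_LOG if e[0] == "CHANGE" and e[2] == subject]


def reads_by(actor: str) -> List[Tuple]:
    """Which sensitive fields one user read, across all channels."""
    return [e for e in AUDIT_LOG if e[0] == "READ" and e[1] == actor]
```

Two details worth noting: group membership is evaluated at check time, so an employee who becomes inactive drops out of the granted group without any role change, and denied attempts are logged alongside successful reads, which is what a "who read what" report needs to be meaningful.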
PERSONAL DATA REPORTING
There may be cases in which you need to report on personal data stored within the SAP SuccessFactors solution for a specific data subject. For example, an (ex-)employee might request a copy of all their personal data stored in the HR system, for what purpose the data is being used, and how long it will be retained. SAP plans to develop an “information report” to display this information. The report is designed to be associated with specific permissions to help ensure only authorized persons can run the report. The goal is for the system to also track when the report was run, by whom, and whether it was downloaded.
RETENTION DATA PHASE
Once there is no longer a business need to process personal data, it is advisable to delete – or at least restrict – access to it to minimize the risk of data loss or breach. There may be cases where you no longer need to actively process the personal data but need to retain it for compliance reasons. Retention periods include legal, regulatory, contractual, or statutory retention requirements. The blocking and deletion of personal data in business software tends to be complex. This is largely due to the number of retention regulations that need to be taken into account, but also because the same data is used for different processes by different users. When restricting the use of personal data, you may need to consider not just the kind of data, but the “age” of the data. For example, performance feedback is not effective-dated, but it does have a validity for a specific year (that is, performance is evaluated for a calendar year).
BLOCKING
You can use blocking to restrict access to historical personal data that is still in the system within its retention period. In some cases, one role may still need access to the data, while you may block access for another role.
RBPs in SAP SuccessFactors solutions already have the option to restrict the permissions for a role to the current data only (that is, no historical records). Planned enhancements for RBPs include the ability to define a time period for which the history should be visible, including the ability to define different intervals of time restrictions based on country as well as employee status (active/inactive). This is needed because different countries may have different rules about how long certain data can be accessed.
MASKING
You can use masking to hide (or mask) field contents on the user interface. If data is masked, it will be displayed as asterisks (********* [Click to View]) to the user. Only when the user explicitly clicks on the masked field will it be displayed. You can switch on masking per field, which helps you avoid exposing personal or even sensitive data by default.
Note: You can use field-level permissions to restrict access to specific fields as well.
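Blocking and masking, as described above, are both display-time restrictions layered on top of permissions. The following Python is an added illustrative example, not SAP code: the history rows, the per-country and per-status visibility windows, and the decision to log every explicit reveal of a masked field are constructed assumptions. `visible_history` keeps the current record for every subject and field (a role may still see current data) and keeps older effective-dated records only inside the window configured for the subject's country and status; `render_field` returns the asterisk placeholder until a reveal is requested.

```python
# Added illustrative example (not SAP code): time-windowed blocking of
# history by country and employee status, and masking with a logged reveal.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

MASK = "********* [Click to View]"


@dataclass(frozen=True)
class HistoryRecord:
    subject: str
    country: str
    status: str        # "active" or "inactive"
    field: str
    value: str
    effective: date    # effective-dated record


# Constructed sample history (no real persons).
HISTORY: List[HistoryRecord] = [
    HistoryRecord("e100", "DE", "active", "salary", "50000", date(2014, 1, 1)),
    HistoryRecord("e100", "DE", "active", "salary", "51000", date(2016, 1, 1)),
    HistoryRecord("e100", "DE", "active", "salary", "52000", date(2017, 1, 1)),
    HistoryRecord("e300", "DE", "inactive", "salary", "48000", date(2012, 6, 1)),
    HistoryRecord("e200", "FR", "active", "salary", "58000", date(2010, 1, 1)),
    HistoryRecord("e200", "FR", "active", "salary", "61000", date(2013, 3, 1)),
]

# Assumed blocking rules for one role: how far back history stays visible.
# None = current record only; a timedelta = that window; "all" = no limit.
HISTORY_WINDOW: Dict[Tuple[str, str], object] = {
    ("DE", "active"): timedelta(days=3 * 365),
    ("DE", "inactive"): None,
    ("FR", "active"): "all",
}


def current_records(records, today) -> Dict[Tuple[str, str], HistoryRecord]:
    """Latest record per (subject, field) that is effective on or before today."""
    cur: Dict[Tuple[str, str], HistoryRecord] = {}
    for r in records:
        if r.effective <= today:
            key = (r.subject, r.field)
            if key not in cur or r.effective > cur[key].effective:
                cur[key] = r
    return cur


def visible_history(records, today) -> List[HistoryRecord]:
    """Blocking: the current record is always visible; older records only
    within the window for the subject's country and status. A combination
    with no rule falls back to current data only (least privilege).
    Future-dated records are out of scope for this example."""
    cur = current_records(records, today)
    out = []
    for r in records:
        if r.effective > today:
            continue
        if cur.get((r.subject, r.field)) is r:
            out.append(r)
            continue
        window = HISTORY_WINDOW.get((r.country, r.status))
        if window == "all" or (isinstance(window, timedelta)
                               and today - r.effective <= window):
            out.append(r)
    return out


REVEAL_LOG: List[Tuple] = []


def render_field(actor, subject, field, value, masked_fields, reveal=False):
    """Masking: a masked field shows as asterisks until explicitly revealed;
    the reveal is recorded like any other read of that field."""
    if field in masked_fields and not reveal:
        return MASK
    if field in masked_fields:
        REVEAL_LOG.append(("REVEAL", actor, subject, field))
    return value
```

The window lookup is keyed on the subject's country and status, not the viewer's, which is what the text means by different intervals per country and employee status; the viewer's entitlement to the field at all is still decided by the role's permissions.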
END-OF-USE PHASE
The cost of data storage continues to decline. This tends to discourage organizations from investing effort in removing data that is no longer needed. Nevertheless, organizations are legally obliged to delete personal data at the end of the applicable retention period.
DATA PURGING
Purging personal or sensitive data when it is no longer needed for business purposes is a good risk management strategy – and one of the requirements of the GDPR.
SAP SuccessFactors solutions offer a “data retention management” tool that enables you to purge obsolete data and inactive users from SAP SuccessFactors solutions. You can create business rules to specify exceptions or dependencies, as well as an approval workflow for oversight of data purge requests. SAP plans to enhance the existing data retention management tool so that you can flexibly define retention configuration by time period and country for each data retention object at a minimum. Each product within the SAP SuccessFactors solutions may offer additional criteria to define purge rules, such as division, department, location, and so on.
When executing a data purge request, the software will check for dependencies in all components and purge the data accordingly. The purge configurations are provided at the functional object level, and you can group multiple purge objects into a data retention group. You can configure retention times at data retention group level based on different parameters – such as country level and employee data type (active/inactive).
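The pieces of this section, and of the earlier "Data retention versus data deletion" and data-lifecycle discussions, can be exercised together in one small model. The following Python is an added illustrative example, not SAP code and not the data retention management tool: the purge object names, the retention years per country and status, the legal-hold exception, the approver list and the subject records are constructed assumptions. It derives each subject's lifecycle phase (active, retention, end-of-use) from the retention group's rules, plans a purge only for end-of-use subjects, orders the objects so that nothing is purged while another object still references it, skips subjects under a legal hold, and refuses to execute without an authorized approver.

```python
# Added illustrative example (not SAP code): retention groups, lifecycle
# phase, dependency-ordered purge with exceptions and an approval gate.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PurgeObject:
    name: str
    depends_on: Tuple[str, ...] = ()   # objects this one references


@dataclass
class RetentionGroup:
    name: str
    objects: List[PurgeObject]
    rules: Dict[Tuple[str, str], int]   # (country, status) -> years after leaving
    default_years: int


@dataclass
class SubjectRecord:
    subject: str
    country: str
    status: str                 # "active" or "inactive"
    left_on: Optional[date]
    legal_hold: bool = False    # business-rule exception: never purge


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # 29 February into a non-leap year
        return d.replace(year=d.year + years, day=28)


def retention_years(group: RetentionGroup, rec: SubjectRecord) -> int:
    return group.rules.get((rec.country, rec.status), group.default_years)


def lifecycle_phase(group: RetentionGroup, rec: SubjectRecord, today: date) -> str:
    """active -> retention (blocked) -> end-of-use, per the retention rule."""
    if rec.status == "active" or rec.left_on is None:
        return "active"
    end = _add_years(rec.left_on, retention_years(group, rec))
    return "retention" if today < end else "end-of-use"


def purge_order(objects: List[PurgeObject]) -> List[str]:
    """An object is purged only after every object that references it."""
    referrers: Dict[str, Set[str]] = {o.name: set() for o in objects}
    for o in objects:
        for dep in o.depends_on:
            referrers[dep].add(o.name)
    order: List[str] = []
    done: Set[str] = set()
    while len(order) < len(objects):
        progress = False
        for o in objects:
            if o.name not in done and referrers[o.name] <= done:
                order.append(o.name)
                done.add(o.name)
                progress = True
        if not progress:
            raise ValueError("cyclic dependency between purge objects")
    return order


def plan_purge(group, subjects, today) -> List[Tuple[str, str]]:
    plan = []
    for rec in subjects:
        if rec.legal_hold:
            continue
        if lifecycle_phase(group, rec, today) == "end-of-use":
            plan.extend((rec.subject, obj) for obj in purge_order(group.objects))
    return plan


def execute_purge(plan, approver, approvers: Set[str], store: Dict) -> int:
    """Approval workflow: only an authorized approver may run the request."""
    if approver not in approvers:
        raise PermissionError("purge request needs an authorized approver")
    purged = 0
    for key in plan:
        if key in store:
            del store[key]
            purged += 1
    return purged


# Constructed sample configuration and data (no real persons, assumed periods).
def sample_group() -> RetentionGroup:
    return RetentionGroup("Employee core", [
        PurgeObject("employee_master"),
        PurgeObject("payroll_result", depends_on=("employee_master",)),
        PurgeObject("performance_form", depends_on=("employee_master",)),
    ], rules={("DE", "inactive"): 10, ("FR", "inactive"): 5}, default_years=3)


def sample_subjects() -> List[SubjectRecord]:
    return [SubjectRecord("e100", "DE", "active", None),
            SubjectRecord("e300", "DE", "inactive", date(2007, 6, 30)),
            SubjectRecord("e400", "FR", "inactive", date(2015, 1, 1)),
            SubjectRecord("e500", "DE", "inactive", date(2005, 1, 1), legal_hold=True)]


def sample_store() -> Dict[Tuple[str, str], str]:
    return {(s, o): "row" for s, o in [("e300", "employee_master"), ("e300", "payroll_result"),
                                       ("e300", "performance_form"), ("e100", "employee_master"),
                                       ("e100", "payroll_result"), ("e400", "employee_master"),
                                       ("e500", "employee_master"), ("e500", "payroll_result")]}
```

The point of the dependency ordering is the one the text makes about checking dependencies in all components: purging the master record while payroll results still reference it would leave orphaned personal data that no longer has an owner to be reported on or deleted.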
DATA PORTABILITY AND EXPORT
Under the GDPR, data controllers across all industry sectors will be required to provide personal data to individuals—or even directly to competitors—in a structured, machine-readable format. For more information on this requirement, see also the Article 29 Data Protection Working Party’s guidelines on the right to data portability.
SAP SuccessFactors solutions already make all personal data for a data subject available for reporting. You can download and export reporting data, for example, in .CSV and .XLS format.
MORE INFORMATION
SAP plans to provide updates to support GDPR compliance in the normal quarterly release cycles and provide corresponding documentation with those releases.
For information on GDPR and SAP, go to www.sap.com/gdpr.
For further information on data privacy and protection at SAP, see www.sap.com/security.
You can reference the full text of the General Data Protection Regulation (Regulation (EU) 2016/679).
© 2017 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
www.sap.com/contactsap