On May 25th the GDPR comes into full effect. Whilst many businesses are scrambling to become compliant, others are adopting a wait and see mentality, postponing full blown ‘GDPR Readiness’ until they see what vigour the ICO are using to police compliance. In this session we ask you “Where does your business sit in the GDPR Readiness Spectrum?” contextually discussing the GDPR on a Page and calling out key steps. Finally we’ll walk through a common set of roadmap actions based on Cedar’s PeopleSoft Security Assessment framework and answer any burning questions you may have (preferably about the GDPR, but we’re open to a challenge).

1. Is Your PeopleSoft Ready For the GDPR?
48 Hours to Go...
Oracle HCM Cloud & PeopleSoft Cedar Day 2018
Wednesday, 23rd May 2018
Sarah Hurley, Cedar Consulting

2. Introduction - GDPR

3. The GDPR on a Page
3

4. The GDPR on a Page
4
₋ Lawful, fair, and transparent
₋ Purpose limitation
₋ Data minimization
₋ Accurate and up-to-date
processing
₋ Limitation of storage
₋ Confidential and secure
₋ Accountability andliability
7 Principles:

5. Data Classification
PeopleSoft captures a plethora of personal
and sensitive data
Examples of this data can include the
following depending on context:
– Name
– Ethnic or racial origin
– Political opinions
– Memberships
– Physical or mental
health details
– Criminal orcivil
offenses
– IP Address
– Photo
– Meal Preferences
Personal and Sensitive Data
ORACLE©. (2018, May). Be in the Know for PeopleSoft HCM Data Privacy [Webinar].

6. Data Classification
 The Personally Identifiable and Sensitive data (doc ID 2313438.1) is
being updated (likely this month) with NA payroll and benefits
being added
 Future plans:
 An online (in app) version of the tool is being released which
will allow the addition of custom fields
 Additional spreadsheets being launched for FSCM, ELM and CRM

7. Data Classification
Oracle’s Mockup of the Online Identification and Usage solution

8. Data Masking
 Masking of production environments in the user interface (security
driven) – released in PI 26 – currently limited to:
 Date of Birth
 National ID
 Bank Account Number (all but last 4 digits)
 This document is really useful: Implementing Sensitive Data
Masking (Doc ID 2375376.1)

9. Data Masking
 Future plans:
 A more configurable approach to managing personal and
sensitive data is planned in the form of a Data Privacy
Framework
 Field level security as masked, hidden or display-only
 Full or partial masking
 Support custom masking formats
 Any personal or sensitive data field on any transaction
 Role security or additional controls (country or reg region)

10. Data Right to be Forgotten
 Person Delete – improved in Image 25 & 26
 Data deleted from all tables with Emplid field
 Configure records excluded from delete e.g. Audit tables
 Individuals ignored with payroll calcs (can be overridden)
 Applicant delete available since image 25
 Future plans
 Integration from HCM to notify ‘subscribers’ that emp info has
been deleted (FSCM, ELM, CRM and third party systems
integrated with IB)
 Learner delete in ELM

11. Data Right to be Forgotten
 Data Archive Manager is already available to day (PeopleTools)
 Configurable framework supports data retention policies
 Defines tables/records to be archived
 Identifies criteria for rows of data to be archived (query)
 Allows archive, delete and restore
 Sample templates delivered for many products
 Use person or applicant delete for individuals, use Data Archive
Manager for rules based (specific countries, timeframes etc)

12. Data Subject Consent
 The Acknowledgement Framework was delivered in PI 26
(configurable)
 RTF text display
 Used for acknowledgements and agreements
 Electronic signature capture and audit trail
 Verify identity of individual
 Can be added as a step in an activity guide
 Example is delivered in onboarding
 PeopleSoft HCM Acknowledgement Framework Red Paper (Doc ID
2377140.1)

13. Auditing
 Future plans
 A solution is needed to track who viewed information
 Ability to configure (rather than customize) the transactions
which are audited
 Most third party solutions today usually track the SQL request of
data (what was retrieved from the database), this does not
mean the data was actually viewed since it could be hidden in
the User Interface

14. Right to Portability
PeopleSoft provides a number of methods to report on and extract
information from the application:
 “Grids” in the PeopleSoft UI on a transaction page allow download to Excel
 Query Manager reports/extracts data to the browser, file, spreadsheet, or XML
 Pivot Grids leverage queries to generate analytics similar to those provided by
common software such as Microsoft Excel
 BI Publisher formats reports based on a data input source
 Structure Query Reporting (SQR) is a development tool for complex extraction,
formatting, and reporting of data from PeopleSoft or other data sources
 Many sample queries, analytics, and reports are delivered by the application

15. Privacy by Design…
PEOPLE
People
• Employees/Customers
Suppliers
• Users
• IT/Security

16. Privacy by Design…
PROCESSPEOPLE
Process
• Threat Management
• Consent Management
• Third Party Due Diligence
• Access Management
People
• Employees/Customers
Suppliers
• Users
• IT/Security

17. Privacy by Design…
TECHNOLOGY
PROCESSPEOPLE
PRIVACY BY
DESIGN
Process
• Threat Management
• Consent Management
• Third Party Due Diligence
• Access Management
People
• Employees/Customers
Suppliers
• Users
• IT/Security
Technology
• Vulnerability Management
(patching)
• Pseudoanonymisation/
Anonymisation
• Data Classification and
Retention

18. Privacy by Design…
TECHNOLOGY
PROCESSPEOPLE
PRIVACY BY
DESIGN
PRIVACY
BY DESIGN
WHERE
THESE
AREAS
INTERSECT

19. Cedar Security Assessment
Client completes Cedar PS Security Questionnaire
Cedar join the client on site looking at relevant
configuration and questionnaire follow-up
Cedar deliver “PS Security Assessment” with
vulnerabilities graded and suggested remediation
Cedar present report on site to allow for an in
depth discussion re vulnerabilities and next steps
Initial
Assessment
Onsite
Consultancy
Security
Assessment
Findings
Delivered
01
02
03
04

20. Cedar Security Assessment
Better appreciation of
PeopleSoft patching
A patching strategy in place
including recommended
PeopleTools upgrades
Key vulnerabilities
remediated
Proposals for improved IS
procedures
Suggested infrastructure
and/or architecture changes

21. Automated Data Anonymisation
Production Data
Individual Identifiable
Lower Environments
(e.g. Test)Anonymisation Scripts
Individual Not Identifiable

22. Automated Data Anonymisation
Production Data
Individual Identifiable
Lower Environments
(e.g. Test)Anonymisation Scripts
Individual Not Identifiable
Cedar are in the early stages of
development of a configurable
anonymisation tool for PeopleSoft.

23. Next Steps
Assess Vulnerabilities
•-Security Assessment
•-GDPR Programme
•-Disaster Recovery
•-Penetration Testing
•-Selective Adoption
Strategy
Review Architecture
-Data Classification
-Production
-Non Production
-Interfaces
-Third party due
diligence
Review Processes
Joiners/Leavers/Movers
Data Retention
Lawful Processing
• GDPR is a marathon not a
sprint.
• Look for the quickest wins ‘low
hanging fruit’
• New technology might not be
the answer
• GDPR compliance is the
responsibility of EVERY
employee of a company (make
sure they understand)
Tips:

24. Questions…

25. +44(0)207 822 2997
www.blackstarglobalrisk.com