How is GDPR relevant for US companies
•
2 j'aime•906 vues
GDPR Road-Map and Prioritization for SAP System Landscapes Doing Business in Europe? EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. What you need to know and do by Friday, May 25, 2018.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (9)
Similaire à How is GDPR relevant for US companies
Similaire à How is GDPR relevant for US companies (20)
Plus de Patric Dahse
Plus de Patric Dahse (20)
Dernier
Dernier (20)
How is GDPR relevant for US companies
- 3. 3 SAP Recognized Experts in Security and GDPR Office locations: Walldorf, Berlin, Munich, Vienna, and New York Rapidly growing: more than 60 employees SAP Co-Innovation-Program for Data Protection and Privacy Multi-city SAP customer workshops Innovation partner for Data Protection and Privacy Three Years of Successful SAP/GDPR Implementations Strategic IT Security, Data Protection and Privacy Management Accelerator 1 | Data Anonymization Engine [TDA] Accelerator 2 | Mass Data Decommissioning System Accelerator 3 | Templates for SAP Information Retrieval Solution Information Lifecycle Management [ILM] Competence Center About Natuvion | SAP Partner for GDPR Technology Manufacturing Automotive EnergyPharmaceutical Beverages Banking InsuranceRetail
- 4. Natuvion GmbH Altrottstraße 31 | 69190 Walldorf Fon +49 6227 73-1400 Fax +49 6227 73-1410 www.natuvion.com Your Experts Today Patric Dahse Geschäftsführer Fon: +49 151 171 357 02 Mail: patric.dahse@natuvion.com 18 Patric Dahse CEO / Founder Natuvion Americas Inc. 19 W. 34th Street, Suite 1018 New York, NY 10001, USA T +49 (0) 6227.73 -1400 F +49 (0) 6227.73 -1410 patric.dahse@natuvion.com Areas of expertise § Data Protection and Privacy § SAP Transformation Benjamin Spies IT Lawyer, Partner, SKW Schwarz Rechtsanwälte, Wittelsbacherplatz 1 80333 Munich, Germany T +49 (0) 89.286 40-108 F +49 (0) 89.280 94 32 B.Spies@skwschwarz.de Areas of expertise § IT-Law § Data Security Rights
- 5. What is GDPR? 5 EU General Data Protection Regulation (GDPR) 1. Designed to harmonize data privacy laws across Europe, GDPR protects and empowers all EU citizens by giving them more say over what companies do with their data. 2. Makes data protection legislation more consistent and clear across the EU, saving a collective €2.3 billion a year. 3. Replaces Data Protection Directive 1995 (from optional to regulated). The enforcement date is Friday, May 25, 2018. 4. Organizations in non-compliance will face yearly time-consuming investigations, heavy fines, up to two years in prison, and more. 5. Reverses the burden-of-proof to the detriment of data processing companies. Companies need to strategically shift focus to recognize individual rights. 6. Significantly increases the need for systematic solutions that allow for a comprehensive documentation of measures. Achieving compliance will require updating SAP and other technical solutions.
- 6. Summary of GDPR Key Facts 6 1. Enhanced rights of data subjects 2. Increased duty for protecting data 3. Mandatory data breach reporting 4. Significant penalties for non-compliance
- 7. 7 Compliance with GDPR in the United States How is GDPR relevant for US companies? What happens in cases of non-compliance? GDPR not only applies to organizations located within the EU, but it also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. Applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of company's location. Organizations can be fined up to 4% of annual global turnover, or 20,000,000 Euros, for non-compliance. The owners, shareholders, or members of a corporation can be held personally liable for corporate debts (Art. 82).Global Data Traffic
- 8. 8 Health Data* E-mail Address Name & Address IP Address Biometric Data* Camera Records Access Registration Iris Scan* Membership of Labor Organization* Username & Password Smart Meter Data Legal |Key Principles of the Protection of Personal Data Principle 1: Lawfulness, Fairness, and Transparency • Consumer consent is critical. • Shifts data control back to the individual. Principle 2: Data Minimization • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Principle 3: Data Security • Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data, as well as against accidental loss, destruction of, or damage to personal data. Principle 4: Accuracy • Personal data shall be accurate and, where necessary, kept up-to-date. Principle 5: Accountability • Data Protection Officers govern adherence to regulation. • Data breach notification becomes mandatory. • Heightened requirements for processors.
- 11. 99 GDPR Arcticles – e.g., Six Rights of Individuals 11 Right of Access | Art.15 • Information • Copy Rectification | Art. 16 • Correction • Completion Deletion | Art. 17 • Person responsible • 3rd party (to be forgotten) Restrictions | Art. 18 • Restriction of processing • Blocking Portability | Art. 20 • Extraction • Automatic transfer to 3rd party Objections | Art. 21 • General • Direct marketing LEGAL | One month deadline (Exception: able to be extended by two months) LEGAL | Costs data must be provided free of charge (Exception: misuse) Anonymization drives efficiency and reduces costs when implementing GDPR requirements (Art. 5)
- 12. SAP & Natuvion Offer Features That Enable an Affective Data Governance Model Natuvion simplifies the GDPR compliance process! There are 99 GDPR articles and many technical SAP solutions. Natuvion simplifies the process by providing a roadmap of the steps you need to complete with the technical tools to expedite a data governance program. 12 Fields of Action Comprehensive real data in project / test and training systems Historical data in productive systems Extensive database of process execution Test and project system only with anonymous data Anonymization training and testing system Delete historical data Lock and implement continuous data managment Customer requests to provide information Request for information about personal data Natuvion DCS (Data selection and data deletion) SAP ILM (Data locking and data deletion) Natuvion TDA (Pseudonymization of systems and data) Natuvion EDA (Test data generation and duplication) SAP TDMS (Pseudonymization of systems and data) Natuvion DDI (Data information and search) SAP IRF (Data information and search) SAP LT 2.0 (Data selection and data deletion) SAP Archiving (Data selection and data deletion) SAP ILM Decommissioning (System replacement) Personal data after expiration of legitimation to be deleted Conformal use of approval & consent Conformal use of approval and consent SAP Consent (Collection & processing of consent) Structured, IT-supported processing Coming Soon SAP RAL & SAP UI Logging (Data Access Logging & Monitoring) SAP UI Masking (Data Masking / Blocking) SAP RAL / SAP UI Logging (Data Access Logging & Monitoring)
- 13. Deletion Article 17 – Customer M&A Example Historical Data in Productive System “Be Forgotten” Art. 5 Abs. (1) e) Identification of the data subject shall only be possible for as long as is necessary for the purposes for which it is processed. Art. 17 The person concerned has the right to require the person responsible to immediately delete any personal data relating to him. The responsible person is obliged to immediately delete personal data. • Fulfillment of purpose • Revocation of consent • Opposition to processing • Unlawful processing (including children) All relevant data must be deleted from the productive system. A pure "concealment" of the data is not sufficient. Right to be Forgotten SAP ERP/CRM/IS* Production IT-System Transfer of data at service provider charge BuKrs Designation 0400 Business 1 0600 Business 2 0800 Business 3 Production IT-System 0800 Business 3 Full historical data transfer to new service providers 13
- 14. Technical Procedure | Depending on the project requirements, selective data erasure can be performed in three different variants. Data Protection and Data Privacy – Cyber Security Week - ASUG / SAP / Natuvion 14 Big-Bang* Object Batch Typing the data (key definition) Delete data with optimized performance (within 40 hours) Reorganization of the database Possibility of data recovery Typing the data (key definition) Deleting the data with low process speed Object deletion with low performance Possibility of data recovery Step-by-step deletion of data on fixed dates Unique data typing Delete table type-oriented Delete with optimized performance Possibility of data recovery Variant 1 Variant 2 Variant 3 Variant 1-3 Selective Deletion DSO HH * Big-Bang is the most effective erasure process. Deletion of data is generally possible in less than 40 hours. Deletion Article 17 – Customer Approaches
- 15. 3000 BUKRS 15 Technical Procedure | Data erasure consists of a data shift and data erasure or clean-up powered by Natuvion’s data conversion server. Integrated System(s) SAP CRM / SAP ERP 1000 BUKRS 2000 BUKRS 3000 BUKRS 4000 BUKRS Integrated System(s) SAP CRM / SAP ERP 1000 BUKRS 2000 BUKRS 4000 BUKRS Integrated System(s) SAP CRM / SAP ERP 1000 BUKRS 2000 BUKRS 4000 BUKRS Selection Logical Deletion Physical Deletion 1 2 3 Blue Print Test 1 Test 2 GP GL Deletion Deletion Article 17 – Mass Data Decommissioning
- 17. 17 Management of Retention Rules: Automated Data Storage and Destruction Ÿ Data storage according to active rules. Ÿ Destroy the data as soon as the retention time is reached. Ÿ Data destruction directly from the database or the archive. “Data Cluster” per Retention Period Ÿ Generation of various archive files with the corresponding expiration date according to the defined retention period. E-Discovery Ÿ Search for information related to litigation. Legal Hold Ÿ Prevent early data destruction in legal cases. • Simplified blocking and deletion of personal data. • Functionality is based on SAP Information Lifecycle Management. • With SAP ILM, business partner data can not only be blocked or deleted, but transactional data can also be destroyed. Natuvion can support ASUG members exclusively with predefined templates and blueprints or implementation support via the Natuvion International ILM Competency Center. New! SAP ILM Blocking & Deletion Information Lifecycle Management – Competency Center
- 18. Right of Access Article 15 – New! SAP IRF Generic Smart Search Art. 15 “Right of access by the data subject” - The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, if that is the case, access to the personal data plus other details. Solution “Information Retrieval Framework “– Generic Smart Search. 18 Extract of the risks / challenges of new transparency obligations starting in 2018 1 2 3 4 X GDPR Art. 12 Abs. 3 (time limits) / GDPR Art. 13/14/15 (scope) Organization or Competition Single Person EnergieversorgerExample (current) Ø 41 Tage Retail Customer = current processing time ave. 41 days. GDPR = one month with more complex reporting requirements. Average working time (day) for Information Request Art. 15 GDPR KW26 KW13KW03KW46KW36 48 19 19 59 Privacy policy statement must include memory / erased data Fine kit for supervisory authorities, associations, competitors, and affected persons. Lack of implementation of a declared status quo Purpose of breach of conformity: high (personal) risk of liability. Individual or organization requests information / requests data transmission Within one month, information and/or transmission must be provided. Supervisory authority / court meets ad-hoc order for implementation Immediate implementation of data protection conditions and requirements apply. In the case of a delay, nonconformity, or incorrect answer Public disputes / announcement, monetary and sustainable impact, and reputation damage.
- 19. 19 New in a Netweaver patch: SAP Information Retrieval Framework – Generic Smart Search Using SAP IRF together with Natuvion‘s blueprints and data models, quickly identify GDPR-protected personal data across hereogeneous landscapes Searching for Data Ÿ The search can be carried out according to defined entry criteria (partner, customer, order, etc.). Ÿ Data models can be stored in different versions and variants. Ÿ The search can be performed centrally on all connected systems. Ÿ The search jobs are executed asynchronously in the system. Output of Results Ÿ The executed search jobs persist the results in their own tables (possibly their own clients). Ÿ This data will be deleted after the deadline. Ÿ Result processing can be filtered and/or modified. Ÿ Output of data ALV grid (SAP standard). Ÿ Connection of other technologies possible (SAP Fiori, UI5, HCP). Ÿ Form integration not standard. • Realtime data visibility across fragmented data sources. • Base technology (SAP BASIS) is included in the license costs of SAP Business Suite. • Data search for defined data models on all systems in SAP Business Suite. • Connection of non-SAP systems and web services possible. • Use of BASIS functionality “Generic Smart Search.” • Use of the ILM objects (table scope / grouping) and derivation of the reading paths. • Rule-based search and exclusion of values / results. Natuvion can support ASUG members exclusively either with predefined templates (data models), blueprints, and/or implementation support as a co-innovation development partner for IRF. Functionality Overview SAP Standard- Technology Information Retrieval Framework - Blueprint & Data Models
- 20. Anonymize & Pseudonymize with Natuvion’s Certified “TDA” 1. Anonymize real data in project, test, and training systems so they are not relevant for GDPR. 2. Pseudonymize data in production to expedite GDPR processing. 20 No personal data may be held in SAP test or project systems. All test procedures must be carried out with anonymous data. SAP CRM Production CRM SAP ERP / IS Production ERP SAP CRM Devel. CRM SAP ERP / IS Devel. ERP SAP CRM Test CRM SAP ERP / IS Test ERP Project- system CRM Training- system CRM Project- system ERP Training- system IS- UER P Sandbox- system CRM Sandbox- system ERP Sample of SAP System Landscape Art. 5 - Principles relating to personal data processing 1. Personal data must be: a) processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”); b) collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall, in accordance with Article 83(1), not be considered incompatible with the initial purposes; (“purpose limitation”); Principles Article 5
- 21. 21 Concept Test Position Individualization Golive § Introduction data anonymization in the department and record additional requirements, if necessary. § Survey of relevant process, authorization, or UI adjustments. § Delivery of transport orders. § Carry out the necessary standard customizing. § Create rules and variants. § Display of additional functions or selection features. § Customizing as a coaching approach. § Development of customer- driven developments / tables. § Adaptation of variants. § Test management § Test execution § Key user training § End user training § Golive § Stabilization § Certification of §9 German Federal Data Protection Act (optional) 2 - 3 PD 5 PD 10 - 15 PD 5 PD Project Duration: 6 to 10 Weeks 2 - 3 PD 3 PD 3 - 2 PD 3 PD Scope Test Environment Tailoring Your Solution Start of Regular Operation Typical Phases of Implementation ASUG offer - Natuvion’s Certified “TDA” ASUG Member
- 22. 22 Historical data in productive systems After the processing of data, contracts, or service contracts, customer data is passed onto new service providers. The historical data remains current and in the respective production systems. Extensive database of process execution Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction. Customer requests to provide information Requests for information about the affected persons concerning the storage and processing of their personal data. Information must be provided in a structured, electronic form with the following specifics: place, reason, and recipient, as well as duration of the storage / deletion criteria. Comprehensive real data in project / test and training systems SAP test, training, and/or project systems are built on a complete copy of the production system. The access to data is possible at any time, extensively and partially depending on the authorization. û (1) To be implemented û (2) To be implemented û (3) To be implemented 6 4 3 1 Company codes in system with verified legitimation 77.000 4.200.000 ChangeInterested Persons Inactive 1.150.000 400 With Supervision Critical Currently about 120 p.a. Access – dark figure Data surveys with legitimation to be verified (Current Year) Right of access by the data subject (§ 15 GDPR) * Number of inquiries across all service providers currently cannot be determined. * Change = Rejected bills of exchange and storage of data û (0) To be implemented 1 20 3 Companies Real data in secondary system (Access restricted / restricted access / data anonymized) 16 4 2 475.000 Customers Extensive Limited Anonym. Customer Example Using TDA Reduced Risk by Removing Non-Prod SAP Systems Out of GDPR Focus
- 24. Natuvion GmbH Altrottstraße 31 | 69190 Walldorf Fon +49 6227 73-1400 Fax +49 6227 73-1410 www.natuvion.com Question and Answer Patric Dahse Geschäftsführer Fon: +49 151 171 357 02 Mail: patric.dahse@natuvion.com 18 Data Security und Data Privacy in SAP - Data Security und Data Privacy Patric Dahse CEO / Founder Natuvion Americas Inc. 19 W. 34th Street, Suite 1018 New York, NY 10001 USA T +49 (0) 6227.73 -1400 F +49 (0) 6227.73 -1410 patric.dahse@natuvion.com http://www.natuvion.com/en/north-america Areas of expertise: § Data Protection & Privacy § SAP Transformation Benjamin Spies IT Lawyer, Partner SKW Schwarz Rechtsanwälte Wittelsbacherplatz 1 80333 Munich Germany T +49 (0) 89.286 40-108 F +49 (0) 89.280 94 32 B.Spies@skwschwarz.de Areas of expertise: § IT-Law § Data Security Rights
- 26. 26 Risks and Consequences of Non-Compliance with GDPR Fines and Additional Consequences 1. Violation of Notification Requirement: Fine risk increases as more rules are violated. Administrative Fines Under current directives, certain violations can be fined up to 300 k€. GDPR fines are up to 20,000,000 Euros ($23,138,200) or 4% of the annual global turnover of the company for the previous fiscal year, whichever is greater. An "incident" may be as severe as an actual data leak, or as simple as a justified complaint with the competent supervisory authority. 2. Imprisonment Up to two years imprisonment for data protection offenses. 3. Damage Claims In case of a data breach, damage claims from data subjects can easily approach significant levels. The owners, shareholders, or members of a corporation can be held personally liable for corporate debts. 4. Failure of the Insurance If the manager has not complied with the statutory provisions, an existing insurance will refuse to pay. 5. Damaged Reputation Could result from a data breach affecting customers, suppliers, and employees. 6. Communication of Personal Data Breaches If data is transferred into the wrong hands, the data controller must warn the affected data subjects immediately in writing. If this involves disproportionate effort, there will be public communication. Probability Potential Negative Impact Risk Assessment Fines may rise proportionately to reach the maximum GDPR fines compared to current directive. 1 2 3 4 5 6 7