My personal impression is making a company GDPR compliant is a hard nut to crack. In this context, I want to talk about critical steps that you need to implement to make your SAP system GDPR compliant.
First of all, yes, SAP is one of the core components of a GDPR-compliant IS environment, since a considerable amount of sensitive data, such as personnel, customer, and vendor data, is kept in these systems. Besides, SAP is one of the largest software vendors providing big data, HR, BI, and CRM solutions, with 15M+ subscribers on its cloud services.
In my humble opinion, don’t waste your time with the question of whether your SAP system is GDPR-related or not. The real challenge is which steps you need to perform to make your SAP system GDPR-compliant. I want to explain these steps in a very brief fashion. (I assume that you already know the data subjects’ rights and the other fundamentals of the GDPR regulation.)
1. SAP Security Audit Log
Actually, this is not just about making your SAP system GDPR compliant. If you want to talk about SAP security at all, you must activate the Security Audit Log (SAL) without any filters. SAL collects data about system logons, RFC logons, transaction calls, etc. Keep in mind that SAL is disabled by default and you have to enable it manually. There is also a common belief about the performance and data-cost effects of SAL. As mentioned in many SAP notes, SAL is embedded in the kernel, so it doesn’t create any noticeable performance impact on the system. Besides, the data-cost argument is overstated. A system with approximately 1000 users may generate 500 MB of logs every single day, which results in 180 GB in 6 months. The cost of 200 GB of storage is insignificant compared to the value of the logs in case of an incident.
2. Personal Data Inventory
It’s better to know how much information you hold that can be marked as “personal”. Whether it is personal or sensitive information, a company that holds so much data should start its digital transformation for security and privacy as well. You have to start somewhere, and regulations like GDPR always encourage you to start this kind of transformation. Thus, it’s better to see this obligation as an opportunity.
You’d better start building your personal data inventory. It may seem complicated at first, but remember that vendor, customer and employee master data hold most of the personal information, and the SAP data architecture allows us to create and collect this data in clusters in a simple way.
3. Consent Management
GDPR has a strict definition of the processing of personal information. The processing of personal data is forbidden, unless a justifying reason is given, such as:
- Contract
- Legal Reasons
- Effective declaration of consent.
So, I think it is pretty clear that, as long as you need to process personal information to keep your company running, you have to manage the data subjects’ consents and their retention. You have to collect, and be able to prove the existence of, a given consent for a specified period of time if you want to process this person’s data.
By the way, it is not enough to get one consent from the data subject to process all of their information. You have to define your purposes and link each item of personal information to these purposes. You are not allowed to use a data subject’s date of birth for health insurance if you got consent for a birthday discount from the online market.
4. Hybrid Access Management
Given the information complexity of systems like SAP, access management should have more dynamic functions. We all know that SAP has a role-based authorisation approach, like a lot of ERP programs. However, regulations and new business requirements force us to configure much more complex access management scenarios. So, we need to enrich SAP’s RBAC capabilities with attribute-based access control (ABAC) methods. For example, you should filter access to a field or application by valid consent data or by a business purpose. Real-time information such as location or time can also help us solve more complex access management situations. ABAC vs. RBAC is an entirely different story, but in my perspective you should start to think about how much you can gain by combining the two in the right way. Sooner or later we will face this kind of business need, so it’s better to start before it’s too late.
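The consent and purpose rules of the previous section and the RBAC-plus-ABAC combination described above can be shown in one policy-decision function. This is an added example, not code from the original post or from SAP: the roles (Z_MARKETING, Z_HR_BENEFITS), purposes, attributes, subject IDs and consent records are all constructed for illustration. A role check runs first (the RBAC layer SAP already gives you), then purpose limitation and a consent that must be valid on the day of the request (the ABAC layer), so the post’s birthday-discount versus health-insurance case is decided correctly.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Consent:
    """One consent given by a data subject, for exactly one purpose."""
    subject_id: str
    purpose: str
    granted_on: date
    retention_days: int  # how long the consent may be relied upon

    def valid_on(self, day: date) -> bool:
        end = self.granted_on + timedelta(days=self.retention_days)
        return self.granted_on <= day < end


@dataclass(frozen=True)
class Request:
    """An access request: who, under which roles, wants which attribute, why, and when."""
    user: str
    roles: FrozenSet[str]
    subject_id: str
    attribute: str
    purpose: str
    when: date


# RBAC layer (constructed roles): which attributes a role may touch at all.
ROLE_ATTRIBUTES = {
    "Z_MARKETING": {"email", "date_of_birth"},
    "Z_HR_BENEFITS": {"date_of_birth", "health_plan"},
}

# ABAC layer (constructed): purpose limitation, i.e. which attributes each
# declared purpose is allowed to use.
PURPOSE_ATTRIBUTES = {
    "birthday_discount": {"email", "date_of_birth"},
    "health_insurance": {"date_of_birth", "health_plan"},
}


def decide(req: Request, consents: List[Consent]) -> Tuple[bool, str]:
    """Return (allowed, reason). Every layer must pass; the first failing layer is reported."""
    # 1. RBAC: at least one of the caller's roles must grant the attribute.
    granted = set().union(*(ROLE_ATTRIBUTES.get(r, set()) for r in req.roles))
    if req.attribute not in granted:
        return False, "rbac: no role grants attribute"
    # 2. Purpose limitation: the attribute must be linked to the declared purpose.
    if req.attribute not in PURPOSE_ATTRIBUTES.get(req.purpose, set()):
        return False, "abac: attribute not linked to purpose"
    # 3. Consent: the subject must hold a consent for this purpose valid on that day.
    for c in consents:
        if (c.subject_id == req.subject_id and c.purpose == req.purpose
                and c.valid_on(req.when)):
            return True, "allowed"
    return False, "abac: no valid consent for purpose"


# Constructed sample data: subject S100 consented only to the birthday discount.
CONSENTS = [Consent("S100", "birthday_discount", date(2018, 5, 1), 365)]


def sample_decisions() -> dict:
    """The post's scenario, plus an expired consent and a caller with no roles."""
    mkt = Request("JDOE", frozenset({"Z_MARKETING"}), "S100",
                  "date_of_birth", "birthday_discount", date(2018, 6, 1))
    hr = Request("AROE", frozenset({"Z_HR_BENEFITS"}), "S100",
                 "date_of_birth", "health_insurance", date(2018, 6, 1))
    expired = Request("JDOE", frozenset({"Z_MARKETING"}), "S100",
                      "date_of_birth", "birthday_discount", date(2019, 6, 1))
    norole = Request("GUEST", frozenset(), "S100",
                     "email", "birthday_discount", date(2018, 6, 1))
    return {
        "marketing_with_consent": decide(mkt, CONSENTS),
        "hr_without_consent": decide(hr, CONSENTS),
        "marketing_after_retention": decide(expired, CONSENTS),
        "no_role": decide(norole, CONSENTS),
    }


if __name__ == "__main__":
    for name, (ok, why) in sample_decisions().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The ordering matters for auditability: a denied request always reports the first layer that failed, so a reviewer can tell a missing role apart from a missing or expired consent. Note that the HR user holds a role that grants the date of birth, yet is still denied, because the consent on file is for a different purpose.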
5. Single Source of Access
SAP is a complex system that holds a lot of business-sensitive data, and if I had to nominate one system as the single source of truth, my choice would be SAP. As I mentioned in the previous section, we need to gain a holistic view of access management, so it’s not just about SAP. It’s about creating a secure environment that can be controlled centrally. Therefore you should use ABAC techniques to make sure that all systems which consume SAP data receive only the data they require from SAP. You should put controls in place on web services, BI connections, RFC connections, and downloads.
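The personal data inventory from section 2 and the consumer-side controls described here fit together: once each field is classified, every outbound channel can be filtered against that classification. The following is an added example, not code from the post or from SAP. The table catalogue, field names, consumer names (BI_SALES, CRM_SYNC, PAYROLL) and name-based classification rules are constructed; real SAP master tables use cryptic field names, so descriptive ones are used here for readability. Fields the inventory does not know are treated as sensitive, so an unclassified new column is withheld rather than leaked.

```python
import re
from typing import Dict

# Sensitivity ladder shared by the inventory and the release decision.
LEVELS = {"none": 0, "personal": 1, "sensitive": 2}

# Constructed name heuristics for a first-pass inventory; most sensitive rule first.
FIELD_RULES = [
    (re.compile(r"health|religion|union|iban|bank", re.I), "sensitive"),
    (re.compile(r"name|email|phone|street|city|birth", re.I), "personal"),
]

# Constructed table catalogue grouped into the clusters the post mentions.
CATALOGUE = {
    "customer_master": {"cluster": "customer",
                        "fields": ["customer_id", "name", "email", "country", "iban"]},
    "employee_master": {"cluster": "employee",
                        "fields": ["pernr", "name", "date_of_birth", "health_plan", "cost_center"]},
}

# Constructed consumers of SAP data: the cluster(s) each may read and the
# highest sensitivity level it may receive over its channel.
CONSUMERS = {
    "BI_SALES": {"channel": "BI", "clusters": {"customer"}, "max_level": "none"},
    "CRM_SYNC": {"channel": "RFC", "clusters": {"customer"}, "max_level": "personal"},
    "PAYROLL": {"channel": "web-service", "clusters": {"employee"}, "max_level": "sensitive"},
}


def classify(field_name: str) -> str:
    """Category for a field name; the first (most sensitive) matching rule wins."""
    for pattern, category in FIELD_RULES:
        if pattern.search(field_name):
            return category
    return "none"


def build_inventory(catalogue: Dict) -> Dict[str, Dict[str, str]]:
    """table -> {field: category}; the starting point for a personal data inventory."""
    return {table: {f: classify(f) for f in spec["fields"]}
            for table, spec in catalogue.items()}


def release(consumer: str, table: str, row: Dict, inventory: Dict) -> Dict:
    """Return only the fields this consumer may receive from this table."""
    policy = CONSUMERS[consumer]
    if CATALOGUE[table]["cluster"] not in policy["clusters"]:
        return {}  # not entitled to this data cluster at all
    ceiling = LEVELS[policy["max_level"]]
    # Unknown fields default to "sensitive" so new columns fail closed.
    return {f: v for f, v in row.items()
            if LEVELS[inventory[table].get(f, "sensitive")] <= ceiling}


# Constructed customer record (the IBAN is a placeholder, not a real account).
SAMPLE_ROW = {"customer_id": "C1", "name": "Ada Example", "email": "ada@example.test",
              "country": "DE", "iban": "DE00-PLACEHOLDER"}


def sample_release() -> Dict[str, Dict]:
    """What each constructed consumer would get for the same customer record."""
    inventory = build_inventory(CATALOGUE)
    return {name: release(name, "customer_master", SAMPLE_ROW, inventory)
            for name in CONSUMERS}


if __name__ == "__main__":
    for name, fields in sample_release().items():
        print(f"{name} ({CONSUMERS[name]['channel']}): {sorted(fields)}")
```

The BI connection receives only the identifier and country, the CRM sync additionally gets name and e-mail, and the payroll service gets nothing from a customer table because it is not entitled to that cluster. The same `release` function can sit in front of a web service, an RFC wrapper or a download routine, which is the single point of control the section argues for.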
6. Audit, Record and Documentation
We all know that it’s all about monitoring. If you can’t see what you are doing and how you are doing it, it’s meaningless to develop programs or get advice from legal experts. In my opinion, the Security Audit Log and the other log reports of SAP are a great start, but they are too complicated to monitor as they are. Besides, the records labelled as critical are not adequate on their own. You should understand that every company and every industry has its own critical processes and sensitive data. That’s why you should create your own KPIs. For example, if you log and report only the critical SAL records, you’ll miss operations like user creation, user data changes and table display, and anyone able to run these functions while nobody is watching can compromise an SAP system. So, know your own risk and create your own reports to ensure that your SAP system is secure.
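A small report that makes the point above concrete, added here as an example and not taken from the post or from SAP. The log format below is a constructed, simplified pipe-delimited layout (timestamp, severity label, user, transaction, terminal), not the real SAL record structure, and the sample lines are constructed. The transaction codes on the watchlist are the real SAP ones for user maintenance (SU01, SU10), table display (SE16, SE16N) and table maintenance (SM30); the business-hours window is an assumption. A report limited to “Critical” records sees one failed logon, while the watchlist KPI catches every user-maintenance and table-display run, and a second KPI flags the ones that happened at night or on a weekend.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed, simplified audit records: timestamp|severity|user|transaction|terminal
SAMPLE_LOG = """\
2018-06-04 08:15:22|Non-Critical|JSMITH|VA01|WS-PC-12
2018-06-04 08:16:05|Critical|UNKNOWN|LOGON_FAILED|10.0.0.77
2018-06-04 09:02:41|Non-Critical|BASIS1|SE16|WS-PC-03
2018-06-04 12:30:10|Non-Critical|BASIS1|SU10|WS-PC-03
2018-06-05 02:10:33|Non-Critical|BASIS2|SU01|WS-PC-09
2018-06-09 11:45:00|Non-Critical|BASIS2|SE16N|WS-PC-09
"""

# Transactions the post names as easily missed when only "critical" records are reported:
# SU01/SU10 = user maintenance (single/mass), SE16/SE16N = data browser, SM30 = table maintenance.
WATCHLIST = {"SU01", "SU10", "SE16", "SE16N", "SM30"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\|(?P<sev>[^|]+)\|(?P<user>[^|]+)\|(?P<tcode>[^|]+)\|(?P<term>.+)$")

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59, Monday to Friday


def parse(log_text: str) -> List[Dict]:
    """Turn the constructed log text into records; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def critical_only(records: List[Dict]) -> List[Dict]:
    """What a report limited to records labelled 'Critical' would show."""
    return [r for r in records if r["sev"] == "Critical"]


def watchlist_hits(records: List[Dict]) -> List[Dict]:
    """Own KPI: every run of a watchlisted transaction, regardless of severity label."""
    return [r for r in records if r["tcode"] in WATCHLIST]


def unattended_hits(records: List[Dict]) -> List[Dict]:
    """Own KPI: watchlisted transactions outside business hours or on a weekend."""
    return [r for r in watchlist_hits(records)
            if r["ts"].hour not in BUSINESS_HOURS or r["ts"].weekday() >= 5]


def report(log_text: str) -> Dict[str, int]:
    """Counts for the three views, to compare what each one would have surfaced."""
    recs = parse(log_text)
    return {
        "critical_only": len(critical_only(recs)),
        "watchlist": len(watchlist_hits(recs)),
        "unattended": len(unattended_hits(recs)),
    }


if __name__ == "__main__":
    for name, count in report(SAMPLE_LOG).items():
        print(f"{name}: {count}")
    for r in unattended_hits(parse(SAMPLE_LOG)):
        print(f"  review: {r['user']} ran {r['tcode']} at {r['ts']} from {r['term']}")
```

On the sample, the critical-only view reports one event, the watchlist view four, and the unattended view two (the SU01 run at 02:10 and the SE16N run on a Saturday). The watchlist and the hours window are the parts to adapt to your own processes, which is exactly the “create your own KPIs” advice of the section.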
I think we can use the following ‘pyramid’ to summarise your GDPR journey:
Last but not least, I have to say that fraud is common in SAP systems. In my opinion, a GDPR-compliant SAP system is a starting point. It’s an excellent opportunity for companies, because this economic attention will bring great software and knowledge to the ecosystem. In this way, we will enrich our digital transformation journey with a privacy perspective. There is a bitter truth that we ignore: we are far from our potential for keeping personal data private. As a result, I think there is no better time to start creating a privacy-aware culture for ERP systems.