Comply with data privacy legislation:
Data Privacy Suite for SAP solutions
Our innovative data privacy and compliance solution helps companies with SAP® systems comply with legislation like
GDPR (the General Data Protection Regulation) and other data privacy legislation.
In accordance with the latest information available as of September 2023.
The global privacy landscape is changing rapidly, in line with how data is used and shared in our modern world. Across all recent (and forthcoming) privacy acts/regulations, there are consistent rules dealing with:
- A data subject’s right to access the information you hold
- A data subject’s right to request removal and/or correction of the data held
- The need for proactive management of Personally Identifiable Information (PII)
- Informed and explicit consent from data subjects on how their data is being used.
These changes are complex for any company using larger ERP platforms like SAP, because of the integrated data model used to provide ERP solutions. As experts in the SAP data model, we provide targeted solutions for the challenges faced in complying with data privacy laws.
What are your challenges in SAP data privacy and security?
- Increase data privacy compliance in SAP
- Respond to the Right to Access/Removal in Production systems
- Scramble data in non-production systems
- Improve and understand your data privacy and security risks
- Drive business-centric GRC for SAP
Increase data privacy compliance in SAP
How can you increase data privacy compliance in SAP?
The aim of any privacy project is to increase compliance with the required data privacy laws within the company’s jurisdiction. And SAP’s structure makes addressing data privacy compliance particularly tricky. One of the most compelling reasons for data privacy compliance is the enforcement fines; the new laws provide for high financial sanctions to be applied by legal bodies.
We have been implementing privacy projects around the globe in multiple industries for over 20 years, and have identified essential steps in a common project approach:
- Identify your risks: Impact and risk assessment
- Find and map your PII
- Review access risk and controls
- Clean up the backlog in Production
- Manage PII in Production copies
- Handle Data Subject Access Requests (DSARs)
- Process individual requests for removal
- Proactive identification of Data Subjects
- Ongoing audit and review
Respond to the Right to Access/Removal in Production systems
Whether you’re adhering to PDPA in Thailand, one of the state laws in the USA, or GDPR in Europe, you are required to provide a response to the Right to Access and deletion of personal data from your environment.
The Right to Removal does not overrule any of your other legal and compliance requirements, such as keeping records for tax audit. You now need to find a way to validate if data is required for any other legal reason, and if not, remove sensitive data from your system.
SAP presents a challenge in data removal: because it is built on a relational database, the sensitive data is intrinsically linked with your business transactions. Traditional ways of archiving or deleting therefore mean you need to remove your transactions and master data completely.
EPI-USE Labs provides an alternative in Data Redact, which removes the PII from records but leaves the referential integrity of the solution intact. Data Disclose provides effective PII mapping in a PDF output, allowing an efficient process for responding to the Right to Access.
Scramble data in non-production systems
Every business needs to test its processes, whether it’s the annual payroll taxation updates, a service pack upgrade or new customizations. You don’t want to find out you have an issue with the new processes in Production, so most businesses will take a copy of their Production systems and create test environments.
The number of testing environments varies depending on the business, but a typical set-up would be to have:
- Development: limited to no real data
- Quality: a reduced data copy from Production
- Pre-production: a full copy of the Production database.
The new privacy laws state that you must have informed and explicit consent for the use of the data relating to data subjects. In our experience, most businesses do not have this consent for using data for testing purposes. Even if you did have a consent process, there is an additional challenge in understanding what to do when a data subject does not give consent.
We recommend data anonymisation with Data Secure, providing direct in-place data anonymisation, or the ability to scramble on exit when linked with Client Sync, part of the Data Sync Manager Suite.
Improve and understand your data privacy and security risks
To solve a problem, you first need to understand the problem. For both data privacy and security, you need to understand the risks you hold in your business process and your IT estate.
Consider your business processes and security risks. For example, do your front office or HR colleagues take notes during calls? If so, what is the security process for those notes? Are you following best practice for data security throughout your business?
Regarding your IT estate, three primary considerations are:
- External threat: Network and infrastructure security such as firewalls or VPN protection.
- Internal threat: The risk of access to data in the network / SAP system.
- Compliance risk: Where is your PII and how is it being managed?
Drive business-centric GRC for SAP
Governance, Risk and Compliance (GRC) solutions take many aspects of access risk into account. We are partnered with Soterion, offering a fast, efficient analysis of your GRC risks with standard delivered rulesets to cover:
- Segregation of Duties (SoD)
- Privacy: users accessing sensitive data
- Cross-jurisdictional data access
- Critical transaction risk.
These solutions can integrate between SAP and cloud applications (such as SAP SuccessFactors) to provide a holistic view of your access risk.
Soterion also offers assessment of your system licences, firefighter access processes and more.
Find and map your sensitive SAP data and benchmark your access risks
Understand, identify and map your Personally Identifiable Information (PII) with EPI-USE Labs’ SAP data privacy assessment service.
Data Privacy Suite for SAP solutions
Our Data Privacy Suite for SAP solutions leverages our industry-leading Data Sync Manager™ Suite which offers a semantic understanding of your SAP environment and provides data sub-setting and secure rule-based masking capabilities. Data Disclose, Data Redact and Data Retain are built on a solid foundation of existing technology and Intellectual Property to help you comply with global data privacy legislation like GDPR, CCPA and POPIA.
How to comply with data privacy laws in SAP
SAP is one of the most robust systems in the world, but also one of the most complex, as SAP has purchased and integrated many diverse components and solutions over the years. SAP’s structure makes addressing data privacy compliance particularly tricky. Detailed domain knowledge is required to map and understand the cross-functional integration of multiple SAP objects and systems.
EPI-USE Labs has been an SAP partner for over 30 years, and has an in-depth understanding of how SAP data is structured. We have developed detailed knowledge of the different versions of SAP, including their uses and intricacies, and our integrity mapping is defined both on the individual field level and between systems. Since 2000, we have helped our clients comply with data privacy laws, scrambling non-production data copied out of Production systems. We also address the de-sensitisation of data in Production with our redaction technology.
Our Data Privacy Suite for SAP solutions leverages our industry-leading Data Sync Manager™ Suite, which is certified by SAP for 'Integration with SAP S/4HANA®' and 'Integration with SAP S/4HANA Cloud®'. Our global Professional Services team has certifications in CISSP, CIPPT and CIPPM. Combined with extensive project experience across multiple countries and industries, we can give you expert guidance on your data privacy challenges.
Why not get a free assessment on your data today?