How to Prepare Your SAP System for the New European Union General Data Protection Regulation

  • by Hernan Huwyler, Risk and Compliance Expert
  • September 21, 2016
Learn how to change your practices within your SAP environment so that they comply with the new General Data Protection Regulation (GDPR).
Learning Objectives

After reading this article, you’ll know how to:

  • Identify sensitive personal information stored, processed, transferred, and deleted in SAP systems
  • Limit access to personal information and keep it available only as long as it is needed
  • Implement controls that prevent the downloading of personal information
  • Follow best practices for transferring and deleting personal data in an SAP system in productive and non-productive environments
Key Concept
The new European Union General Data Protection Regulation (GDPR) will become effective on May 25, 2018. Companies using European personal data, both inside and outside of Europe, are adjusting practices, privacy controls, and parameters in SAP environments to comply with this regulation. New policies are being implemented to protect sensitive personal information that is kept in the customer, client, employee, and candidate master, and that is sometimes transferred to or from service providers.

Preparation to comply with the new European General Data Protection Regulation (GDPR) needs to start now. The consequences of mishandling personal data will increase significantly, since non-complying organizations face fines of up to 4 percent of global annual turnover or €20 million, whichever is higher. Even though the regulation becomes effective in May 2018, the requirements and practices to protect sensitive data are already defined, and they bring major challenges. It also applies to organizations based outside the European Union if they process personal data of European residents.

Global annual turnover is the revenue of a company, that is, the amount of money a company generates around the world. It establishes the basis for calculating a fine for a breach of the data protection regulation. Fines are calculated following the accounting principles for gross and net sales (net of discounts and taxes). Using the basis of calculation in similar regulations, the revenue is taken from ordinary activities and after turnover taxes and discounts.

This requirement creates many career opportunities for SAP experts and consultants. Being the first to communicate and to address these compliance risks is a critical factor.

A comprehensive risk analysis about current data collection, transfer, use, and disposal against the new GDPR requirements needs to be performed to prioritize the preparation plans. This article serves as a roadmap to prepare your SAP system to comply with the GDPR.

1. Define In-Scope SAP Data

Personal information is any data relating to an individual, including names, email addresses, identification numbers, bank details, medical information, and even a photo or an IP address. The GDPR also broadens personal information to biometric and genetic data.

A preparation plan starts by identifying all the SAP environments, clients, master data tables, and fields containing personal information of European residents, even customized z-tables and z-fields. All SAP systems such as SAP ERP Central Component (ECC), Business Intelligence (BI), Customer Relationship Management (CRM), and other solutions should be included in the preparation project. Backups, legacy systems, and archives of SAP databases should also be included in the planning. Digitized documents integrated into SAP containing private information should also be covered.

The quantity and quality of sensitive personal data to protect differs largely between industries and legal areas. Certain sectors, such as healthcare, insurance, banking, recruitment, and marketing, deal with a high volume and wide variety of personal information. These sectors need to comply with stricter industry rules and regulations. As a general reference, personal information is stored in global master tables for customers (KNA1, KNBK, KNVK), vendors (LFA1, LFBK), addresses (ADRC, ADR2, ADR3, ADR6), business partners (BP000, BP030), users (USR03), and credit cards (VCNUM). Other master data tables containing employment, date of birth, citizenship, identification number, tax, and credit data should be scoped. Also, some solutions such as SAP Patient Relationship Management keep very sensitive information. The information system repository in SAP ABAP can be used to list all the tables containing fields with personal information via the program Where-Used List for Domain in Tables (RSCRDOMA).

Personal information on employees is stored in SAP HCM infotypes. It typically includes personal data for ethnic origin, military status, and disability (infotypes 0002 and 0077), severely challenged persons (infotype 0004), addresses (infotype 0006), bank details (infotype 0009), related person (infotype 0021), internal medical services (infotype 0028 with all the subtypes), and residence status (infotype 0094). Personal information from applicants is usually included in the employee base. The SAP country-specific features may widen the scope of personal information.
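The two inventory steps above (finding every table, including custom Z/Y tables, whose fields are typed with a personal-data domain, and checking which of the listed HCM infotype tables actually hold records) can be combined in one scan. The report below is an added example, not code from the article; the domain names in the list are assumptions typical of an ECC system and must be extended from your own impact assessment.

```abap
REPORT z_gdpr_pii_scan.

" Assumption: these DDIC domains typically carry personal data. Extend the
" list from your own impact assessment; the scan covers Z/Y tables as well.
TYPES ty_dom_range TYPE RANGE OF domname.
DATA(lt_pii_domains) = VALUE ty_dom_range(
  ( sign = 'I' option = 'EQ' low = 'BANKN' )        " bank account number
  ( sign = 'I' option = 'EQ' low = 'GBDAT' )        " date of birth
  ( sign = 'I' option = 'EQ' low = 'PERID' )        " personal ID number
  ( sign = 'I' option = 'EQ' low = 'AD_SMTPADR' )   " e-mail address
  ( sign = 'I' option = 'EQ' low = 'CCNUM' ) ).     " payment card number

" 1. Active transparent tables whose fields are typed with those domains
"    (the where-used relation RSCRDOMA evaluates, but for a whole list at once)
SELECT f~tabname, f~fieldname, f~domname
  FROM dd03l AS f
  INNER JOIN dd02l AS t ON t~tabname = f~tabname
  WHERE f~domname  IN @lt_pii_domains
    AND f~as4local = 'A'
    AND t~as4local = 'A'
    AND t~tabclass = 'TRANSP'
  ORDER BY f~tabname, f~fieldname
  INTO TABLE @DATA(lt_hits).

WRITE: / 'Table', 'Field', 'Domain', 'Rows', 'Origin'.
LOOP AT lt_hits INTO DATA(ls_hit).
  " Row count shows whether the table actually holds data in this client
  SELECT COUNT(*) FROM (ls_hit-tabname) INTO @DATA(lv_rows).
  DATA(lv_origin) = COND string( WHEN ls_hit-tabname CP 'Z*' OR ls_hit-tabname CP 'Y*'
                                 THEN 'custom' ELSE 'standard' ).
  WRITE: / ls_hit-tabname, ls_hit-fieldname, ls_hit-domname, lv_rows, lv_origin.
ENDLOOP.

" 2. The HCM infotypes named in the article are stored in transparent tables
"    PAnnnn; count their records to prioritize the scope (requires HCM installed)
DATA(lt_infotypes) = VALUE string_table( ( `0002` ) ( `0004` ) ( `0006` ) ( `0009` )
                                         ( `0021` ) ( `0028` ) ( `0077` ) ( `0094` ) ).
LOOP AT lt_infotypes INTO DATA(lv_infty).
  DATA(lv_patab) = |PA{ lv_infty }|.
  TRY.
      SELECT COUNT(*) FROM (lv_patab) INTO @DATA(lv_records).
      WRITE: / lv_patab, 'records:', lv_records.
    CATCH cx_sy_dynamic_osql_semantics.
      WRITE: / lv_patab, 'not present in this system'.
  ENDTRY.
ENDLOOP.
```

Run it in each client of every in-scope system (ECC, BI, CRM) and keep the output as the starting inventory for the impact assessment; tables reported as custom deserve a review of why they duplicate standard master data.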

During the scope planning, it is important to validate with the business owners why the personal information is collected, as input for the impact assessment. Confirming the specific and legitimate need for keeping each type of personal information with business experts is highly advisable. Understanding the business need for each type of information also helps to define the responsible contact and the data retention requirements, and to show how data is transferred and interfaced between the SAP system and other systems and organizations. Reducing the amount of personal information kept will ease the preparation by reducing the risk in the SAP system.

Hernan Huwyler

Hernan Huwyler is a CPA and MBA who specializes in risk management, compliance, and internal controls for multinational companies. He works in developing IT and SAP controls to address regulatory and legal requirements in European and American companies. He served as Risk Management and Internal Control Director for Veolia, leading governance practices in Iberia and Latin America. He previously worked for Deloitte, ExxonMobil, Baker Hughes, and Tenaris.

Follow Hernan on Twitter @hewyler.
