Learn How to Prepare Your User Access Review to Comply with the General Data Protection Regulation (GDPR)

  • by Hernan Huwyler, Risk and Compliance Expert
  • July 24, 2017
Reviewing the user and database access in your SAP system to prepare for the new General Data Protection Regulation (GDPR) in the European Union has some particular requirements. Controls should be reinforced on user and database rights to access tables with personal information. Documentation, validation, and coordination should also be more comprehensive.
Learning Objectives

Reading this article, you will learn how to:

  • Adjust your user access review for compliance with the General Data Protection Regulation (GDPR)
  • Coordinate the access review to an organization-wide GDPR readiness project
  • Align the access review to key documents such as the inventory of personal data and the privacy impact assessment
  • Get a validation of the review and access changes
  • Understand that SAP system managers play a relevant role in protecting personal information (and the organization’s reputation)
  • In general, improve the SAP governance on data privacy controls
Key Concept

Organizations holding or processing personal data of European Union residents should align their SAP system access review with the General Data Protection Regulation (GDPR) readiness project to focus on rights to display, list, and download tables with personal information. SAP system managers should perform the access controls in collaboration with the compliance and the operations departments. 

Compliance with the General Data Protection Regulation (GDPR) requires improving SAP data governance in companies collecting, using, and transferring personal data of European Union (EU) residents. These new privacy rules become effective on May 25, 2018, and also apply to companies based outside the EU if they offer products or services in the EU single market.

The review of who has access to what (also called access certification) to comply with this regulation needs to be performed by a control methodology that differs from the one normally used. The access review for GDPR compliance should cover master data of employees, candidates, vendors, contractors, clients, suppliers, and business partners, as well as any other standard or custom table or table field containing personal information (see my previous SAP Experts article, “How to Prepare Your SAP System for the New European Union General Data Protection Regulation.” This article contains tips to adjust and improve the user access review to comply with the GDPR. 

Hernan Huwyler

Hernan Huwyler is a CPA and MBA who specializes in risk management, compliance, and internal controls for multinational companies. He works in developing IT and SAP controls to address regulatory and legal requirements in European and American companies. He served as Risk Management and Internal Control Director for Veolia, leading governance practices in Iberia and Latin America. He previously worked for Deloitte, ExxonMobil, Baker Hughes, and Tenaris.

Follow Hernan on Twitter @hewyler.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.