GDPR in the EU

As of May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data will be directly applicable in all EU Member States. Its purpose is to protect personal data and the free movement of data within the European Union. The requirements regarding responsibility for data and the possibility of its transfer will call for changes in internal processes, whereas consumer protection and the right to be forgotten (officially known as the “right to erasure”) will require changes in the data protection itself. Organizations will have to make sure that they appropriately protect the rights of people whose personal data they store.

It will be a huge challenge for companies to ensure compliance with the various requirements of the GDPR. First of all, it will be necessary to identify all processes in which personal data is used. These processes will be the starting points for designing GDPR compliance programs and for determining the key compliance factors. The data should be verified and evaluated to see whether its volume can be minimized or the data eliminated entirely. Another extremely important factor is the quality of data. The better the quality, the easier it is to define rational ways to ensure compliance with the GDPR requirements.

When preparing to ensure compliance with the GDPR, the people responsible for ensuring the confidentiality of data must develop plans for secure storage of information in data processing systems of their organizations. Good plans will define not only the proper way of handling personal data in corporate IT environments, but they will also describe the rules and processes of data protection, taking responsibility for data, data transfer capabilities and the right to erasure.

It will be particularly urgent to ensure information security in non-production application systems. It is not without reason that test systems are usually fed with data that is very similar to the data of the production system. “Production” personal data can only be used in test systems if it is adequately secured, especially if the application systems can be accessed by data processors from other companies who live or work outside the EU. One of the methods of securing personal data is anonymization or pseudonymization.

Requirements regarding SAP users

The first step of anonymization is to define data that is particularly sensitive according to the GDPR. It is also important to understand which business processes use or process confidential personal data.

Communication between systems is also important. It is easy to lose track when information is exchanged outside of systems or even between systems of the same system landscape. In the event that the data is anonymized in one ERP system and non-anonymized data from another system is imported, it may be necessary to cancel the anonymization. Therefore, application systems should not be treated as isolated silos when planning anonymization. Instead, an analysis should clearly identify which systems communicate with each other and what data they share.

Conceptual design

In the conceptual design phase, you define which data requires anonymization or pseudonymization and how to do it. The General Data Protection Regulation (GDPR) requires companies to protect the personal data of individuals. This means at least masking the personal data of individuals by means of anonymization or pseudonymization.

Designing the anonymization or pseudonymization processes usually gives rise to the following questions:

  • What exactly is “personal data”?
  • Where is it used in the system?
  • What data is exchanged between systems?
  • How can personal data be masked?
  • How can the consistency of data masking be ensured?
  • What data can be anonymized?
  • What data can be pseudonymized?
  • What data is suitable for pseudonymization?

Once the analysis and conceptual design phase is over, it is time to implement the approved procedures. In the conceptual design phase, it is defined which data should be anonymized and how. This makes it easier to describe the masking environments with many elements:

Objects:

  • Suppliers
  • Customers
  • Business partners
  • Employees

Areas:

  • Names
  • Addresses
  • Bank account numbers/IBAN
  • Contact details

Rules:

  • Fixed values with conditions / without conditions
  • Ascending values
  • Encryption
  • Review tables

It is rational to define the above elements in such a way that they can be used in many different applications. In this way, the related data will be masked consistently in different systems (such as ERP and CRM).
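The following added example (not part of the original article and not code from any product named on this page) sketches how rules defined once per area give the same masked value for the same person in two systems. The column names, key and sample records are constructed, and a keyed hash (HMAC-SHA-256) stands in for the "Encryption" rule.

```python
import hashlib
import hmac

# Constructed demo key (assumption): a real key is stored outside the masked systems.
KEY = b"constructed-demo-key"

class AscendingRule:
    """'Ascending values' rule backed by one mapping table shared by all systems."""
    def __init__(self, prefix):
        self.prefix, self.table = prefix, {}
    def __call__(self, value, record):
        if value not in self.table:  # first sighting: assign the next number
            self.table[value] = f"{self.prefix}{len(self.table) + 1:06d}"
        return self.table[value]

def fixed(replacement, condition=None):
    """'Fixed value' rule; with a condition it only fires for matching records."""
    def rule(value, record):
        return replacement if condition is None or condition(record) else value
    return rule

def keyed(value, record):
    """Keyed hash (HMAC-SHA-256) as a deterministic stand-in for 'Encryption'."""
    normalized = value.replace(" ", "").upper()  # same IBAN, different spacing
    digest = hmac.new(KEY, normalized.encode(), hashlib.sha256).hexdigest()
    return "PSN-" + digest[:12]

# Rules are defined once per area and reused by every system.
RULES = {
    "name": AscendingRule("PARTNER-"),
    "iban": keyed,
    "phone": fixed("+00 000000", condition=lambda r: r.get("type") == "person"),
}

def mask(record, field_map):
    """Mask one record; field_map maps a system's columns to shared areas."""
    masked = dict(record)
    for column, area in field_map.items():
        if column in record:
            masked[column] = RULES[area](record[column], record)
    return masked

# Constructed sample data: hypothetical ERP and CRM column names.
ERP_MAP = {"partner_name": "name", "bank_iban": "iban", "phone": "phone"}
CRM_MAP = {"full_name": "name", "iban": "iban", "telephone": "phone"}
erp_row = {"type": "person", "partner_name": "Jane Example",
           "bank_iban": "DE00 1234 5678 9012 3456 00", "phone": "+49 30 1234"}
crm_row = {"type": "person", "full_name": "Jane Example",
           "iban": "DE00123456789012345600", "telephone": "+49 30 1234"}
```

The mapping table and the key allow masked values to be linked back to the originals, so both need the same protection as the production data.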

To ensure compliance with the GDPR requirements, you need tools that make it easy to configure settings so that they can be reused, and that anonymize aggregate data quickly and consistently.

Such products are, among others, our solutions – SNP Data Provisioning & Masking (SNP DPM) and All for One HR Cloner.