In the wake of the GDPR, organizations are being forced to reconsider their network security, data discovery, data access, controls, mapping and governance policies and practices to ensure regulatory compliance and to prevent stiff fines for non-compliance. The European Union (EU) began enforcing the GDPR on May 25, 2018, to protect customer privacy and personal data. GDPR adherence requirements apply to any organization in any country — inside or outside of the EU — that handles or processes EU residents’ personal data. We’ll show you exactly how to accomplish your goals with our GDPR compliance checklist.
Protecting personal data of consumers is extremely important. Not only are too many consumers and companies suffering from data theft every year, but billions of dollars are spent to recover from data breaches. Regulation and protection of consumer personal data is not new. Companies need to assess their security and risk management strategies, data handling processes, data access roles and data governance to help ensure regulatory compliance and to properly manage enterprise business risk.
Essentially, the regulation is intended to provide EU data subjects with improved control over their personal data, enhance the processes carried out by organizations when transferring and storing the data of a customer, and unify 28 national data protection regulations to modernize Europe’s cyber-security policies. The law stipulates that organizations must do everything in their power to protect the personal data of EU data subjects. Moreover, GDPR gives EU data subjects enhanced and new rights over their personal data to protect their human rights.
But here’s the thing:
The regulation includes a broad definition of ‘personal data’. Any data that can be used to directly or indirectly identify an individual is considered personal data and must be protected. In addition to the obvious types of personal data (such as first name, last name and credit card information), the GDPR’s definition includes online identifiers and genetic, mental, cultural, economic and social information.
THE GDPR INCLUDES PROVISIONS FOR:
If a company fails to comply with the GDPR, an EU regulator can issue warnings, reprimands, suspensions of data transfers, bans on processing, and orders to correct infringement.
Many companies are making it easier to access your data. Their compliance efforts are showing, and it creates a sense of trust with their consumers.
Depending on the breach and other variables, an organization may face fines that are 4% of their revenue:
- While this alone should serve as a deterrent to lax GDPR compliance efforts, there are also the adherent risks to consider. In addition to fines and other sanctions, non-compliance may lead to class-action lawsuits, damage to an organization’s reputation and losses for investors.
To comply with the GDPR, your organization will need to assess its current governance, risk and compliance (GRC) strategy and implement processes and systems to discover, manage, protect and report on personal data issues.
Here are four actionable steps toward GDPR compliance:
1. Identify what personal data you have and where it resides.
- Determine if your data is within scope of the GDPR and identify how the data is stored (online, near-line, archived, documents
2. You must demonstrate how personal data is collected, used, accessed, and the governance process to monitor and protect data.
- Create an organization communication and process map, implement SAP ILM Retention Management (RM), and document your processes for complying with audit requirements
3. Companies are required to establish security controls to prevent, detect and respond to vulnerabilities and data breaches. In addition, GDPR includes rigid requirements for responding to vulnerabilities.
- Protect data from the ground up, starting at the firmware level, leverage modern technology, like artificial intelligence (AI) to prevent and stop breaches, detect, monitor, investigate and respond to advanced threats, minimize identity risk and encrypt at all levels
4. Organizations must act on data subject requests, report data breaches, and keep required documentation.
- Put strategies in place to document devices affected and the overall organizational impact, document data and file encryption and deletion states, prepare to document data breaches and document implementation of your organization’s security policies
SAP PRODUCTS AND DATA SOURCES SUBJECT TO GDPR
So, what does this mean to organizations using SAP?
SAP is taking GDPR seriously, as any large software publisher would when hosting billions of personal data records. SAP is working to ensure that its products support processes and systems to discover, manage, protect and report on personal data hosted in SAP systems. In addition to SAP application awareness, an organization must also determine where personal data is stored to ensure it is encrypted and protected.
Consider the ways in which personal data is stored in SAP’s ERP Central Component (ECC), which is SAP’s enterprise resource planning software that includes finance, logistics, HR, product planning and customer service modules.
A HOLISTIC APPROACH TO GDPR COMPLIANCE
The challenges associated with GDPR compliance are both complex and obscure. In many cases, enterprises have more questions than answers on the policies, processes and technologies they need to put in place in order to comply with GDPR. Auritas offer services that help your organization on your GDPR journey. Moreover, when you put Auritas on your team, you have ready access to expertise and insights that can help your business leaders understand your organizational requirements, identify the solutions to those requirements, and take steps today to avoid the high costs of non-compliance.
WHAT COMES NEXT
Auritas may be able to help you understand the issues at hand and create a plan toward resolution. Auritas offers essential services to help with GDPR requirements to ensure your organization is better positioned to adhere to new privacy and data protection regulations that are sure to come down the road.
As a leading provider of regulatory compliance solutions for enterprise SAP customers, the company provides a wide range of GDPR solutions, including:
- Blueprinting and mapping GDPR requirements to SAP data
- Hardware sizing for selected enabling technology
- Solution installation and configuration
- Gathering sample data and documentation detail for legal to present to GDPR authorities
Furthermore, services include assessment of an organization’s readiness and a suitable compliance strategy to minimize risk exposure. Some of the components available from SAP in regards to the GDPR include:
- SAP ILM
- SAP Data Controller Rule Framework
- SAP Information Retrieval Framework
For more information, please contact one of our CCPA & GDPR experts at CCPA@auritas.com.
If you’d like to read up on the CCPA and gain insight on the US data privacy regulations, feel free to click here!
Over the years I’ve always been impressed with the reasonable approach of the judges I’ve heard at the ARMA conferences when it comes to retention