In the spring of 2018 the new EU data-protection requirements are due to enter in force. Companies of all sizes, saving and processing data, now only have a little less than one and a half years to comply both with the data-security rules and with the extensive accountability obligations. Otherwise, in the event of violations, they face huge fines - up to EUR 20 million or four per cent of their annual turnover. So what do companies using SAP need to take into account and how can they prepare?
What does this mean for companies now? Which data systems are particularly affected? Which steps need to be completed by 2018 to comply with the new rules?
The staged system of the new data-protection directive already provides for penalties of up to two per cent of the annual turnover generated worldwide, if processing operations are not documented in good order (Article 28). If security is breached, companies are obliged to notify the public authorities within 72 hours (Article 31).
Definition of Breach
According to the definition stated in the new EU legislation, it is also deemed to be a breach of protection if an employee views data that they personally do not need for their particular professional duties. In addition, companies must see to it that employees can recognise when they are violating laws by their data-processing activity or when they are processing data on an unauthorised basis.
The first and most important step for all companies is to check in which systems they are maintaining the documents and files affected by the legislation. The second step is to check whether the company can reliably trace and prove what is being done with this data if it leaves the system, for instance.
The first and most important step for all companies is to check in which systems they are maintaining the data affected (…)
In the context of IT environments that are ever more complex, it is a major challenge for companies to track which affected files are kept in which systems, and via which channels the data is shared (where applicable). Files specific to individuals are to be found particularly frequently in ERP systems.
Within this regulated IT environment, it is relatively simple to implement the rules for the new protection directives, if these systems have authorisation structures and audit-logs at their disposal. So does that provide security?
Unfortunately, no – because as soon as this data has been exported from the system, the SAP authorisation structures no longer take effect; also, what subsequently happens cannot be traced. Yet in most companies these exports take place each day, without the employees concerned being aware of possible consequences.
(…) as soon as this data has been exported from the system, the SAP authorisation structures no longer take effect.
In particular, this affects business sectors such as energy (electricity, oil and gas), transport (air, rail, water and road), other infrastructure sectors such as supply of drinking water, as well as bank infrastructure and financial-market infrastructure, trade centres, health-service providers and also digital infrastructures.
Protocolling and Audits
So it is necessary to introduce audit-solutions and protocolling solutions, recording who gains access to data, exports it and passes it on. It is also recommended to integrate a GRC solution, so that notifications are sent to the parties responsible in the event that rules are breached. However, ideally the sets should already be classified when that data first emerges.
Sensitive data, affected by the legislation, can then have corresponding rules attached to it for its entire life cycle. Thus, it can then be released solely for internal use by specified individuals; alternatively, the download of particular files is completely blocked.
(…) data can then be released solely for internal use by specified individuals (…)
This is how the staff are also sensitised to this issue and their attention drawn to possible violations. Introducing a rights-management system (RMS) helps in averting a breach of security (Article 31) and also to prove, or to restrict, the use of the data even outside the ERP system.
Likewise, the new legislation requires most companies to specify their designated team member responsible for protection (Article 35). For those responsible for this subject area, now is the ideal time to check the internal situation, to introduce suitable measures for sounding-out the data and securing it, as well as to thoroughly check the products offered as solutions.