• English
  • Italian


Blog Image

GDPR and the SAP approach

  • On 20 October 2017

The GDPR, acronym for the General Data Protection Regulation, is the new EU Regulation (2016/679) for the protection of personal data of citizens in the digital age. It replaces Directive 95 / 46EC (protection of individuals with regard to the processing of personal data and privacy), and will enter into force in May 2018.

The aim of the GDPR is to regulate how companies process, store, and destroy personal data of users.

This regulation applies to Companies that have a physical presence in at least one EU country, foreign companies that process or store personal data of European citizens and companies using third-party services that process or store personal data of European citizens. For companies that will also violate one of these rights, heavy sanctions of 4% of the global business volume up to a maximum of 20 million euros are expected.

The most impressive novelties are the Respect of Data Breach, with notification obligation (within 72 hours) to the competent authority and affected users in the event of any leakage or compromise of data; Accountability, demonstration with documentary proof of full compliance with the Regulation and Nomination of Data Protection Officer, mandatory for businesses with 250 or more employees and public administrations.

This type of regulation impacts all systems and procedures of companies, not just SAP systems. Generally, specialist consulting companies propose a risk-based impacts assessment based on more or less standardized methodologies in which the possible system flaws are highlighted. SAP offers a set of tools that can be used to meet regulatory compliance, although not the use of software that ensures compliance but the orchestration of the same in a methodological framework suitable for the purpose.

Basically the components that indicate SAP can be summarized in the following categories:

  1. Software for managing information within SAP processes, their time mapping and identification
  2. Software for defining process scenarios and their control in order to draw processes so that they are compliance with the law and to provide the necessary certification throughout the time
  3. Software for profiling, controlling and mapping of access, data masking where necessary, logging of accesses.

Some of these components are already present in SAP’s Netweaver suite, others are SAP standards, such as the use of AIS, the Audit Information System, which allows you to extract useful information rather than user profiling according to well-defined authorization profiles. Others are instead forms or components, such as Information Lifecycle Management, whereby data retention time can be handled and their destruction is time when data is held on the company. The SAP GRC – Risk Management Suite is usable in this area for the definition of impacted processes and the redesign of processes themselves in compliance with GDPR compliance. Another usable component is Celonis, which allows you to map all the data within the processes and what data are used and how in business processes, thus allowing you to understand which processes to modify or simply monitor.

In this area, PL3 & Partners provides its application, technical and methodological skills to offer those who address this important problem an ad hoc solution to their needs. For information contact us by clicking here or by writing to marketing@pl3group.com


Paolo Ponte, Sales & Marketing Manager