Data Protection and Privacy in SAP SuccessFactors

Quick Start Guide – May 21, 2018

CUSTOMER

The SAP SuccessFactors Q1 2018 Release introduced new and enhanced features for data protection and
privacy. This document briefly explains these features, sample use cases and how to get started. This document
will be updated regularly. The latest version can be found here or on the SuccessFactors HCM Suite page on the
SAP Help Portal .

DISCLAIMER: The information contained in this document is for general guidance only and provided
on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not
be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as
response hereto.
TABLE OF CONTENTS
PREREQUISITES ....................................................................................................................................................3
FEATURES ACROSS THE SAP SUCCESSFACTORS SUITE .............................................................................3
EFFORT ESTIMATES..............................................................................................................................................3
Change Audit ..........................................................................................................................................................4
Read Audit ...............................................................................................................................................................5
Data Subject Information Report ..........................................................................................................................5
Data Purge ...............................................................................................................................................................6
Data Blocking ..........................................................................................................................................................7
Consent Agreements .............................................................................................................................................7
MORE INFORMATION ............................................................................................................................................8
SAP SuccessFactors Customer Community GDPR Discussion Forum ..........................................................8
GDPR compliance: Where do I start? ..................................................................................................................8
Data Protection and Privacy Webinars ................................................................................................................8

2
PREREQUISITES
Role-based permissions (RBP) and Metadata Framework (MDF) are required to use these new
features.
Migrating to Role-Based Permissions
Implementing the Metadata Framework (MDF)

FEATURES ACROSS THE SAP SUCCESSFACTORS SUITE

Understanding your data: Companies store a wide range of personal data on people, ranging from
basic details like name and date of birth, to more potentially sensitive information such as religion or
medical history. In order to be compliant with data privacy laws, companies need to ensure that they
process and protect data in accordance with the applicable regulations.
Personal data- any information relating to an identified or identifiable natural person, like
name, address, phone number, etc. Fields defined as “personal data” trigger the capture of
change audit logs.
Sensitive personal data- subset of personal information that may require additional levels of
protection, such as information on racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership, health or sex life, etc. Fields defined as
“sensitive personal data” trigger the capture of read audit logs.

EFFORT ESTIMATES
The effort estimates included below are for guidance only and assume you have already determined
your requirements together with your legal counsel or data privacy office. The estimates are for
configuration only and do not include testing time. The time it takes to set up these features may differ
based on the size and complexity of your organization. Be sure you allocate ample time to configure
and test these features.

3
Change Audit
Change audit functionality enables logging and reporting of all changes to personal data to see who
has created, modified, or deleted personal data. It is available today for Employee Central, Employee
Central Payroll, Learning, Onboarding, Recruiting Management, Recruiting Marketing and Recruiting
Posting, Performance & Goals, Compensation, Succession & Development, Employee Profile and
User Management.

General audit functionality to record and report on configuration changes in Role-Based Permissions,
Proxy and User Management is on the roamap for a later date.

See also Important Notes about Change Audit.

Change Audit – Link to Documentation

Effort Estimate:  Create role, assign permissions (1 hour per instance)
 Enable Change Audit (a few minutes per instance)
HR Admin changes marital status on an employee's record. Data privacy officer can
Use Case:
audit which fields were changed.
1. Create Role (e.g. “Chief Privacy Officer” - someone in HR Dept. or Risk Mgt. Team)
How to Enable:
2. Assign Permissions – Admin Center> Manage Permission Roles
• View Read and Change Audit Configuration
• Edit Read and Change Audit Configuration
• Generate Change Audit Reports
3. Enable Change Audit – Admin Center> Manage Audit Configuration> Enable
Change Audit

Validation: Ensure Change Audit Flag is enabled - Admin Center> Manage Audit Configuration
Note: This usually takes 24 hours
Generate Change Audit reports

4
Read Audit
Read audit enables logging and reporting of all attempts to read sensitive personal data. Today, you are able to
configure fields as sensitive personal data. Soon, will also be able to record and report on access to sensitive
fields across applications. See Important Notes about Read Audit.

Read Audit – Link to Documentation

Effort Estimate:  Create role, assign permissions (1 hour per instance)
 Enable Read Audit (a few minutes per instance)
 Adjust sensitive personal data fields as needed – effort depends on number of fields
Use Case: Data privacy officer can audit which sensitive personal data was viewed in case of a
suspected data breach
How to Enable: 1. Create Role (e.g. “Chief Privacy Officer” - someone in HR Dept. or Risk Mgt. Team)
2. Assign Permissions for user group - Admin Center> Manage Permission Roles
• View Read and Change Audit Configuration
• Edit Read and Change Audit Configuration
• Generate Read Audit Reports
3. Enable Read Audit - Admin Center> Manage Audit Configuration> Enable Read Audit
4. Determine if additional sensitive personal data fields are required and configure as
needed – review default sensitive fields and additional field configuration
Validation: Ensure Read Access Logging is On – see step #2
Create Report – On roadmap for Q3

Data Subject Information Report

Allows you to compile a report containing all the personal data your company has stored on a particular person
in SAP SuccessFactors.

Data Subject Information Report – Link to Documentation

Effort Estimate:  Create role, assign permissions (1 hour per instance)
 Configure report

Use Case: Data Privacy Officer generates a report showing all personal data of an individual stored
in SuccessFactors
How to Enable: 1. Create Role (e.g. “Chief Privacy Officer” - someone in HR Dept. or Risk Mgt. Team)
2. Assign Permissions – Admin Center> Manage Permission Roles
• Enable Information on Data Subject
• Read Execution Manager Event Payload
• Admin Access to MDF OData API
3. Configure report - Admin Center> Data Subject Information> Configuration Tab
• Determine entities and fields to include in report (ie: team goals, ratings)
Ensure the fields selected have a purpose to answer “why” it’s being stored
Validation: Generate Report - Admin Center> Data Subject Information> Data Subject Search> Find
user

5
Data Purge
Enables you to define country-specific data retention rules and to permanently delete data once it is no longer
needed and the required retention time for the data has passed.

Data Purge – Link to Documentation

Effort Estimate:  Enable Data Retention in Company Settings (1 hour per instance)
 Create role, assign permissions (1 hour per role per instance)
 Enable DRTM objects by country (1 hour per module per instance)
 Setup country-specific retention periods (15 minutes per DRTM object per instance)
Note: effort will vary based on number of countries and DRTM objects
Use Case: Data privacy officer can delete all personal data of an individual stored in
SuccessFactors.
How to Enable: 1. Enable Data Retention Management and define Minimum # of approvers - Admin
Center> Company System and Logo Settings> Data Retention Management
2. Create Role (e.g. “Chief Privacy Officer” - someone in HR Dept. or Risk Mgt. Team)
3. Assign Permissions – Admin Center> Manage Permission Roles
• Create DRTM Data Purge Request
• Approve DRTM Data Purge Request
4. Enable DRTM Objects - Admin Center> Upgrade Center> Search “DRTM”
5. Enable DRTM for each country – Admin Center> Manage Data> Search “Country”
• Insert “New Record” for each country that requires DRTM
• Set “Data Retention Enabled” to Yes
6. Configure purge process additional configuration

Validation: Ensure tools are enabled – Admin Center> Data Retention Management> Create New
Purge Request> Select a purge request type> DRTM
Admin Center> Data Retention Management> Maintenance Monitor to view the Preview
Report and approve the purge request
View the complete purge report after the purge request gets completed
Need to Know:  Master Data Purge (DRTM Master Data Purge): purges all personal data, including
audit based on retention policy configured for master data. Overrides retention times
set for individual application purge objects
 Application Data Purge (DRTM <Object Name> Purge): Purges personal data for all
active and inactive users in that specified application based on the purge object
retention time.
 Audit Data Purge (DRTM Audit Purge): applicable for active or inactive users and
purges read and change audit data

6
Data Blocking
Allows you to restrict access to historical personal data based on the user's role.

Data Blocking – Link to Documentation

Effort Estimate:  Enable view workflows with Approved, Rejected or Cancelled status (1 hour per role
per instance)
 Configure data blocking for MDF objects as needed (1 hour per MDF object per
instance)
 Assign permissions for data blocking (1 hour per object per instance)

Use Case: HR Call Center rep is restricted to view all historical personal data dating back 3 months
How to Enable: 1. Review Data Blocking options
2. Set up data blocking for MDF objects
• Configure blocking period field in MDF - Admin Center > Configure Object
Definitions > Open MDF object > Security > blockingPeriodField and enter
the reference date you want to use to determine the blocking period.
3. Configure roles that will not have full access to historical data
• Admin Center > Manage Permission Roles > Permission Role Detail >
Permission Settings and select permission category
o Employee Central Effective Dated Entities
o Permission Category for MDFs (ie: Miscellaneous Permissions)
• Select “View History”. Under Data Access Period Settings, select
“Restricted” and enter number of months
Validation: Data blocking is immediately activated for that role
Need to Know:  Recommend all classic reporting tools are disabled and replaced with ORD reports
 Recommend removing all sensitive data from classic reports if still used.

Consent Agreements
Allows you to inform individuals on how their personal data will be stored and used when they use particular
applications. Enables customers to configure and manage consent statements and their acceptance

Consent Agreements – Link to Documentation

Effort Estimate:  Enter ticket to have the feature enabled
o Enabled via Provisioning>Company Settings>Data Privacy Consent 2.0
 Create Statements: Time dependent based on customer requirements and modules
deployed.
Use Case: Companies can use consent statements to ensure candidates agree to the company’s
data privacy policy prior to applying for positions.
How to Enable: 1. Contact SAP Cloud Support to have “Data Privacy Consent Statement 2.0” turned on
2. Create a Statement> Admin Center> Data Privacy Statement
3. Click Create New Statement – Additional configuration of specific statements
Validation: Save as draft to review prior to publishing

7
MORE INFORMATION
Setting up and Using Data Protection and Privacy Features
SAP SuccessFactors Customer Community GDPR Discussion Forum
GDPR compliance: Where do I start?
Data Protection and Privacy Webinars

8
www.sap.com/contactsap

© 2018 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this docume nt or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation
to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are
cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark
information and notices.