The SAP SuccessFactors Q1 2018 Release introduced new and enhanced features for data protection and
privacy. This document briefly explains these features, sample use cases and how to get started. This document
will be updated regularly. The latest version can be found here or on the SuccessFactors HCM Suite page on the
SAP Help Portal.
DISCLAIMER: The information contained in this document is for general guidance only and provided
on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not
be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as
response hereto.
TABLE OF CONTENTS
PREREQUISITES
FEATURES ACROSS THE SAP SUCCESSFACTORS SUITE
EFFORT ESTIMATES
Change Audit
Read Audit
Data Subject Information Report
Data Purge
Data Blocking
Consent Agreements
MORE INFORMATION
SAP SuccessFactors Customer Community GDPR Discussion Forum
GDPR compliance: Where do I start?
Data Protection and Privacy Webinars
PREREQUISITES
Role-based permissions (RBP) and Metadata Framework (MDF) are required to use these new
features.
Migrating to Role-Based Permissions
Implementing the Metadata Framework (MDF)
Understanding your data: Companies store a wide range of personal data on people, ranging from
basic details like name and date of birth, to more potentially sensitive information such as religion or
medical history. In order to be compliant with data privacy laws, companies need to ensure that they
process and protect data in accordance with the applicable regulations.
• Personal data: any information relating to an identified or identifiable natural person, like
name, address, phone number, etc. Fields defined as “personal data” trigger the capture of
change audit logs.
• Sensitive personal data: subset of personal information that may require additional levels of
protection, such as information on racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership, health or sex life, etc. Fields defined as
“sensitive personal data” trigger the capture of read audit logs.
EFFORT ESTIMATES
The effort estimates included below are for guidance only and assume you have already determined
your requirements together with your legal counsel or data privacy office. The estimates are for
configuration only and do not include testing time. The time it takes to set up these features may differ
based on the size and complexity of your organization. Be sure you allocate ample time to configure
and test these features.
Change Audit
Change audit functionality enables logging and reporting of all changes to personal data to see who
has created, modified, or deleted personal data. It is available today for Employee Central, Employee
Central Payroll, Learning, Onboarding, Recruiting Management, Recruiting Marketing and Recruiting
Posting, Performance & Goals, Compensation, Succession & Development, Employee Profile and
User Management.
General audit functionality to record and report on configuration changes in Role-Based Permissions,
Proxy and User Management is on the roadmap for a later date.
Validation: Ensure Change Audit Flag is enabled - Admin Center > Manage Audit Configuration
Note: This usually takes 24 hours
Generate Change Audit reports
Read Audit
Read audit enables logging and reporting of all attempts to read sensitive personal data. Today, you are able to
configure fields as sensitive personal data. Soon, you will also be able to record and report on access to sensitive
fields across applications. See Important Notes about Read Audit.
Data Subject Information Report
Use Case: Data Privacy Officer generates a report showing all personal data of an individual stored
in SuccessFactors
How to Enable:
1. Create Role (e.g. “Chief Privacy Officer” - someone in HR Dept. or Risk Mgt. Team)
2. Assign Permissions - Admin Center > Manage Permission Roles
• Enable Information on Data Subject
• Read Execution Manager Event Payload
• Admin Access to MDF OData API
3. Configure report - Admin Center > Data Subject Information > Configuration Tab
• Determine entities and fields to include in report (i.e.: team goals, ratings)
• Ensure each selected field has a purpose that answers “why” it is being stored
Validation: Generate Report - Admin Center > Data Subject Information > Data Subject Search > Find
user
Data Purge
Enables you to define country-specific data retention rules and to permanently delete data once it is no longer
needed and the required retention time for the data has passed.
Validation:
• Ensure tools are enabled - Admin Center > Data Retention Management > Create New
Purge Request > Select a purge request type > DRTM
• Admin Center > Data Retention Management > Maintenance Monitor to view the Preview
Report and approve the purge request
• View the complete purge report after the purge request gets completed
Need to Know:
• Master Data Purge (DRTM Master Data Purge): purges all personal data, including
audit data, based on the retention policy configured for master data. Overrides retention times
set for individual application purge objects.
• Application Data Purge (DRTM <Object Name> Purge): purges personal data for all
active and inactive users in that specified application based on the purge object
retention time.
• Audit Data Purge (DRTM Audit Purge): applicable for active or inactive users and
purges read and change audit data.
Data Blocking
Allows you to restrict access to historical personal data based on the user's role.
Use Case: HR Call Center rep is restricted to viewing historical personal data dating back 3 months
How to Enable:
1. Review Data Blocking options
2. Set up data blocking for MDF objects
• Configure blocking period field in MDF - Admin Center > Configure Object
Definitions > Open MDF object > Security > blockingPeriodField and enter
the reference date you want to use to determine the blocking period.
3. Configure roles that will not have full access to historical data
• Admin Center > Manage Permission Roles > Permission Role Detail >
Permission Settings and select permission category
o Employee Central Effective Dated Entities
o Permission Category for MDFs (i.e.: Miscellaneous Permissions)
• Select “View History”. Under Data Access Period Settings, select
“Restricted” and enter number of months
Validation: Data blocking is immediately activated for that role
Need to Know:
• We recommend disabling all classic reporting tools and replacing them with ORD reports.
• If classic reports are still used, we recommend removing all sensitive data from them.
Consent Agreements
Allows you to inform individuals about how their personal data will be stored and used when they use particular
applications. Enables customers to configure and manage consent statements and their acceptance.
MORE INFORMATION
Setting up and Using Data Protection and Privacy Features
SAP SuccessFactors Customer Community GDPR Discussion Forum
GDPR compliance: Where do I start?
Data Protection and Privacy Webinars
www.sap.com/contactsap
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation
to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are
cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark
information and notices.