How to accelerate your

GDPR readiness with

SAP Process Control
Leveraging SAP GRC to prepare for the
General Data Protection Regulation (GDPR)
Introduction
Getting your SAP environment ready for
GDPR
From May 2018, the General Data Protection Regulation
(GDPR) will dramatically change the way organisations
handle personal data - with huge penalties in store for
businesses failing to comply.
Contents
Section 1: Managing personal data
Section 2: Privacy by Design
Section 3: Data Protection Impact Assessments (DPIAs)
Section 4: GDPR controls, policies & reporting
Summary

Businesses running SAP ERP systems hold a wide range of

personal information and must therefore take steps to ensure
their SAP environment remains fully secure.

While this represents a significant challenge, the tools that

sit within SAP’s Governance, Risk and Compliance (GRC)
suite can help you prepare for GDPR and ensure you stay
compliant after the deadline has passed.

The SAP Process Control tool in particular will be a key asset

in your journey. SAP Process Control effectively acts as an
organisation’s controls hub, improving your visibility and
control of compliance right across your business.

It will enable you to document controls, test strategies and

evaluate effectiveness through constant monitoring – all while
providing actionable insights through advanced reporting
functionality. But as we’ll explore in this guide, other tools
in the SAP GRC arsenal, such as SAP Access Control can be
leveraged further for GDPR compliance.

In this eBook, we’ll look at some of the key considerations

your business needs to make ahead of the GDPR deadline -
and identify just how SAP Process Control can help speed up
your readiness for the new regulations.

‘Businesses running SAP ERP systems hold a wide range of

personal information and must therefore take steps to ensure
their SAP environment remains fully secure.’
Section 1
Managing personal data
Whether it’s contractor bank details, employees’ sick leave
history or customer contact information, an organisation’s
SAP platform typically plays host to a wide range of sensitive
personal data likely to fall under GDPR jurisdiction.
Unfortunately, there isn’t a definitive list of every single piece
of data that would be considered sensitive under the new
regulations, so your organisation is going to need to first
understand what personal information you hold, then take a
viewpoint on whether that personal information will need to
be treated differently moving forwards.
Managing access to personal data in SAP
To help manage access to personal data, you can define
one-sided risks in SAP’s Access Control tool. This will create a
control that you can run periodically to check that the people
with access to these sensitive data sets are appropriate. This
will allow you to create a whitelist of sensitive access relevant
from a GDPR perspective. You can then monitor that specific
list and perform periodic access reviews on each item.
If you identify that people outside of this whitelist have access
to these areas, then you can take remediating actions; either
removing access or adding them to the whitelist.
While you might be using your SAP Access Control tool to
do a periodic access review every year or every six months,
for GDPR-relevant personal data that you hold in your SAP
environment, you’ll want to be doing that more frequently –
perhaps even once a month.
You can also monitor the effectiveness of that periodic access
review process, as well as apply workflow escalation where
your GDPR relevant access is included in a request. So, if
you have automated provisioning in place with SAP Access
Control, you can route specific requests to a different path,
which can be approved by your DPO (Data Protection Officer)
if necessary.

However, there is a strong possibility that at some point in

the past you will have defined processes and procedures for
dealing with data privacy. This work shouldn’t be overlooked.
The likelihood is, if you were carrying out those processes
exactly as you described them initially, you would be a lot
closer to compliance than you might think.

Before taking a blank sheet of paper and looking at how

you’re going to approach GDPR, you should first revisit
your data protection processes and start to implement your
original plan, if it’s not in place already. GDPR is effectively
nothing new - yes there are bigger penalties in place, but it’s
actually just applying a bigger stick to a set of requirements
that, broadly speaking, should have been in place for some
time.
Section 2
Privacy by Design
‘Privacy by Design’ is an approach to projects that promotes
privacy and data protection compliance from the start and
then throughout the whole process. Often data protection
is seen as an afterthought and therefore projects are not
managed as they should be.
Privacy Impact Assessments (PIAs) are an integral part of
taking a Privacy by Design approach. The concept of Privacy
by Design calls into question the differences between a PIA
and a DPIA (Data Protection Impact Assessment). We’ll cover
DPIAs in the next section.
A PIA can reduce the risks of harm to individuals through the
misuse of their personal information. It can also help you to
design more efficient and effective processes for handling
personal data. The PIA is common for Human Resources (HR)
departments and holds a lot of relevance in the preparation
for GDPR.
Fig 1: Example GDPR survey
In order to adequately assess the impact of any projects or
business changes on a particular application, it is important
to have them classified from a data privacy perspective.
Many companies struggle with this if they do not have a
coherent IT asset register, which is up to date and considers
the data that the application or asset holds.
A good start for this is to send out a scoping survey of some
sort to ask the relevant application owners to provide that
assessment. This can then be used as a starting point for
assessments and planning what sort of follow up actions
may be required.
You’ll have no doubt carried out a PIA if you’ve rolled out SAP
HCM or indeed any HR system project. And, if your business
is global, you might be familiar with the need to look at the
specific data privacy requirements of the countries in which
you operate. A similar approach to a broader set of projects -
any that affect sensitive data - is required to maintain GDPR
compliance.
Fig 2: SAP Process Control central repository
It’s important to ensure that both business and IT staff
understand these requirements and to also apply controls
that make sure the PIA process is operating effectively.
Supporting Privacy by Design with SAP GRC
Privacy Impact Assessments can be completed in both SAP
Process Control or SAP Risk Management, while the self-
assessment functionality within the tools can be used to
complete initial scoping questions that will determine whether
a DPIA is also required (or not).
You can distribute the PIA and those scoping questions
through workflow. You may go one step further and integrate
the distribution of those questions with an external project
management tool.
The figures below give an example of how this might be
handled within a process control solution. It may be based
upon a particular policy that is part of your policy library or
through a risk assessment as part of a project or through a
periodic control that is operated against the known IT asset
landscape on a regular basis. Regardless of the source, the
functionality exists to be able to send out a questionnaire
or assessment survey to get insight from the appropriate
members of your business teams.
You can also track the completion of your PIA. Once you’ve
captured everything within SAP Process Control, you’ll have a
view on whether any self-assessments have been completed
in their entirety - then you can use the tool to escalate issues
and plan remediation activities where required.
Tracking everything in this central repository is going to give
you the ability to carry out status reporting, which is also
going to evidence your governance process around PIAs.
Section 3
Data Protection Impact Assessments
(DPIAs)
A DPIA is a form of PIA in a specific format required by the
GDPR. The creation of a new project could initially trigger the
need for a PIA, then consequently the need for a DPIA, if the
screening questions yield certain results. Essentially, a DPIA
is a critical tool when implementing data processing systems
to ensure you comply with the General Data Protection
Regulation (GDPR).
A DPIA is mandatory when processing is, ‘likely to result in
a high risk to the rights and freedoms of natural persons’.
Failure to conduct a DPIA, to conduct one incorrectly, or fail to
consult the supervisory authority where required could all lead
to GDPR penalties.
A DPIA will be required if the PIA determines that some of the
data is large-scale or high-risk enough to pose a significant
threat of harm to the individual, should a disclosure occur.
Fig 3: Example ‘Disclosure survey’
Facilitating the DPIA using SAP Process Control
SAP Process Control can support the DPIA Governance
process, again offering self-assessment functionality similar
to a PIA. Additional information can be captured and
stored within SAP Process Control where a DPIA is required.
Effectively, you can expand an existing PIA with further detail
and drive the whole process through workflow.
With SAP Process Control, you can automate many aspects
of the process using workflow paths and routes that can be
configured to trigger outcomes based upon responses. For
example, a DPO can validate when you’re using your central
controls repository to collate data and then subsequently for
audit and review.
Fig 4: Example ‘Data protection impact assessment (DPIA)’
Section 4
GDPR controls, policies & reporting
A key element of GDPR preparation is creating a control
framework that helps you demonstrate your ongoing
compliance.
With the significant consequences of non-compliance, it’s
essential to put a number of controls in place that allow you
to understand whether or not you’re meeting your compliance
objectives.
Putting a tool such as SAP GRC Process Control at the heart
of your GDPR compliance efforts will also pay dividends
should your organisation be subjected to a compliance audit.
By capturing and storing GDPR-related documentation and
controls-related data, you are storing up the information
required by the regulator on an ongoing basis. A proactive
approach like this is likely to make your first GDPR
compliance audit a lot less painful than it could be.

Examples may include: Fig 5: Example ‘Self-assessment’

• Exception monitoring of encryption control settings
• Self-assessments for breach detection controls and
pseudo anonymisation
• Sample checking for internal breach registration, breach
escalation and notification
• Reporting controls around PIA and DPIA completion
• Third party risk management surveys and self-assessments
• Training completion and user responsibility
• Policy and awareness training distribution
• Surveys to test understanding and adherence
• Controls over the data catalogue
• Exception reporting for legal retention periods
• Subject access request turnaround times
• Controls over data transfers outside EEA

The management, automation and monitoring of controls

is the core competency of SAP Process Control and the Fig 6: Example ‘Data Protection Office’
tool offers a lot of flexibility in this respect. The controls you
define to manage your risk to non-compliance from a GDPR
perspective will often be quite specific to your organisation.
However, SAP Process Control has been designed with the
flexibility required to support the management and operation
of controls in complex environments.
Summary

With so much noise around the General Data Protection Regulation (GDPR) it can be difficult to know where to turn for
guidance. The important thing to remember is that the need for a robust strategy for data protection and controls across your
SAP landscape is nothing new. It’s just that the consequences of managing this badly are becoming much more severe.

However you decide to approach GDPR, the right tools, processes and skill-sets are going to be key. The SAP GRC suite
can help you automate and streamline your approach, yet technology alone will only take you so far. Experience of
designing and implementing security, compliance and data protection strategies in SAP environments is critical. There will
be many self-appointed GDPR experts offering one-size-fits-all solutions to make you compliant. But without a thorough
understanding of the nuances and complexities of your organisation, such attempts would be a wasted investment. Be sure
to tread carefully.

The suggestions outlined in this guide are aimed to provide some key technology-focused insights to help you in your
journey. But this is by no means an exhaustive set of recommendations. We suggest looking at GDPR readiness through the
lens of people and process too. If you’d like to understand how this could be applied to your organisation, please get in touch.

We hope you enjoyed the guide.

About Turnkey
Turnkey Consulting is a specialist GRC and IT security company that combines business consulting with technical implementation to deliver information security solutions in support of SAP
systems. It focuses on the delivery of specialised services in support of SAP solutions in the areas of security, governance, risk and compliance (GRC).

It works with service providers, audit partners and SAP clients directly to provide the security controls and solutions that safeguard and complement a company’s implementation of an SAP
system. Clients include some of the world’s largest blue-chip companies alongside systems integrators and a number of government agencies.

Turnkey’s global offices:

United Kingdom | United States | Australia | Germany | Malaysia

Head Office
Turnkey Consulting Ltd
58 Ayres Street
London
SE1 1EU

T: +44 (0)207 288 2578

E: info@turnkeyconsulting.com
W: www.turnkeyconsulting.com