What is SAP GRC?

Governance, Risk Management and Compliance, or GRC, is an umbrella term whose scope touches most offices in an organization.

GRC aims to synchronize various internal functions and to integrate governance, management, risk and compliance activities.

SAP GRC is a software solution used for compliance and policy management. Its compliance management capabilities allow organizations to manage and monitor their internal control environments. GRC modules include:

  1. SAP GRC Access Control

  2. SAP GRC Process Control and Fraud Management

  3. SAP GRC Risk Management

  4. SAP GRC Audit Management

  5. SAP GRC Fraud Management

  6. SAP GRC Global Trade Services

Considerations for choosing the right privacy tech vendor

Some organizations and SAP users choose to use a privacy tech vendor like Natuvion’s CIO-competence-center to help them achieve compliance. Five areas of support include:

  1. Privacy Assessment Management and Privacy Program Management Creation

  2. Data Search and Mapping

  3. De-identification or pseudonymization

  4. DSR (Data Subject Rights) Processing

  5. Consent Management

The International Association of Privacy Professionals is policy-neutral and is the world’s largest information privacy organization. Below is a list of four items they recommend you consider when selecting the right privacy tech vendor:

  1. Working in partnership with law firms

  2. Privacy office budget

  3. Involvement of IT/CIO in decision making and implementation

  4. Ability to keep up with rapidly changing legal regulations AND rapidly changing SAP technology

Typically, privacy tech vendors fall into two categories: the first is privacy program management (focused on privacy processes) and the second is enterprise program management (focused on technical items).

Natuvion is the only SAP privacy tech vendor that consolidates both suites of privacy management into one competence center. To learn more, contact us here.

GDPR Data Protection Officer | Do organizations have to appoint a Data Protection Officer (DPO)?

A data protection officer (DPO) is the voice of data protection compliance within an organization. The DPO is expected to help the organization comply with its legal obligations and, under GDPR, to manage the security of personal data.

4 Responsibilities of a Privacy Program Manager

A Privacy Program Manager is responsible for managing and operationalizing a corporate privacy program across the company. Their most important responsibility is to be ACCOUNTABLE for the safekeeping and responsible use of personal information - not just to investors and regulators but to the everyday consumer, vendors, partners and employees.

4 key responsibilities include:

  1. Identify privacy obligations for the company

  2. Identify business, employee and customer privacy risks

  3. Identify existing documentation, policies and procedures.

  4. Create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program aligned with corporate strategy. Don't forget that your corporate policies have a lifecycle:

    • Draft - inward-facing policies, aligned and consistent across the organization

    • Approved - by decision makers and stakeholders

    • Disseminate and train all employees

    • Review and revise policies regularly. For all our clients this process is done on a quarterly basis, or immediately after a breach or a change in the business, for example a merger or acquisition.

  5. Continuously maintain and improve the privacy program

5 Goals of a Privacy Program

A successful privacy program integrates privacy requirements and procedures into the functional areas across an organization.

  1. Demonstrate compliance with applicable laws and regulations

  2. Promote customer trust and confidence

  3. Enhance an organization’s reputation

  4. Facilitate privacy program awareness with employees, customers, partners and service providers.

  5. Respond to privacy breaches

Do you have a privacy governance model?

To manage privacy in your company you need a team. Obviously this varies by organizational size; there is also flexibility in the team structure depending on your organization’s structure and goals. Regardless of size, an organization MUST have a contact for privacy and designated “first responders” to privacy incidents.

While there is no perfect privacy governance model, these are the three most popular ways to organize such a team:

1) Hybrid

This model combines a centralized and a decentralized (local) team. We have seen this work well. Generally one organization is responsible for privacy: usually a Data Protection and Privacy Office [DPPO] owns all the privacy processes in a company (heavily supported by a legal team). Each functional organization then has a person or sub-team responsible for privacy in that function, with a dotted reporting line into the DPPO. In our experience, for a large organization this is the best way to structure your teams for optimal compliance and communication, as long as your employees are empowered to make decisions. Even in a smaller organization, where one person is assigned to lead privacy in addition to their other responsibilities, we have seen this scenario work well.

2) Localized/Decentralized

Privacy decision making is delegated to the lower levels of an organization.

3) Centralized

Just one team is responsible for all privacy-related actions. In our experience this one comes with significant issues. In large organizations where we saw this in practice, many of the functions felt isolated and unaware of what contribution they were supposed to make to the privacy program, and when; this caused a significant amount of confusion and an inability to plan.

The DPO Role

EU-GDPR requires all public authorities in the EU and many private organizations to appoint a Data Protection Officer. Private organizations that must appoint a DPO are those that process personal data in high volumes or consistently process highly sensitive data. The Article 29 Working Party states that companies should err on the side of caution.

We previously wrote a blog on the topic of the DPO and you can read more here.

6 elements to include in your Privacy Program Scope and Charter

  1. Business teams and their requirements

  2. Global and local laws, regulations and standards driving compliance

  3. Risk tolerance levels, cultural expectations and perspectives - values regarding privacy

  4. Types of personal information collected, stored and processed

  5. Regulatory changes that need to be observed (for example in USA, this would be state law changes)

  6. Privacy challenges

Now you have a Privacy Program Scope, next create a Privacy Strategy

A privacy strategy lays out your organization’s privacy program. The privacy strategy explains WHY privacy is important to your organization.

Generally this strategy crosses multiple functions in your company; therefore it is important to consider:

  1. Business alignment of goals

  2. Data governance of personal information

Often missed but CRITICAL: procedures for handling inquiries or complaints. ** We recommend you review our DSR App to help automate, track and simplify this process for you **

Now you have a Privacy Strategy, next create a Privacy Framework

A Privacy Framework is the structure that the privacy program will take. The framework provides a series of implementation road-maps that guide the privacy teams through privacy management. This framework also prompts and reminds them of all the details required for each privacy-relevant decision.

3 elements of a privacy framework are:

  1. Laws, legal policies, regulations and programs. Laws you need to be aware of are:

    • PIPEDA - Canadian Personal Information Protection and Electronic Documents Act.

    • APPs - Australian Privacy Principles

    • EU-GDPR - European General Data Protection Regulation

    • EU-U.S. Privacy Shield (a data transfer mechanism that replaced the Safe Harbor framework).

    • HIPAA - Health Insurance Portability and Accountability Act.

    • An example at the national level is CNIL, France’s data protection commission.

  2. Principles, standards and guidelines. Examples of principles and standards you need to know about are:

    • Fair Information Practice [FIPS] - these provide basic privacy principles that cross several modern frameworks such as EU-GDPR, e.g. rights of individuals, controls on information, information lifecycle and management.

    • The Organisation for Economic Co-operation and Development [OECD] guidelines on the protection of privacy and transborder flows of personal data.

    • The American Institute of Certified Public Accountants [AICPA] has a privacy task force that created the GAPP - Generally Accepted Privacy Principles.

    • The Canadian Standards Association [CSA].

    • The APEC Privacy Framework enables Asia-Pacific data transfers.

    • Finally, a topic we have covered previously in our blog: BINDING CORPORATE RULES.

  3. Privacy Program activities - program plans (and sub-plans and tasks). Examples of solutions you need to be aware of are:

    • Privacy By Design - ensures privacy protection at every stage of product development

    • The National Institute of Standards and Technology [NIST] - provides the concept of privacy in engineering and risk management in federal systems.

    • AICPA and CICA created WebTrust; once an accountant is certified, they can conduct privacy evaluations.

    • Natuvion has a set of processes and templates that span the 99 articles to help with rapid program management and implementation of compliance, both in your core SAP systems and through a transformation program to S/4HANA.

  4. Organization communication plan to ensure continuous alignment to laws and regulations

The benefits of a privacy framework are:

  1. Risk Reduction - Avoid or plan for the risk of data loss, and plan for an audit.

  2. Helps to sustain market value and reputation of your company

  3. Provides measurements/metrics for compliance to the law, regulation and standards.

How does your organization title its privacy leaders?

iAPP.org states that the title an organization uses to denote its privacy leaders may tell a lot about its approach to privacy. They state the five most popular terms are:

1) Privacy Officer

2) Chief of Privacy, or Chief Privacy Officer

3) Counsel

4) Security Director

5) Vice President of Privacy

So you have a privacy leader, where do they fit within your organization?

While iAPP states there is no standard organization structure for privacy across organizations, Natuvion’s GDPR or transformation projects have consistently worked with three business functions: a legal or DPPO team, a business analyst team and a technical (IT) team. The GDPR project itself was driven by Legal or a DPPO [Data Protection and Privacy Office], with each function running a sub-project for its related actions.

So you have a privacy leader, do you have a privacy vision?

A privacy mission statement or vision document has the goal of communicating your company’s privacy position to all stakeholders and is always used in company-wide education too.

Elements of a privacy vision

1) Value of privacy to the organization

2) Organizational objectives

3) Strategies to achieve intended outcomes

4) Roles and responsibilities - for example, only trained and authorized employees will have permission to work with personal data.

Natuvion Partners with SAP Hybris to put more focus on GDPR consent.

The demand for companies to give their customers complete control over their personal data has never been higher, especially with the new General Data Protection Regulation in place. Natuvion has now formed a partnership with SAP Hybris (formerly known as Gigya) to help businesses build trusted relationships with their customers by giving them full control of their personal data and preferences through their GDPR consent.

The New General Data Protection Regulation (GDPR) At A Glance

Compared to Directive 95/46/EC (the “Data Protection Directive”), which it replaces, the new General Data Protection Regulation seeks to extend the reach of EU data protection law. An EU-based data controller or processor falls into its scope where personal data is processed “in the context of its activities”, a broadly interpreted test.

Pseudonymization of GDPR sensitive personal data techniques enjoy benefits under GDPR!

If you pseudonymize the GDPR-sensitive personal data in your SAP production systems, it reduces the risk of GDPR fines and individual claims because, in the event of a data breach, it is much less likely that pseudonymous data will cause harm to the affected individuals.

HR | How does GDPR apply to company employees?

With GDPR, if a US company has employees or contractors in the EU, the employer needs to take notice of the ways in which it handles employee data protection, the purposes for which it processes employee data and the processes and procedures in place for the collecting,

What SAP applications help with Right of Access?

Art. 15 “Right of access by the data subject” - The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, if that is the case, access to the personal data plus other details. There are other examples too.

GDPR Implementation | How do we automatically identify all personal data in a SAP system landscape?

Sophia software provides discovery analytics that help with the first step of the GDPR compliance process by reporting on what personal data is in your landscape and where it is stored.

GDPR compliance requirements: Does an organization need explicit permission to store records of email addresses and phone numbers of customer contacts that are already in my CRM?

If you are using an SAP CRM system and its email marketing system with prospects and customers from the European Union, then the GDPR legislation is very important for you and your organization. You will need explicit permission to store records and email addresses of prospects and customers in order to follow GDPR compliance requirements. Pseudonymization can reduce the risk in these data protection processes.

Data Protection Marketing (Target Marketing)| GDPR Data Subject Rights

Data Protection Marketing (Target Marketing): The GDPR restricts “profiling” and sets significant GDPR data subject rights to avoid profiling-based decisions.

Advancements in technology have expedited methods for data controllers to gather, analyze, and process personal data for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions in data protection marketing such as target marketing or price differentiation. This is called "profiling."

Under Article 4(4), data processing may be characterized as “profiling” when it involves:

  • automated processing of personal data and
  • using that personal data to evaluate certain personal aspects relating to a natural person.

Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

“Profiling” requires some sort of outcome or action resulting from the data processing, and this is underscored by the GDPR data subject rights under which the data subject is informed about the “consequences” of profiling decisions.

Articles 13 and 15 cover the GDPR data subject rights and address the information to be provided to the data subject upon personal data collection and, upon the data subject's request, both require disclosure of “the existence of automated decision making including profiling” along with “the significance and the envisaged consequences of such processing for the data subject.”

When we analyzed Natuvion customers’ current processing times to meet these GDPR data subject rights requirements, producing such a report (in a useful format for a data subject) on this data, across heterogeneous landscapes, takes a minimum of two months, and sometimes much longer. GDPR requires a response in one month.

This is where the SAP Information Retrieval Framework helps. Schedule your one-day GDPR workshop so the Natuvion team can share how hundreds of other SAP customers use free SAP tools to meet these GDPR reporting requirements.

Inc. 5000: Natuvion Earns Spot as One of the Fastest Growing Companies in Europe

Natuvion is proud to have earned a spot in the Inc. 5000 list of the fastest growing companies in Europe.

What is the EU-US Privacy Shield 2.0? Is it relevant for USA companies?

This new Data Privacy Framework replaces the EU Safe Harbor program but does not embed protections against US law and policy on government surveillance. Although GDPR and Privacy Shield are now fully confirmed and enacted, transferring data across the Atlantic is still a challenging and complex legal procedure.

Preparing for the General Data Protection Regulation | Why should a company act now and not wait?


Preparing for the General Data Protection Regulation: A 'Wait and See' approach is going to be pricey for US organizations doing business with the EU.

GDPR | Are there GDPR solutions and templates for Article 30 (records of processing activities)?


What is a data processing inventory?

A data processing inventory reflects how the business processes data and starts with listing the processing activities and their purpose. Because a data processing inventory is aligned with how the business works, it is easy for the business to engage with it.

The GDPR creates an opportunity for organizations to limit their data inventory. Organizations need an inventory of their data processing operations, rather than a detailed inventory of all their data holdings.

What do Human Resources departments need to know about Data Protection Policy (GDPR) when using SAP HCM or SAP SuccessFactors systems?

The General Data Protection Regulation (GDPR) will be enforced from 25 May 2018, giving Human Resources (HR) departments just a few months to ensure that they have updated their processes for collecting and processing data about employees, former employees and job candidates.

Three important GDPR articles that HR needs to know now...