The demand for companies to give their customers complete control over their personal data has never been higher especially with the new General Data Protection Regulations in place. Natuvion has now formed a partnership with SAP Hybris (formerly known as Gigya) to help businesses build trusted relationships with their customers by giving them full control of their personal data and preferences through their GDPR consent.
As compared to Directive 95/46/EC (the “Data Protection Directive”) which it replaces, the new General Data Protection Regulation seeks to extend the reach of EU data protection law. − An EU based data controller and processor falls into its scope where GDPR personal data is processed “in the context of its activities” - a broadly interpreted test.
If you pseudonymize the gdpr sensitive data in your SAP production systems it reduces the risk of GDPR fines and individual claims because in the event of a data breach, it is much less likely that pseudonymous data will cause harm to the affected individuals.
With GDPR, if a US company has employees or contractors in the EU, employers need to take notice of the ways in which they process employee data protection, the purposes for which they process employee data and the processes and procedures in place for the collecting,
Art. 15 “Right of access by the data subject” - The data subject shall have the right to obtain from the controller confirmation as to whether or not gdpr personal data concerning him or her are being processed, and, if that is the case, access to the gdpr personal data plus other details. There are other examples too.
Sophia software provides discovery analytics that helps with the first step of implementing the GDPR compliance process by reporting on what personal data is in your landscape and where it is stored.
If you are using a SAP CRM system and its email marketing system with prospects and customers from the European Union, then the GDPR legislation is very important for you and your organization. You will need explicit permission to store records and email addresses of prospects and customers to follow GDPR compliance requirements. Pseudonymization can reduce the risk with these data protection processes.
Data Protection Marketing (Target Marketing): The GDPR restricts “profiling” and sets significant GDPR data subject rights to avoid profiling-based decisions.
Advancements in technology have expedited methods for data controllers to gather, analyze, and process personal data for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions in data protection marketing such as target marketing or price differentiation. This is called "profiling."
Under Article 4(4), data processing may be characterized as “profiling” when it involves
- automated processing of GDPR personal data and
- using that personal data to evaluate certain personal aspects relating to a natural person.
Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
"Profiling” requires some sort of an outcome or action resulting from the data processing, and is underscored by the GDPR data subject rights in which the data subject is informed about the “consequences” of profiling decisions.
Articles 13 and 15 cover the GDPR data subject rights and addresses the information to be provided to data subject upon personal data collection and--upon the GDPR data subject's request--both require disclosure of “the existence of automated decision making including profiling” along with “the significance and the envisaged consequences of such processing for the data subject.”
When we analyzed Natuvion customer’s current processing times to meet these GDPR requirements that cover GDPR data subject rights, to produce such report (in a useful format for a data subject) on this data, across heterogeneous landscapes, it takes a minimum of two months, and sometimes much longer. GDPR requires a response in one month.
This is where SAP Information Retrieval Framework helps. Schedule your one-day GDPR workshop so the Natuvion team can share how hundreds of other SAP customers use free SAP tools to meet these GDPR reporting requirements.
Natuvion is proud to have earned a spot in Inc. 5000's fastest growing companies in Europe.
This new Data Privacy Framework replaces the EU Safe Harbor program but did not however embed protections against US law and policy on government surveillance. However, the GDPR and Privacy Shield and are now fully confirmed and enacted, transferring data across the Atlantic is still a challenging and complex legal procedure.
Preparing for the General Data Protection Regulation: A 'Wait and See' approach is going to be pricey for US organizations doing business with the EU.
What is a data processing inventory?
A data processing inventory reflects how the business processes data and starts with listing the processing activities and their purpose. A data processing inventory is aligned with how the business works, making it is easy for the business to engage.
The GDPR creates an opportunity for organizations to limit their data inventory. Organizations need an inventory of their data processing operations, instead of all their data holdings and detailed inventory.
What do Human Resources departments need to know about Data Protection Policy (GDPR) when using SAP HCM or SAP SuccessFactor systems?
The General Data Protection Regulation (GDPR) will be enforced from 25 May 2018, giving Human Resources (HR) departments just a few months to ensure that they have updated their processes for collecting and processing data about employees, former employees and job candidates.
Three important GDPR articles that HR needs to know now....
The GDPR sets very particular regulations on consent. With the new regulation coming in May 2018, companies need to be prepared for new GDPR consent mechanisms for their SAP test and QA systems. Anonymizing data in these systems make GDPR consent no longer mandatory. Natuvion's TDA tool offers a safe way to anonymize data so that it can be safely and rightfully used while expediting the process to full compliance and without the risk of facing GDPR fines.
With the new regulations taking place in May, the GDPR requires a Data Protection impact assessment (DPIA). A data protection impact assessment helps identify the risks when handling personal data and provides a structured process for your company. This assessment increases the transparency and provides a structure for unknown processes that involve dealing with personal data that reduces the risk of non-compliance with GDPR.
One of the most impactful rights defined by the GDPR is the blocking and deletion of personal data that is no longer required within the purpose defined for the processing. According to the data retention GDPR rule, personal data must be deleted after the primary purpose of the processing has ended.
What is a data registry?
In this workshop, Natuvion walks you not only through the requirements of creating a data registry for your company but in doing so also helps you find a way to comply with other GDPR articles. This includes an analyzation of the different basis of processing and grounds for deletion including many others that build the necessary information needed for a data registry.
Cross-border data transfers.
The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. In the absence of an adequacy decision, however, transfers are also allowed outside non-EU states under certain circumstances, such as by use of standard contractual clauses or binding corporate rules GDPR (BCRs).
"Test-Data-Anonymization and Production-System-Pseudonymization Engine."
Article 25 of the General Data Protection Regulation (GDPR) communicates requirements for data-privacy-by-design and data-privacy by-default and Article 32 GDPR requires Data Controllers and Data Processors to implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data.. GDPR created incentives for “pseudonymization” and "anonymization" of personal data to meet these requirement... the only GDPR certified technology available is...
Where do we find an experienced Data Protection Lawyer for GDPR?
For all GDPR work, our preferred lawyer is Benjamin Spies. Benjamin is an IT Lawyer and a partner, at SKW Schwarz.
Benjamin advises national and international companies mainly in the IT sector with the focus on data protection (GDPR), e-commerce, domain law, telecommunications and telemedia law.
The reasons we work with Benjamin are;
- Benjamin is located in Germany, however he is very familiar with the US, he graduated from a US high school and used to work for the award winning US law firm WilmerHale, he is also member of TerraLex and other large law firm networks with a US focus.
- Benjamin was the co-author on one of the first legal commentaries for the Federal German Data Protection Act.
- Benjamin has more than 10 years experience in IT law with a focus on Data Privacy & Security.
- A small sample of his clients are: Netflix, Expedia, Bosch, Addidas, Diamler , MediaSaturn Europes largest IT retailer.