A data protection officer (DPO) is the voice of data protection compliance within an organization. The DPO is expected to help the organization meet its legal obligations and, under the GDPR, to oversee the security of personal data. The scope of a privacy program is set by:
- Business teams and their requirements
- Global and local laws, regulations and standards driving compliance
- Risk tolerance levels, cultural expectations and perspectives, including values regarding privacy
- Types of personal information collected, stored and processed
- Regulatory changes that need to be tracked (for example, in the USA this would be state law changes)
Once you have a Privacy Program Scope, the next step is a Privacy Strategy.
A privacy strategy lays out your organization's privacy program and explains WHY privacy is important to your organization.
Because this strategy usually crosses multiple functions in your company, it is important to consider:
- Business alignment of goals
- Data governance of personal information
- Often missed but CRITICAL: procedures for handling inquiries or complaints. ** We recommend you review our DSR App to help automate, track and simplify this process for you **
Once you have a Privacy Strategy, the next step is a Privacy Framework.
A Privacy Framework is the structure that the privacy program takes. It provides a series of implementation road-maps that guide the privacy teams through privacy management, and it prompts and reminds them of all the details required for each privacy-relevant decision.
The three elements of a privacy framework are:
Laws, legal policies, regulations and programs. Laws you need to be aware of are:
- PIPEDA - Canada's Personal Information Protection and Electronic Documents Act.
- APPs - the Australian Privacy Principles.
- EU GDPR - the European Union's General Data Protection Regulation.
- EU-U.S. Privacy Shield - a data transfer mechanism that replaced the Safe Harbor framework (Privacy Shield was itself invalidated by the Court of Justice of the EU in the Schrems II judgment of July 2020, so check the current status of any transfer mechanism before relying on it).
- HIPAA - the U.S. Health Insurance Portability and Accountability Act.
An example of a national supervisory authority that enforces these laws locally is the CNIL, France's data protection commission.
Principles, standards and guidelines. Examples of principles and standards you need to know about are:
- Fair Information Practices (FIPs) - basic privacy principles that underlie several modern frameworks such as the EU GDPR, e.g. rights of individuals, controls on information, and information lifecycle and management.
- The Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
- The American Institute of Certified Public Accountants (AICPA) has a privacy task force and created GAPP, the Generally Accepted Privacy Principles.
- The Canadian Standards Association (CSA) Model Code for the Protection of Personal Information, which PIPEDA incorporates.
- The APEC Privacy Framework, which enables Asia-Pacific data transfers.
- Finally, a topic we have covered previously in our blog: BINDING CORPORATE RULES.
Privacy program activities - program plans (and sub-plans and tasks). Examples of solutions you need to be aware of are:
- Privacy by Design - builds privacy protection into every stage of product development instead of adding it at the end.
- The National Institute of Standards and Technology (NIST) - provides the concepts of privacy engineering and privacy risk management for federal systems.
- AICPA and CICA created WebTrust; once an accountant is certified they can conduct privacy evaluations.
- Natuvion has a set of processes and templates that span the GDPR's 99 articles to help with rapid program management and implementation of compliance, both in your core SAP systems and through a transformation program to S/4HANA.
- An organizational communication plan to ensure continuous alignment with laws and regulations.
The benefits of a privacy framework are:
- Risk reduction - avoid or plan for the risk of data loss, and be ready for an audit.
- Helps to sustain the market value and reputation of your company.
- Provides measurements and metrics for compliance with laws, regulations and standards.
With the GDPR, if a US company has employees or contractors in the EU, the employer needs to take notice of the ways in which it processes employee data, the purposes for which it processes that data, and the processes and procedures in place for the collecting,
Art. 15 "Right of access by the data subject" - the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, if so, access to that personal data together with other details (the purposes, the categories of data, the recipients, the retention period, the source of the data and the existence of any automated decision-making). There are other examples too.
Sophia software provides discovery analytics that helps with the first step of implementing the GDPR compliance process by reporting on what personal data is in your landscape and where it is stored.
If you are using an SAP CRM system and its email marketing functions with prospects and customers from the European Union, then the GDPR is very important for you and your organization. You will need a lawful basis to store and use prospects' and customers' records and email addresses; for email marketing to prospects that means, in practice, their freely given, specific, informed and unambiguous consent, recorded so that you can prove it. Pseudonymization can reduce the risk in these data protection processes, but pseudonymized data is still personal data and remains in scope.
Data protection in marketing (target marketing): the GDPR restricts "profiling" and gives data subjects significant rights against decisions based solely on profiling.
Advances in technology have made it easy for data controllers to gather, analyze and process personal data for a variety of purposes, including drawing conclusions about data subjects and potentially acting on those conclusions, for example in target marketing or price differentiation. This is called "profiling."
Under Article 4(4), data processing is "profiling" when it involves
- automated processing of personal data, and
- use of that personal data to evaluate certain personal aspects relating to a natural person.
The article's own examples are analyzing or predicting "aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."
Profiling therefore implies an outcome of the processing: an evaluation of, or prediction about, the person. Article 22 then separately restricts decisions based solely on such automated processing that produce legal or similarly significant effects for the data subject, which is why the data subject rights require the individual to be told about the "consequences" of profiling.
Articles 13 and 15 cover the information to be provided to the data subject when personal data is collected and, on request, the data subject's right of access. Both require disclosure of "the existence of automated decision-making, including profiling" along with "the significance and the envisaged consequences of such processing for the data subject."
When we analyzed Natuvion customers' current processing times for these data subject rights, producing such a report (in a format useful to a data subject) across heterogeneous landscapes took a minimum of two months, and sometimes much longer. The GDPR requires a response within one month (Article 12(3); the period can be extended by two further months for complex or numerous requests, but only if the data subject is told of the extension within the first month).
This is where the SAP Information Retrieval Framework helps. Schedule your one-day GDPR workshop so the Natuvion team can share how hundreds of other SAP customers use free SAP tools to meet these GDPR reporting requirements.
Preparing for the General Data Protection Regulation: A 'Wait and See' approach is going to be pricey for US organizations doing business with the EU.
What do Human Resources departments need to know about the GDPR when using SAP HCM or SAP SuccessFactors?
The General Data Protection Regulation (GDPR) applies from 25 May 2018, giving Human Resources (HR) departments just a few months to update their processes for collecting and processing data about employees, former employees and job candidates.
Three important GDPR articles that HR needs to know now....
The GDPR sets very particular rules on consent, and consent is only one of the lawful bases for processing: under Article 6 you need a lawful basis for every copy of personal data you hold, which includes the production data routinely copied into SAP test and QA systems. Properly anonymized data, however, is no longer personal data (Recital 26) and falls outside the GDPR altogether, so no consent or other basis is needed for it. Note the distinction: pseudonymized data, where the original can still be recovered with a key or lookup table, remains personal data and stays in scope. Natuvion's TDA tool offers a safe way to anonymize data so that it can be used in these systems while you work toward full compliance and without the risk of GDPR fines.
What is a data registry?
In this workshop, Natuvion walks you through the requirements for creating a data registry (the Article 30 record of processing activities) for your company and, in doing so, helps you comply with other GDPR articles as well. This includes an analysis of the different lawful bases for processing and the grounds for deletion, among many other items that build up the information needed for a data registry.
Cross-border data transfers.
The GDPR allows data transfers to countries whose legal regime the European Commission has deemed to provide an "adequate" level of personal data protection. In the absence of an adequacy decision, transfers to non-EU states are still allowed under certain conditions, such as standard contractual clauses or binding corporate rules (BCRs).
The GDPR changes prospect and customer engagement rules.
The conditions for obtaining prospect consent are stricter under the GDPR: consent must be freely given, specific, informed and unambiguous, and the individual must be able to withdraw it at any time, as easily as it was given. There is also a presumption that consent is not valid unless separate consents are obtained for different processing activities (Recital 43).
- Newsletters | You have to be able to prove that the individual agreed to a specific action, such as receiving a newsletter. Consent cannot be assumed or buried in a disclaimer, pre-ticked boxes are invalid, and merely offering an opt-out is not enough.
- Marketing and sales activities | Companies will have to review business processes, applications and forms. The GDPR text does not mandate double opt-in, but it is the established way to evidence consent for email marketing: to sign up, prospects fill out a form or tick a box and then confirm it was their own action by clicking a link in a follow-up email.
- Audit trails | Organizations must be able to prove that consent was given when an individual objects to receiving communications. Any consent held must therefore carry a time-stamped audit trail recording what the contact opted into and how. It must also be possible to permanently delete a contact's data from your CRM systems.
- Purchased marketing lists | The company using the list is responsible for ensuring proper consent was obtained, even if a vendor or outsourced partner gathered the data.
- Trade shows | Sales people meet potential customers at a trade show, exchange business cards, and add the contacts to the company's mailing list when they get back to the office. From 2018 this is no longer enough on its own: the prospect's agreement to be contacted, and for what purpose, has to be captured and recorded at the time, so companies will have to look at new ways of collecting trade show prospect information.
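To make the consent mechanics above concrete, here is an added worked example (not code from this page, nor from any SAP or Natuvion product): a small consent ledger that implements double opt-in with single-use, expiring confirmation tokens, keeps one time-stamped audit trail per purpose, treats a sign-up that was never confirmed as no consent, supports withdrawal at any time, and can permanently erase a contact. The class and purpose names, the 48-hour confirmation window, the FakeClock helper and the sample addresses are assumptions.

```python
"""Double opt-in consent ledger with a time-stamped audit trail.

Added illustration; not code from the page or from any SAP/Natuvion product.
Class names, purposes, the 48-hour window and sample addresses are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CONFIRM_WINDOW = timedelta(hours=48)  # assumption: how long a confirmation link stays valid


@dataclass(frozen=True)
class ConsentEvent:
    when: datetime    # UTC timestamp: the audit trail must be time stamped
    contact: str      # e-mail address of the data subject
    purpose: str      # one event stream per purpose, so consents stay separate
    action: str       # "requested", "confirmed" or "withdrawn"
    source: str       # how it was captured: web form, trade-show badge scan, list vendor
    detail: str = ""


class ConsentLedger:
    """Append-only consent record supporting double opt-in, withdrawal and erasure."""

    def __init__(self, clock=None):
        self.events: list[ConsentEvent] = []
        # Pending confirmations keyed by SHA-256 of the token, so a dump of this
        # table does not yield working confirmation links.
        self._pending: dict[str, tuple[str, str, str, datetime]] = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def request(self, contact: str, purpose: str, source: str) -> str:
        """Step 1 of double opt-in: log the sign-up and issue a one-time token.
        A sign-up alone never counts as consent (see has_consent)."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._pending[_digest(token)] = (contact, purpose, source, now)
        self.events.append(ConsentEvent(now, contact, purpose, "requested", source))
        return token

    def confirm(self, token: str, contact: str, purpose: str) -> bool:
        """Step 2: the subject clicks the e-mailed link. The token is single use,
        bound to the contact and purpose it was issued for, and expires."""
        entry = self._pending.pop(_digest(token), None)  # pop: any attempt burns it
        if entry is None:
            return False
        issued_to, issued_for, source, issued_at = entry
        now = self._clock()
        if (issued_to, issued_for) != (contact, purpose) or now - issued_at > CONFIRM_WINDOW:
            return False
        self.events.append(ConsentEvent(now, contact, purpose, "confirmed", source,
                                        "double opt-in link clicked"))
        return True

    def withdraw(self, contact: str, purpose: str, source: str = "preference centre") -> None:
        """Withdrawal must be possible at any time; it is logged as an event, not a flag flip."""
        self.events.append(ConsentEvent(self._clock(), contact, purpose, "withdrawn", source))

    def has_consent(self, contact: str, purpose: str) -> bool:
        """Consent is in force only if the latest event for this purpose is a confirmation."""
        trail = [e for e in self.events if e.contact == contact and e.purpose == purpose]
        return bool(trail) and trail[-1].action == "confirmed"

    def evidence(self, contact: str, purpose: str) -> list[dict]:
        """What you produce when the individual objects: what they opted into, how and when."""
        return [{"when": e.when.isoformat(), "action": e.action,
                 "source": e.source, "detail": e.detail}
                for e in self.events if e.contact == contact and e.purpose == purpose]

    def erase(self, contact: str) -> int:
        """Permanent deletion of everything held about a contact, including unused tokens."""
        before = len(self.events)
        self.events = [e for e in self.events if e.contact != contact]
        self._pending = {k: v for k, v in self._pending.items() if v[0] != contact}
        return before - len(self.events)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class FakeClock:
    """Controllable clock for tests and demos (an assumption, not production code)."""

    def __init__(self, start=None):
        self.now = start or datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, hours: float) -> None:
        self.now += timedelta(hours=hours)


if __name__ == "__main__":
    clock = FakeClock()
    ledger = ConsentLedger(clock)
    token = ledger.request("alice@example.org", "newsletter", "web form")
    print("after sign-up:", ledger.has_consent("alice@example.org", "newsletter"))  # False
    print("confirm:", ledger.confirm(token, "alice@example.org", "newsletter"))      # True
    print("replay:", ledger.confirm(token, "alice@example.org", "newsletter"))       # False
    ledger.withdraw("alice@example.org", "newsletter")
    for row in ledger.evidence("alice@example.org", "newsletter"):
        print(row)
```

Two design points matter in practice: has_consent reads the latest event rather than a mutable flag, so a withdrawal can never be overwritten and the evidence shown to an objecting individual is the same record the system acts on; and the pending table stores only a hash of each token, so a leaked database does not hand out usable confirmation links.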
The General Data Protection Regulation defines personal data very broadly: any information relating to an identified or identifiable natural person. Given that breadth it is not practical to list every type of data that counts as personal, but below are examples we see at our customers; there are more:
- Personal employee data (name, address, date of birth, etc.)
- Information about customers, patients and clients (marketing databases, medical records, contact lists, any contact information)
- Data transferred to third parties (accounting books, credit registers, direct marketing)
- Non-public personal data of business partners and suppliers
- IP (Internet Protocol) addresses
- Cookie identifiers and other online identifiers, such as Radio Frequency Identification (RFID) tags
- Camera recordings
- Iris scans
- User IDs and passwords (access credentials)
- Smart meter data
- Biometric data
- Health data
- Trade union membership (like biometric and health data, a special category under Article 9)
The best way to reduce your risk is to anonymize the data in secondary systems (test, QA, training and analytics copies). Truly anonymized data is no longer personal data, so no consent or other lawful basis is needed for it and, provided you can show that re-identification is not reasonably likely, those systems drop out of GDPR compliance processing while still providing data for analysis or testing. Pseudonymization, which replaces identifiers with tokens that can be reversed with a key or lookup table, is a useful risk reduction measure but does not achieve this: pseudonymized data remains personal data.
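The distinction between pseudonymized and anonymized copies is easiest to see in code. The following added example (not from this page, and not the Natuvion TDA tool or any SAP product) pseudonymizes a constructed HR extract with keyed HMAC tokens and shows that the key holder can still re-identify the rows, then anonymizes the same extract by generalizing the quasi-identifiers and suppressing any combination that fewer than k people share, with a k-anonymity check to run before you treat the copy as out of scope. The sample records, field names, generalization rules and the k threshold are assumptions.

```python
"""Pseudonymization versus anonymization of a test-system extract.

Added illustration; not code from the page, the Natuvion TDA tool or any SAP product.
Sample records, field names, generalization rules and the k threshold are assumptions.
"""
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample: an HR extract of the kind copied from production into a test system.
EMPLOYEES = [
    {"id": 1001, "name": "Anna Lindqvist", "email": "anna.lindqvist@example.com",
     "dob": date(1984, 3, 12), "postcode": "10115", "dept": "Finance", "salary": 61000},
    {"id": 1002, "name": "Ben Okafor", "email": "ben.okafor@example.com",
     "dob": date(1981, 11, 2), "postcode": "10117", "dept": "Finance", "salary": 64500},
    {"id": 1003, "name": "Chloe Martin", "email": "chloe.martin@example.com",
     "dob": date(1990, 7, 30), "postcode": "20095", "dept": "Sales", "salary": 48000},
    {"id": 1004, "name": "Dmitri Volkov", "email": "dmitri.volkov@example.com",
     "dob": date(1992, 1, 15), "postcode": "20099", "dept": "Sales", "salary": 45200},
    {"id": 1005, "name": "Eva Brandt", "email": "eva.brandt@example.com",
     "dob": date(1958, 9, 9), "postcode": "80331", "dept": "Board", "salary": 210000},
]
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("age_band", "postcode", "dept")  # combinations that can single someone out


def _token(key: bytes, value: str) -> str:
    """Keyed HMAC: unlike a plain hash, tokens cannot be brute-forced from a name list without the key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list[dict], key: bytes) -> list[dict]:
    """Replace direct identifiers with consistent keyed tokens. The same input always maps
    to the same token, so test data still joins across tables; but whoever holds `key`
    can re-identify people, so the result is still personal data (GDPR Recital 26)."""
    out = []
    for r in records:
        p = dict(r)
        for field in DIRECT_IDENTIFIERS:
            p[field] = _token(key, r[field])
        out.append(p)
    return out


def reidentify(token: str, candidate_emails: list[str], key: bytes):
    """What the key holder (or anyone who obtains the key) can do: recompute tokens for
    known addresses and match. Returns the matching address or None."""
    for email in candidate_emails:
        if hmac.compare_digest(_token(key, email), token):
            return email
    return None


def _age_band(dob: date, today: date) -> str:
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def _qi(record: dict) -> tuple:
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def anonymize(records: list[dict], k: int = 2, today: date = date(2018, 5, 25)) -> list[dict]:
    """Irreversible: drop direct identifiers and the record key, generalize the
    quasi-identifiers, then suppress any combination shared by fewer than k people."""
    generalized = []
    for r in records:
        generalized.append({
            "age_band": _age_band(r["dob"], today),     # exact birth date -> decade band
            "postcode": r["postcode"][:2] + "***",       # full code -> region prefix
            "dept": r["dept"],
            "salary": (r["salary"] // 10000) * 10000,    # exact salary -> 10k bucket
        })
    groups = Counter(_qi(g) for g in generalized)
    return [g for g in generalized if groups[_qi(g)] >= k]


def is_k_anonymous(records: list[dict], k: int = 2) -> bool:
    """Check to run before declaring a test copy out of GDPR scope: every
    quasi-identifier combination must occur at least k times."""
    groups = Counter(_qi(r) for r in records)
    return bool(groups) and min(groups.values()) >= k


if __name__ == "__main__":
    key = b"production-only-key"  # assumption: kept in production, never shipped to test
    pseudo = pseudonymize(EMPLOYEES, key)
    emails = [r["email"] for r in EMPLOYEES]
    print("pseudonymized:", pseudo[0]["email"], "-> key holder recovers:",
          reidentify(pseudo[0]["email"], emails, key))
    anon = anonymize(EMPLOYEES, k=2)
    print("anonymized rows kept:", len(anon), "k-anonymous:", is_k_anonymous(anon, 2))
```

With k=2 the single board member is suppressed because her age band, postcode prefix and department together identify her even without a name; that row is exactly the kind of record that makes a "scrubbed" test copy still personal data.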