Personal Data

GDPR Data Protection Officer | Do organizations have to appoint a Data Protection Officer (DPO)?

A data protection officer (DPO) is the voice of data protection compliance within an organization. The DPO is expected to help the organization comply with its legal obligations and, under the GDPR, to manage the security of personal data.

Pseudonymization techniques for GDPR-sensitive personal data enjoy benefits under the GDPR!

Pseudonymizing the GDPR-sensitive data in your SAP production systems reduces the risk of GDPR fines and individual claims: in the event of a data breach, pseudonymous data is much less likely to cause harm to the affected individuals.

GDPR Implementation | How do we automatically identify all personal data in an SAP system landscape?

Sophia software provides discovery analytics that help with the first step of implementing the GDPR compliance process by reporting on what personal data is in your landscape and where it is stored.

Data Protection Marketing (Target Marketing) | GDPR Data Subject Rights

Data Protection Marketing (Target Marketing): The GDPR restricts “profiling” and sets significant GDPR data subject rights to avoid profiling-based decisions.

Advancements in technology have expedited methods for data controllers to gather, analyze, and process personal data for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions in data protection marketing such as target marketing or price differentiation. This is called "profiling."

Under Article 4(4), data processing may be characterized as “profiling” when it involves

  • automated processing of GDPR personal data and
  • using that personal data to evaluate certain personal aspects relating to a natural person.

Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

“Profiling” requires some sort of outcome or action resulting from the data processing, which is underscored by the GDPR data subject rights under which the data subject is informed about the “consequences” of profiling decisions.

Articles 13 and 15 cover the GDPR data subject rights and address the information to be provided to the data subject upon personal data collection and, upon the data subject's request, both require disclosure of “the existence of automated decision making including profiling” along with “the significance and the envisaged consequences of such processing for the data subject.”

When we analyzed Natuvion customers' current processing times for meeting these GDPR data subject rights requirements, producing such a report (in a format useful to a data subject) across heterogeneous landscapes takes a minimum of two months, and sometimes much longer. The GDPR requires a response within one month.

This is where the SAP Information Retrieval Framework helps. Schedule your one-day GDPR workshop so the Natuvion team can share how hundreds of other SAP customers use free SAP tools to meet these GDPR reporting requirements.

What is the EU-US Privacy Shield 2.0? Is it relevant for US companies?

This new Data Privacy Framework replaces the EU Safe Harbor program but does not embed protections against US law and policy on government surveillance. Although the GDPR and the Privacy Shield are now fully confirmed and enacted, transferring data across the Atlantic remains a challenging and complex legal procedure.

Preparing for the General Data Protection Regulation | Why should a company act now and not wait?

Preparing for the General Data Protection Regulation: A 'Wait and See' approach is going to be pricey for US organizations doing business with the EU.

GDPR | Are there GDPR solutions and templates for Article 30 (records of processing activities)?

What is a data processing inventory?

A data processing inventory reflects how the business processes data and starts with listing the processing activities and their purpose. Because a data processing inventory is aligned with how the business works, it is easy for the business to engage with it.

The GDPR creates an opportunity for organizations to limit their data inventory. Organizations need an inventory of their data processing operations rather than a detailed inventory of all their data holdings.

Is GDPR consent required for the use of anonymous data?

The GDPR sets very particular regulations on consent. With the new regulation coming in May 2018, companies need to be prepared for new GDPR consent mechanisms for their SAP test and QA systems. Anonymizing the data in these systems makes GDPR consent no longer mandatory. Natuvion's TDA tool offers a safe way to anonymize data so that it can be used safely and rightfully, expediting the path to full compliance without the risk of facing GDPR fines.

GDPR | What is SAP ILM and why is it important for data retention GDPR compliance? Why not use SAP GRC?

One of the most impactful rights defined by the GDPR is the blocking and deletion of personal data that is no longer required within the purpose defined for the processing. According to the data retention GDPR rule, personal data must be deleted after the primary purpose of the processing has ended.

GDPR Legal | What Is A Data Registry or a Records-Processing-Register?

What is a data registry?

In this workshop, Natuvion walks you not only through the requirements of creating a data registry for your company but in doing so also helps you find a way to comply with other GDPR articles. This includes an analysis of the different legal bases for processing and the grounds for deletion, among many others that build up the information needed for a data registry.

Is there a document available online which lists everything that is considered GDPR personal data?

In the General Data Protection Regulation, the personal data definition is formulated very generally. Below, we list some examples. However, given the breadth of the regulation, it is not easy to list all the types of data that are considered personal.

The GDPR applies to any kind of data concerning an identified or identifiable individual. Below we list some examples we see at our customers, but there are more:

  1. Personal employee data (name, address, date of birth, etc.)
  2. Information about customers, patients, clients (marketing databases, medical records, contact lists, any contact information)
  3. Data transferred to third parties (accounting books, credit registers, direct marketing)
  4. Non-public personal data of business partners and providers
  5. IP (Internet Protocol) addresses
  6. Cookie identifiers, or others such as Radio Frequency Identification (RFID) tags
  7. Camera records
  8. Iris scan
  9. User ID and passwords - access registration
  10. Smart meter data
  11. Biometric data
  12. Health data
  13. Membership of a labor organization