A data protection officer, DPO is the voice of data protection compliance within an organization. The DPO is still expected to be able to help organizations comply with their legal obligations and for GDPR manage the security of personal data.
If you pseudonymize the gdpr sensitive data in your SAP production systems it reduces the risk of GDPR fines and individual claims because in the event of a data breach, it is much less likely that pseudonymous data will cause harm to the affected individuals.
Sophia software provides discovery analytics that helps with the first step of implementing the GDPR compliance process by reporting on what personal data is in your landscape and where it is stored.
If you are using a SAP CRM system and its email marketing system with prospects and customers from the European Union, then the GDPR legislation is very important for you and your organization. You will need explicit permission to store records and email addresses of prospects and customers to follow GDPR compliance requirements. Pseudonymization can reduce the risk with these data protection processes.
Data Protection Marketing (Target Marketing): The GDPR restricts “profiling” and sets significant GDPR data subject rights to avoid profiling-based decisions.
Advancements in technology have expedited methods for data controllers to gather, analyze, and process personal data for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions in data protection marketing such as target marketing or price differentiation. This is called "profiling."
Under Article 4(4), data processing may be characterized as “profiling” when it involves
- automated processing of GDPR personal data and
- using that personal data to evaluate certain personal aspects relating to a natural person.
Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
"Profiling” requires some sort of an outcome or action resulting from the data processing, and is underscored by the GDPR data subject rights in which the data subject is informed about the “consequences” of profiling decisions.
Articles 13 and 15 cover the GDPR data subject rights and addresses the information to be provided to data subject upon personal data collection and--upon the GDPR data subject's request--both require disclosure of “the existence of automated decision making including profiling” along with “the significance and the envisaged consequences of such processing for the data subject.”
When we analyzed Natuvion customer’s current processing times to meet these GDPR requirements that cover GDPR data subject rights, to produce such report (in a useful format for a data subject) on this data, across heterogeneous landscapes, it takes a minimum of two months, and sometimes much longer. GDPR requires a response in one month.
This is where SAP Information Retrieval Framework helps. Schedule your one-day GDPR workshop so the Natuvion team can share how hundreds of other SAP customers use free SAP tools to meet these GDPR reporting requirements.
Preparing for the General Data Protection Regulation: A 'Wait and See' approach is going to be pricey for US organizations doing business with the EU.
What is a data processing inventory?
A data processing inventory reflects how the business processes data and starts with listing the processing activities and their purpose. A data processing inventory is aligned with how the business works, making it is easy for the business to engage.
The GDPR creates an opportunity for organizations to limit their data inventory. Organizations need an inventory of their data processing operations, instead of all their data holdings and detailed inventory.
The GDPR sets very particular regulations on consent. With the new regulation coming in May 2018, companies need to be prepared for new GDPR consent mechanisms for their SAP test and QA systems. Anonymizing data in these systems make GDPR consent no longer mandatory. Natuvion's TDA tool offers a safe way to anonymize data so that it can be safely and rightfully used while expediting the process to full compliance and without the risk of facing GDPR fines.
With the new regulations taking place in May, the GDPR requires a Data Protection impact assessment (DPIA). A data protection impact assessment helps identify the risks when handling personal data and provides a structured process for your company. This assessment increases the transparency and provides a structure for unknown processes that involve dealing with personal data that reduces the risk of non-compliance with GDPR.