Is your company ready for the General Data Protection Regulation (GDPR)? What exactly is the GDPR, and how is SAP SuccessFactors making sure that it is compliant?
The General Data Protection Regulation is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The GDPR replaces the Data Protection Directive of 1995. It gives individuals control and protection of their Personal Data. Data controllers, who determine the purpose and means of processing personal data, and processors, who process for controllers, are affected. Organizations that offer goods or services to, or monitor the behavior of, EU data subjects and those that process or hold the Personal Data of EU residents are subject to this regulation. Organizations that are not compliant when the regulation becomes effective on May 25, 2018 can expect big penalties.
GDPR has the following components:
GDPR is all about the protection of Personal Data. The GDPR explicitly defines what it means by the term Personal Data – any data that identifies or can be used to identify an individual – and brings the definition of Personal Data up-to-date with technology advances to now include IP address, location data, biometric data, and even more.
Lawful Processing of Personal Data
Organizations must have a lawful reason for processing Personal Data and must be able to demonstrate it. Personal Data must be kept accurate and stored only as long as needed. Consent is one of several possible grounds for lawful processing. Consent must be explicitly obtained for each purpose for which the data is to be used; consent given to use Personal Data for one purpose does not imply consent for any other purpose.
Individuals are given increased rights to ensure that their data is being processed lawfully. Key rights called out in the legislation include:
- The right to be forgotten – individuals can request deletion of personal data (including backups, archives, and that shared with third parties).
- Restriction of processing – If Personal Data are ‘restricted,’ then the controller may only store the data. It may not further process the data unless certain conditions are met. In more general terms, restriction of processing refers to the practice of limiting access to and processing of Personal Data wherever possible.
- Access to information – individuals can request their Personal Data in machine-readable form and/or have it sent to another company. Businesses generally cannot charge fees and must respond within one month.
The GDPR aims to improve accountability of those processing Personal Data and increase transparency of the data being processed. It involves establishing a comprehensive framework, set of principles and organization for the protection of data. Organizations must produce and maintain evidence of compliance-supporting actions, build data protection into product design and development, and in some cases, appoint a Data Protection Officer (DPO).
Demonstration of Compliance
Compliance and accountability are integral to a data protection program. Documentation of specific policies and procedures (including codes of conduct relating to data protection) can be used to prove not only that they are in place, but also that they have been distributed to and understood by employees and others.
Data Breach Notification
This obligation arises when something goes wrong – when the internal organizational measures have not prevented a data breach, or processing of Personal Data has been found to fall outside its lawful purpose. In the event of a data breach, the supervisory authority must be notified within 72 hours of becoming aware of the situation. Individuals who are impacted must be informed without undue delay.
SAP is clearly committed to ensuring its compliance by May 25, 2018. SAP presented its view, and the actions it will take to be compliant, at the SuccessConnect event in June in London.
SAP SuccessFactors GDPR features
SAP will make several GDPR features generally available in the 1802 release of SAP SuccessFactors, which is the Q1 2018 release. Two features, however, will already be available in the 1711 release (Q4 2017), but only in the preview systems. SAP wants to collect customer feedback on these two features before making them generally available in the Q1 2018 release.
- Change Logging
- Read Access Logging – logging and reporting of any view of Sensitive Personal Data (union membership, sexual orientation, etc.), so that it is possible to see who has accessed a person's Personal Data.
- Data Subject Information Reporting – customers can report on the data stored for a user in SAP SuccessFactors.
- Data Purge – data retention configuration and support for permanent data purge. With this feature, customers will be able to permanently delete any Personal Data in response to a request, once the legally required retention time for the information has passed.
- Data Blocking – prevents Personal Data from being processed, changed, or purged until further notice. Access to historical data (for example, past performance reports) can be limited.
Consent management has been available for years in Recruiting Management. Both internal and external candidates can be required to accept a Data Privacy consent statement before submitting an application. These Data Privacy consent statements can be defined per country and candidate type, with version control and auditing of whether candidates accept or decline the statement. SAP SuccessFactors is considering enhancing consent management to allow for more granular consent, as well as consent for active employees.
The two features that SAP will release in the preview environments are Data Subject Information Reporting and Data Purge.
Some configuration steps are necessary to use these features properly. Please be on the lookout for our next article, where we provide more detail on this.
In case you would like to know more about SAP SuccessFactors and GDPR, as well as learn about our experience with other clients, please reach out to us at firstname.lastname@example.org.