<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2002698&amp;fmt=gif">

Whitaker-Taylor Insights

GDPR - Read Audit

Oct 2, 2020 2:21:00 PM / by Niels Fuit

In the digital world we live in, we like to have all data at our fingertips, but what data do we need in order to complete our work? What should we have access to? One of the seven key principles of GDPR is data minimization. This means that we should not store or collect more data about a user than what we need to run our business. The principle is designed to make sure companies limit what they store about a user. When you are creating your system, always ask yourself if you need the data that you want to store to run your operations. If the data is not needed to run your business operations, then it should not be stored.

The other question we should consider is who needs to able to access the data. Does a financial controller need to see the name of an employee or is a personnel number sufficient? This is handled via permission roles and groups in the system, but how can we check if an employee that has a certain level of access adheres to the compliancy regulations of your company? Since the release of H1 2020, a read audit report has been enabled by default in all preview and production systems that can assist in checking who accessed sensitive data.

There are a few notes to keep in mind:

  • Read audit reports can have an impact on performance within a system, so it is critical that your test environment is free of any real user data. This happens sometimes when a refresh or copy of a production to test occurs.
  • The Read audit reports only contain information that is considered sensitive by SAP. They will not include all personal data, no data that is stored in custom fields or data that is stored in country/region specific fields.
  • For SuccessFactors Onboarding, only documents that contain sensitive personal data will be included in read audit reports
Within SuccessFactors Onboarding, the following fields are considered sensitive:
  • Basic User Information
  • Ethnicity
  • Minority
  • SSN

Within SuccessFactors Employee Central, the following fields are considered sensitive:

  • Ethnic-group
  • Visible Minority
  • National ID

When creating a read audit report, you must first select the type of user.


  • For an employee or onboardee (Onboarding 2.0), choose Person Search
  • For an external candidate, choose External Candidate Search
  • For a new hire onboardee (Onboarding 1.0), choose onboardee search

When selecting Person Search there are two options: check if the data was accessed on a specific user or check whose data was access by a specific user.


gdpr2 When selecting Person Search there are two options: check if the data was accessed on a specific user or check whose data was access by a specific user.


Last selections are which modules you want to included and which time range. The max time range is 7 days. If a larger time frame needs to be selected, then multiple reports need to be created.

We will be hosting a live webinar to discuss GDPR in greater detail. Be sure to join us on Tuesday, October 13th beginning at 11am CEST. Please click here to register for the webinar. For any questions, please send us an email at info@whitakertaylor.com.


Topics: SuccessFactors, SAP, GDPR

Niels Fuit
Written by: Niels Fuit