Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
24 August 2013

Raising The Bar In Data Protection

windows10-data-protection-min-1The European Union is currently undertaking an overhaul of its Data Protection regime with the EU Directive (95/46/EC) being repealed in favor of the new General Data Protection Regulation (GDPR). With maximum fines for non-compliance of between 2% and 5% of Annual Worldwide Turnover being discussed, adherence to the new regulation is going to be important! 

In EU law there is an important distinction between a Directive and a Regulation – a Directive must be implemented by each member state, a Regulation becomes law in all member states upon implementation. As a consequence this new UK data protection legislation will become far more stringent than it has ever been.

The good news is that the new regulation will not be fully in force until 2017/18 so there is still time to prepare. One of the key changes is the concept of privacy by design. Similar to the idea of the least access principle, privacy by design requires that a company’s IT systems have been designed with data privacy compliance in mind. In practice this means that SAP customers will need to ensure their access controls support compliance with the regulation and that access to personal or sensitive data is justifiable and restricted to those who need it for legitimate purposes.

Whilst compliance with the new regulation will affect access controls in a number of SAP modules and there will be a number of industry specific risks, it will be SAP HCM and/or Success Factors customers who will certainly be affected. The initial draft of GDPR has proposed a series of mandatory icons which will need to be used to provide an overview of the status of an organisation’s compliance to the regulation. 

This will provide a requirement to justify the purposes for which the data is being held and processed. The requirement will have a number of implications with regards to the collection and retention of customer and supplier data and will also affect data held on employees in an HCM context.

Data retention is an area where many SAP implementations are going to need to tighten up in order to achieve GDPR compliance. For example, holding the full HCM record of an employee after he/she has left the organisation could be considered a breach given that the company will have no justifiable reason to retain details such as dependents or next of kin.

This requirement has some interesting implications for predictive analytics and other Big Data applications. Was data collected by the organisation for these purposes and can this be considered a reasonable extension of the data usage?

Whilst organisations may not intend to disseminate, sell or rent the personal data, they hold an obligation to ensure their employees do not is also implied by this requirement. Therefore, access controls and the ability to restrict data downloads will become increasingly important.

Insisting on the encryption of an entire SAP database is likely to be met with significant resistance from the BASIS team for a number of reasons, not least of which is performance. HANA databases have been built with encryption capabilities as standard but for those SAP customers without the luxury of a HANA landscape, compliance to this obligation will be a significant challenge.

Interestingly GDPR compliance will apply a test that will look familiar to those of us with an audit background:

  1. it must be designed so the controller is compliant if it is followed; and
  2. it must allow it to demonstrate such compliance to SAs and to data subjects

This is basically the test of design and operational effectiveness applied to controls during an audit. Roles and authorisations clearly play an important part in the implementation of a GDPR compliant solution but other tools will also be useful:

GRC Process Controls

Tools such as SAP GRC Process Controls will be very useful in the implementation of a GDPR compliance programme:

  • Documentation of the organisation’s GDPR compliance procedures
  • Assignment of control ownership and operation of these controls using PC workflows
  • Documenting and issuing Data Protection policies and amendments using the Policy Management component
  • Issue management and remediation
  • Demonstration of GDPR related compliance activities
  • GDPR compliance sign-off

 Read access logging

The new Read Access Logging functionality inherent in SAP Netweaver will be extremely useful in the implementation of monitoring controls. Allowing access to sensitive data to be monitored at a more detailed level will provide an alternative where an access controls solution would be too restrictive.