Is your SAP HR/Payroll system ready for GDPR? - A 'How to' Guide to GDPR Compliance
In only a few short weeks (May 25th 2018), the new EU General Data Protection Regulation (GDPR) act comes into effect. It imposes strict requirements on the way all businesses collect, store and manage personal data.
Some companies have started on their GDPR journey, others are still at the “rabbits in the headlights” stage – they know that they should be doing something, but they just aren’t sure what.
In this blog, I suggest ways in which companies can use some already available standard SAP tools to address key requirements of GDPR – specifically in the HR & Payroll modules of SAP.
It is not SAP’s responsibility to ensure GDPR compliance it is the responsibility of the organisation - but SAP does provide tools which can assist greatly in GDPR compliance.
General Data Protection Regulation (GDPR) and HR/Payroll System Data
Before getting into this blog, we should remind ourselves of the definition of personal data under GDPR: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If you consider the definition above and reflect on the data you hold in your SAP HR/Payroll system then the association is clear – for companies that run SAP HR/Payroll then this should be their immediate and number one focus in regard to GDPR compliance.
Below I have identified five of the key requirements that you should look at when reviewing GDPR compliance in your SAP HR/Payroll system:
- Scope. Where is this personal data held?
- Secure. What can I do to secure that data?
- Scramble. Should I scramble/mask personal data in non-Production environments?
- Retain/Delete. What do I need to do to increasingly restrict access to personal data and finally to actually delete data from my HR/Payroll system?
- Audit. What can I do to keep on top of my GDPR compliance status?
Let’s examine each in turn to review what we can do using SAP delivered tools to address each requirement.
Before sallying forth into “doing stuff” mode, I would recommend taking a step back to consider the scope of the effort – and particularly where that personal data might be held.
The standard HR infotypes such as 0002 - Personal Data, 0006 - Addresses, 0008 - Basic Pay, 0009 - Bank Details and so forth come to mind quite readily. What might be less obvious, but is equally important, is to extend your view to consider where else that data might be lurking. For example:
- reports downloaded to C drives/shared directories? Many reports will be downloaded in the first instance to the SAP application server directory.
- in payroll results postings to finance?
- If you have expenses you may have the employee master data replicated as vendors.
- BACS file information, is the BACs information stored in the DME? Do you know information will still be present in tables REGUH, REGUP for example?
If you are going to address GDPR, then get your scope set out from the beginning – standard infotypes, custom infotypes , extraneous data sources – and don’t forget data warehouses.
The SAP authorisation controls in mature SAP HR/Payroll systems may have atrophied over time. It’s definitely worthwhile to use your standard SAP authorisation tools such as SUIM to review who has access to what and in which SAP environment (don’t consider just your SAP Production environment). Consider the infotypes related to Personal data identified during the scoping exercise and identify who has access to these. Do the same for files held elsewhere in, or outside, of SAP.
Where necessary, revise and tighten your authorisation roles and profiles and thus control the personal data a user can access.
I alluded to it in the previous section, but “don’t consider just Production”. HR/Payroll data is typically copied back into Quality Assurance, Development and Sandbox environments, where there is a risk that a whole new community of support consultants, developers and others may have access to personal data.
Identify data that may need to be scrambled when it is copied from Production and institute tools and procedures to implement this scrambling.
SAP has /BKC/SOL21 (ex “Clone and Test”) available as a standard SAP program. There are also various other scrambling tools available – from Absoft and other vendors.
Don’t multiply your GDPR headache – use scrambling/masking to minimise your exposure in non-Production environments.
One of the key premises of GDPR is the “Right to erasure (‘right to be forgotten’)”, representing the right of an individual to request the erasure personal data concerning him or her without undue delay.
At face value this seems to be suggest that deletion of personal data is the sole requirement. In reality, the story is more nuanced as the organisation may face competing requirements to retain certain elements of that person’s data for a certain period to meet legal and statutory obligations.
To respect both requirements – the right of the individual to be “forgotten” and the legal requirement for the organisation to retain data, a middle ground is found in which personal data through time becomes increasingly “unavailable” until it is appropriate to delete it.
This “unavailability” typically manifests itself in the form of stages (a “lifecycle”) involving increasing security controls, migration of the data to a more protected and locked down system or combinations thereof.
So, in addition to the deletion requirement, we also have the requirement to define appropriate retention lifecycles and manage data through those lifecycles until finally deleting it.
Data Deletion (SARA)
Let’s start with the more draconian requirement – deletion. Your current SAP system provides a solution via transaction SARA (Archiving). SARA is based on the concept of an archive object. An archive object contains data that is related from a business perspective and that can be archived or destroyed collectively - in our case by Infotype or a specific collective grouping of related data.
SAP have delivered a number of archiving objects most of which have been available for a long time but new objects have been added specifically for GDPR purposes. If you have customer specific Infotypes you can develop a new archiving object to delete your own archiving objects and reports.
Archiving via SARA lets us identify and segment appropriate data for destruction.
To manage the retention lifecycle requirement, SAP provides the Information Lifecycle Management product (ILM). ILM supports the implementation of data retention rules into your data with the potential to create separate archives based on varying data lifetimes.
SAP ILM enables the transfer of data to an archive, which fulfils the blocking (“increasing unavailablility”) requirement in GDPR. In addition, it supports an “end of purpose” check which is the threshold at which point the data can be deleted.
Those of an inquisitive nature will have noted the release of data privacy and audit functionality provided by SAP for other countries with respect to the deletion of data. Absoft have reviewed these utilities and in some cases believe that they may be an appropriate addition to the tools at your disposal to address your GDPR requirements.
Further to archiving objects, the destruction of personnel numbers in a live system is possible whereby you can destroy personnel numbers and the associated data completely. Of course, this would need to be performed with care.
If you would like to discuss authorisations, ILM, Data Archiving or data destruction options, all of which we have experience of, do not hesitate to contact us. Note it does not stop here - further audit reporting functionality and data masking are here!
Do remember it’s your responsibility but there are tools to help you adhere to good practice.
A small piece of cautionary advice - ensure your policy is appropriate, don’t throw the baby out with the bath water, don’t delete payroll results without consideration of legislation requirements.