Data security expert SECUDE summarizes the needs of companies using SAP – what they will have to pay attention to in the future and what preparations they will have to take to ensure they stay GDPR compliant
Alpharetta, GA, March 29, 2016 – The new EU General Data Protection Regulation (GDPR)* will come into effect in the spring of 2018. For companies collecting, saving and processing data, regardless of their size, this regulation goes hand-in-hand with greater responsibility for data security and an extended scope of accountability. Companies have two years to ensure compliance with the new regulations for saving and processing customer data. If they fail to become compliant, they will face fines of up to 20 million euros or four percent of their annual turnover. In response, SECUDE, a leading data security provider specializing in security for SAP software, has put together the most important steps companies should take in preparation for these regulations.
“The first and most important step all companies have to take is to check which systems store the data affected by the legislation,” explained Volker Kyra, VP Sales & Marketing EMEA at SECUDE. “The second step should consist of checking whether the company is in a position to keep track of and provide reliable evidence for what happens to this data, for instance when it leaves the system.”
The tier system introduced by the new legislation already provides penalties of up to two percent of the annual turnover generated worldwide if the processing steps are not documented in the proper form (Article 28). If data security is breached, companies are under obligation to inform the authorities within 72 hours (Article 31). According to the new legislation, a breach of data protection has occurred if an employee gains access to data not required for their occupational activity. Companies must ensure that employees are able to identify when the data processing they perform is in violation of the law or when they are processing data without being authorized to do so.
Are ERP systems such as SAP affected?
As part of increasingly complex and decentralized IT environments, being able to track where data is stored and the channels that may be used to share it poses a major challenge for companies. It is particularly common for personal data to be stored in ERP systems. The ERP system is a regulated IT environment, and within it, implementing the provisions of the new data protection legislation is relatively easy, as long as authorization structures and audit logs are in place. Tracking inside the system alone, however, does not mean a company is protected. As soon as this data is exported from the system, SAP authorization structures are no longer effective, and it is no longer possible to keep track of what happens to the data at a later stage. Yet most companies perform these kinds of data exports on a daily basis, without their employees being aware of the possible consequences.
This means it is necessary to introduce audit or logging solutions chronicling who has seen the data, and who has exported and forwarded it. Furthermore, it is recommended that companies integrate a GRC solution, enabling notifications to be sent to those responsible in the event of rules being breached. In addition, data records should be classified early on – ideally when they are created. Sensitive data affected by the legislation can then be equipped with appropriate rules for the entire duration of its life cycle. For example, it may only be released for internal use or to specific individuals. Alternatively, downloading special data may be blocked completely. This also raises employee awareness of the issue and indicates possible instances of breach. Implementing a Rights Management System (RMS) helps to prevent data security being breached (Article 31) and provides evidence for, or limits, the use of data, including outside the ERP system.
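The controls described above (an audit trail of who exported what, labels assigned when a record is created, per-label rules such as "internal use only" or "released to named individuals", outright blocking of downloads, and alerts to those responsible when a rule is breached) can be sketched as a small policy engine. The following is an added illustration written for this article; it is not SECUDE or Halocore code. The record labels, destination channels, the POLICY table and the sample records and requests are all constructed assumptions.

```python
"""Toy export-control and audit layer for data leaving an ERP system.

Added example, not code from SECUDE or Halocore. Hypothetical assumptions:
every record carries a classification label assigned when it is created,
an export request names the user, the record and the destination channel,
and a fixed policy table maps each label to the channels it may use.
All sample records and requests below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List

# Destination channels an export can target (assumed names).
INTERNAL_SHARE = "internal_share"
LOCAL_DOWNLOAD = "local_download"
EXTERNAL_EMAIL = "external_email"

# Label -> channels on which export is permitted. "personal" (GDPR-affected)
# data never leaves the internal share; "restricted" is never exported at all.
POLICY = {
    "public": {INTERNAL_SHARE, LOCAL_DOWNLOAD, EXTERNAL_EMAIL},
    "internal": {INTERNAL_SHARE, LOCAL_DOWNLOAD},
    "personal": {INTERNAL_SHARE},
    "restricted": set(),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    # Optional release to named individuals only (empty = no per-user limit).
    released_to: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ExportRequest:
    user: str
    record: Record
    destination: str


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    record_id: str
    classification: str
    destination: str
    decision: str
    reason: str


class ExportController:
    """Evaluates export requests, writes an audit trail and raises alerts."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEntry] = []
        self.alerts: List[str] = []  # what a GRC notification hook would forward

    def evaluate(self, req: ExportRequest) -> str:
        label = req.record.classification
        allowed = POLICY.get(label)
        if allowed is None:
            # Unclassified data is treated as the most sensitive case: block.
            decision, reason = "block", f"unknown classification {label!r}"
        elif req.record.released_to and req.user not in req.record.released_to:
            decision, reason = "block", "record released only to named users"
        elif req.destination in allowed:
            decision, reason = "allow", "destination permitted for label"
        else:
            decision, reason = "block", f"{req.destination!r} not permitted for {label!r}"

        # Every attempt, allowed or not, is chronicled.
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=req.user, record_id=req.record.record_id,
            classification=label, destination=req.destination,
            decision=decision, reason=reason))
        # Blocked attempts on regulated data are surfaced to those responsible.
        if decision == "block" and label in ("personal", "restricted"):
            self.alerts.append(
                f"{req.user} attempted {req.destination} of {req.record.record_id}: {reason}")
        return decision

    def exporters_of(self, record_id: str) -> List[str]:
        """Who successfully exported a record, in order (the audit question)."""
        return [e.user for e in self.audit_log
                if e.record_id == record_id and e.decision == "allow"]


def demo() -> ExportController:
    """Runs constructed requests through the controller and returns it."""
    ctl = ExportController()
    customer = Record("CUST-0001", "personal")
    payroll = Record("PAY-2016-03", "personal", released_to=frozenset({"hr.lead"}))
    pricelist = Record("PRICE-2016", "internal")
    ctl.evaluate(ExportRequest("alice", customer, INTERNAL_SHARE))   # allow
    ctl.evaluate(ExportRequest("alice", customer, LOCAL_DOWNLOAD))   # block + alert
    ctl.evaluate(ExportRequest("bob", payroll, INTERNAL_SHARE))      # block + alert
    ctl.evaluate(ExportRequest("hr.lead", payroll, INTERNAL_SHARE))  # allow
    ctl.evaluate(ExportRequest("carol", pricelist, EXTERNAL_EMAIL))  # block, no alert
    return ctl


if __name__ == "__main__":
    c = demo()
    for entry in c.audit_log:
        print(entry.user, entry.record_id, entry.destination, entry.decision, "-", entry.reason)
    print("alerts:", c.alerts)
```

The point of the design is that the decision is taken from the record's label, not from the SAP role that happened to grant read access, so the rule travels with the data once it is outside the system; an unlabelled record is blocked rather than waved through, and only attempts on regulated labels generate an alert, so the notification channel is not flooded by ordinary blocked internal exports.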
“The new legislation also contains provisions that make it mandatory for most companies to appoint a data protection officer (Article 35). For those responsible, now is the ideal time to assess the internal situation, introduce appropriate measures for probing and securing the data and carry out a thorough check of the solution opportunities on offer,” added Kyra.
SECUDE’s Halocore takes these requirements into account, focusing especially on data security in an SAP environment. With Halocore, SAP users can monitor and analyze all data download and extraction activity from SAP applications to detect possible threats, as well as classify and protect that data with fine-grained permission policies, extending the roles and authorizations configured in SAP. This approach bridges the gap between enterprise-wide and SAP security solutions, ensuring the same level of protection and control. Halocore is natively integrated with SAP applications and does not require an additional desktop application. This deep integration enables full contextual awareness, including detailed information about the user, the data itself and the technical environment. Because not all data exports are equally risky, Halocore automatically classifies, blocks or protects sensitive data extracted from SAP applications without blocking the collaboration that today’s business requires within and beyond company borders.
For more information on the GDPR: *http://www.bna.com/final-european-union-n57982067329/
SECUDE is an innovative global provider of IT data protection solutions for SAP customers. The company was founded in 1996 as a partnership between SAP AG and Europe’s largest application-oriented research organization, Fraunhofer institute in Germany. SECUDE helps customers protect sensitive data from loss or theft and to meet legal and industry requirements and guidelines. Since 2011, SECUDE has been part of the SAP® PartnerEdge™ Value Added Reseller program and an SAP distribution partner in Germany and Switzerland. SECUDE’s solutions enable enterprises that run on SAP to identify sensitive data exports from SAP applications with intelligent classification and secure information with strong encryption and fine-grained permission policies, allowing it to be safely accessed, stored, and shared inside the enterprise and across cloud and mobile platforms. Today, SECUDE is trusted by a large number of Fortune 500 companies, including many DAX companies. With offices in Europe, North America and Asia, SECUDE embraces global IT security.