A stable SAP data security policy is imperative to implement GDPR

CIOs can reduce the risk of penalties within a short time by automated transfer control of sensitive SAP data

The requirements of GDPR in the European Union have, for quite some time, been adorning the front pages of the SAP and business media. In particular, SAP customers are concerned about the identification of personal data in the SAP system landscape, its pseudonymisation in copies of the production system, and the timely provision of information on, blocking of and finally deletion of individual user data. With the end of the transitional period on 25 May 2018, the much-discussed topic has now become reality. Anyone who had not set up a project at the beginning of 2018 would be well advised to make provisions for the event of an ‘unforeseen’ violation; this is a serious recommendation by experts.

Lack of data security carries greater penalty risks than violation of individual information

What actually makes the implementation of GDPR so expensive? The predicted length of the project is primarily due to the complexity of today’s business processes. Even if SAP applications play a central role, the individual process steps are often spread over several applications. Data is exported from SAP systems and processed further in non-SAP applications such as Microsoft Excel. This removes it from the control of the SAP authorization system and Information Lifecycle Management (ILM). Blocking and deleting data in such cases is very difficult, if not impossible. The result is that companies violate individuals' rights to information, blocking and deletion.

That is not all. In fact, it can get worse. If important data security mechanisms are lacking, any data misuse by hackers or insiders becomes a potential GDPR violation with strong repercussions. In an emergency, this means alerting the supervisory authorities and thus incurring high penalties. In short: without a functioning IT security concept, the basis for any data protection measure will be hollow. In particular, the control of data exports from SAP applications is one of the basic requirements of GDPR-compliant processing of personal data.

The less data circulates outside SAP, the lower the overhead of securing it

With the help of rapidly deployable security solutions, such as HALOCORE®, and automated classification of downloads, unauthorized exports can be effectively prevented. At the same time, data that is required outside of SAP can be given the same protection as within the SAP application itself, so that it remains effectively protected.

To secure SAP data in unstructured documents, HALOCORE leverages the de facto standard from Microsoft. With Microsoft AIP/RMS, all types of documents can be encrypted, allowing granular control of access and processing rights. This protects personal information and reduces the critical share of the risk of fines for GDPR violations. At the same time, mission-critical data, such as intellectual property, is protected from abuse and loss.

For more information, you can read about HALOCORE® here.
