SAP GDPR Compliance (ANONIMO)

GDPR 2018: is your ERP System compliant with the new regulation?

Inquaero ANONIMO is our solution to comply with the requirements of General Data Protection Regulation (GDPR) for SAP systems.


Our PII Intelligent Mapping solution makes data records less – or not at all – identifiable, while remaining suitable for data processing (specifically for test environments) and data analysis (statistics and data science).

During the masking process, conversion rules are safely saved and stored into a mapping table on an external system.

The masking criteria used are then made available only to a limited set of users (such as the Data Protection Officer – DPO) for legal auditing needs, until the final data destruction, which occurs as soon as the legal retention time has expired.

As an alternative to this custom solution, we support the end-to-end implementation of SAP ILM (for productive systems) and SAP TMDS stand-alone data masking (for non-productive systems).

SAP NetWeaver Information Lifecycle Management (SAP NetWeaver ILM) is the SAP application that manages information through its complete lifecycle: from the business processes that generate the data in a transactional system, through the processing of the data in accordance with its intended purpose (residence time), to the retention of the information in a dedicated storage system for legal reasons (retention time), and finally to the destruction of the information as soon as its retention time has expired.

The use of SAP ILM has grown steadily in recent years, pushed by increasingly compelling legal requirements in the field of personal data protection (such as the GDPR), by the need to reduce and contain the Total Cost of Ownership (TCO) of SAP infrastructure investments, and by the need to optimize SAP systems by removing data that is no longer business-relevant, in preparation for the adoption of innovative platforms and applications (Suite on HANA and S/4HANA).

Solutions & Services for SAP GDPR Compliance

GDPR Compliance and SAP Data Quality by Inquaero® ANONIMO PII-IM

How to protect Data in Test Systems

The GDPR entered into force on 25 May 2018. And so far nothing new. Question: are we 100% sure that your SAP landscape is already fully in line with the directives of the regulation? In this article I tackle...

SAP ILM

  • P.I.I. data reaching end of purpose are moved to the archive and deleted from the online system
  • Access to Storage System granted only to restricted users (ex. DPO) for auditing purposes
  • Limited risk of data breach, after data move to encrypted storage system and deletion from online system
  • Automatic permanent deletion of data, once legal retention period has been reached
  • Storage System ILM-Aware = needed
  • ILM license = needed
  • SAP UI masking = optional
  • SAP UI logging = optional

Inquaero ANONIMO

  • P.I.I. Data Masking @ Database level
  • Store of masked data into an encrypted mapping table
  • Access to mapping table granted only to restricted users (ex. DPO) for auditing purposes
  • Limited risk of data breach, after pseudonymization of P.I.I. data directly in the online system
  • Automatic scheduling of full anonymization after reaching legal retention period
  • Storage System = not needed
  • ILM license = not needed
  • SAP UI masking = not needed
  • SAP UI logging = optional

Inquaero ANONIMO A17 (Art.17 GDPR)

How to manage the “Right to Be Forgotten” (Right to Erasure)

According to GDPR – Art.17, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; etc… etc…”

Inquaero® ANONIMO A17 is the solution designed for managing the “Right to Be Forgotten (Right to Erasure)” within SAP productive systems.

How it works

The ANONIMO A17 solution simulates an ILM Blocking & Deletion scenario. No data is actually blocked or deleted.

Instead, a temporary (in place of blocking) or permanent (in place of deletion) anonymization is applied to the data subject's personal data, once the business reason to keep this information in the database is over.

Should a new request for erasure be raised by the data subject, the A17 software triggers a list of checks to verify, within the SAP Prod system, whether the GDPR-relevant due dates have been met (EoB for End of Business, EoP for End of Purpose, EoRT for End of Retention Time).

In accordance with the results, ANONIMO A17 executes:

  • the Blocking of BP (Business Partner) master and transactional data by means of pseudonymization of all personal data of the data subject
  • the Storage of the link to the original data in a separate back-up table accessible to the DPO (Data Protection Officer)
  • the permanent Deletion of the data saved in the back-up table, as soon as the End of Retention Time (EoRT) has been reached
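The following is an added illustration of the two mechanisms described on this page, the PII mapping table (masking with conversion rules kept in a separate, access-restricted table) and the A17 decision flow (EoP triggers blocking by pseudonymization, EoRT triggers irreversible deletion of the link). It is not Inquaero ANONIMO's code and not ABAP; the record layout, the role name, the HMAC-based token format and the dates are all constructed for the example.

```python
"""Pseudonymization with an access-restricted mapping table, plus the
Art. 17 decision logic (EoP -> block, EoRT -> delete).

Added example for illustration; not the vendor's implementation.
Record layout, role names, key and dates are constructed."""
from dataclasses import dataclass, replace
from datetime import date
import hashlib
import hmac

PII_FIELDS = ("name", "email", "phone")


@dataclass(frozen=True)
class BusinessPartner:
    bp_id: str
    name: str
    email: str
    phone: str
    eop: date    # End of Purpose: the business reason to keep the data ends
    eort: date   # End of Retention Time: the legal retention period ends


class MappingTable:
    """Stand-in for the encrypted mapping table kept on a separate system:
    bp_id -> {field: original value}. Reads are limited to the auditing role."""

    def __init__(self, allowed_role: str = "DPO"):
        self._rows: dict[str, dict[str, str]] = {}
        self._allowed_role = allowed_role

    def store(self, bp_id: str, field: str, original: str) -> None:
        self._rows.setdefault(bp_id, {})[field] = original

    def lookup(self, bp_id: str, role: str) -> dict[str, str]:
        # Only the auditing role (DPO in this example) may resolve a token.
        if role != self._allowed_role:
            raise PermissionError(f"role {role!r} may not read the mapping table")
        return dict(self._rows.get(bp_id, {}))

    def has(self, bp_id: str) -> bool:
        return bp_id in self._rows

    def purge(self, bp_id: str) -> bool:
        # Destroying the link is what turns pseudonymization into anonymization.
        return self._rows.pop(bp_id, None) is not None


def pseudonym(value: str, key: bytes) -> str:
    # Keyed hash: equal inputs give equal tokens, so joins across tables in a
    # test system still work, but the token is not reversible without the
    # mapping table (or the key plus a guess of the original).
    return "PSN-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def a17_action(bp: BusinessPartner, today: date) -> str:
    if today < bp.eop:
        return "keep"     # still needed for the business purpose
    if today < bp.eort:
        return "block"    # reversible pseudonymization, link kept for the DPO
    return "delete"       # irreversible: the mapping entry is destroyed


def process_erasure_request(bp: BusinessPartner, today: date,
                            table: MappingTable, key: bytes) -> tuple:
    """Returns (updated record, action taken)."""
    action = a17_action(bp, today)
    if action == "keep":
        return bp, action
    masked = {}
    for field in PII_FIELDS:
        original = getattr(bp, field)
        if original.startswith("PSN-"):
            continue                      # already blocked: do not double-mask
        if action == "block":
            table.store(bp.bp_id, field, original)   # keep the link for the DPO
        masked[field] = pseudonym(original, key)
    bp = replace(bp, **masked)
    if action == "delete":
        table.purge(bp.bp_id)             # EoRT reached: no way back
    return bp, action


if __name__ == "__main__":
    KEY = b"constructed-demo-key"         # constructed; never hard-code in practice
    table = MappingTable()
    bp = BusinessPartner("BP001", "Jane Doe", "jane@example.com", "+1-555-0100",
                         eop=date(2024, 1, 1), eort=date(2026, 1, 1))
    bp, act = process_erasure_request(bp, date(2024, 6, 1), table, KEY)
    print(act, bp.name, table.lookup("BP001", "DPO"))
    bp, act = process_erasure_request(bp, date(2026, 6, 1), table, KEY)
    print(act, bp.name, table.has("BP001"))
```

The deterministic keyed token is the design choice that keeps masked data usable for testing and analysis: the same customer e-mail masks to the same token in every table, so referential integrity survives, while only the holder of the mapping table (the DPO role here) can go back to the original. Once `purge` runs at EoRT, the record is anonymous rather than pseudonymous.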

The advantages of Inquaero ANONIMO Suite for GDPR

  • Detection and Extraction of all Personal Data of the Data Subject from SAP Systems (Art.15 – GDPR: “Right of Access”)
  • Management of the “Right to Erasure” (Right to Be Forgotten) of the Data Subject in SAP Productive Systems (Art.17 – GDPR: “Right to Erasure”)
  • Zero risk of data breach in non-productive environments (Development, Test, Pre-Prod, Project systems) by means of PII Intelligent Mapping technology
  • Rapid Implementation, Flexible and User-Friendly Software

SAP ILM: Typical archiving process flow