Ready for GDPR: Non-Production Data Security

09 August 2017
Written by James Watson

James is responsible for the global line of business for EPI-USE Labs' data privacy and SAP IS-* solutions, supporting all regions and key accounts running Data Sync Manager (DSM) for these complex requirements. With a functional and business background of over 20 years, James provides the bridge between Development, Basis, Test/Competency Centres and leadership teams, offering guidance and advice on the route to data privacy compliance. His history includes SAP specialisms in non-production data management and anonymisation, production data removal and redaction, System Landscape Optimisation (SLO) and SAP industry solutions.

My previous post explained how Data Sync Manager (DSM) from EPI-USE Labs lets you keep the data held in your non-production environments proportionate to its use, in line with the data minimisation principle of Article 5 of GDPR. Proportionality is not the only measure you can use to demonstrate compliance: you can also obfuscate the sensitive data that does remain. EPI-USE Labs is ready to assist here too.

Data security itself is covered by Article 32 of GDPR (security of processing), which names pseudonymisation and encryption of personal data among the appropriate technical measures. This is a far-reaching topic, and rather than moving into network security again, I’d like to focus on the SAP data and landscape.

Remove or scramble sensitive data?

The simplest way to reduce your data security risk is to remove the sensitive data of concern. But removing it outright means you no longer have production-quality data to test against. Instead, I recommend scrambling the sensitive parts of the data model while leaving the relationships between records intact. Data Secure™ was developed by EPI-USE Labs specifically to mask data in SAP non-production systems.

Data Secure - pre-built Integrity maps

Based on the Objects already defined within Data Sync Manager, Data Secure ships pre-built Integrity maps that record every point in the data model where a sensitive item is held, so that it can be changed consistently everywhere it occurs. These Integrity maps have already been designed for the most commonly transformed and sensitive data areas. Just a few examples include:

  • Employee – personal details, salary, payroll results etc
  • Customer – Names, phone numbers and more
  • Business Partner – Names, phone numbers and so on
  • Vendor – Names, phone numbers etc
  • Addresses – Identifying the country of the address and ensuring a consistent Post/ZIP code is used.

As a customer using Data Secure, you choose which fields within each Object to scramble and which to leave, so you obfuscate only the data needed to meet your requirements.

A bespoke solution

Of course, each of you will have customisations and extensions that our “default” model is not aware of. To address this, we also deliver Data Discovery as part of the solution. It lets the EPI-USE Labs consultant find, through both Data Dictionary and data-level searches of the database, where a given data item is held. Those locations can then be added to the Integrity map, ensuring all areas of the system are kept consistent.

As well as the “out of the box” Data Secure solution, our Services team can consult with you and define extensions or new Integrity Maps as required. For each data item within a map, you select one of the following actions, which is then applied consistently wherever that item occurs:

  1. Clear the field entirely
  2. Apply a fixed value to all entries
  3. Randomise the entry
  4. Provide a mapping table for the conversion
  5. Apply a user exit with custom scrambling code as per your requirement.

System integration

Data Secure also integrates with your other SAP instances via RFC, so you can scramble consistently across systems. For example, if you run both SRM and ECC and want to scramble the bank details of a vendor, Data Secure will interrogate both ECC and SRM and apply the same scrambled value in each.
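The five actions listed above and the cross-system consistency described here, as an added Python example that is not EPI-USE Labs or Data Secure code and uses none of its APIs: each action is applied to constructed vendor records from two hypothetical systems, "randomise" is made repeatable with a keyed HMAC so both systems scramble a given value to the same result, and a check confirms the masked bank details agree. The field names (LIFNR, NAME1, TELF1, STCD1, IBAN) are modelled on SAP vendor master fields; the records, the mapping table and the key are made up for the example.

```python
# Added example (not EPI-USE Labs / Data Secure code): the five masking actions
# above, applied with a keyed derivation so two systems mask a vendor identically.
import hashlib
import hmac
import random
import secrets
from typing import Callable

# Assumption: a landscape-wide secret kept in a key store, never shipped with the
# non-production copy. Hard-coded only so the example runs stand-alone.
SCRAMBLE_KEY = b"example-only-key-rotate-per-landscape"

# Constructed sample data: the same vendor as held in "ECC" and in "SRM". Field
# names are modelled on SAP vendor master fields; the values are made up.
ECC_VENDORS = [
    {"LIFNR": "0000100001", "NAME1": "Acme Fasteners GmbH", "TELF1": "+49 30 123456",
     "STCD1": "DE123456789", "IBAN": "DE89370400440532013000"},
    {"LIFNR": "0000100002", "NAME1": "Bolt & Nut Ltd", "TELF1": "+44 20 7946 0000",
     "STCD1": "GB123456789", "IBAN": "GB29NWBK60161331926819"},
]
SRM_VENDORS = [
    {"LIFNR": "0000100001", "NAME1": "Acme Fasteners GmbH", "TELF1": "+49 30 123456",
     "STCD1": "DE123456789", "IBAN": "DE89370400440532013000"},
]

def _prng_for(value: str) -> random.Random:
    """PRNG seeded from HMAC(key, value): the same input gives the same output anywhere."""
    digest = hmac.new(SCRAMBLE_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest, "big"))

# Action 1: clear the field entirely.
def clear(value: str) -> str:
    return ""

# Action 2: apply a fixed value to all entries.
def fixed(constant: str) -> Callable[[str], str]:
    return lambda value: constant

# Action 3: randomise the entry. Format-preserving (digits stay digits, letters keep
# their case, separators are kept) and keyed, so every system scrambles a given
# value to the same result without having to share a table.
def randomise(value: str) -> str:
    rng = _prng_for(value)
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(str(rng.randrange(10)))
        elif ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + rng.randrange(26)))
        else:
            out.append(ch)
    return "".join(out)

# The naive alternative: fresh randomness on every call. Two systems masking the
# same vendor end up with different values, so cross-system integrity breaks.
def randomise_unlinked(value: str) -> str:
    return "".join(str(secrets.randbelow(10)) if ch.isdigit() else ch for ch in value)

# Action 4: mapping table. An unmapped value is an error rather than a pass-through,
# so real data cannot slip into the masked copy unnoticed.
def mapped(table: dict) -> Callable[[str], str]:
    def apply(value: str) -> str:
        if value not in table:
            raise ValueError(f"no mapping for {value!r}")
        return table[value]
    return apply

# Action 5: user exit with custom code. Keeps the IBAN country code, scrambles the
# BBAN and recomputes the ISO 7064 mod-97 check digits so IBAN validation still passes.
def _iban_mod97(iban: str) -> int:
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97

def scramble_iban(value: str) -> str:
    country, bban = value[:2], randomise(value[4:])
    check = 98 - _iban_mod97(country + "00" + bban)
    return f"{country}{check:02d}{bban}"

# One Integrity map for the vendor object: field -> action.
VENDOR_INTEGRITY_MAP = {
    "NAME1": mapped({"Acme Fasteners GmbH": "Vendor 0001", "Bolt & Nut Ltd": "Vendor 0002"}),
    "TELF1": fixed("+00 000 000000"),
    "STCD1": clear,
    "IBAN": scramble_iban,
}

def apply_integrity_map(records: list, integrity_map: dict) -> list:
    """Return masked copies of the records; fields not in the map are left as they are."""
    masked = []
    for rec in records:
        new = dict(rec)
        for field, action in integrity_map.items():
            if field in new:
                new[field] = action(new[field])
        masked.append(new)
    return masked

def consistent_across_systems(a: list, b: list, key_field: str, field: str) -> bool:
    """True if every key present in both systems carries the same masked value."""
    index = {r[key_field]: r[field] for r in a}
    return all(r[key_field] not in index or index[r[key_field]] == r[field] for r in b)
```

Two points the example makes that the list above leaves implicit. First, "randomise" only preserves integrity across objects and systems if it is repeatable: a keyed derivation (or a shared mapping table) gives the same output for the same input, whereas `randomise_unlinked` gives the ECC and SRM copies different bank details for the same vendor. Second, the key and the mapping table are themselves sensitive: anyone holding them can link masked records back to the originals, so they must stay with the production-side scrambling run and never be copied into the non-production system.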

Best practice - and GDPR compliance

Making sure your non-production systems are secure is good practice in general, and it becomes more important than ever with the GDPR taking effect on 25 May 2018. Using our own IP, the EPI-USE Labs Services team can slice, refresh and scramble your non-production environments, helping you work towards compliance for the personal data held in non-production SAP systems.


Everything discussed so far concerns managing your non-production environment. Of equal concern are the data subject rights that GDPR brings into force: the rights of access, rectification and erasure, that is, the right to view, change and delete personal data. In the next article, I will begin to describe how EPI-USE Labs can also assist with these.

If you want any further information please contact our GDPR specialist team at gdpr@labs.epiuse.com.
