Guardians of the wild: SAP data privacy lessons from nature

On a recent beach holiday, while basking in the tranquillity of the island, an inspiring thought came to me as a golden retriever approached and checked me for any signs of danger. What if there is a correlation between the animal kingdom and how we look at data privacy and security?

I started to research how wildlife, individuals and organisations play host to our own set of predators and protectors in our modern world's ever-shifting landscapes, where the battlegrounds are digital, predators are hidden in code, and we need to balance our rights to privacy and the unyielding advancement of technology.

In this blog, I explore parallels between the survival of the fittest in both nature and the digital sphere, and examine how strategies must evolve and adapt, as hackers and digital poachers become more sophisticated in their methods.

Lions exhibit territorial behaviours to safeguard their pride. Despite having no natural predators, lion cubs remain vulnerable to potential attacks. In the hierarchy of the animal kingdom, male lions, often dubbed as the 'Kings of the Jungle,' diligently mark their territories, emitting resonating roars to dissuade intruders and reinforce their dominance.

Fun fact: A lion’s roar can be heard from five miles away,
and also serves as a display of authority among males.

Similarly, in the world of data privacy and security, you need to keep your ‘territory’ safe. A good place to start is by assessing what data you store is sensitive, and then also look beyond the digital realm when assessing threats. Everyday actions, such as jotting down Personally Identifiable Information (PII) on a notepad for routine tasks, can unexpectedly expose vulnerabilities.

According to a study by Ponemon Institute , insider threats can range from 46 incidents (largest) to 1 (smallest) incident for a given company, broken down into three insider profiles as follows: employee or contractor negligence, criminal/malicious insider, and credential thief (imposter risk). So make sure that you have implemented the correct roles and authorisations to keep your data secure.

In the context of SAP, consider a Governance, Risk Management and Compliance (GRC) solution that can give you quick insight into who has access to what data/transactions. When it comes to non-production systems, you can reduce the risk to your ‘territory’ by scrambling data and not having PII data visible to a broader development or testing group.

Lessons for SAP data privacy professionals:

• Cultivate a ‘security-first’ culture in your company.
• Look at a holistic picture of security; include both digital and business processes in your assessment.
• Assess what PII data you have in your systems.
• Reduce the target by scrambling non-production environments.
• Educate your staff about how they contribute to your security. Your security is only as strong as the weakest point.

Elephants have a remarkable ability to locate distant water sources, and it’s been proved that they have good memories. They navigate their surroundings with purpose and heightened awareness, using their exceptional memory to recall dangerous situations and old feeding grounds, ensuring their survival in the wild over extended periods.

Fun fact: An adult elephant's brain weighs around 11.5 pounds.

So, what can elephants’ behaviour teach us? The notion of longevity and resilience raises some questions: How can you fortify your own company security for short- and long-term application? What does it mean to embark on a journey to pinpoint and map PII throughout your digital ecosystem and business history?

In the SAP context, you need to get a better understanding of where data is stored. SAP’s data model stores data in different tables and areas, and how data is linked is quite different from other ERP systems. You also need to consider how your SAP systems have been customised over the years. An in-depth assessment of your SAP system will give you the insights to map and create a security plan. Security isn’t a one-size fits all approach: you need to consider your organisation’s needs and risks as you proceed.

Much like the cooperative dynamics within elephant herds, partnering with the right ally to support you in your data privacy and security journey is important. Your team should include legal, technology (IT) and business representatives.

Lessons for SAP data privacy professionals:

• Leverage discovery tools to find and map PII will save you time and cost, and remove human error.
• Consider how SAP is different from other systems, and make provision for this.
• Retention periods used to be about keeping data for as long as possible; but with GDPR and other privacy legislations, keeping data too long increases your risk.
• Create a multi-disciplinary team.

Soaring through the skies with excellent vision, hawks can focus on distant prey with precision, despite the prey being camouflaged. Found in diverse habitats ranging from tropical regions with high rainfall to arid landscapes, these remarkable birds thrive across the earth. They exhibit an energy-efficient hunting and migratory technique, skilfully using wind currents to glide over great distances while conserving energy through minimal wing flapping.

Fun fact: Some hawks can spot prey more than 3km away,
and dive at a speed of more than 180 miles an hour.

Drawing a compelling analogy, these avian predators underscore the need for vigilant observation when it comes to privacy compliance around the globe. As an organisation that runs SAP, you need to consider how you will respond to a Subject Access Request. For examples, for GDPR, this applies to all European residents.

According to the ICO, Subject Access Requests can be made to find out:

• what personal information an organisation holds about you;
• how they are using it;
• who they are sharing it with; and
• where they got your data from.

As SAP doesn’t deliver an out-of-the-box solution to comply with this legislation, you could consider a solution like the EPI-USE Labs’ Data Privacy Suite for SAP that allows you to disclose the data, redact it if needed, and also look at longer-term retention policies.

You should also look at whether you acquired the necessary permissions to use the data for testing and training purposes. If you are using system copies, you could have employee, business partner and vendor data that is personally identifiable.

To get that ‘hawks-eye’ vision for your landscape, explore how you can get a proactive alerting system in place. Splunk is one of the best-of-breed solutions that can give you an overview of your full landscape, including SAP.

Lessons for SAP data privacy professionals:

• Implement solutions that can help your organisation with Articles 15, 17 and 18 of GDPR, i.e. reporting on what data you hold about a person, and removing the data if they request it.
• Get clear visibility of where personally identifiable data is stored.
• Gain an overview of your security landscape with built-in alerts when your system is under attack.
• Minimise your attack surface by scrambling data in a non-production environment.

In the world of unusual inspiration, consider the lowly maggot – not exactly a creature associated with grandeur, yet surprisingly adept at its task. Maggots, notorious for their appetite for decaying organic matter, play a unique role in larvae therapy by cleaning wounds. Their remarkable ability to consume dead tissue and harmful bacteria, leaving healthy flesh to heal, offers an intriguing analogy for data management.

Fun fact: Research reveals that maggots possess the ability to
detect specific odours and respond to light stimuli.

Much like these industrious creatures, SAP professionals need to take a comprehensive approach to data privacy. Just as maggots clean only the decayed and rotten material, you need to evaluate data systems with a discerning eye, identifying and removing excess and unnecessary data that may clutter the digital landscape.

The recommendation is to discover the answer to these main questions:

• Where do you have PII data in the system?
• What data do you need to keep for legal reasons?
• What data is excessive?

Lessons for SAP data privacy professionals:

• With a deeper consideration of data cleaning and by embracing this holistic perspective, you can ensure your data environment is optimised, streamlined, and aligned with privacy regulations.
• Just as maggots contribute to wound healing, this approach contributes to the health and efficiency of data systems, fostering a space where only what's essential thrives.

Wolves exhibit remarkable synergy within their packs, with each member contributing their unique strengths to ensure collective well-being. They are constantly vigilant, and adapt quickly to threats, relying on their acute senses to detect changes in their environment.

Fun fact: The Tapetum lucidum is a light-reflecting layer on a wolf’s eye, and it facilitates night vision. Their eyes are also extremely sensitive to movement.

Similarly, audit and review processes integrate various layers of expertise and assessment, forming a cohesive strategy for data protection. The ongoing audit and review procedures for data security and privacy require vigilance and adaptability. These procedures employ advanced tools to identify potential vulnerabilities and breaches as business changes arise.

The pack's social structure, where experienced wolves guide the young, mirrors the relationship that may occur during audits for compliance, security, or privacy; acting before a potential threat may affect an individual, employee, or the whole enterprise thus helping to navigate the complex terrain of digital security.

By embracing the spirit of a wolf pack, organisations forge a resilient path, ever-watchful and ready to defend against emerging threats in the realm of data privacy.

Lessons for SAP data privacy professionals:

To ensure that data protection strategies are consistently and properly enforced, these stakeholders must work together as a pack:

• Internal audit
• Data owners
• Security team
• External audit

Imagine diving into the depths of the ocean and encountering Cyanogaster noctivaga, a creature that captures the imagination with its bioluminescent display. Aside from its transparent skin, it has a dazzling blue belly, hence its name of the ‘blue-bellied night wanderer.’ This deep-sea marvel uses its radiant patterns to communicate and navigate the darkness.

Fun fact: The murky Rio Negro is where this fish lives,
which may have contributed to its elusiveness.

These luminous fish mirror the importance of illuminating data handling, with the concept of transparency in data privacy practices. Transparent data privacy practices guide users through the often murky waters of data usage, empowering them with knowledge and fostering a sense of trust. In the digital world, data privacy laws demand transparency in revealing how personal information is collected, used, and safeguarded.

What types of requests may be asked of you in accordance with privacy rights?

• Data Subject Access Requests (DSARs)
• Individual requests for removal

Lessons for SAP data privacy professionals:

By embracing the vibrant spirit of these fish living deep in the Amazon, companies can ensure that their data privacy practices are open and transparent in accordance with data privacy laws.

These parallels reveal that nature can teach us interesting lessons about data privacy and security. Survival, whether in nature or the digital space, demands an ever-evolving strategic approach. The behaviour of lions exemplifies the importance of vigilant impact and risk assessments; elephants illuminate the discovery and mapping of PII. The sharp insight of hawks emphasises the significance of a proactive privacy overview; and maggots careful data cleaning. Wolf packs advocate for ongoing audits and review; and transparent fish encourage data transparency. The journey towards effective data security and privacy calls for unwavering vigilance, adaptation, and collaboration – lessons we can glean from guardians of the wild.