The world wakes up to GDPR: where did it come from?

06 February 2017
Written by Paul Hammersley

As Senior Vice-President of the ALM Products at EPI-USE Labs, Paul Hammersley's portfolio includes test data management, landscape optimisation, and archiving. He has been a remarkable technical force in the SAP arena for over 20 years, and has extensive hands-on experience of implementing Data Sync Manager (DSM) and helping clients to manage data across the breadth of their SAP landscapes.

Since the start of the year, the volume has definitely been turned up on GDPR. I was speaking to customers and partners about GDPR throughout 2016, but in many cases the start of the conversation was explaining the basics to them (which was often met with some shock and concern). Having enlightened a customer on this topic, I was expecting immediate requests for data analysis services, product demos etc. In my mind, this was such a wide-ranging compliance requirement, and May 2018 was looming ever nearer. I was starting to fret on my customers’ behalf and couldn’t understand why they weren’t.

Then it dawned on me: this regulation has been in the making for over seven years. The last few years probably started with the expectation of it being finalised, but that never came to pass. So those working exclusively in the data privacy and governance areas were aware of it, and monitoring the situation, but the wider business was unaware. And crucially, no additional budget was allocated for GDPR compliance in the 2016 fiscal year, because no one expected the draft to be agreed for sure. Organisations starting their fiscal year in January this year were for the first time able to plan budgets with a certainty of when this regulation would come into effect.

Of course, that is essentially how big organisations work. Projects may be interesting, important or critical to the business, but the moment you want to allocate someone’s time to them, the question is asked: which budget is this allocated against? And if the answer is ‘there isn’t one’, then the subject is put on the back burner. I remember a few years ago talking to a customer about why they weren’t masking data in test systems, and the response was ‘we know we should be doing more, but right now there isn’t budget for that’. And that, of course, is the difference. With the headline of potential fines of 4% of global turnover or €20 million Euro, it’s much easier to get a slice of the cake when the budget is being planned.

For the companies that now have budget allocated, a team has been put together, or at least earmarked, that combines IT, Compliance, Legal and Audit. And when they start to size up the sheer scope, it’s clear this is a significant undertaking. The project will look different for every company, varying greatly between industries, countries where they trade, company culture, IT systems used, business processes in place and much more.

In effect, the project looks like a big road map with some significant bridges or tunnels missing (or in some cases whole roads!) that would allow all the necessary journeys to take place. The focus is initially on the biggest gaps: How can we access file system data on shared drives? What about paper copies? Can we give the Right to be Forgotten for these data and process types? It’s interesting being in some of these discussions and seeing common themes and approaches.

I’ll continue to share more as these projects evolve.

Don't know where to start with GDPR and SAP? We do!

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act POPIA SAP Data Security SAP GDPR SAP data privacy and compliance Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: