What does the GDPR Security Principle mean for you?

23 September 2020
Written by Magdaleen Kotzé

Magdaleen is responsible for global marketing at EPI-USE Labs, working in collaboration with the regional marketing and line of business leaders. Having been involved in the SAP industry for the last fifteen years, she has an in-depth understanding of how EPI-USE Labs solutions solve clients' SAP business challenges. She is passionate about listening to our clients and identifying how we can meet their needs effectively. She is also a strong advocate for content marketing and storytelling.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is certainly not news any more. Most individuals and companies have adapted to the large (and dare I say annoying) notices around cookies and getting ‘voluntary’ permission to process the individual’s data. You can definitely see there has been a change since May 2018. In general, the public is much more educated that data needs to be protected. But the application of the regulation is not without its problems.

 

GDPR was a much-needed change to the laws to guide a world where we have become 100% online. And it’s happened relatively fast; our children will never know the sound the modem used to make when you got a turn to quickly check emails.

 
What are the GDPR principles?

The GDPR is long and complex, with many aspects that organisations need to take into account.

 

I wanted to look at the principles that underpin the regulations. The ICO’s website is a very good succinct guide about what the principles are.

What are the GDPR principles?

Each of these principles can be used as a guide to show the intent of the regulation. Organisations need to focus on making sure they are fair and lawful when they gather, process and store data from a European citizen.

 

For this blog, I want to look at integrity and confidentiality (security). With the rise of many data breaches and cyber attacks making headlines globally, the profile and extent of the breaches are getting bigger. One of the most prominent breaches for 2020 was on Twitter, where major accounts were hacked and used to send fake tweets from the account to send money to an unknown Bitcoin address. Another example is where Zoom login details were up for sale as many people started to use the platform during the COVID-19 pandemic.

 
Cybersecurity = integrity

I want to focus on the Integrity and confidentiality (security) principle. The ICO states that this principle is about organisations being required to have the appropriate systems and processes in place to process data securely. And the way that the security principle is linked to integrity shows that it is clear that security of data is closely correlated with the integrity of the organisation. Your business might be about something completely removed from cybersecurity, but you still need to take this aspect as seriously, because it can reflect negatively on your brand reputation and the integrity of your business.

 

Certain steps that are recommended include that you start with risk assessments, and map out where your systems might be open to an attack. You need to look at both external and internal threats. According to a study done by Poneman Institute for ObserveIT, the number of insider-caused cybersecurity incidents increased by 47% since 2018. With the prevalence of working from home as part of the COVID-19 response, we expect to see that percentage increase even further, with permanent and contract workers no longer overlooked by their peers in an open-plan office.

 
Confidentiality reduces the security risks

The second part of this principle is ‘Confidentiality’. As the dictionary states, this is ‘the state of keeping information secret or private’. To adhere to this principle, organisations need to apply, where appropriate, pseudonymisation and encryption measures. Technology will help companies to achieve this.

 

Confidentiality_meaning

 

But when you think about it, confidentiality in SAP systems goes far beyond this first definition; it's also about knowing what data you need in its original form and monitoring access to this information. An easy win is to mask data in your non-production environment. This has been a guideline by SAP too.

 

“Customer shall not grant SAP access to Licensee systems or personal information (of Customer or any third party) unless such access is essential for the performance of SAP Services. Customer shall not store any Personal Data in non-production environments.”

 
More details about GDPR compliance for SAP

SAP is a great solution and will provide you with well-established security mechanisms. But you need to make sure that you have the security principle embedded in your processes. And sometimes take extra steps to ensure you are in line with this security principle, and also in general with GDPR. To add to this, S/4HANA might be your first major project since GDPR came into force and so data privacy must be included as part of the project design, which probably wasn't the case in any of your previous upgrades.

 

To help our clients with more detailed information and some practical steps to take into consideration, our EPI-USE Labs colleagues Paul Hammersley and Warren Eiserman wrote a white paper that is available here.

 

GDPR White Paper CTA

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act POPIA SAP Data Security SAP GDPR SAP data privacy and compliance Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: