Manage your SAP data privacy, security and risk

Respond to the Right to Access/Removal in Production systems

Whether you’re adhering to PDPA in Thailand, one of the state laws in the USA, or GDPR in Europe, you are required to provide a response to the Right to Access and deletion of personal data from your environment.

The Right to Removal does not overrule any of your other legal and compliance requirements, such as keeping records for tax audit. You now need to find a way to validate if data is required for any other legal reason, and if not, remove sensitive data from your system.

SAP presents a challenge in data removal; as a relational database, the sensitive data is intrinsically linked with your business transactions. So traditional ways of archiving or deleting mean you need to remove your transactions and master data completely.

EPI-USE Labs provides an alternative in Data Redact, removing the PII from records but leaving the referential integrity of the solution. And Data Disclose provides effective PII mapping in a PDF output, allowing an efficient process to respond to the Right to Access.

Scramble data in non-production systems

Every business needs to test their processes, whether it’s the annual payroll taxation updates, service pack upgrade or new customizations. You don’t want to find out you have an issue with the new processes in Production; so most businesses will take a copy of their Production systems and create test environments.

The number of testing environments varies depending on the business, but a typical set-up would be to have

• Development with limited to no real data
• Quality a reduced data copy from Production
• Pre-production a full copy of the Production database.

The new privacy laws state that you must have informed and explicit consent for the use of the data relating to data subjects. In our experience, most businesses do not have this consent for using data for testing purposes. Even if you did have a consent process there is an additional challenge in understanding what to do for a no-consent response from a data subject.

We recommend data anonymisation with Data Secure, providing direct in-place data anonymisation, or the ability to scramble on exit when linked with Client Sync, part of the Data Sync Manager Suite.

Understand and mitigate your data privacy and security risks

To solve a problem, you first need to understand the problem. For both data privacy and security, you need to understand the risks you hold in your business process and your IT estate.

Consider your business processes and security risks. For example, do your front office or HR colleagues take notes during calls? If so, what is the security process for those notes? Are you following best practice for data security throughout your business? 

Regarding your IT estate, three primary considerations are:

• External threat: Network and infrastructure security such as firewalls or VPN protection.
• Internal threat: The risk of access to data in the network / SAP system.
• Compliance risk: Where is your PII and how is it being managed?

Our comprehensive SAP data privacy assessment service provides transparency about the Internal and Compliance risks for your business.

Drive business-centric GRC for SAP

Governance, Risk and Compliance (GRC) solutions take many aspects of access risk into account. We are partnered with Soterion, offering a fast, efficient analysis of your GRC risks with standard delivered rulesets to cover:

• Segregation of Duties (SoD)
• Privacy: users accessing sensitive data
• Cross-jurisdictional data access
• Critical transaction risk.

These solutions can integrate between SAP and cloud applications (such as SAP SuccessFactors) to provide a holistic view of your access risk.

Soterion also offers assessment of your system licences, firefighter access processes and more.

Minimize attack surface in your SAP landscape

To protect sensitive data, consider reducing ‘the attack surface’ in your SAP landscape – the topography of the systems and data which can be attacked. Data masking or obfuscation can keep the referential integrity and functionality of your test, training, sandbox and development system data without making data subjects identifiable, or leaving sensitive data fields exposed.

Data Secure, part of EPI-USE Labs’ Data Sync Manager (DSM) suite, is a complete data protection solution that masks SAP data to safeguard sensitive information. It allows the data to function correctly with hundreds of pre-delivered masking rules. New rules can be built from scratch, existing ones extended or content downloaded from other community users on our collaborative platform, Client Central. The result is real-time data protection.

Many companies have integrated SAP landscapes with data distributed across ERP, CRM, SRM, and external environments. Data Secure anonymizes integrated data objects consistently on different systems.

Need to scramble data outside SAP? Our custom development team can build a solution that will scramble data, which extends Data Secure to non-SAP systems.