
SAP eXperience Day “Pronti per il GDPR?” (Ready for the GDPR?) - 15 February 2018

GDPR: challenges and opportunities. EIM and GRC tools, essential for operating successfully in the post-GDPR era

Silvio Arcangeli, Senior Director, Platform – Integration, SAP EMEA South

Daniela D’Amore, SAP Finance and Risk Management Presales, SAP Italia

Uri Bahar, Director, Solution Architecture EMEA, Gigya an SAP Company

INTERNAL | © 2018 SAP SE or an SAP affiliate company. All rights reserved.

GDPR at a glance

Protects fundamental rights related to the processing of personal data.

Individual rights
• …to be informed
• …to restrict processing
• …of access
• …to data portability
• …to rectification
• …to object
• …to erasure
• Automated decisions and profiling

Accountability
• Data protection officer
• Evidence of compliance
• Privacy by design
• Privacy impact assessments

Breach notification
• Penalties
• Response time

Evidence of compliance
• ISO 27001
• Codes of conduct

• Personal data
• Sensitive personal data
• Controllers and processors
• Transfer of data: EU and non-EU

Lawful processing always requires legal permission
• Vital interest
• Consent
• Legitimate interest
• Legal obligation
• Contract
• Public interest


How SAP helps customers address GDPR requirements

SAP’s integrated and industry-leading solutions are highly relevant for meeting end-to-end GDPR requirements. Enterprise-grade solutions cover SAP and non-SAP systems and work with existing infrastructure investments.

Governance: governance, risk, compliance, and security solutions
• SAP Access Control
• SAP Process Control

Business systems

Apply a risk-based approach to data privacy


Your journey through GDPR with SAP: which processes touch personal data?

Personal data lifecycle: Data Privacy Impact Assessment → Active data → Archive → Delete

Accountability
• Data protection officer
• Evidence of compliance
• Privacy by design
• Privacy impact assessments

Evidence of compliance
• ISO 27001
• Codes of conduct


SAP Process Control: overview

• SCOPE: plan assessments
• DOCUMENT: document processes, controls, regulations and policies
• EVALUATE: evaluate control design and effectiveness; raise and remediate issues
• MONITOR: perform automated, exception-based monitoring of ERP systems
• REPORT: e.g. “Sign-Off”

Add intelligence to reduce compliance costs


SAP Process Control & Risk Management: Art. 30 and Art. 35

Here is an example of a record of processing activities (Art. 30) built through the assessment features. Analogously, a Data Protection Impact Assessment (Art. 35) can be managed through the GRC assessment capabilities.

Speakers’ idea of an approach and types of information to report and/or manage. It is not intended to represent a current or future product.


SAP Process Control & Risk Management: evidence of compliance

• Document risks, processes, controls and map key regulations in a central unique repository
• Distribute accountability within the organization
• Central controls repository collates data for subsequent audit and review
• Schedule recurring assessment of controls
• Provide ongoing reporting of GDPR compliance to the DPO and stakeholders
• Support sign-off process


Your journey through GDPR with SAP: who could access personal data?

Personal data lifecycle: Data Privacy Impact Assessment → Active data → Archive → Delete

Accountability
• Evidence of compliance
• Privacy by design


SAP Access Control: overview

• MANAGE ACCESS: access provisioning
• MAINTAIN ROLES: roles provisioning
• ANALYZE RISK: SoD risk analysis and mitigation/remediation
• CERTIFY AUTHORIZATIONS: users and roles review
• MONITOR PRIVILEGES: monitor emergency access


SAP Access Control: risk analysis

• Define sensitive/critical access risks for GDPR
• Monitor and periodically review the access defined for GDPR
• Schedule reporting to DPO

Sample of SoD risk


SAP Access Control: user access provisioning

Actors: End User, Accounts Payable Manager & BP Owner, Security Owner, Accounts Payable Clerk

Example of business role provisioning
1. Create access request
2. Review the request
3. Approve the request (no risk)
4. Auto provision

Example of template-based request
1. Create access request on behalf of another user using Request Template
2. Review the request
3. Approve the request (risk exists)
4. Assign mitigation controls and approve request with risks

Legend
• Leverage workflow escalation where GDPR-relevant access is included (provisioning process)
• Define and categorize security roles for personal data management
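The two provisioning flows above (auto-provision when the risk analysis is clean; assign mitigation controls and approve with risks when an SoD conflict exists; escalate to the Security Owner when GDPR-relevant access is included) can be modelled as one decision function. The following Python is an added example and not SAP Access Control code; the role catalogue, the SoD rules and the mitigation control ids are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed role catalogue (not SAP content): the business functions each
# role grants, and whether the role exposes personal data (GDPR-relevant).
ROLES = {
    "AP_CLERK":   {"functions": {"ENTER_INVOICE"},          "gdpr_relevant": False},
    "AP_MANAGER": {"functions": {"APPROVE_PAYMENT"},        "gdpr_relevant": False},
    "BP_OWNER":   {"functions": {"MAINTAIN_VENDOR_MASTER"}, "gdpr_relevant": True},
}

# Constructed SoD rule set: two functions one person must not hold together.
SOD_RULES = {
    "R001": ("ENTER_INVOICE", "APPROVE_PAYMENT"),
    "R002": ("MAINTAIN_VENDOR_MASTER", "APPROVE_PAYMENT"),
}


@dataclass
class AccessRequest:
    user: str
    requested_roles: List[str]
    existing_roles: List[str] = field(default_factory=list)
    # Mitigation controls assigned by the approver: SoD rule id -> control id
    mitigations: Dict[str, str] = field(default_factory=dict)
    # Set when the request is created on behalf of another user (template-based request)
    requested_by: Optional[str] = None


def analyze_risk(request: AccessRequest) -> List[str]:
    """SoD risk analysis on the role set the user would hold after provisioning."""
    functions = set()
    for role in request.existing_roles + request.requested_roles:
        functions |= ROLES[role]["functions"]
    return sorted(rule for rule, (a, b) in SOD_RULES.items()
                  if a in functions and b in functions)


def approval_chain(request: AccessRequest) -> List[str]:
    """The role owner always reviews; the workflow escalates to the Security
    Owner whenever GDPR-relevant access is part of the request."""
    chain = ["Accounts Payable Manager & BP Owner"]
    if any(ROLES[r]["gdpr_relevant"] for r in request.requested_roles):
        chain.append("Security Owner")
    return chain


def decide(request: AccessRequest) -> dict:
    """Outcome of the review step: auto-provision, approve with mitigated risks,
    or hold the request until every conflict has a mitigation control."""
    risks = analyze_risk(request)
    result = {"user": request.user, "risks": risks, "approvers": approval_chain(request)}
    if not risks:
        result["decision"] = "auto_provision"
        return result
    unmitigated = [r for r in risks if r not in request.mitigations]
    if unmitigated:
        result["decision"] = "hold_until_mitigated"
        result["unmitigated"] = unmitigated
        return result
    result["decision"] = "approve_with_risks"
    result["mitigations"] = dict(request.mitigations)
    return result


if __name__ == "__main__":
    # Business role provisioning: clean risk analysis, auto-provisioned.
    print(decide(AccessRequest("clerk01", ["AP_CLERK"])))
    # Template-based request on behalf of another user: SoD conflicts exist,
    # mitigation controls assigned, approved with risks and escalated.
    print(decide(AccessRequest("mgr02", ["AP_MANAGER", "BP_OWNER"],
                               existing_roles=["AP_CLERK"],
                               mitigations={"R001": "MC-017", "R002": "MC-042"},
                               requested_by="security_admin")))
```

The analysis runs on the union of existing and requested roles, because a request that is harmless on its own can still complete an SoD conflict with access the user already holds.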


How SAP helps customers address GDPR requirements

SAP’s integrated and industry-leading solutions are highly relevant for meeting end-to-end GDPR requirements. Enterprise-grade solutions cover SAP and non-SAP systems and work with existing infrastructure investments.

Operations: database and data management solutions
• SAP Information Lifecycle Management
• SAP Extended Enterprise Content Management by OpenText
• SAP Data Services software and SAP Information Steward
• SAP Process Mining by Celonis

Business systems

Recognize information as a strategic key asset in the Digital Economy


GDPR seen from your customer

Address
➢ 14 Newnham Rd, Cambridge CB3 9EX

Communication
➢ Phone: +44 610 9607207
➢ Portal Account: CarCust

Purchased goods
➢ eieiPhone + Maintenance agreement (3.2015)
➢ eBooks

Payment details
➢ Perfect Bank
➢ IBAN: DE12500903170648489890

Contract for services
➢ Targeted marketing with Beacons and Geofencing (12.2017)

Employee contract
➢ Working student (04.2011 – 03.2014)


Your journey through GDPR with SAP: what personal data are we storing and where?

Personal data lifecycle: Data Privacy Impact Assessment → Active data → Archive → Delete

Personal data; sensitive personal data

Individual rights
• …to data portability
• …to rectification
• …to erasure


SAP Information Steward: profile, assess, monitor and manage data compliance & quality across the enterprise (Business and IT)

Sources
• SAP Business Suite
• SAP BW
• Databases
• Delimited files
• SAP HANA
• Hadoop

Data discovery & stewardship
• BI systems
• ETL tools
• Data modeling tools

SAP Information Steward steps
1. Discover
2. Define
3. Workflow
4. Monitor
5. Analyze


SAP Information Steward – demo

IS in action for discovery of personal data
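The "discover" step profiles columns of a source (here a delimited file, one of the source types listed above) and flags those that mostly hold personal data. The following Python is an added example, not SAP Information Steward code: it shows the kind of content-based detection a discovery step performs, with an e-mail, a phone and an IBAN detector (the IBAN check is the standard mod-97 validation) and a constructed sample extract. The detector regexes, the threshold and the sample rows are assumptions for illustration.

```python
import csv
import re
from io import StringIO
from typing import Callable, Dict

# Content detectors. They are deliberately strict: a profiling run should
# surface likely personal-data columns, not every string containing '@'.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?\d[\d\s\-]{7,}\d$")
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")


def iban_valid(value: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters
    A..Z to 10..35 and verify that the resulting integer is 1 modulo 97."""
    v = value.replace(" ", "").upper()
    if not IBAN_RE.match(v):
        return False
    rearranged = v[4:] + v[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


DETECTORS: Dict[str, Callable[[str], bool]] = {
    "email": lambda s: bool(EMAIL_RE.match(s)),
    "iban": iban_valid,
    "phone": lambda s: bool(PHONE_RE.match(s)),
}


def profile_columns(delimited_text: str, threshold: float = 0.6) -> Dict[str, dict]:
    """Profile every column of a delimited file and report the columns whose
    non-empty values are mostly personal data of one detected type.
    `threshold` is the minimum share of matching values needed to flag a column."""
    reader = csv.DictReader(StringIO(delimited_text))
    rows = list(reader)
    findings = {}
    for column in reader.fieldnames or []:
        values = [r[column].strip() for r in rows if r.get(column) and r[column].strip()]
        if not values:
            continue
        for kind, check in DETECTORS.items():
            hits = sum(1 for v in values if check(v))
            share = hits / len(values)
            if share >= threshold:
                findings[column] = {"type": kind, "share": round(share, 2), "values": len(values)}
                break
    return findings


# Constructed sample extract (not real customer data). The two valid IBANs are
# the commonly published example values; the third has wrong check digits, so a
# real profiling run would still flag the column but report a lower share.
SAMPLE_CSV = """customer_id,email,iban,phone,city
C001,anna@example.com,DE89 3704 0044 0532 0130 00,+44 20 7946 0000,Cambridge
C002,bob@example.org,GB82 WEST 1234 5698 7654 32,+39 02 1234567,Milano
C003,carla@example.net,DE00 3704 0044 0532 0130 00,n/a,Roma
"""

if __name__ == "__main__":
    for column, finding in profile_columns(SAMPLE_CSV).items():
        print(f"{column}: likely {finding['type']} "
              f"({finding['share']:.0%} of {finding['values']} values)")
```

A share below 100% is the normal case in real extracts (free-text fields, placeholders such as "n/a", legacy records), which is why the decision is threshold-based rather than all-or-nothing.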


Your journey through GDPR with SAP: which process flows are actually touching personal data?

Personal data lifecycle: Data Privacy Impact Assessment → Active data → Archive → Delete

Accountability
• Privacy by design


How can you discover your actual data flows? SAP Process Mining by Celonis

Data-based process discovery: digital footprints from any IT system; visualization of actual processes… and proactive improvement insights.

• Discover how compliant your processes are
• Find out where to include consent logic
• Help define information retrieval for GDPR SAR
• Discover process inefficiencies and opportunities for improvement
• Intuitive, graphical visual representations of as-is processes
• Ability to evaluate non-compliant flows and detect inefficiencies
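Process discovery works from the event log (case id, timestamp, activity) that the source systems leave behind, and "where to include consent logic" is a question that the discovered traces can answer directly: which cases touch personal data before any consent was recorded. The following Python is an added example, not Celonis code; the event log, the activity names and the set of activities considered to touch personal data are constructed for illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# Activities that read or write personal data, and the activity that records
# the customer's consent. Both are constructed for this example.
PERSONAL_DATA_ACTIVITIES = {"Capture customer details", "Send marketing email"}
CONSENT_ACTIVITY = "Record consent"

# Constructed event log: (case id, ISO timestamp, activity). Real process
# mining reads these digital footprints from the source systems' tables.
EVENT_LOG = [
    ("C1", "2018-02-01T09:00", "Create lead"),
    ("C1", "2018-02-01T09:05", "Record consent"),
    ("C1", "2018-02-01T09:10", "Capture customer details"),
    ("C1", "2018-02-02T08:00", "Send marketing email"),
    ("C2", "2018-02-01T10:00", "Create lead"),
    ("C2", "2018-02-01T10:04", "Capture customer details"),
    ("C2", "2018-02-03T08:00", "Send marketing email"),
    ("C3", "2018-02-01T11:00", "Create lead"),
    ("C3", "2018-02-01T11:02", "Capture customer details"),
    ("C3", "2018-02-01T11:09", "Record consent"),
    ("C3", "2018-02-04T08:00", "Send marketing email"),
]


def traces(log) -> Dict[str, List[str]]:
    """Group events per case and order them by timestamp."""
    per_case = defaultdict(list)
    for case, ts, activity in log:
        per_case[case].append((ts, activity))
    return {case: [a for _, a in sorted(evts)] for case, evts in per_case.items()}


def variants(trace_map) -> Counter:
    """Distinct as-is paths through the process and how often each occurs."""
    return Counter(tuple(t) for t in trace_map.values())


def directly_follows(trace_map) -> Counter:
    """Edges of the discovered process graph with their frequencies."""
    edges = Counter()
    for t in trace_map.values():
        edges.update(zip(t, t[1:]))
    return edges


def consent_gaps(trace_map) -> Dict[str, List[str]]:
    """Cases in which personal data was touched before consent was recorded
    (or without any consent at all): the places where consent logic is missing."""
    gaps = {}
    for case, t in trace_map.items():
        consent_at = t.index(CONSENT_ACTIVITY) if CONSENT_ACTIVITY in t else len(t)
        early = [a for a in t[:consent_at] if a in PERSONAL_DATA_ACTIVITIES]
        if early:
            gaps[case] = early
    return gaps


if __name__ == "__main__":
    tm = traces(EVENT_LOG)
    for variant, count in variants(tm).most_common():
        print(count, " -> ".join(variant))
    print("consent gaps:", consent_gaps(tm))
```

On the sample log, case C2 never records consent and case C3 captures customer details before doing so; only C1 follows the intended order. The directly-follows counts are what a process-mining tool renders as the as-is graph.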


SAP Process Mining by Celonis

A live example

ADD VIDEO - SILVIO


Your journey through GDPR with SAP: data archiving and deletion

Personal data lifecycle: Data Privacy Impact Assessment → Active data → Archive → Delete

Manage and “design” rules for personal data archiving and deletion

Individual rights
• …to erasure


SAP Information Lifecycle Management: use cases

Data archiving (DB volume management)
• Analyze data volumes
• Securely move data from the database to the archive
• Comfortably access archived data

Retention management (end-of-life data)
• Manage and enforce retention policies across the enterprise
• Manage the responsible destruction of data based on policies
• Perform e-Discovery and set legal holds

System decommissioning (end-of-life system)
• Decommission legacy systems
• Enforce retention policies on data from shut-down system
• Benefit from independently understandable archive


OpenText: retention and deletion management

Retention policy management

Maintain separate archives per retention period
• Create multiple data archives for each data expiration date

Apply hold on data
• Automatically prevent data deletion or destruction
• Apply holds to archives and current database

Perform e-Discovery
• Search for information in response to legal requests

Manage and enforce retention policies
• Set policies for automatic data retention and subsequent destruction
• Retain data according to set policy
• Responsibly destroy data when expiration date has been reached
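The retention mechanics described in the last two slides (a retention period per record category, one archive per expiration date, a legal hold that blocks destruction, destruction once the expiration date is reached) reduce to a small amount of date arithmetic. The following Python is an added example and not SAP ILM or OpenText code; the retention schedule, the record categories and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed retention schedule: years a category must be kept after its
# end-of-business date (contract end, last invoice, consent withdrawal, ...).
RETENTION_YEARS = {
    "invoice": 10,
    "marketing_consent": 2,
    "employment_contract": 3,
}

TODAY = date(2018, 2, 15)  # constructed "current date" for the walk-through


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    end_of_business: date     # when the business purpose for the data ended
    legal_hold: bool = False  # an active hold blocks destruction regardless of expiry


def add_years(d: date, years: int) -> date:
    """Calendar-aware addition; 29 February rolls to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiration_date(record: Record) -> date:
    return add_years(record.end_of_business, RETENTION_YEARS[record.category])


def archives_by_expiration(records: List[Record]) -> Dict[date, List[str]]:
    """One archive per expiration date, so a whole archive can be destroyed at once."""
    buckets: Dict[date, List[str]] = {}
    for r in records:
        buckets.setdefault(expiration_date(r), []).append(r.record_id)
    return buckets


def classify(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Retention decision per record: keep, blocked by a hold, or due for destruction."""
    out: Dict[str, List[str]] = {"retain": [], "on_hold": [], "destroy": []}
    for r in records:
        if expiration_date(r) > today:
            out["retain"].append(r.record_id)
        elif r.legal_hold:
            out["on_hold"].append(r.record_id)
        else:
            out["destroy"].append(r.record_id)
    return out


# Constructed sample inventory.
RECORDS = [
    Record("INV-2007-001", "invoice", date(2007, 1, 31)),
    Record("INV-2010-442", "invoice", date(2010, 6, 30)),
    Record("CONS-7731", "marketing_consent", date(2015, 3, 1), legal_hold=True),
    Record("EMP-0042", "employment_contract", date(2014, 3, 31)),
]

if __name__ == "__main__":
    print(classify(RECORDS, TODAY))
    print(archives_by_expiration(RECORDS))
```

The hold check comes after the expiry check on purpose: a hold never shortens retention, it only prevents a record that would otherwise be destroyed from leaving the archive.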


Additional solutions from SAP: strengthening GDPR governance and more

Three lines of defense
• SAP Risk Management
• SAP Audit Management
• SAP Business Integrity Screening

Access governance & identity management
• SAP Dynamic Authorization Management by NextLabs
• SAP Identity Management
• SAP Cloud Identity Access Governance software
• Gigya

Cybersecurity risk and governance
• SAP Enterprise Threat Detection
• SAP Enterprise Digital Rights Management by NextLabs
• UI field masking solutions
• UI logging solutions

Database and data management
• SAP Extended Enterprise Content Management by OpenText
• SAP PowerDesigner
• SAP Master Data Governance
• SAP Process Mining by Celonis


Your journey through GDPR with SAP: focus on cyber security

Personal data lifecycle: Data Privacy Impact Assessment → Active data → Archive → Delete

Breach notification
• Penalties
• Response time


SAP Enterprise Threat Detection: a big-data solution to a serious security challenge (real time)

• BIG DATA: vast amount of log data scattered across the landscape
• ACQUIRE: bring data together in one place with a common format
• ANALYZE: evaluate attack detection patterns; browse & analyze
• ACT: lock user account, cut off connection, …
• REAL RESULTS: detect attacks early and prevent harm

Protect the integrity of business processes and prevent theft or manipulation of business data


SAP Enterprise Threat Detection: monitor, fields of attention, and forensic lab

Initial analysis → Alerts → Further analysis and derive new patterns

Delivered ETD patterns: ~70
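The acquire/analyze/act chain of the previous two slides, reduced to its essentials: logs in different formats are normalized into one common event schema, detection patterns are evaluated over the time-ordered events, and each alert carries the recommended response. The following Python is an added example, not SAP Enterprise Threat Detection code and not one of its delivered patterns; the two log formats, the two sample patterns (a burst of failed logons followed by a success, and one user logging on from two sources within a short window) and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Two constructed log formats from different systems in the landscape.
KV_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_kv(line: str) -> dict:
    """'2018-02-15T09:00:01 host=app01 user=JDOE event=LOGON_FAILED src=10.0.0.5'"""
    m = KV_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")), **fields}


def parse_csv(line: str) -> dict:
    """'2018-02-15 09:00:05,app02,JDOE,LOGON_OK,10.0.0.5'"""
    ts, host, user, event, src = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "event": event, "src": src}


def normalize(raw_lines) -> List[dict]:
    """ACQUIRE: bring both formats into one common schema, ordered by time."""
    events = [parse_kv(l) if "=" in l else parse_csv(l) for l in raw_lines if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def pattern_failed_then_success(events, threshold=3, window=timedelta(minutes=5)) -> List[dict]:
    """ANALYZE: at least `threshold` failed logons for a user within `window`
    before a successful logon, the footprint of password guessing that worked."""
    alerts = []
    failed = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAILED":
            failed[e["user"]].append(e["ts"])
        elif e["event"] == "LOGON_OK":
            recent = [t for t in failed[e["user"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"pattern": "failed_logons_then_success", "user": e["user"],
                               "src": e["src"], "failed": len(recent),
                               "at": e["ts"].isoformat(), "action": "lock user account"})
            failed[e["user"]] = []
    return alerts


def pattern_two_sources(events, window=timedelta(minutes=2)) -> List[dict]:
    """ANALYZE: successful logons for one user from two different sources within `window`."""
    alerts = []
    last_ok: Dict[str, dict] = {}
    for e in events:
        if e["event"] != "LOGON_OK":
            continue
        prev = last_ok.get(e["user"])
        if prev and prev["src"] != e["src"] and e["ts"] - prev["ts"] <= window:
            alerts.append({"pattern": "logon_from_two_sources", "user": e["user"],
                           "sources": [prev["src"], e["src"]], "at": e["ts"].isoformat(),
                           "action": "cut off connection"})
        last_ok[e["user"]] = e
    return alerts


def evaluate(raw_lines) -> List[dict]:
    """ACT: every alert names the response an operator (or automation) should take."""
    events = normalize(raw_lines)
    return pattern_failed_then_success(events) + pattern_two_sources(events)


# Constructed sample log lines (two formats, interleaved, not time-ordered).
RAW_LOG = [
    "2018-02-15T09:00:01 host=app01 user=JDOE event=LOGON_FAILED src=10.0.0.5",
    "2018-02-15T09:00:10 host=app01 user=JDOE event=LOGON_FAILED src=10.0.0.5",
    "2018-02-15 09:00:20,app02,JDOE,LOGON_FAILED,10.0.0.5",
    "2018-02-15 09:00:30,app02,JDOE,LOGON_OK,10.0.0.5",
    "2018-02-15 09:02:00,app02,AMILLER,LOGON_OK,10.0.0.77",
    "2018-02-15T09:01:00 host=app01 user=AMILLER event=LOGON_OK src=10.0.0.9",
    "2018-02-15T09:05:00 host=app01 user=BKIM event=LOGON_FAILED src=10.0.0.12",
    "2018-02-15T09:05:30 host=app01 user=BKIM event=LOGON_OK src=10.0.0.12",
]

if __name__ == "__main__":
    for alert in evaluate(RAW_LOG):
        print(alert)
```

BKIM's single failed logon stays below the threshold and produces no alert; that threshold is the "further analysis" knob the forensic lab tunes when a pattern is too noisy or too quiet for a landscape.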


Your journey through GDPR with SAP: consent management, customer data control, social compliance

Personal data lifecycle: Data Privacy Impact Assessment → Active data → Archive → Delete

Lawful processing always requires legal permission: consent

Individual rights
• …of access
• …to rectification
• …to erasure
• …to restrict processing


From anonymous to known: building identity progressively

Building rich profiles along the customer journey with privacy at the forefront

Customer journey: Awareness → Consideration → Conversion → Retention → Advocacy (anonymous → known)
• Anonymous interactions
• Lite registration
• Full registration
• Progressive profiling
• Enriching customer profiles

Key capabilities
• Customer & social profile data
• Consent management
• Profile and preference management
• Authentication and authorization


GDPR is about putting the customer in control of their data

Customer data
• Social data
• Connections
• Device data
• Likes & interests
• Registration data
• Behavioral data
• Location data
• Profile data

vs.

Individual rights
▪ The right to be informed
▪ The right of access
▪ The right to rectification
▪ The right to erasure
▪ The right to restrict processing
▪ The right to data portability
▪ The right to object
▪ Rights in relation to automated decision making and profiling


Managing preferences & consent throughout the lifecycle of the customer

Preference & consent capture: PRESENT POLICIES
▪ Terms of Service (ToS)
▪ Privacy Policies
▪ Cookie Consent
▪ Consent for marketing and custom activities

Version control: MAINTAINS ACCURATE CONSENT
▪ Trigger consent renewals
▪ Record consent at renewal
▪ Track consent history
▪ Audit consent

Accurate and enforced records: ENFORCES CONSENT
▪ Synchronize preferences, consent and profile data to downstream marketing, sales, and services applications

Self-service preference center: USERS CONTROL PREFERENCES & CONSENT
▪ View profile, preferences & consent
▪ Add and modify profile, preferences and consent information
▪ Withdraw consent
▪ Download user data

Audit-ready vault


Consent – Preference & Consent Capture

Registration, login and auto-login consent collection use-cases (components: CIAM, Identity, EPM, Records / audit-ready vault)

1. Consent for new registrations: Registration – Brand A → Consent Collection → Register
2. Cross-brand SSO and consent: Auto Login (SSO) – Brand B → Consent Collection
3. Add user preferences: Login – Brand A → Preference Center
4. Re-consent after changes to terms: Login – Brand A → Consent Renewal Collection → Login with Re-consent


Consent – Version Control

Earning customer trust with triggered consent renewals gains loyal customers (steps 1, 2 and 3 shown in the figure)
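The version-control capability listed earlier (trigger consent renewals, record consent at renewal, track consent history, audit consent) and the re-consent-after-changes-to-terms flow both follow from one data model: policies carry a version, every grant or withdrawal is an append-only event stamped with the version it was given for, and consent is valid only if the latest event is a grant for the current version. The following Python is an added example and not Gigya code; the policy names, users and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the audit-ready vault."""
    user: str
    policy: str
    version: int
    action: str   # "granted" or "withdrawn"
    on: date


class ConsentVault:
    def __init__(self) -> None:
        self.policy_versions: Dict[str, int] = {}  # policy -> current version
        self.events: List[ConsentEvent] = []       # append-only history

    def publish(self, policy: str, version: int) -> None:
        """A new version of a policy (ToS, privacy policy, marketing consent)."""
        if version <= self.policy_versions.get(policy, 0):
            raise ValueError("policy versions must increase")
        self.policy_versions[policy] = version

    def grant(self, user: str, policy: str, on: date) -> None:
        """Record consent at registration, login or renewal, for the current version."""
        self.events.append(ConsentEvent(user, policy, self.policy_versions[policy], "granted", on))

    def withdraw(self, user: str, policy: str, on: date) -> None:
        """Self-service withdrawal; the earlier grant stays in the history."""
        self.events.append(ConsentEvent(user, policy, self.policy_versions[policy], "withdrawn", on))

    def latest(self, user: str, policy: str) -> Optional[ConsentEvent]:
        for ev in reversed(self.events):
            if ev.user == user and ev.policy == policy:
                return ev
        return None

    def is_valid(self, user: str, policy: str) -> bool:
        """Consent counts only if the latest action is a grant for the current version."""
        ev = self.latest(user, policy)
        return bool(ev and ev.action == "granted" and ev.version == self.policy_versions[policy])

    def renewals_due(self, user: str) -> List[str]:
        """Policies the user must be asked about again at the next login."""
        return [p for p in self.policy_versions if not self.is_valid(user, p)]

    def history(self, user: str, policy: str) -> List[ConsentEvent]:
        """Full audit trail for one user and policy, oldest first."""
        return [ev for ev in self.events if ev.user == user and ev.policy == policy]


def demo() -> ConsentVault:
    """Constructed walk-through: consent to v1, then v2 of the privacy policy is
    published, so a renewal becomes due for that policy only."""
    vault = ConsentVault()
    vault.publish("privacy_policy", 1)
    vault.publish("marketing", 1)
    vault.grant("u1", "privacy_policy", date(2017, 6, 1))
    vault.grant("u1", "marketing", date(2017, 6, 1))
    vault.publish("privacy_policy", 2)  # terms changed: triggers re-consent at login
    return vault


if __name__ == "__main__":
    v = demo()
    print("renewals due:", v.renewals_due("u1"))
    v.grant("u1", "privacy_policy", date(2018, 1, 10))  # login with re-consent
    print("renewals due:", v.renewals_due("u1"))
    print(v.history("u1", "privacy_policy"))
```

Because events are never edited or deleted, the vault can answer both the enforcement question (is this consent valid now?) and the audit question (what did the customer agree to, for which version, and when?) from the same records.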


Consent – Accurate and Enforced Records

Synchronize preferences, consent and profile data to downstream marketing, sales, and services applications


Consent – Self-Service Preference Center

Preference Center consent use-cases (components: CIAM, Identity, EPM, audit-ready vault)

• (Pre)registered user, opt-out: Preference Center → Opt-out
• Registered user, consent withdraw: Preference Center → Withdraw
• Registered user, consent expiration: Automatic Revocation
• Acceptance


Gigya integrates with SAP Hybris Commerce and SAP Hybris Marketing

• SAP Hybris Commerce: enables better B2C experiences
• SAP Hybris Marketing: enables real-time customer journeys


Gigya and SAP Hybris Commerce


Gigya and SAP Hybris Marketing


Get started quickly while enabling a sustainable GDPR program

• Assess: what you have
• Plan: find gaps and plan solutions
• Execute on your plan
• Monitor
• Respond: ready to dialog with the regulator


Create value with SAP

• Trust and brand transparency with stakeholders
• Distribute accountability
• Cyber security and real-time detection
• Create a unique customer experience
• Best-of-breed technology
• Reduce compliance costs
• Multi-compliance
• Unique corporate compliance repository
• Information as a strategic key asset in the Digital Economy


The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information on this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or noninfringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, and shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. This limitation shall not apply in cases of intent or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Legal Disclaimer

NOTE: The information contained in this presentation is for general guidance only and provided on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as response hereto. It is the customer’s responsibility to adopt measures that the customer deems appropriate to achieve GDPR compliance.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

See www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

© 2018 SAP SE or an SAP affiliate company. All rights reserved.