SAP eXperience Day Pronti per il GDPR? - 15 February 2018
GDPR: challenges and opportunities. EIM and GRC tools, essential for operating successfully in the post-GDPR era
Silvio Arcangeli, Senior Director, Platform – Integration, SAP EMEA South
Daniela D’Amore, SAP Finance and Risk Management Presales, SAP Italia
Uri Bahar, Director, Solution Architecture EMEA, Gigya an SAP Company
2INTERNAL© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ
GDPR at a glance
Protects fundamental rights related to the processing of personal data
Individual rights: …to be informed, …to restrict processing, …of access, …to data portability, …to rectification, …to object, …to erasure, automated decisions and profiling
Accountability: Data protection officer, Evidence of compliance, Privacy by design, Privacy impact assessments
Breach notification: Penalties, Response time
Evidence of compliance: ISO 27001, Codes of conduct
Personal data / Sensitive personal data
Controllers / Processors
Transfer of data: EU and non-EU
Lawful processing always requires legal permission: Vital interest, Consent, Legitimate interest, Legal obligation, Contract, Public interest
How SAP helps customers address GDPR requirements
SAP’s integrated and industry-leading solutions are highly relevant for meeting end-to-end GDPR requirements.
Enterprise-grade solutions cover SAP and non-SAP systems and work with existing infrastructure investments.
Governance: SAP Access Control, SAP Process Control (governance, risk, compliance, and security solutions)
Business systems
Apply a risk based approach to data privacy
Your journey through GDPR with SAP: Which processes touch personal data?
Personal Data Lifecycle: Data Privacy Impact Assessment, Active Data, Archive, Delete
Accountability: Data protection officer, Evidence of compliance, Privacy by design, Privacy impact assessments
Evidence of compliance: ISO 27001, Codes of conduct
SAP Process Control – Overview
SCOPE: Plan assessments
DOCUMENT: Document processes, controls, regulations and policies
EVALUATE: Evaluate control design and effectiveness; raise and remediate issues
MONITOR: Perform automated, exception-based monitoring of ERP systems
REPORT: e.g. “Sign-Off”
Add intelligence to reduce compliance costs
SAP Process Control & Risk Management – Art. 30 and Art. 35
Here is an example of a record of processing activities (Art. 30) built through the assessment features.
Analogously, a Data Protection Impact Assessment (Art. 35) can be managed through the GRC assessment capabilities.
Speakers’ idea of an approach and types of information to report and/or manage. It is not intended to represent a current or future product.
SAP Process Control & Risk Management – Evidence of compliance
• Document risks, processes, controls and map key regulations in a central unique repository
• Distribute accountability within the organization
• Central controls repository collates data for subsequent audit and review
• Schedule recurring assessment of controls
• Provide ongoing reporting of GDPR compliance to the DPO and stakeholders
• Support sign-off process
Your journey through GDPR with SAP: Who could access personal data?
Personal Data Lifecycle: Data Privacy Impact Assessment, Active Data, Archive, Delete
Accountability: Evidence of compliance, Privacy by design
SAP Access Control – Overview
ANALYZE RISK: SoD risk analysis and mitigation/remediation
MANAGE ACCESS: Access provisioning
MAINTAIN ROLES: Roles provisioning
CERTIFY AUTHORIZATIONS: Users and roles review
MONITOR PRIVILEGES: Monitor emergency access
SAP Access Control – Risk Analysis
• Define sensitive/critical access risks for GDPR
• Monitor and periodically review the access defined for GDPR
• Schedule reporting to DPO
(Screenshot: sample of SoD risk)
SAP Access Control – User Access Provisioning
Example of business role provisioning: Create access request → Review the request → Approve the request (no risk) → Auto provision
Example of template based request: Create access request on behalf of another user using Request Template → Review the request → Approve the request (risk exists) → Assign mitigation controls and approve request with risks
Roles shown in the workflow: End User, Accounts Payable Manager & BP Owner, Security Owner, Accounts Payable Clerk
Legend:
• Leverage workflow escalation where GDPR relevant access is included (provisioning process)
• Define and categorize security roles for personal data management
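The two provisioning flows above (auto-provision when no SoD risk is found; approve with assigned mitigation controls when a risk exists, with workflow escalation for GDPR-relevant access) as an added, constructed example; this is not SAP Access Control's code or rule set, and the roles, actions, risk ids and control ids are made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample rule set (assumption, not SAP's delivered ruleset):
# role -> actions it grants; SoD risks are pairs of actions one person must
# not hold together; GDPR-relevant roles touch personal data (e.g. bank details).
ROLE_ACTIONS = {
    "AP_CLERK": {"POST_INVOICE"},
    "VENDOR_MAINT": {"CREATE_VENDOR"},
    "AP_MANAGER": {"APPROVE_PAYMENT"},
    "BP_OWNER": {"MAINTAIN_BANK_DETAILS"},
    "HR_DISPLAY": {"DISPLAY_EMPLOYEE_DATA"},
}
GDPR_RELEVANT_ROLES = {"BP_OWNER", "HR_DISPLAY"}
SOD_RISKS = [  # (risk id, description, conflicting action pair)
    ("P001", "Create vendor and post invoice", ("CREATE_VENDOR", "POST_INVOICE")),
    ("P002", "Maintain bank details and approve payment",
     ("MAINTAIN_BANK_DETAILS", "APPROVE_PAYMENT")),
]


@dataclass
class AccessRequest:
    requester: str
    on_behalf_of: str            # same as requester unless a template request
    requested_roles: set
    existing_roles: set = field(default_factory=set)
    mitigations: dict = field(default_factory=dict)   # risk id -> control id


def analyze_risks(roles):
    """Return SoD risk ids violated by the combined actions of `roles`
    (existing plus requested access, so accumulation is caught)."""
    actions = set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))
    return [rid for rid, _, (a, b) in SOD_RISKS if a in actions and b in actions]


def decide(req):
    """Approver decision for one request:
    - no risk                     -> AUTO_PROVISION
    - risk, all mitigated         -> APPROVE_WITH_RISKS (controls recorded)
    - risk, mitigation missing    -> PENDING_MITIGATION (cannot be approved yet)
    workflow_escalation is set when GDPR-relevant access is part of the request."""
    risks = analyze_risks(req.existing_roles | req.requested_roles)
    escalate = bool(req.requested_roles & GDPR_RELEVANT_ROLES)
    unmitigated = [r for r in risks if r not in req.mitigations]
    if not risks:
        decision = "AUTO_PROVISION"
    elif unmitigated:
        decision = "PENDING_MITIGATION"
    else:
        decision = "APPROVE_WITH_RISKS"
    return {"decision": decision, "risks": risks, "unmitigated": unmitigated,
            "controls": {r: req.mitigations[r] for r in risks if r in req.mitigations},
            "workflow_escalation": escalate}
```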
How SAP helps customers address GDPR requirements
SAP’s integrated and industry-leading solutions are highly relevant for meeting end-to-end GDPR requirements.
Enterprise-grade solutions cover SAP and non-SAP systems and work with existing infrastructure investments.
Operations: SAP Information Lifecycle Management; SAP Extended Enterprise Content Management by OpenText; SAP Data Services software and SAP Information Steward; SAP Process Mining by Celonis; Database and data management solutions
Business systems
Recognize information as a strategic key asset in the Digital Economy
GDPR seen from your customer
Address
➢ 14 Newnham Rd, Cambridge CB3 9EX
Communication
➢ Phone: +44 610 9607207
➢ Portal Account: CarCust
Purchased Goods:
➢ eieiPhone + Maintenance agreement (3.2015)
➢ eBooks
Payment details
➢ Perfect Bank
➢ IBAN: DE12500903170648489890
Contract for services:
➢ Targeted marketing with Beacons and Geofencing (12.2017)
Employee contract
➢ Working student (04.2011 – 03.2014)
Your journey through GDPR with SAP: What personal data are we storing and where?
Personal Data Lifecycle: Data Privacy Impact Assessment, Active Data, Archive, Delete
Personal data / Sensitive personal data
Individual rights: …to data portability, …to rectification, …to erasure
SAP Information Steward – Profile, Assess, Monitor and Manage Data Compliance & Quality Across the Enterprise
Sources: SAP Business Suite, SAP BW, Databases, Delimited Files, SAP HANA, Hadoop
Data Discovery & Stewardship: BI systems, ETL tools, Data Modeling tools
SAP Information Steward cycle (Business and IT): 1. Discover, 2. Define, 3. Workflow, 4. Monitor, 5. Analyze
SAP Information Steward – demo
IS in action for discovery of personal data
Your journey through GDPR with SAP: Which process flows are actually touching personal data?
Personal Data Lifecycle: Data Privacy Impact Assessment, Active Data, Archive, Delete
Accountability: Privacy by design
How can you discover your actual data flows? SAP Process Mining by Celonis
Digital footprints from any IT system → Data-based process discovery → Visualization of actual processes… and proactive improvement insights
• Discover how compliant your processes are
• Find out where to include Consent Logic
• Help define Information Retrieval for GDPR SAR
• Discover Process Inefficiencies and opportunities for improvement
• Intuitive, graphical visual representations of as-is processes
• Ability to evaluate non-compliant flows and detect inefficiencies
SAP Process Mining by Celonis – A live example
ADD VIDEO - SILVIO
Your journey through GDPR with SAP: Manage and “design” rules for personal data archiving and deletion
Personal Data Lifecycle: Data Privacy Impact Assessment, Active Data, Archive, Delete
Individual rights: …to erasure
SAP Information Lifecycle Management – Use cases
Data Archiving (DB Volume Management)
• Analyze data volumes
• Securely move data from the database to the archive
• Comfortably access archived data
Retention Management (End-of-life Data)
• Manage and enforce retention policies across the enterprise
• Manage the responsible destruction of data based on policies
• Perform e-Discovery and set legal holds
System Decommissioning (End-of-life System)
• Decommission legacy systems
• Enforce retention policies on data from shut-down system
• Benefit from independently understandable archive
OpenText – Retention and Deletion management
Retention Policy Management
Maintain Separate Archives per Retention Period
• Create multiple data archives for each data expiration date
Apply Hold on Data
• Automatically prevent data deletion or destruction
• Apply holds to archives and current database
Perform e-Discovery
• Search for information in response to legal requests
Manage and enforce retention policies
• Set policies for automatic data retention and subsequent destruction
• Retain data according to set policy
• Responsibly destroy data when expiration date has been reached
Additional solutions from SAP – Strengthening GDPR governance and more
Three lines of defense: SAP Risk Management, SAP Audit Management, SAP Business Integrity Screening
Access governance & identity mgt: SAP Dynamic Authorization Management by NextLabs, SAP Identity Management, SAP Cloud Identity Access Governance software, Gigya
Cybersecurity risk and governance: SAP Enterprise Threat Detection, SAP Enterprise Digital Rights Management by NextLabs, UI field masking solutions, UI logging solutions
Database and data management: SAP Extended Enterprise Content Management by OpenText, SAP PowerDesigner, SAP Master Data Governance, SAP Process Mining by Celonis
Your journey through GDPR with SAP: Focus on cyber security
Personal Data Lifecycle: Data Privacy Impact Assessment, Active Data, Archive, Delete
Breach notification: Penalties, Response time
SAP Enterprise Threat Detection – A big-data solution to a serious security challenge
BIG DATA: Vast amount of log data scattered across the landscape
ACQUIRE: Bring data together in one place with a common format
ANALYZE: Evaluate attack detection patterns. Browse & analyze
ACT: Lock user account, cut off connection, …
REAL RESULTS, REAL TIME: Detect attacks early and prevent harm
Protect the integrity of business processes and prevent theft or manipulation of business data
SAP Enterprise Threat Detection – Monitor, fields of attention, and forensic lab
Initial analysis → Alerts → Further analysis and derive new patterns
Delivered ETD Patterns: ~ 70
Your journey through GDPR with SAP: Consent management, Customer data control, Social compliance
Personal Data Lifecycle: Data Privacy Impact Assessment, Active Data, Archive, Delete
Lawful processing always requires legal permission: Consent
Individual rights: …of access, …to rectification, …to erasure, …to restrict processing
From Anonymous To Known: Building Identity Progressively
Building rich profiles along the customer journey with privacy at the forefront
Customer journey stages: Awareness, Consideration, Conversion, Retention, Advocacy (from Anonymous to Known)
Anonymous Interactions → Lite Registration → Full Registration → Progressive Profiling → Enriching Customer Profiles
KEY CAPABILITIES: Customer & Social Profile Data; Consent Management; Profile and Preference Management; Authentication and Authorization
GDPR Is About Putting The Customer In Control Of Their Data
CUSTOMER DATA: Profile Data, Registration Data, Social Data, Connections, Device Data, Likes & Interests, Behavioral Data, Location Data
VS.
INDIVIDUAL RIGHTS
▪ The right to be informed
▪ The right of access
▪ The right to rectification
▪ The right to erasure
▪ The right to restrict processing
▪ The right to data portability
▪ The right to object
▪ Rights in relation to automated decision making and profiling
Managing preferences & consent throughout the lifecycle of the customer
Preference & Consent Capture → Version Control → Accurate and Enforced Records → Self-Service Preference Center (all backed by an Audit-Ready Vault)
PRESENT POLICIES
▪ Terms of Service (ToS)
▪ Privacy Policies
▪ Cookie Consent
▪ Consent for marketing and custom activities
ENFORCES CONSENT
Synchronize preferences, consent and profile data to downstream marketing, sales, and services applications
USERS CONTROL PREFERENCES & CONSENT
▪ View profile, preferences & consent
▪ Add and modify profile, preferences and consent information
▪ Withdraw consent
▪ Download user data
MAINTAINS ACCURATE CONSENT
▪ Trigger consent renewals
▪ Record consent at renewal
▪ Track consent history
▪ Audit consent
Consent – Preference & Consent Capture
Registration, Login and Auto-Login Consent Collection Use-Cases
1. Consent for new registrations
2. Cross-brand SSO and consent
3. Add user preferences
4. Re-consent after changes to terms: Login – Brand A
Diagram elements: Registration – Brand A, Login – Brand A, Auto Login (SSO) – Brand B; Register, Login, Login with Re-consent; Consent Collection, Consent Renewal Collection; Preference Center, EPM; records kept in the Audit-Ready Vault; CIAM (Identity; Preference & Consent Capture)
Consent – Version Control
Earning Customer Trust with Triggered Consent Renewals Gains Loyal Customers
(Diagram: version control, steps 1, 2, 3)
Consent – Accurate and Enforced Records
Synchronize preferences, consent and profile data to downstream marketing, sales, and services applications
Consent – Self-Service Preference Center
Preference Center Consent Use-Cases
• Opt-Out: (Pre) registered user → Preference Center
• Consent Withdraw: Registered User → Preference Center
• Consent Expiration: Registered User → Preference Center
Outcomes shown: Withdraw, Automatic Revocation, Opt-out, Acceptance
Diagram elements: CIAM (Identity), EPM, Audit-Ready Vault, Self-Service Preference Center
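The consent lifecycle described across the preceding slides (capture at registration, version control with re-consent after a change to the terms, triggered renewals with expiry, self-service withdrawal, and an audit-ready history) as an added, constructed example; it is not Gigya or SAP code, and the policy ids, validity periods and status names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Policy:
    policy_id: str                       # e.g. "tos", "marketing" (constructed ids)
    version: int                         # bumped whenever the wording changes
    validity_days: Optional[int] = None  # None: consent does not expire


@dataclass
class ConsentRecord:
    user_id: str
    policy_id: str
    version: int              # policy version the user actually saw
    recorded_on: date
    expires_on: Optional[date]
    status: str               # "granted" | "withdrawn" | "expired"


class ConsentVault:
    """Append-only consent store: every change is a new record, so the full
    history stays available for audit; the latest record is the current state."""

    def __init__(self, policies):
        self.policies = {p.policy_id: p for p in policies}
        self.history = []

    def current(self, user_id, policy_id):
        for rec in reversed(self.history):
            if rec.user_id == user_id and rec.policy_id == policy_id:
                return rec
        return None

    def publish_version(self, policy_id, new_version, validity_days=None):
        # Publishing a new version of the terms is what triggers re-consent.
        self.policies[policy_id] = Policy(policy_id, new_version, validity_days)

    def record_consent(self, user_id, policy_id, today):
        pol = self.policies[policy_id]
        exp = today + timedelta(days=pol.validity_days) if pol.validity_days else None
        self.history.append(ConsentRecord(user_id, policy_id, pol.version, today, exp, "granted"))

    def withdraw(self, user_id, policy_id, today):
        prev = self.current(user_id, policy_id)
        if prev and prev.status == "granted":
            self.history.append(ConsentRecord(user_id, policy_id, prev.version, today, None, "withdrawn"))

    def check(self, user_id, policy_id, today):
        """Decide at login (or before syncing to a downstream system) whether the
        stored consent is usable. Expiry is written to the history when detected."""
        pol = self.policies[policy_id]
        rec = self.current(user_id, policy_id)
        if rec is None:
            return "consent_required"
        if rec.status != "granted":
            return "consent_" + rec.status
        if rec.expires_on and today > rec.expires_on:
            self.history.append(ConsentRecord(user_id, policy_id, rec.version, today, None, "expired"))
            return "automatic_revocation"
        if rec.version < pol.version:
            return "re_consent_required"
        return "valid"

    def audit_trail(self, user_id, policy_id):
        return [(r.recorded_on.isoformat(), r.version, r.status)
                for r in self.history if r.user_id == user_id and r.policy_id == policy_id]
```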
Gigya integrates with SAP Hybris Commerce and SAP Hybris Marketing
Enables Better B2C Experiences / Enables Real-time Customer Journeys
Gigya and SAP Hybris Commerce
Gigya and SAP Hybris Marketing
Get started quickly while enabling a sustainable GDPR program
Assess (what you have) → Plan (find gaps and plan solutions) → Execute on your plan → Monitor → Respond (ready to dialog with the regulator)
Create Value with SAP
• Trust and brand transparency with stakeholders
• Distribute accountability
• Cyber security and real-time detection
• Create a unique customer experience
• Best-of-breed technology
• Reduce compliance costs
• Multi-compliance
• Unique corporate compliance repository
• Information as a strategic key asset in the Digital Economy
Legal Disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information on this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or noninfringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, and shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. This limitation shall not apply in cases of intent or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
NOTE: The information contained in this presentation is for general guidance only and provided on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as response hereto. It is the customer’s responsibility to adopt measures that the customer deems appropriate to achieve GDPR compliance.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are
set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products,
and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks
and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and
they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
© 2018 SAP SE or an SAP affiliate company. All rights reserved.