Get to know your SAP and S/4HANA data

Cybersecurity and Privacy Matter in S/4HANA Projects

SAP processes personal data
It is not uncommon to hear statements that SAP does not contain personal data and thus that SAP as a system would not be subject to GDPR requirements. However, the meaning of personal data is very broad, and the term does not only refer to social security numbers and names of individuals. According to GDPR, any information that can be used to identify an individual can be considered personal data.

In SAP, depending on the system being used, personal data refers to different types of information, such as:

  • Employee ID
  • Username
  • Name of the employee
  • Contact details
  • Next of kin and contact information in HCM systems
  • Employee salary data
  • Customer data (names, contact details, bank connections, credit card details and the history thereof)
  • Confidential documents, printing information and emails

Because your organisation stores, transfers and otherwise processes personal data in its S/4HANA projects, the GDPR comes into play.

Preparing for possible unfavourable outcomes in organisational operations raises the question of accountability. It is the leadership and management teams who are primarily responsible for ensuring compliance, and therefore accountable for any non-compliance issues. For the S/4HANA projects this means that the management must ensure that the system has been implemented in a way that mitigates any potential risks to the organisation.

How to build privacy by design and by default into the S/4HANA project?

The GDPR requires privacy to be built in by design and by default. In practice, this means that in S/4HANA projects it is crucial to take privacy and cybersecurity into consideration from the earliest stage. As a leader, you should do the following:

  1. Name privacy and cybersecurity professionals to the S/4HANA project team. This way these professionals can raise concerns and propose solutions throughout the project, and you will not risk spending additional budget to fix configurations later.
  2. Ensure that S/4HANA project team members are trained and instructed on the most common cybersecurity and privacy risks and pitfalls.
  3. Require the project to conduct risk assessments. Note that many of these are required by law and need to be completed in the very early stages of the project.
    1. During the implementation phase of the process, you transfer large data sets to a new system and thus, a Data Protection Impact Assessment (DPIA) is key in achieving compliance.
    2. As S/4HANA is a cloud-based system, conducting a Transfer Impact Assessment (TIA) is highly recommended.
  4. Verify that mitigation actions which arise from the above assessments are implemented. In essence, each recommendation should clearly indicate responsibility and a deadline.
  5. Ensure that all decisions, assessments and mitigation actions are documented and stored centrally so that your organisation is able to demonstrate compliance.