Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Brief Introduction to Data Protection and Privacy in S/4 HANA

former_member246453
Explorer
‎01-01-2019 5:00 AM
This article is a mostly copied summary of the current Security Guide. It has been reviewed and adapted from the S/4HANA DPP Product Owner volker.lehnert .

Data protection is associated with numerous legal requirements and privacy concerns.
In addition to compliance with general data protection acts, it is necessary to consider compliance with industry-specific legislation in different countries. This blog briefly describes the features S/4 HANA explicitly provides to support compliance with the relevant legal requirements and data protection. Other features like authentication or authorizations are in the blog not named. Still the customer will have effort to adapt e.g. the authorization concept to reach compliance. Please refer to the official security guide of S/4 HANA for detailed information on the prerequisites and features.

1) Consent Management :

Any personal data collected or processed must be linked to a specific, pre-defined purpose, such as the fulfillment of a contract or legal obligation. If there is no other legal basis for the lawful processing of personal data or in some cases if the data is to be sent to a third party, you must obtain consent from the data subject to use their personal data. This consent data can be stored in the SAP system as consent records.
Consent Management enables you to search for and display stored consent records as well as to import consent records as copies from either a file on your device or via the Consent Repository service available on the SAP Cloud Platform.

2)Read Access Logging :

Read access to personal data is partially based on legislation, and it is subject to logging functionality. The Read Access Logging (RAL) component can be used to monitor and log read access to data and provide information such as which business users accessed personal data (for example, fields related to bank account data), and when they did so.

3)Information Retrieval :

Data subjects have the right to get information regarding their personal data undergoing processing, including the reason (purpose) for processing.
The SAP NetWeaver component Information Retrieval Framework can be used to carry out a cross-application search for personal data of a specified data subject. The data is retrieved from the system and displayed in a structured, easy-to-read list, subdivided according to the purposes for which the data was initially collected and processed.

4)Deletion of Personal Data :

Personal data in a system can be blocked as soon as the business activities for which this data is needed are completed and the residence time for the data has elapsed. After this time, only users who are assigned additional authorizations can access the data.
When the retention period has expired, personal data can be destroyed completely so that it can no longer be retrieved. Residence and retention periods are defined in the customer system.
For this purpose, SAP uses SAP Information Lifecycle Management (ILM) to help you set up a compliant information lifecycle management process in an efficient and flexible manner.

5)Change Log :

Creation and change of personal data need to be documented. Therefore, for review purposes or as a result of legal regulations, it may be necessary to track the changes made to this data. When these changes are logged, you should be able to check which employee made which change, the date and time, the previous value, and the current value, depending on the configuration. It is also possible to analyze errors in this way.

For more information about topics related to data protection, see the Data Protection section in the relevant application-specific security guides.

Please contact volker.lehnert or Peter Dejon for any queries related to the topic.
Labels:
5 Comments
former_member341280
Discoverer
‎01-17-2019 8:55 AM
0 Kudos
 

Hi Manasi,

many thanks for the info.

In addition to those 5 points, what is your proposed solution for the anonymization of productive system copies (in QA, Dev etc) in support of:

  • Legal requirements (GDPR, HIPAA etc.)

  • Protection of customer's own IP?


Regards, Alan
Volker-Lehnert
Advisor
Advisor
‎01-17-2019 9:32 AM
0 Kudos
We currently do not have any solution.

 

Pls, do not use the term anonymization at all. This is likely niche reachable

 

KR

 

Volker Lehnert

(Datenschutzbeauftragter DSB-TÜV)

Senior Director Data Protection S/4HANA

 
former_member341280
Discoverer
‎01-17-2019 11:11 AM
0 Kudos

 

Hi Volker,

what term(s) do you prefer please?

And what is 'niche reachable' in simple english. 

 

Regards, Alan

Volker-Lehnert
Advisor
Advisor
‎01-17-2019 1:43 PM
0 Kudos
„niche reachable“ is a typo not reachable was meant. Thank you for pointing out.

The term aligned with DPO to be used "De-personalization", The argumentation for customers is quite simple: Whether data is in fact anonymized (re-identifcation is not possible)  or pseudonymized  (as defined in Art. 4 No. 5 GDPR) can only be judged in the concrete scenario.

 

KR

 
Saritha_K
Contributor
‎11-22-2019 5:52 AM
0 Kudos

Hi Team,

 

With respect to RAL for ODATA services, what are the pre-requisites? I have added the RAL related add ons to both backend and front end servers, but am not able to configure it specifically for odata logging.

note- our system is having below details SAP S/4HANA 1809 FP01, Netweaver release 7.52

Regards,

Saritha

Popular Blog Posts