Significant penalties, data portability, the principle of lex loci solutionis: The provisions of the EU General Data Protection Regulation apply to virtually every company in Germany.
Meanwhile, the adjustments it will entail within the EU will also affect U.S. corporations like Facebook, Amazon, and Google.
Let’s take a look at how SAP is dealing with the GDPR.
What Exactly Will Change?
While the GDPR took effect on May 25, 2016, it will not enter into force until the same date in 2018, following a two-year transition period. The provisions of Germany’s Federal Data Protection Act (BDSG) that are relevant for German companies will largely be replaced — apart from the “flexibility clauses”* — by the corresponding rules of the GDPR. Since the GDPR is a European regulation, it applies directly to all EU member states and generally does not need to be implemented through national legislation.
For companies, the GDPR introduces an obligation to establish a “structure conducive to data protection.” This includes the following requirements, among others:
- Data protection impact assessments when using new technologies
- Data portability, which ensures that data can easily be transported from one network to another
- The obligation to delete private data when requested by the respective user
- The use of technologies that were developed based on the principles of privacy by design and privacy by default, which means that technical data-protection requirements were met during the design of a given product and are easy for users to modify
- Observance of the lex loci solutionis principle, which means that the GDPR applies to all companies operating within the EU, regardless of where they are headquartered
- The obligation to maintain proof that all of the necessary data protection measures are being taken at a given company. The GDPR provides for much higher penalties (up to four percent of a company’s revenues) if this requirement is not met.
What Can Companies Expect?
Since they are less able than large companies to invest in related consulting, small and midsize enterprises (SMEs) will be particularly affected by the changes in data protection regulations. This means that the certification of products and services could become increasingly important in the future, at least to the extent that companies can use such certifications to document their GDPR-compliant data management practices.
For Michael Wiedemann, SAP’s own deputy data protection officer, this will be a new market for business consultants, certification bodies, and external data protection officers. “These entities will benefit most from the GDPR because many companies don’t have the capacity to establish their own data protection organizations,” he says.
What Measures Is SAP Taking?
For those responsible for protecting corporate data, certifications are already playing an important role. The data protection management system the company has been using for seven years is a key component of SAP’s corresponding strategy.
“It’s certified according to British Standard 10012,” Wiedemann reports. He goes on to explain that the London-based British Standards Institution (BSI) currently offers “the only certifiable standard for assembling and operating personal information management systems, and it already covers the requirements of the GDPR.”
The main characteristics of management systems like these include the capability to document processes and data flows relevant to data protection in the necessary detail. Here, many companies are only just getting started from an organizational perspective.
“Even if these obligations are already in place at a given company, the regular auditing they require hasn’t been performed in a lot of cases,” Wiedemann says. This is why he tests the data protection knowledge of employees in various locations as part of 100-150 audits each year.
According to Wiedemann, systematic monitoring is the only way to maintain a high level of data protection across all units and locations. In addition to its own intensive internal inspections, SAP has BSI conduct another 40-50 annual audits of its operations. “BSI puts together an annual audit report that we make available to our customers,” Wiedemann affirms. “It gives them a way to understand and assess our data protection measures.”
What Internal Actions Does SAP Still Need to Take?
One of SAP’s remaining tasks involves “maintaining a record of processing activities” for all processes, as stipulated by Article 30 of the GDPR. This represents a significant expansion of the process register required by the BDSG. At many companies, these records only see rudimentary updates, if they are maintained at all. Organizations will soon be obligated to document both longstanding processes and newly established procedures across all their business areas and to review them in accordance with data protection law.
“Companies need to set up process controls that permeate their operations down to an intricate level of detail,” Wiedemann points out.
At SAP, for example, ideas are developed into new products and services each and every day. “Each of the processes involved has to be listed and promptly checked for data protection compliance,” explains Wiedemann, who has all of SAP’s processes recorded in a decentralized manner. For this purpose, SAP has come up with a dedicated system that also enables experienced data protection employees to enter processes on their own for automatic evaluation.
“Anyone who creates a new process now puts it straight into the central record,” Wiedemann adds. By the end of the year, SAP wants to have all of its processes listed – that’s more than a thousand in total.
* In some parts of the GDPR, flexibility clauses give national legislators the power to further specify and supplement the regulation’s provisions.