From May 2018, the General Data Protection Regulation (GDPR) will become law in the EU and the UK. It is designed to ensure that any personal data you hold about people is accurate and protected from misuse or exposure, whether deliberate or accidental.

There is a heavy onus on companies to ensure compliance, with the risk of hefty fines should there be a data breach. Suspected data breaches must also be reported to the Information Commissioner's Office within 72 hours.

So what risks does this expose you to with regard to your SAP data and how can you mitigate these risks?

There are many facets and complexities involved in GDPR compliance but, as this article is designed to be a briefing, we will condense them into four steps:

(1) Data Discovery: Identify and Classify your Personal Data

The first step is being able to identify and classify which data you hold that is relevant to GDPR. In broad terms this is 'any data that can be used to directly or indirectly identify a person', including names, photos, email addresses, bank details, posts on social networking websites, medical, genetic, mental, cultural, and economic information.

Every organization and business is different, but this data will typically fall into two areas: (a) the information that you hold about your employees and (b), particularly for B2C organizations, the information that you hold about your customers.

This kind of data can be found in many places within your SAP systems including your core ECC instance, SAP HR/HCM and BW. Some of this data is easy to find and common across most SAP estates but some will be very specific to your own organization.

(2) Access Review: Reviewing who can access this data and how they can access it

Once you've identified your 'GDPR sensitive' data, you need to know who can access it and how. There are a number of ways that data in SAP can be accessed and all of them should be analysed. Access methods include transaction codes, ABAP programs, function modules, Remote Function Calls (RFC), query reports and direct table access. Be particularly careful to check access to certain standard SAP function modules that can, without the caller realising it, pull personal employee data directly from SAP HCM/HR.

Usage of these methods can also come from various sources, such as dialog users, background jobs, SAP system accounts, remote systems and interfaces.

Product solutions such as ProfileTailor Dynamics can very quickly identify who has access to any sensitive data that you've identified, with out-of-the-box tools that let you analyse the access capabilities of named users, system accounts, roles and authorization objects. It can identify access whether it is granted explicitly through roles or gained via superuser privileges such as the SAP_ALL profile.
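As an added example (not Grey Monarch's or ProfileTailor Dynamics' code), the following Python script shows the core of such an access review over constructed user, role and authorization data: it resolves which users can reach a list of sensitive tables, whether through S_TABU_DIS authorization groups, S_TABU_NAM table names or the SAP_ALL profile, and whether they also hold a direct table-browsing transaction such as SE16. The authorization objects and transaction codes are real SAP names; the users, roles, table-to-group assignments and dictionary layouts are assumptions made for the demo and are not real SAP table structures.

```python
"""Access review over SAP-style authorization data.

Added example, not code from Grey Monarch or ProfileTailor Dynamics. The user,
role and authorization data below is constructed for the demo; the dictionary
layouts are a simplification, not real SAP table structures.
"""

# Constructed list of tables holding GDPR-relevant personal data, with the
# SAP authorization group each table is assumed to belong to.
SENSITIVE_TABLES = {
    "PA0002": "PA",   # HR infotype 0002: names, dates of birth
    "PA0009": "PA",   # HR infotype 0009: bank details
    "KNA1": "KA",     # customer master: names and addresses
}

# Transactions that browse tables directly (real SAP tools; treating exactly
# this set as "direct table access" is our assumption for the demo).
DIRECT_TABLE_TCODES = {"SE16", "SE16N", "SM30"}

# Constructed user -> profile and user -> role assignments.
USER_PROFILES = {"basisadm": {"SAP_ALL"}, "hrclerk": set(), "salesrep": set(), "auditor": set()}
USER_ROLES = {
    "basisadm": set(),
    "hrclerk": {"Z_HR_PAYROLL"},
    "salesrep": {"Z_SD_DISPLAY"},
    "auditor": {"Z_AUDIT_TABLES"},
}

# Constructed role -> authorizations: (authorization object, {field: values}).
# '*' is the SAP wildcard meaning "any value".
ROLE_AUTHS = {
    "Z_HR_PAYROLL": [
        ("S_TCODE", {"TCD": {"PA20", "PA30"}}),
        ("S_TABU_DIS", {"DICBERCLS": {"PA"}, "ACTVT": {"03"}}),
    ],
    "Z_SD_DISPLAY": [
        ("S_TCODE", {"TCD": {"VA03", "XD03"}}),
    ],
    "Z_AUDIT_TABLES": [
        ("S_TCODE", {"TCD": {"SE16"}}),
        ("S_TABU_NAM", {"TABLE": {"KNA1"}, "ACTVT": {"03"}}),
    ],
}


def _matches(values, wanted):
    """SAP-style field match: exact value or the '*' wildcard."""
    return "*" in values or wanted in values


def table_access_paths(user):
    """Return {table: [path, ...]} listing every way `user` can reach each
    sensitive table. SAP_ALL short-circuits everything, as it does in SAP."""
    paths = {table: [] for table in SENSITIVE_TABLES}
    if "SAP_ALL" in USER_PROFILES.get(user, set()):
        for table in paths:
            paths[table].append("profile SAP_ALL")
        return {t: p for t, p in paths.items() if p}

    for role in sorted(USER_ROLES.get(user, set())):
        for obj, fields in ROLE_AUTHS.get(role, []):
            for table, group in SENSITIVE_TABLES.items():
                # S_TABU_DIS grants by the table's authorization group.
                if obj == "S_TABU_DIS" and _matches(fields["DICBERCLS"], group):
                    paths[table].append(f"role {role} via S_TABU_DIS group {group}")
                # S_TABU_NAM grants by explicit table name.
                elif obj == "S_TABU_NAM" and _matches(fields["TABLE"], table):
                    paths[table].append(f"role {role} via S_TABU_NAM")
    return {t: p for t, p in paths.items() if p}


def has_direct_table_tool(user):
    """True if the user holds a transaction that reads tables directly."""
    if "SAP_ALL" in USER_PROFILES.get(user, set()):
        return True
    for role in USER_ROLES.get(user, set()):
        for obj, fields in ROLE_AUTHS.get(role, []):
            if obj == "S_TCODE" and any(_matches(fields["TCD"], t) for t in DIRECT_TABLE_TCODES):
                return True
    return False


def access_report():
    """Per sensitive table: which users can reach it, how, and whether they
    also hold a tool to read it directly rather than via an application."""
    report = {table: {} for table in SENSITIVE_TABLES}
    for user in sorted(USER_ROLES):
        for table, paths in table_access_paths(user).items():
            report[table][user] = {"paths": paths, "direct_tool": has_direct_table_tool(user)}
    return report


if __name__ == "__main__":
    for table, users in access_report().items():
        print(table)
        for user, info in users.items():
            flag = " [has direct table tool]" if info["direct_tool"] else ""
            print(f"  {user}{flag}: " + "; ".join(info["paths"]))
```

A real review would read the same relationships from the system's authorization tables (or from a tool such as the one described) rather than from hand-written dictionaries, and would also cover RFC, function module and query access, which this example leaves out.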

(3) Monitor and Detect: Continuous Monitoring of Access Rights and actual access of personal data.

The third step is having monitors, traps and triggers in place that will immediately detect access to any personal data in a manner that is not in accordance with your normal processing of such data. For instance, tools such as ProfileTailor™ Dynamics can be used to create highly specific custom events, down to keystroke level, to ensure that you are not inundated with false-positive alerts. As an example, you could define a custom event to detect something such as "a user has directly accessed a table whose name begins 'customerdata*' and has used the keystrokes to download or export this data".

ProfileTailor can also detect suspicious activity such as user or system accounts accessing data or using transaction codes that these accounts do not normally use, or activity by accounts from terminal-IDs that the account has not previously used.
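The detection logic this step describes, as an added example written for this briefing rather than taken from ProfileTailor Dynamics: a per-user baseline of normal transactions and terminals is learned from past activity, then new events are checked for direct access to tables matching a sensitive-name pattern (the constructed pattern ZCUSTOMERDATA*, standing in for the 'customerdata*' example above), for a download or export of such a table, for transaction codes the account has not used before and for terminal IDs it has not been seen on. The log records, field layout and alert codes are constructed for the demo.

```python
"""Behavioural monitoring of SAP activity against a per-user baseline.

Added example, not ProfileTailor Dynamics code. The records below are
constructed; in practice the input would come from the SAP Security Audit Log
or table access logging. Field layout and alert codes are our own.
"""
import fnmatch
from collections import defaultdict

# Name patterns for tables holding personal data (constructed; SAP-style '*').
SENSITIVE_TABLE_PATTERNS = ["ZCUSTOMERDATA*", "PA0*"]

# Actions treated as taking data out of the system (assumption for the demo).
EXPORT_ACTIONS = {"DOWNLOAD", "EXPORT"}

# Constructed records: (user, terminal id, transaction code, table, action).
BASELINE_EVENTS = [
    ("hrclerk", "WS-HR-01", "PA20", "", "DISPLAY"),
    ("hrclerk", "WS-HR-01", "PA30", "", "CHANGE"),
    ("salesrep", "WS-SD-07", "VA03", "", "DISPLAY"),
    ("salesrep", "WS-SD-07", "XD03", "", "DISPLAY"),
    ("auditor", "WS-AUD-02", "SE16", "KNA1", "DISPLAY"),
]
NEW_EVENTS = [
    ("hrclerk", "WS-HR-01", "PA20", "", "DISPLAY"),                    # normal
    ("salesrep", "WS-SD-07", "SE16", "ZCUSTOMERDATA_01", "DOWNLOAD"),  # export of sensitive table
    ("auditor", "LAPTOP-9", "SE16", "KNA1", "DISPLAY"),                # unseen terminal
    ("hrclerk", "WS-HR-01", "SE16N", "ZCUSTOMERDATA_02", "DISPLAY"),   # unusual tcode, direct access
    ("newhire", "WS-HR-03", "PA20", "", "DISPLAY"),                    # no history yet
]


def build_baseline(events):
    """Learn, per user, which transactions and terminals are normal."""
    baseline = defaultdict(lambda: {"tcodes": set(), "terminals": set()})
    for user, terminal, tcode, _table, _action in events:
        baseline[user]["tcodes"].add(tcode)
        baseline[user]["terminals"].add(terminal)
    return dict(baseline)


def is_sensitive_table(table):
    """Case-sensitive wildcard match against the sensitive-name patterns."""
    return any(fnmatch.fnmatchcase(table, p) for p in SENSITIVE_TABLE_PATTERNS)


def evaluate_event(event, baseline):
    """Return the sorted list of reasons this event is suspicious ([] if none)."""
    user, terminal, tcode, table, action = event
    reasons = []
    if table and is_sensitive_table(table):
        reasons.append("SENSITIVE_TABLE_EXPORT" if action in EXPORT_ACTIONS
                       else "SENSITIVE_TABLE_ACCESS")
    profile = baseline.get(user)
    if profile is None:
        # No learning data at all: flag once rather than as "everything is new".
        reasons.append("NO_BASELINE")
    else:
        if tcode not in profile["tcodes"]:
            reasons.append("UNUSUAL_TCODE")
        if terminal not in profile["terminals"]:
            reasons.append("NEW_TERMINAL")
    return sorted(reasons)


def detect(events, baseline):
    """Run every event through the checks and keep only those with findings."""
    alerts = []
    for event in events:
        reasons = evaluate_event(event, baseline)
        if reasons:
            user, terminal, tcode, table, _action = event
            alerts.append({"user": user, "terminal": terminal, "tcode": tcode,
                           "table": table, "reasons": reasons})
    return alerts


def run_demo():
    """Learn from BASELINE_EVENTS, then evaluate NEW_EVENTS."""
    return detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert['user']:9} {alert['terminal']:10} {alert['tcode']:6} "
              f"{alert['table']:17} {', '.join(alert['reasons'])}")
```

The baseline here is simply the set of values seen during a learning window; a production monitor would age the baseline, weight by frequency and route each alert code to a different severity so that a sensitive-table export is escalated while a first login from a new terminal is merely reviewed.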

(4) Alert and Communicate: Immediate alerting of a suspected data breach

Any detection of a suspected data breach should set off an immediate alert and also trigger a workflow to ensure that the proper governance process is being followed and that potential breaches can be reported according to the GDPR regulations. Again, tools such as ProfileTailor™ Dynamics have sophisticated workflow engines that can initiate these processes.

Such workflows are not only useful for reporting and compliance purposes; they can also take immediate remedial action, such as forcing off and locking any account detected behaving abnormally.

What about data outside SAP?

ProfileTailor™ Dynamics can also provide the same levels of monitoring and breach detection outside of SAP, for instance within your Active Directory network. Please do get in touch with us if you would like to learn more.


Next Steps...

If you would like to find out more about how Grey Monarch and ProfileTailor™ Dynamics can help in this area then please do contact us or have a look at our dedicated page here.