Preparing for the GDPR’s complex technical and procedural data privacy requirements


Privacy has become a prime concern for US and global companies, especially those that do business in Europe. The EU began enforcing the General Data Protection Regulation (GDPR) on May 25th, 2018. This landmark privacy law aims to protect the rights of EU residents and standardize the rules governing the use of personal data across the 28-member bloc. Any organization that collects or processes the personal data of individuals in the EU can be subject to the GDPR, even if it has no establishment in Europe.

SAP has enhanced its SAP SuccessFactors HCM Suite with the technical features needed to protect the personal data of employees, job candidates and external partners. SAP's HCM solution can support new processes for data access, use and reporting, localized for compliance in a multinational environment.

GDPR data privacy requirements

New and enhanced privacy requirements clients need to consider:

  • Demonstrating accountability through compliance, monitoring, auditing and policy-management processes
  • Appointing a Data Protection Officer (DPO)
  • Maintaining comprehensive inventories of personal data
  • Expanded rights to data portability, erasure (the "right to be forgotten") and objection to profiling
  • Building privacy-leading practices into new or enhanced products and services, and formally assessing privacy impact for new and existing use cases
  • Sharing personal data only with third parties that can demonstrate GDPR compliance
  • Notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and notifying affected individuals without undue delay when the breach is likely to result in a high risk to them

Upgraded SuccessFactors functionalities include:

  • Access to data: Personal data is available for reporting and download
  • Rectification of data: Users with the appropriate permissions can change an individual's personal data
  • Erasure of data: Organizations can configure country-specific data-retention and purge rules to meet local data-retention regulations. These rules can be defined at the functional-object, country and user level so that companies keep data only for as long as it is needed for business purposes
  • Restriction of processing: Role-based permissions (RBP) let organizations define which users or roles can view, edit or delete data, including restricting access to historical employee data
  • Data portability: Personal data for an individual is available for reporting and can be downloaded and exported
  • Data-breach notification: The HCM system must support data-breach notification as required by the GDPR. SAP documents its breach-notification obligations as a processor in the Data Processing Agreement for cloud customers; the customer, as controller, remains responsible for notifying the supervisory authority and affected individuals
  • Consent: Consent-management features allow organizations to define and manage country-specific data-privacy and consent statements for external-facing applications, such as Recruiting, Learning and Onboarding
  • Information and transparency: Configurations can be documented to describe the features and processes used

"Businesses that see the GDPR as purely a costly compliance matter are missing the wider, strategic point: this is a catalyst for a fundamental shift in the digital economy. Respecting the privacy of people is good for business and it aligns directly with our mission at SAP to improve people's lives. Our solutions help you protect personal data and privacy throughout your organization, so you can focus on taking care of customers and prospects, engaging employees and suppliers, and growing your business, all while meeting GDPR requirements."

Amy Wilson, SVP Products, SAP

Contact us

Kris Khanna

Principal, PwC US


Rich Sernyak

Partner, US SAP Alliance Leader, PwC US

Chris Beiswenger

Partner, US SAP Practice Leader, PwC US